[***] Summary: [***]
18 new OPEN, 28 new PRO (18 + 10): Zerologon, Gamaredon, DonotGroup, Apache APISIX Admin API Authentication Bypass (CVE-2022-24112), Extensis Portfolio Unrestricted File Upload (CVE-2022-24252), Remcos and Win32/PurgeStealer.

Thanks @Unit42_Intel, @shadowchasing1, @malwrhunterteam, @JAMESWT_MHT, @ffforward and @TheDFIRReport
Important note regarding Zerologon signatures:
These rules have been tagged with a "significant" performance impact, but _are_ enabled by default because TheDFIRReport has observed in-the-wild exploitation, as documented in the following report -
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-do…
To limit the performance impact, deploy them selectively on sensors that monitor traffic to/from domain controllers, and locally modify the host variables so that inspection is further restricted to domain controller traffic.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030888 - ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set) (info.rules)
2035258 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1 (exploit.rules)
2035259 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2 (exploit.rules)
2035260 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1 (exploit.rules)
2035261 - ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2 (exploit.rules)
2035262 - ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472) (exploit.rules)
2035263 - ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472) (exploit.rules)
2035264 - ET INFO Online File Storage Domain in DNS Lookup (gofile .io) (info.rules)
2035265 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035266 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035267 - ET TROJAN Gamaredon Maldoc Activity (GET) (trojan.rules)
2035268 - ET TROJAN DonotGroup APT Related Domain in DNS Lookup (tobaccosafe .xyz) (trojan.rules)
2035269 - ET TROJAN DonotGroup APT Related Domain in DNS Lookup (font .backuplogs .xyz) (trojan.rules)
2035270 - ET TROJAN DonotGroup APT Related Domain in DNS Lookup (srvrfontsdrive .xyz) (trojan.rules)
2035271 - ET TROJAN JS/TrojanDownloader.Agent.TXV CnC Activity (trojan.rules)
2035272 - ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1 (exploit.rules)
2035273 - ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2 (exploit.rules)
2035274 - ET EXPLOIT Extensis Portfolio Unrestricted File Upload (CVE-2022-24252) (exploit.rules)
Pro:
2851139 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-21 1) (trojan.rules)
2851140 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-21 2) (trojan.rules)
2851141 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-21 3) (trojan.rules)
2851142 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-21 4) (trojan.rules)
2851143 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-21 5) (trojan.rules)
2851144 - ETPRO TROJAN Win32/Remcos RAT Checkin 776 (trojan.rules)
2851145 - ETPRO TROJAN Win32/Remcos RAT Checkin 777 (trojan.rules)
2851146 - ETPRO TROJAN Win32/PurgeStealer Activity (POST) (trojan.rules)
2851147 - ETPRO INFO File Upload Activity (gofile .io) (info.rules)
2851148 - ETPRO TROJAN Win32/Injector.ERDQ Download Request (trojan.rules)
[+++] Enabled and modified rules: [+++]
2030870 - ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472) (exploit.rules)
[///] Modified active rules: [///]
2814578 - ETPRO DNS SkullSecurity Encrypted Shell Tunnel 2 (dns.rules)
[---] Removed rules: [---]
2030888 - ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) UUID flowbit set (exploit.rules)
2035217 - ET TROJAN test CnC Domain in DNS Lookup (trojan.rules)