[***] Summary: [***]

6 new OPEN, 37 new PRO (6 + 31). Various APT, CVE 2022-1388, Various
INFO/Hunting and Posh C2.

Thanks @MinervaLabs and Kaspersky

Due to a corporate holiday, there will not be a rules release on
Friday, May 13, 2022.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036551 - ET HUNTING Suspicious HTTP Connection Header Observed (hunting.rules)
2036552 - ET MALWARE BluStealer Related Domain in DNS Lookup (premium12 .web-hosting .com) (malware.rules)
2036553 - ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .cloud) (malware.rules)
2036554 - ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .online) (malware.rules)
2036555 - ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (malware.rules)
2036556 - ET EXPLOIT F5 BIG-IP iControl REST authentication bypass attempt (CVE 2022-1388) M2 (exploit.rules)

Pro:

2851601 - ETPRO MALWARE FreeEdgeBot Checkin via Telegram (malware.rules)
2851602 - ETPRO HUNTING Suspicious Reversed String Inbound (VS_VERSION_INFO) M1 (hunting.rules)
2851603 - ETPRO HUNTING Suspicious Reversed String Inbound (VS_VERSION_INFO) M2 (hunting.rules)
2851604 - ETPRO HUNTING Suspicious Reversed String Inbound (VarFileInfo) M1 (hunting.rules)
2851605 - ETPRO HUNTING Suspicious Reversed String Inbound (VarFileInfo) M2 (hunting.rules)
2851606 - ETPRO HUNTING Suspicious Reversed String Inbound (StringFileInfo) M1 (hunting.rules)
2851607 - ETPRO HUNTING Suspicious Reversed String Inbound (StringFileInfo) M2 (hunting.rules)
2851608 - ETPRO HUNTING Suspicious Reversed String Inbound (Comments) M1 (hunting.rules)
2851609 - ETPRO HUNTING Suspicious Reversed String Inbound (Comments) M2 (hunting.rules)
2851610 - ETPRO HUNTING Suspicious Reversed String Inbound (CompanyName) M1 (hunting.rules)
2851611 - ETPRO HUNTING Suspicious Reversed String Inbound (CompanyName) M2 (hunting.rules)
2851612 - ETPRO HUNTING Suspicious Reversed String Inbound (FileDescription) M1 (hunting.rules)
2851613 - ETPRO HUNTING Suspicious Reversed String Inbound (FileDescription) M2 (hunting.rules)
2851614 - ETPRO HUNTING Suspicious Reversed String Inbound (InternalName) M1 (hunting.rules)
2851615 - ETPRO HUNTING Suspicious Reversed String Inbound (InternalName) M2 (hunting.rules)
2851616 - ETPRO HUNTING Suspicious Reversed String Inbound (FileVersion) M1 (hunting.rules)
2851617 - ETPRO HUNTING Suspicious Reversed String Inbound (FileVersion) M2 (hunting.rules)
2851618 - ETPRO HUNTING Suspicious Reversed String Inbound (LegalCopyright) M1 (hunting.rules)
2851619 - ETPRO HUNTING Suspicious Reversed String Inbound (LegalCopyright) M2 (hunting.rules)
2851620 - ETPRO HUNTING Suspicious Reversed String Inbound (LegalTrademarks) M1 (hunting.rules)
2851621 - ETPRO HUNTING Suspicious Reversed String Inbound (LegalTrademarks) M2 (hunting.rules)
2851622 - ETPRO HUNTING Suspicious Reversed String Inbound (OriginalFilename) M1 (hunting.rules)
2851623 - ETPRO HUNTING Suspicious Reversed String Inbound (OriginalFilename) M2 (hunting.rules)
2851624 - ETPRO HUNTING Suspicious Reversed String Inbound (ProductName) M1 (hunting.rules)
2851625 - ETPRO HUNTING Suspicious Reversed String Inbound (ProductName) M2 (hunting.rules)
2851626 - ETPRO HUNTING Suspicious Reversed String Inbound (ProductVersion) M1 (hunting.rules)
2851627 - ETPRO HUNTING Suspicious Reversed String Inbound (ProductVersion) M2 (hunting.rules)
2851628 - ETPRO HUNTING Suspicious Reversed String Inbound (Assembly Version) M1 (hunting.rules)
2851629 - ETPRO HUNTING Suspicious Reversed String Inbound (Assembly Version) M2 (hunting.rules)
2851630 - ETPRO MALWARE Orcus RAT Related Domain in DNS Lookup (malware.rules)
2851631 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M10 (malware.rules)

[///] Modified active rules: [///]

2036546 - ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1 (exploit.rules)
2850888 - ETPRO MALWARE OnionRAT Checkin via Telegram (malware.rules)
2851592 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M2 (malware.rules)
2851594 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M4 (malware.rules)
2851595 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M5 (malware.rules)
2851597 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M6 (malware.rules)
2851598 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M7 (malware.rules)
2851599 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M8 (malware.rules)
2851600 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M9 (malware.rules)

[---] Disabled and modified rules: [---]

2851593 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M3 (malware.rules)

[---] Removed rules: [---]

2851596 - ETPRO MALWARE PoshC2 Beacon Exfil (POST) M5 (malware.rules)
