[***] Summary: [***]
23 new OPEN, 32 new PRO (23 + 9) Gamaredon, Patchwork, Bablosoft, SocGholish, Inbound JARM Scanning.
Thanks @500mk500, @sysopfb, @teamcymru, @InQuest
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2011819 - ET HUNTING Zero Content-Length HTTP POST with data (outbound) (hunting.rules)
2036682 - ET MALWARE Gamaredon APT Maldoc Related Activity (GET) (malware.rules)
2036683 - ET MALWARE Patchwork APT Related Activity (POST) (malware.rules)
2036684 - ET MALWARE Patchwork APT Related Activity M2 (POST) (malware.rules)
2036685 - ET INFO Bablosoft BAS Related Domain in DNS Lookup (bablosoft .com) (info.rules)
2036686 - ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com) (info.rules)
2036687 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net) (malware.rules)
2036688 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net) (malware.rules)
2036689 - ET MALWARE MSIL/Spy.Agent.CVT CnC Exfil (malware.rules)
2036690 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_forward (info.rules)
2036691 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_reverse (info.rules)
2036692 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_top_half (info.rules)
2036693 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_bottom_half (info.rules)
2036694 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_middle_out (info.rules)
2036695 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_1_middle_out (info.rules)
2036696 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_forward (info.rules)
2036697 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse (info.rules)
2036698 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse (info.rules)
2036699 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_invalid (info.rules)
2036700 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_middle_out (info.rules)
2036701 - ET PHISHING Successful Microsoft Credential Phish 2022-05-26 (phishing.rules)
2036702 - ET PHISHING Credito Emiliano Credential Phish Landing Page 2022-05-26 (phishing.rules)
2036703 - ET MALWARE Observed DNS Query to bablosoft Domain (bablosoft .com) (malware.rules)
Pro:
2851700 - ETPRO ATTACK_RESPONSE PowerShell Byte Array Obfuscation Inbound (attack_response.rules)
2851701 - ETPRO ATTACK_RESPONSE PowerShell Binary Array Obfuscation Inbound (attack_response.rules)
2851702 - ETPRO ATTACK_RESPONSE VBS Hex Encoded HTTP String with Execute Inbound (attack_response.rules)
2851703 - ETPRO ATTACK_RESPONSE VBS Hex Encoded AppData String with Execute Inbound (attack_response.rules)
2851704 - ETPRO ATTACK_RESPONSE VBS Hex Encoded Windows Startup Path String with Execute Inbound (attack_response.rules)
2851705 - ETPRO MALWARE Possible MalDoc Retrieving Payload 2022-05-25 (malware.rules)
2851706 - ETPRO MALWARE Malicious Word Document Template Download Domain in DNS Lookup (truecolor8 .xyz) (malware.rules)
2851707 - ETPRO MALWARE Observed Malicious Word Document Template Download Domain (truecolor8 .xyz) in TLS SNI (malware.rules)
2851708 - ETPRO MALWARE Malicious Word Document Template Download Attempt (malware.rules)
[///] Modified active rules: [///]
2019326 - ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2) (malware.rules)
2019327 - ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3) (malware.rules)
2036548 - ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) (exploit.rules)
2036549 - ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1 (exploit.rules)
2036550 - ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2 (exploit.rules)
[---] Removed rules: [---]
2011819 - ET POLICY Zero Content-Length HTTP POST with data (outbound) (policy.rules)