[***] Summary: [***]
28 new OPEN, 32 new PRO (28 + 4). Win32/SessionManager2, SilentLibrarian, LinPEAS, Others.
Thanks @TeamDreier
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2013559 - ET INFO Delphi JEDI Visual Component Library User-Agent (JEDI-VCL) (info.rules)
2037214 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
2037215 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
2037216 - ET EXPLOIT Possible ManageEngine ADAudit Plus Directory Traversal Leading to Deserialization (exploit.rules)
2037217 - ET EXPLOIT Possible ManageEngine ADAudit Plus XXE (CVE-2022-28219) (exploit.rules)
2037218 - ET WEB_SERVER Win32/SessionManager Backdoor ReadFile Command (Inbound) (web_server.rules)
2037219 - ET WEB_SERVER Win32/SessionManager2 Backdoor GETFILE Command (Inbound) (web_server.rules)
2037220 - ET WEB_SERVER Win32/SessionManager2 Backdoor PUTFILE Command (Inbound) (web_server.rules)
2037221 - ET WEB_SERVER Win32/SessionManager2 Backdoor DELETEFILE Command (Inbound) (web_server.rules)
2037222 - ET WEB_SERVER Win32/SessionManager2 Backdoor FILESIZE Command (Inbound) (web_server.rules)
2037223 - ET WEB_SERVER Win32/SessionManager2 Backdoor CMD Command (Inbound) (web_server.rules)
2037224 - ET WEB_SERVER Win32/SessionManager2 Backdoor PING Command (Inbound) (web_server.rules)
2037225 - ET WEB_SERVER Win32/SessionManager2 Backdoor S5CONNECT Command (Inbound) (web_server.rules)
2037226 - ET WEB_SERVER Win32/SessionManager2 Backdoor S5WRITE Command (Inbound) (web_server.rules)
2037227 - ET WEB_SERVER Win32/SessionManager2 Backdoor S5READ Command (Inbound) (web_server.rules)
2037228 - ET WEB_SERVER Win32/SessionManager2 Backdoor S5CLOSE Command (Inbound) (web_server.rules)
2037229 - ET MALWARE LinPEAS Privilege Escalation Script Response (With Banner) (malware.rules)
2037230 - ET MALWARE LinPEAS Privilege Escalation Script Response (Without Banner) (malware.rules)
2037231 - ET MALWARE SilentLibrarian Domain in DNS Lookup (login .cardiff .acuk .me) (malware.rules)
2037232 - ET MALWARE Observed Malicious SSL Cert (SilentLibrarian) (malware.rules)
2037233 - ET MALWARE Troj_Yahoya Variant CnC Checkin (malware.rules)
2037234 - ET MALWARE Win32/Fynloski.AA CnC Checkin (malware.rules)
2037235 - ET MALWARE Win32/Wacatac.B!ml CnC Checkin (malware.rules)
2037236 - ET MALWARE Win32/Wacatac.B!ml Data Exfiltration (malware.rules)
2037237 - ET PHISHING Sucessful Global Sources Credential Phish 2022-06-29 (phishing.rules)
2037238 - ET PHISHING Sucessful Alibaba Credential Phish 2022-06-29 (phishing.rules)
2037239 - ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil (set) (malware.rules)
2037240 - ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil (malware.rules)
Pro:
2851849 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-30 1) (coinminer.rules)
2851850 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-30 2) (coinminer.rules)
2851851 - ETPRO MALWARE Observed DNS Query to TA402 Domain (malware.rules)
2851852 - ETPRO MALWARE Observed TA402 Domain in TLS SNI (malware.rules)
[///] Modified active rules: [///]
2030691 - ET MALWARE Possible KONNI CnC Activity (malware.rules)
2827202 - ETPRO MALWARE Lets Encrypt Free SSL Cert Observed in Possible Proofpoint Phishing (malware.rules)
2843622 - ETPRO MALWARE Likely Evil Powershell Inbound (Invoke-Mimikatz) (malware.rules)
2843856 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 (malware.rules)
2851779 - ETPRO MALWARE Agent Tesla Telegram Exfil (malware.rules)
[---] Disabled and modified rules: [---]
2807237 - ETPRO WEB_CLIENT Adobe PDF file corrupted download (CVE-2013-3355) 1 (web_client.rules)
2807238 - ETPRO WEB_CLIENT Adobe PDF file corrupted download (CVE-2013-3355) 2 (web_client.rules)
[---] Removed rules: [---]
2013559 - ET MALWARE Delphi Trojan Downloader User-Agent (JEDI-VCL) (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team