[***] Summary: [***]

9 new OPEN, 12 new PRO (9 + 3). Win32/HackTool.Agent.CS,
MSIL/Blitzed Grabber, Miners and Phishing.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037752 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037753 - ET HUNTING GET Request to Pastebin .com with PowerShell User-Agent (hunting.rules)
2037754 - ET MALWARE Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin (malware.rules)
2037755 - ET MALWARE Win32/HackTool.Agent.CS SMTP activity (malware.rules)
2037756 - ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M1 (phishing.rules)
2037757 - ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M2 (phishing.rules)
2037758 - ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M3 (phishing.rules)
2037759 - ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M4 (phishing.rules)
2037760 - ET MALWARE Win64/Agent.qwiakk CnC Checkin (malware.rules)

Pro:

2851888 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-13 1) (coinminer.rules)
2851889 - ETPRO MALWARE MSIL/Blitzed Grabber Exfil via Discord (malware.rules)
2851893 - ETPRO COINMINER Monero CoinMiner Setup Script (coinminer.rules)

[///] Modified active rules: [///]

2016101 - ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12 (malware.rules)
2016102 - ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24 (malware.rules)
2016413 - ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111 (dns.rules)
2016418 - ET DNS Reply Sinkhole - Dr. Web (dns.rules)
2016419 - ET DNS Reply Sinkhole - Zinkhole.org (dns.rules)
2016422 - ET DNS Reply Sinkhole - Georgia Tech (1) (dns.rules)
2016423 - ET DNS Reply Sinkhole - Georgia Tech (2) (dns.rules)
2016591 - ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com (dns.rules)
2018455 - ET MALWARE DNS Reply Sinkhole - Anubis - 195.22.26.192/26 (malware.rules)
2018517 - ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234 (dns.rules)
2018642 - ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain (malware.rules)
2019508 - ET MALWARE DNS Reply Sinkhole - IP - 161.69.13.44 (malware.rules)
2020889 - ET MALWARE Vobus/Beebone Sinkhole DNS Reply (malware.rules)
2021021 - ET MALWARE Kaspersky Sinkhole DNS Reply (malware.rules)
2021022 - ET MALWARE Wapack Labs Sinkhole DNS Reply (malware.rules)
2823811 - ETPRO EXPLOIT_KIT DNSChanger EK DNS Reply Adfraud Server 1 Dec 12 2016 (exploit_kit.rules)
2823812 - ETPRO EXPLOIT_KIT DNSChanger EK DNS Reply Adfraud Server 2 Dec 12 2016 (exploit_kit.rules)

[///] Modified inactive rules: [///]

2016103 - ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24 (malware.rules)
2016104 - ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24 (malware.rules)
2016420 - ET DNS Reply Sinkhole - German Company (dns.rules)
2016421 - ET DNS Reply Sinkhole - 1and1 Internet AG (dns.rules)
2031197 - ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67 (malware.rules)

[---] Disabled and modified rules: [---]

2016305 - ET WEB_SERVER Ruby on Rails RCE Attempt Inbound (CVE-2013-0333) (web_server.rules)
2017174 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
2017175 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
2017176 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
2017366 - ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632 (web_server.rules)
2017684 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
2017685 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
2017686 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
2017687 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
2806187 - ETPRO EXPLOIT Apache Struts ParametersInterceptor Remote Code Execution (CVE-2011-3923) (exploit.rules)
2806970 - ETPRO WEB_SERVER Microsoft SharePoint DoS 1 CVE-2013-0081 (web_server.rules)
2806971 - ETPRO WEB_SERVER Microsoft SharePoint DoS 2 CVE-2013-0081 (web_server.rules)
2807107 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt (CVE-2013-3895) (web_server.rules)

[---] Removed rules: [---]

2016170 - ET EXPLOIT CVE-2012-4792 EIP in URI M2 (exploit.rules)
2017007 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access (exploit.rules)
