[***] Summary: [***]
18 new OPEN, 28 new PRO (18 + 10). Win32/Injector.DKUN, Sidewinder
APT, Powershell/PowHeartBeat CnC and IcedID.
Thanks @ESET, @HuntressLabs and @zscaler
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2012707 - ET MALWARE Win32/Injector.DKUN Variant Response (malware.rules)
2038809 - ET HUNTING Suspicious Windows Installer UA for non-MSI (hunting.rules)
2038810 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038811 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038812 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038813 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038814 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038815 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038816 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038817 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038818 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2038819 - ET INFO SQLite DLL Retrieval by Name (GET) (info.rules)
2038820 - ET MALWARE Sidewinder APT Related Malware Activity M1 (GET) (malware.rules)
2038821 - ET MALWARE Powershell/PowHeartBeat CnC Checkin - ICMP (malware.rules)
2038822 - ET MALWARE Observed DNS Query to Malicious Powershell Payload domain (onerecovery .click) (malware.rules)
2038823 - ET MALWARE Observed DNS Query to Reverse Shell Payload Domain (opentunnel .quest) (malware.rules)
2038824 - ET MALWARE Observed Malicious Powershell Payload Delivery Domain (onerecovery .click) in TLS SNI (malware.rules)
2038825 - ET MALWARE Observed Reverse Shell Payload Delivery Domain (opentunnel .quest) in TLS SNI (malware.rules)
Pro:
2852367 - ETPRO INFO HTTP Request With Uppercase Host Header Observed (info.rules)
2852368 - ETPRO MALWARE Win32/IcedID Stage2 CnC Activity M2 (GET) (malware.rules)
[///] Modified active rules: [///]
2025633 - ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 1 (malware.rules)
2025634 - ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 2 (malware.rules)
2032947 - ET MALWARE Ares Activity (POST) (malware.rules)
2037002 - ET MALWARE Win32/Grandoreiro Loader Checkin Activity (POST) (malware.rules)
2038618 - ET MALWARE Win32/Grandoreiro Sending System Information (POST) (malware.rules)
2038619 - ET MALWARE Win32/Grandoreiro Related Activity (GET) (malware.rules)
2833510 - ETPRO POLICY SentryPC/Realtime Spy Host Monitor Software - Screenshot POST (policy.rules)
[---] Removed rules: [---]
2012707 - ET HUNTING Suspicious double Server Header (hunting.rules)
2832607 - ETPRO HUNTING Suspicious Windows Installer UA for non-MSI (hunting.rules)
2850605 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850606 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850607 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850608 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850609 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850610 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850611 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850612 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2850621 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2852278 - ETPRO MALWARE HTML/TrojanDownloader.Agent.NKU CnC Activity M1 (malware.rules)