[***] Summary: [***]

25 new OPEN, 30 new PRO (25 + 5) TA452, Cobalt Strike, Various Phish, Various DNS rules

Thanks @korteke @StopMalvertisin @safebreach @BlackBerry @Fortinet

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2039512 - ET MALWARE MSIL/InfoStealer Variant Activity (POST) (malware.rules)
2039513 - ET MALWARE TA452 Related Backdoor Activity (GET) (malware.rules)
2039514 - ET MALWARE TA452 Related Backdoor Activity (POST) (malware.rules)
2039515 - ET MALWARE TA452 Related Backdoor Activity (POST) (malware.rules)
2039516 - ET INFO MegaNerd DNS Over HTTPS Certificate Inbound (info.rules)
2039517 - ET INFO Mullvad DNS Over HTTPS Certificate Inbound (info.rules)
2039518 - ET INFO Mullvad DNS Over HTTPS Certificate Inbound (info.rules)
2039519 - ET INFO NextDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039520 - ET INFO Njalla DNS Over HTTPS Certificate Inbound (info.rules)
2039521 - ET INFO Open Internet DNS Over HTTPS Certificate Inbound (info.rules)
2039522 - ET INFO Paesa DNS Over HTTPS Certificate Inbound (info.rules)
2039523 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039524 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039525 - ET INFO PureDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039526 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039527 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online) (malware.rules)
2039528 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ellechina .online) (malware.rules)
2039529 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (gov .mil .ua .aspx .io) (malware.rules)
2039530 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (notfiled .com) (malware.rules)
2039531 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scanners .com) (malware.rules)
2039532 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scaner .com) (malware.rules)
2039533 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (4qzm .com) (malware.rules)
2039534 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (www .get .adobe .com .aspx .io) (malware.rules)
2039535 - ET PHISHING Successful BoA Credential Phish 2022-10-24 (phishing.rules)
2039536 - ET PHISHING Successful Citizens Bank Credential Phish 2022-10-24 (phishing.rules)

Pro:

2852646 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-20 1) (coinminer.rules)
2852647 - ETPRO MALWARE Win32/Remcos RAT Checkin 846 (malware.rules)
2852648 - ETPRO PHISHING Successful Bank of America Phish 2022-10-24 (phishing.rules)

[///] Modified active rules: [///]

2039464 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039465 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039466 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039467 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039468 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039469 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (exploit.rules)
2039471 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound) (exploit.rules)
2804765 - ETPRO MALWARE Dirt Jumper/Russkill v5 Checkin (malware.rules)
