Weekly Detection Rule (YARA and Snort) Information – Week 4, June 2024
The following is the information on YARA and Snort rules (week 4, June 2024) collected and shared by the AhnLab TIP service.
- 8 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| malware_cobaltstrike_workersdevloader | Detects a CobaltStrike loader | https://github.com/JPCERTCC/jpcert-yara |
| Kimsuky_downloader_vbs | Detects the Kimsuky VBS file downloader (PowerShell) | https://github.com/JPCERTCC/jpcert-yara |
| Kimsuky_PokDoc_ps1 | Detects the Kimsuky device information collection PowerShell script | https://github.com/JPCERTCC/jpcert-yara |
| Kimsuky_InfoKey_ps1 | Detects the Kimsuky keylogger PowerShell script | https://github.com/JPCERTCC/jpcert-yara |
| malware_DOPLUGS | Detects DOPLUGS | https://github.com/JPCERTCC/jpcert-yara |
| malware_DOPLUGSLoader | Detects the DOPLUGS loader | https://github.com/JPCERTCC/jpcert-yara |
| malware_webrcs_lnk | Detects WEBRCS executable LNK files | https://github.com/JPCERTCC/jpcert-yara |
| malware_webrcs | Detects WEBRCS | https://github.com/JPCERTCC/jpcert-yara |
- 14 Snort Rules
| Detection name | Description | Source |
|---|---|---|
| ET EXPLOIT HikVision Arbitrary Directory Traversal Attempt | Detects packets attempting to exploit the HikVision arbitrary file read vulnerability | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/ProcessKiller CnC Initialization M2 | Detects ProcessKiller C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ClickFix CnC Activity (POST) | Detects ClickFix C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ClickFix Obfuscated Payload Inbound | Detects inbound ClickFix obfuscated payload packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Fickle Stealer C2 Server Tasking | Detects Fickle Stealer C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Suspected Powershell Empire Activity M1 | Detects PowerShell Empire packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Suspected Powershell Empire Activity M2 | Detects PowerShell Empire packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Suspected Powershell Empire Activity M3 | Detects PowerShell Empire packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends State Active Window | Detects NjRat packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Server Sends Plugin to Client | Detects NjRat packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends Check-in Packet | Detects NjRat packets | https://rules.emergingthreatspro.com/open/ |
| ET MOBILE_MALWARE Android Rafel RAT Checkin M2 | Detects Rafel RAT C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET MOBILE_MALWARE Android Rafel RAT Checkin M1 | Detects Rafel RAT C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995) | Detects packets attempting to exploit SolarWinds Serv-U CVE-2024-28995 | https://rules.emergingthreatspro.com/open/ |
Detailed rule files are attached.