Weekly Detection Rule (YARA and Snort) Information – Week 3, June 2024
The following is the information on YARA and Snort rules (week 3, June 2024) collected and shared by the AhnLab TIP service.
- 10 YARA Rules
| Detection name | Description | Source |
| --- | --- | --- |
| PK_DBS_baglan | Detects a phishing kit impersonating DBS bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_NatWest_admin | Detects a phishing kit impersonating NatWest bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Postbank_buff | Detects a phishing kit impersonating PostBank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_RAM_otp | Detects a phishing kit impersonating RAM.co.za (transportation) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Telstra_flow | Detects a phishing kit impersonating Telstra | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Chase_Xbaltiv2 | Detects a phishing kit impersonating Chase bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_KeyBank_otp | Detects a phishing kit impersonating KeyBank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_NavyFederal_Hemsworth | Detects a phishing kit impersonating Navy Federal Credit Union (bank for military personnel and their families) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Spotify_antics | Detects a phishing kit impersonating Spotify | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SwissPass_blackforce | Detects a phishing kit impersonating SwissPass | https://github.com/t4d/PhishingKit-Yara-Rules |
- 42 Snort Rules
| Detection name | Description | Source |
| --- | --- | --- |
| ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound | Detects PHP-Live-Chat administrator account creation attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Hongjing eHR Showmedia.jsp SQL Injection Inbound | Detects Hongjing eHR SQL injection attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT NextGen Mirth Connect <4.4.1 RCE Attempt (CVE-2023-43208) | Detects NextGen Mirth Connect RCE vulnerability exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ClearFlake CnC Activity Outbound (source_id) | Detects ClearFlake C2 connection packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ClearFlake CnC Checkin (POST) | Detects ClearFlake C2 connection packet | https://rules.emergingthreatspro.com/open/ |
| ET INFO Suspicious Header Name In HTTP Request (U) | Detects suspicious header name packet in HTTP Request | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Telegram QR Code Login Landing Page 2024-06-10 | Detects Telegram QR code login landing page packet | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS UEFA EURO 2024 Survey Landing Page 2024-06-11 | Detects UEFA EURO 2024 survey landing page packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT UFIDA PLM getWorkGroups Unauthorized Information Access Attempt | Detects UFIDA PLM getWorkGroups unauthorized access attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Zhibang International ERP System SQL Injection Attempt | Detects Zhibang International ERP SQL Injection attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT ZhongCheng Kexin Ticket Management System SQLi Attempt | Detects ZhongCheng Kexin ticket management system SQL injection attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT JEPaaS Development Platform File Upload Authentication Bypass | Detects JEPaaS Development Platform file upload authentication bypass packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Possible Telerik Deserialization Attempt – POST to Vulnerable Path with Specific Extension (CVE-2024-1800) | Detects Telerik CVE-2024-1800 vulnerability exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Possible Telerik Auth Bypass Attempt – Account Creation from External Host (CVE-2024-4358) | Detects Telerik CVE-2024-4358 vulnerability exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection (varchar2) in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M1 | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M2 | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M1 | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M2 | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection sp_configure in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection DELETE FROM in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection INSERT INTO in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection SELECT FROM in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection (varchar) in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection (declare) in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection INTO OUTFILE in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection Obfuscated by REVERSE function in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection SELECT CONCAT in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection UNION SELECT in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP URI | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL Injection WAITFOR DELAY in HTTP URI | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER Possible SQL injection WAITFOR DELAY in HTTP Request Body | Detects SQL injection packet | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Survey Credential Phish Landing Page 2024-06-11 | Detects credential phishing landing page | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Survey Credential Phish Landing Page 2024-06-12 | Detects credential phishing landing page | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Dahua DSS Security Management Platform Attempted Privilege Escalation | Detects Dahua DSS Security Management Platform privilege escalation attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Telecommunications Gateway Configuration Management System Unauthenticated File Upload | Detects Telecommunications Gateway Configuration Management System unauthenticated file upload attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache OFBiz Directory Traversal Remote Code Execution Attempt (CVE-2024-36104) | Detects Apache OFBiz RCE vulnerability (CVE-2024-36104) attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter) | Detects Gh0stRAT server response packet | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Credential Phish Landing Page 2024-06-13 | Detects credential phishing landing page | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win64/TrojanDownloader.Agent.AUO User Agent | Detects the User-Agent string used by the Win64/TrojanDownloader.Agent.AUO downloader | https://rules.emergingthreatspro.com/open/ |
Detailed rule files are attached.