Weekly Detection Rule (YARA and Snort) Information – Week 2, December 2024
The following is the information on YARA and Snort rules (week 2, December 2024) collected and shared by the AhnLab TIP service.
- 8 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| VeeamHax | exe – file VeeamHax.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| PK_Elster_darknet | Phishing Kit impersonating Elster tax office (DE) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Nickel_memoryerror | Phishing Kit impersonating Nickel | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Telegram_gambar | Phishing Kit impersonating Telegram (Malaysian users) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Ledger_shadowroot | Phishing Kit impersonating Ledger | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_PayPal_system | Phishing Kit impersonating Paypal | https://github.com/t4d/PhishingKit-Yara-Rules |
| Brooxml_Hunting | Detects Microsoft OOXML files with prepended data/manipulated header | https://github.com/Neo23x0/signature-base |
| Brooxml_Phishing | Detects PDF and OOXML files leading to AiTM phishing | https://github.com/Neo23x0/signature-base |
- 8 Snort Rules
| Detection name | Source |
|---|---|
| ET ATTACK_RESPONSE Base64 Encoded Powershell Performing Byte Operations Inbound | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Mitel MiCollab Pre-Authentication SQLi (CVE-2024-35286) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zabbix Server SQLi API user.get Method (CVE-2024-42327) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Bitcoin Scam Victim Details Exfiltration (POST) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Bitcoin Scam Webpage Observed | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE RuPSRAT Command Inbound (Download/Execute GoBayden) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877) | https://rules.emergingthreatspro.com/open/ |