Weekly Detection Rule (YARA and Snort) Information – Week 3, December 2024
The following is the information on YARA and Snort rules (week 3, December 2024) collected and shared by the AhnLab TIP service.
- 6 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| EXPL_Cleo_Exploitation_Log_Indicators_Dec24 | Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024) | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 | Detects encoded PowerShell loader used during and after Cleo software exploitation (as reported by Huntress in December 2024) | https://github.com/Neo23x0/signature-base |
| SUSP_EXPL_JAR_Indicators_Dec24 | Detects characteristics of JAR files used during Cleo software exploitation (as reported by Huntress in December 2024) | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_XML_Indicators_Dec24 | Detects XML used during and after Cleo software exploitation (as reported by Huntress in December 2024) | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 | Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) – files Cli, ScSlot, Slot, SrvSlot | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_2 | Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) – file Proc | https://github.com/Neo23x0/signature-base |
- 25 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN Retdoor CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN QuickResponseC2 Default Tasking Struct | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN QuickResponseC2 Default Response Struct | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PeakLight/Emmenhtal Loader Payload Delivery Template Observed | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PeakLight/Emmenhtal Loader Payload Delivery WebPage Observed | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-50623) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Read (CVE-2024-50623) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Office365 Phish Landing Page (2024-12-12) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M1 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M2 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M3 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M1 (Inbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M2 (Inbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M3 (Inbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity SendInfo M1 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity SendInfo M2 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity SendInfo M3 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity, Disconnect M1 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity Disconnect M2 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity, Disconnect M3 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity List Process M1 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity List Process M2 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity List Process M3 (Outbound) | https://rules.emergingthreatspro.com/open/ |