Weekly Detection Rule (YARA and Snort) Information – Week 4, December 2024
The following is the information on YARA and Snort rules (week 4, December 2024) collected and shared by the AhnLab TIP service.
- 5 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_BankID_poko | Phishing Kit impersonating BankID | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_DisneyPlus_blackforce | Phishing Kit impersonating Disney Plus | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_O365_itna1337 | Phishing Kit impersonating Office 365 | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_BanquePostale_z0n51_2 | Phishing Kit impersonating la Banque Postale | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_antai_inun2 | Phishing Kit impersonating French ANTAI (amendes) portal | https://github.com/t4d/PhishingKit-Yara-Rules |
- 27 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN Zloader User-Agent Observed (PresidentPutin) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Zloader CnC Activity (POST) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-55956) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M4 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity KeepAlive M4 (Inbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity SendInfo M4 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity Disconnect M4 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN XiebroC2 CnC Activity List Process M4 (Outbound) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M1 (CVE-2024-53677) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M2 (CVE-2024-53677) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi cvmcfgupload Command Injection Attempt (CVE-2020-15415) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi trustcaupload Command Injection Attempt (CVE-2023-1162) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Generic Powershell Loader Using Encryption Routine Inbound | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi commandTable parameter Command Injection Attempt (CVE-2023-24229) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi doCfgExport option Arbitrary File Read Attempt (CVE-2023-1009) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi getSyslogFile option Arbitrary File Read Attempt (CVE-2023-1163) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi dumpSyslog option Arbitrary File Deletion Attempt (CVE-2023-6265) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Command Injection (CVE-2023-34993) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Limited Arbitrary File Read | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fortinet FortiWLM Authenticated Command Injection (CVE-2023-48782) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Arbitrary File Read (CVE-2023-48783) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Xenorat Default C2 Server Response Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Xenorat Default Handshake Inbound | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Fortinet FortiClient EMS SQL Injection (CVE-2023-48788) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Microsoft Windows Contacts Syslink Control href Attribute Escape (CVE-2022-44666) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145) | https://rules.emergingthreatspro.com/open/ |