Weekly Detection Rule (YARA and Snort) Information – Week 1, February 2025
The following is the information on YARA and Snort rules (week 1, February 2025) collected and shared by the AhnLab TIP service.
- 14 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Ameli_sunrise22 | Phishing Kit impersonating Ameli.fr/Carte vitale | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Aramex_panel | Phishing Kit impersonating Aramex | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Doctolib_js | Phishing Kit impersonating Doctolib | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Email_CN | Phishing Kit stealing email credentials from 126 and 163.com | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_OneDrive_hrm | Phishing Kit impersonating OneDrive | https://github.com/t4d/PhishingKit-Yara-Rules |
| sig_27138_Veeam_Get_Creds | 27138 – file Veeam-Get-Creds.ps1 | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_lockbit_sd | 27138 – file sd.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_setup_wm | 27138 – file setup_wm.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_share_svcmc | 27138 – file svcmc.dll | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_systembc_svc | 27138 – file svc.dll | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_svchosts_ghostsocks | 27138 – file svchosts.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_share__SETUP | 27138 – file SETUP.bat | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_files_check | 27138 – file check.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_svcmc_svchosts_0 | 27138 – from files svcmc.dll, svchosts.exe | https://github.com/The-DFIR-Report/Yara-Rules |
- 30 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN Nosviak C2 Variant Advertised Services in HTML Elements | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cindy C2 SSH Server Banner | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Moonly C2 SSH Server Banner | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Nosviak C2 SSH Server Banner | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN RCNC C2 SSH Server Banner | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Sentinel C2 SSH Server Banner | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition during JSP Compilation (CVE-2024-50379) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetLocalLink Authenticated Command Injection Attempt (CVE-2021-40410, CVE-2021-40411) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDevName Authenticated Command Injection Attempt (CVE-2021-40412) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M1 – Title Defacement Attempt (CVE-2024-11680) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS File Upload (CVE-2024-53691) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Unpack File (CVE-2024-53691) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M2 – Account Creation Attempt (CVE-2024-11680) | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Koi Loader/Stealer CnC Config Inbound | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M3 – PHP File Upload Attempt (CVE-2024-11680) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Decrypt File (CVE-2024-53691) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv1 Upload Relative Path Traversal (CVE-2024-52012) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv2 Upload Relative Path Traversal (CVE-2024-52012) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Koi Stealer CnC Checkin (GET) | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN CoinMiner Exfiltration via IRC Config Inbound (Italian) | https://rules.emergingthreatspro.com/open/ |