Weekly Detection Rule (YARA and Snort) Information – Week 1, March 2025
The following is the information on YARA and Snort rules (week 1, March 2025) collected and shared by the AhnLab TIP service.
- 1 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| sig_27244_metasploit_hta_stager | file UsySLX1n.hta | https://github.com/The-DFIR-Report/Yara-Rules |
- 23 Snort Rules
| Detection name | Source |
|---|---|
| ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Divulge Stealer CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Divulge Stealer Data Exfiltration Attempt | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Darcula Credential Phish Socket Response 2025-02-27 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Darcula Credential Phish Landing Page M1 2025-02-27 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Darcula Credential Phish Landing Page M2 2025-02-27 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20118) M2 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cisco Small Business Router RV Series Command Injection (CVE-2023-20128) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS MITRE Caldera Remote Code Execution (CVE-2025-27364) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert Associated with PolarEdge Botnet M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert Associated with PolarEdge Botnet M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert Associated with PolarEdge Botnet M3 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert Associated with PolarEdge Botnet M4 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PolarEdge Webshell Installation attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PolarEdge Webshell Activity | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PolarEdge TLS Backdoor Installation Attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PolarEdge CnC Checkin | https://rules.emergingthreatspro.com/open/ |