Weekly Detection Rules (YARA, Snort) – Week 1 of February 2025
This is a list of publicly released YARA and Snort rules (week 1 of February 2025) collected by the AhnLab TIP service.
- 14 YARA Rules
| Detection Name | Description | Source |
|---|---|---|
| PK_Ameli_sunrise22 | Detects a phishing kit impersonating Ameli.fr (French health insurance) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Aramex_panel | Detects a phishing kit impersonating Aramex (international logistics and delivery) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Doctolib_js | Detects a phishing kit impersonating Doctolib (French online medical appointment platform) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Email_CN | Detects a phishing kit impersonating 126.com and 163.com (Chinese e-mail services) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_OneDrive_hrm | Detects a phishing kit impersonating OneDrive | https://github.com/t4d/PhishingKit-Yara-Rules |
| sig_27138_Veeam_Get_Creds | Detects the malicious file Veeam-Get-Creds.ps1 | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_lockbit_sd | Detects the malicious file sd.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_setup_wm | Detects the malicious file setup_wm.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_share_svcmc | Detects the malicious file svcmc.dll | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_systembc_svc | Detects the malicious file svc.dll | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_svchosts_ghostsocks | Detects the malicious file svchosts.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_share__SETUP | Detects the malicious file SETUP.bat | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_files_check | Detects the malicious file check.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| sig_27138_svcmc_svchosts_0 | Detects the malicious files svcmc.dll and svchosts.exe | https://github.com/The-DFIR-Report/Yara-Rules |
- 30 Snort Rules
| Detection Name | Description | Source |
|---|---|---|
| ET TROJAN Nosviak C2 Variant Advertised Services in HTML Elements | Detects Nosviak C2 variant advertised-services packets in HTML elements | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Cindy C2 SSH Server Banner | Detects Cindy C2 SSH server banner packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Moonly C2 SSH Server Banner | Detects Moonly C2 SSH server banner packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Nosviak C2 SSH Server Banner | Detects Nosviak C2 SSH server banner packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN RCNC C2 SSH Server Banner | Detects RCNC C2 SSH server banner packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Sentinel C2 SSH Server Banner | Detects Sentinel C2 SSH server banner packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468) | Detects Microsoft Configuration Manager unauthenticated SQL injection (CVE-2024-43468) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887) | Detects TP-Link TL-WR940N hardware v3/v4 authenticated remote code execution (CVE-2024-54887) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001) | Detects Reolink RLC series IP camera TestEmail authenticated command injection attempt (CVE-2019-11001) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition during JSP Compilation (CVE-2024-50379) | Detects Apache Tomcat time-of-check time-of-use (TOCTOU) race condition (CVE-2024-50379) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982) | Detects Next.js forced caching via the x-now-route-matches HTTP header (CVE-2024-46982) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982) | Detects Next.js cached server response (CVE-2024-46982) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetLocalLink Authenticated Command Injection Attempt (CVE-2021-40410, CVE-2021-40411) | Detects Reolink RLC series IP camera SetLocalLink authenticated command injection attempt (CVE-2021-40410, CVE-2021-40411) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDevName Authenticated Command Injection Attempt (CVE-2021-40412) | Detects Reolink RLC series IP camera SetDevName authenticated command injection attempt (CVE-2021-40412) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378) | Detects CyberPanel getresetstatus statusfile parameter command injection attempt (CVE-2024-51378) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M1 – Title Defacement Attempt (CVE-2024-11680) | Detects ProjectSend authentication bypass attempt (CVE-2024-11680) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS File Upload (CVE-2024-53691) | Detects QNAP QTS/QuTS file upload (CVE-2024-53691) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Unpack File (CVE-2024-53691) | Detects QNAP QTS/QuTS file unpack (CVE-2024-53691) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M2 – Account Creation Attempt (CVE-2024-11680) | Detects ProjectSend authentication bypass attempt (CVE-2024-11680) packets | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Koi Loader/Stealer CnC Config Inbound | Detects inbound Koi Loader/Stealer C2 config packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M3 – PHP File Upload Attempt (CVE-2024-11680) | Detects ProjectSend authentication bypass attempt (CVE-2024-11680) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Decrypt File (CVE-2024-53691) | Detects QNAP QTS/QuTS file decrypt (CVE-2024-53691) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv1 Upload Relative Path Traversal (CVE-2024-52012) | Detects Apache Solr ConfigSet APIv1 upload relative path traversal (CVE-2024-52012) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv2 Upload Relative Path Traversal (CVE-2024-52012) | Detects Apache Solr ConfigSet APIv2 upload relative path traversal (CVE-2024-52012) packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Koi Stealer CnC Checkin (GET) | Detects Koi Stealer C2 connection packets | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound | Detects inbound Koi Loader/Stealer payload packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710) | Detects Mitel 6800 802.1x Support command injection (CVE-2024-41710) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704) | Detects SonicOS SSLVPN authentication bypass (CVE-2024-53704) packets | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365) | Detects Qlik Sense Enterprise HTTP request tunneling attempt (CVE-2023-48365) packets | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN CoinMiner Exfiltration via IRC Config Inbound (Italian) | Detects CoinMiner data exfiltration packets via inbound IRC config | https://rules.emergingthreatspro.com/open/ |