Daily Ruleset Update Summary 2022/09/13

Summary:

18 new OPEN, 28 new PRO (18 + 10).
Win32/Injector.DKUN, Sidewinder APT, Powershell/PowHeartBeat CnC and IcedID.

Thanks @ESET, @HuntressLabs and @zscaler


Added rules:

Open:

  • 2012707 - ET MALWARE Win32/Injector.DKUN Variant Response (malware.rules)
  • 2038809 - ET HUNTING Suspicious Windows Installer UA for non-MSI (hunting.rules)
  • 2038810 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038811 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038812 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038813 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038814 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038815 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038816 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038817 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038818 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2038819 - ET INFO SQLite DLL Retrieval by Name (GET) (info.rules)
  • 2038820 - ET MALWARE Sidewinder APT Related Malware Activity M1 (GET) (malware.rules)
  • 2038821 - ET MALWARE Powershell/PowHeartBeat CnC Checkin - ICMP (malware.rules)
  • 2038822 - ET MALWARE Observed DNS Query to Malicious Powershell Payload domain (onerecovery .click) (malware.rules)
  • 2038823 - ET MALWARE Observed DNS Query to Reverse Shell Payload Domain (opentunnel .quest) (malware.rules)
  • 2038824 - ET MALWARE Observed Malicious Powershell Payload Delivery Domain (onerecovery .click) in TLS SNI (malware.rules)
  • 2038825 - ET MALWARE Observed Reverse Shell Payload Delivery Domain (opentunnel .quest) in TLS SNI (malware.rules)

Pro:

  • 2852367 - ETPRO INFO HTTP Request With Uppercase Host Header Observed (info.rules)
  • 2852368 - ETPRO MALWARE Win32/IcedID Stage2 CnC Activity M2 (GET) (malware.rules)

Modified active rules:

  • 2025633 - ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 1 (malware.rules)
  • 2025634 - ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 2 (malware.rules)
  • 2032947 - ET MALWARE Ares Activity (POST) (malware.rules)
  • 2037002 - ET MALWARE Win32/Grandoreiro Loader Checkin Activity (POST) (malware.rules)
  • 2038618 - ET MALWARE Win32/Grandoreiro Sending System Information (POST) (malware.rules)
  • 2038619 - ET MALWARE Win32/Grandoreiro Related Activity (GET) (malware.rules)
  • 2833510 - ETPRO POLICY SentryPC/Realtime Spy Host Monitor Software Screenshot POST (policy.rules)

Removed rules:

  • 2012707 - ET HUNTING Suspicious double Server Header (hunting.rules)
  • 2832607 - ETPRO HUNTING Suspicious Windows Installer UA for non-MSI (hunting.rules)
  • 2850605 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850606 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850607 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850608 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850609 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850610 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850611 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850612 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2850621 - ETPRO MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2852278 - ETPRO MALWARE HTML/TrojanDownloader.Agent.NKU CnC Activity M1 (malware.rules)