Summary:
27 new OPEN, 36 new PRO (27 + 9) WarHawk, Cobalt Strike, and various DNS rules
Thanks @zscaler
Please share issues, feedback, and requests at Feedback
Added rules:
Open:
2039537 - ET MALWARE Win32/WarHawk Checkin Activity (malware.rules)
2039538 - ET MALWARE Win32/WarHawk Activity (ping) (malware.rules)
2039539 - ET MALWARE Win32/WarHawk Activity (task) (malware.rules)
2039540 - ET MALWARE Win32/WarHawk Activity (cmd) (malware.rules)
2039541 - ET MALWARE Win32/WarHawk Activity (filemgr) (malware.rules)
2039542 - ET MALWARE Win32/WarHawk Activity (filemgr) M2 (malware.rules)
2039543 - ET MALWARE Win32/WarHawk Activity (fileupload) (malware.rules)
2039544 - ET MALWARE Win32/WarHawk Activity (task_done) (malware.rules)
2039545 - ET MALWARE Win32/WarHawk Sending Windows System Information (POST) (malware.rules)
2039546 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (malware.rules)
2039547 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (malware.rules)
2039548 - ET MALWARE Sidewinder APT Related Malware Activity M2 (GET) (malware.rules)
2039549 - ET INFO Qihoo 360 DNS Over HTTPS Certificate Inbound (info.rules)
2039550 - ET INFO Restena DNS Over HTTPS Certificate Inbound (info.rules)
2039551 - ET INFO Rezhajul DNS Over HTTPS Certificate Inbound (info.rules)
2039552 - ET INFO Ryan Palmer DNS Over HTTPS Certificate Inbound (info.rules)
2039553 - ET INFO Safe Surfer DNS Over HTTPS Certificate Inbound (info.rules)
2039554 - ET INFO Switch DNS Over HTTPS Certificate Inbound (info.rules)
2039555 - ET INFO TheRifleMan DNS Over HTTPS Certificate Inbound (info.rules)
2039556 - ET INFO Usable Privacy DNS Over HTTPS Certificate Inbound (info.rules)
2039557 - ET INFO WeDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039558 - ET INFO WeDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039559 - ET INFO MyDNS .network DNS Over HTTPS Certificate Inbound (info.rules)
2039560 - ET INFO Null31 DNS Over HTTPS Certificate Inbound (info.rules)
2039561 - ET INFO Public Array DNS Over HTTPS Certificate Inbound (info.rules)
2039562 - ET INFO Public Array DNS Over HTTPS Certificate Inbound (info.rules)
2039563 - ET POLICY External IP Lookup (ip .anysrc .net) (policy.rules)
Pro:
2852659 - ETPRO PHISHING Successful Generic Phish 2022-10-25 (phishing.rules)
2852666 - ETPRO POLICY Observed SSL Cert (anysrc .net) (policy.rules)
Modified active rules:
2026743 - ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) (hunting.rules)
2039442 - ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com) (malware.rules)
2829638 - ETPRO POLICY External IP Address Lookup via ident .me (policy.rules)
2840685 - ETPRO POLICY Observed SSL Cert (ipecho IP Check) (policy.rules)
Disabled and modified rules:
2038950 - ET MALWARE SocGholish Domain in DNS Lookup (amplifier .myjesusloves .me) (malware.rules)
2039030 - ET MALWARE TA569 Domain in DNS Lookup (skambio-porte .com) (malware.rules)
2039140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (houses .in-vermont .com) (malware.rules)
2039169 - ET MALWARE SocGholish CnC Domain in DNS Lookup (demand .sageyogatherapies .com) (malware.rules)
Removed rules:
2852635 - ETPRO MALWARE Win32/WarHawk Checkin Activity (malware.rules)
2852636 - ETPRO MALWARE Win32/WarHawk Activity (ping) (malware.rules)
2852637 - ETPRO MALWARE Win32/WarHawk Activity (task) (malware.rules)
2852638 - ETPRO MALWARE Win32/WarHawk Activity (cmd) (malware.rules)
2852639 - ETPRO MALWARE Win32/WarHawk Activity (filemgr) (malware.rules)
2852640 - ETPRO MALWARE Win32/WarHawk Activity (filemgr) M2 (malware.rules)
2852641 - ETPRO MALWARE Win32/WarHawk Activity (fileupload) (malware.rules)