Ruleset Update Summary - 2023/04/10 - v10294

Summary:

2 new OPEN, 2 new PRO (2 + 0)


Added rules:

Open:

  • 2044914 - ET WEB_SERVER Generic Webshell Activity (Response) (web_server.rules)
  • 2044915 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org) (malware.rules)

Modified inactive rules:

  • 2034396 - ET MALWARE WBK Download from dotted-quad Host (malware.rules)
  • 2034479 - ET MALWARE ABCbot CnC Instruction (stop) (malware.rules)
  • 2034484 - ET MALWARE ABCbot CnC Instruction (syn) (malware.rules)
  • 2034485 - ET MALWARE ABCbot CnC Instruction (dns) (malware.rules)
  • 2034486 - ET MALWARE ABCbot CnC Instruction (bigudp) (malware.rules)
  • 2035400 - ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2 (malware.rules)
  • 2035753 - ET MALWARE MSIL/Unk.CoinMiner Downloader (malware.rules)
  • 2800833 - ETPRO SMTP IBM Lotus Domino nrouter.exe iCalendar MAILTO Stack Buffer Overflow (smtp.rules)
  • 2808504 - ETPRO MALWARE Bublik.sda pastebin Request (malware.rules)
  • 2850558 - ETPRO MALWARE PowerShell/MSF Stager Inbound (malware.rules)
  • 2851294 - ETPRO MALWARE Win32/AsyncRAT Successful Payload Download (malware.rules)
  • 2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)

Disabled and modified rules:

  • 2034287 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
  • 2034305 - ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands) (malware.rules)
  • 2034306 - ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information) (malware.rules)
  • 2034317 - ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com) (malware.rules)
  • 2044437 - ET MALWARE Maldoc Related Domain in DNS Lookup (nationalweatherserviceapp .com) (malware.rules)
  • 2044521 - ET MALWARE TA444 Related Domain in DNS Lookup (azure .doc-view .cloud) (malware.rules)
  • 2044525 - ET MALWARE PlugX Related Domain in DNS Lookup (cdn .imango .ink) (malware.rules)
  • 2044526 - ET MALWARE PlugX Related Domain in DNS Lookup (api .imango .ink) (malware.rules)
  • 2850284 - ETPRO PHISHING Successful Generic Phish 2021-10-25 (phishing.rules)
  • 2850291 - ETPRO PHISHING Successful Generic Phish 2021-10-26 (phishing.rules)
  • 2850313 - ETPRO PHISHING Successful Facebook Phish 2021-10-27 (phishing.rules)

Removed rules:

  • 2809487 - ETPRO DOS MS Telnet Service DoS Vulnerability CVE-2015-0014 (dos.rules)
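A check worth running after pulling this update, as an added example that is neither ET's own tooling nor code from the summary: the script parses a summary in the format above into the state each listed SID should be in (added and modified-active rules enabled, modified-inactive and disabled rules present but commented out, removed rules gone), parses an installed Suricata/Snort rules file for the state each SID is actually in, and reports every difference. The summary excerpt and the rules file embedded in the block are constructed test input; the rule bodies are placeholders, not ET's real content matches, and two problems are planted in the installed file so the check has something to find. The heading "Modified active rules" is assumed from ET's other daily summaries and does not appear on this page.

```python
"""Audit an installed rules file against an ET ruleset update summary.

Added example, not ET tooling. Summary sections give the state each SID
should have after the update; the rules file gives the state it has.
"""
import re
from typing import Dict, Tuple

# Summary heading -> state the listed SIDs should have once the update is applied.
# "Open:" / "Pro:" are sub-headings under "Added rules" and inherit its state.
# "Modified active rules" is assumed from other ET summaries (not on this page).
SECTION_STATE = {
    "Added rules": "enabled",
    "Modified active rules": "enabled",
    "Modified inactive rules": "disabled",
    "Disabled and modified rules": "disabled",
    "Removed rules": "missing",
}
SUBHEADINGS = {"Open", "Pro"}

# Matches "  • 2044914 - ET WEB_SERVER Generic Webshell Activity (Response) (web_server.rules)"
ENTRY_RE = re.compile(r"^\s*(?:[•*-]\s*)?(\d+)\s+-\s+(.+?)\s+\(([\w.-]+\.rules)\)\s*$")
# Suricata/Snort rules carry their ID as `sid:NNNN;` in the option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_summary(text: str, include_pro: bool = False) -> Dict[int, Tuple[str, str]]:
    """Map SID -> (expected state, msg). ETPRO entries are skipped unless
    include_pro is set: they never ship in the open ruleset and would
    otherwise all be reported as missing."""
    expected: Dict[int, Tuple[str, str]] = {}
    state = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            heading = line[:-1]
            if heading in SECTION_STATE:
                state = SECTION_STATE[heading]
            elif heading not in SUBHEADINGS:
                state = None  # e.g. "Summary:": nothing under it is a rule entry
            continue
        m = ENTRY_RE.match(line)
        if not m or state is None:
            continue
        sid, msg = int(m.group(1)), m.group(2)
        if msg.startswith("ETPRO") and not include_pro:
            continue
        expected[sid] = (state, msg)
    return expected


def parse_rules(text: str) -> Dict[int, str]:
    """Map SID -> 'enabled' | 'disabled'. A rule line starting with '#' is a
    disabled rule; comment lines without a sid option are ignored."""
    actual: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if m:
            actual[int(m.group(1))] = "disabled" if line.startswith("#") else "enabled"
    return actual


def audit(summary: str, rules: str, include_pro: bool = False) -> Dict[int, Dict[str, str]]:
    """Return {sid: {msg, expected, actual}} for every SID whose installed
    state differs from the one the summary implies."""
    actual = parse_rules(rules)
    findings: Dict[int, Dict[str, str]] = {}
    for sid, (want, msg) in parse_summary(summary, include_pro).items():
        have = actual.get(sid, "missing")
        if have != want:
            findings[sid] = {"msg": msg, "expected": want, "actual": have}
    return findings


# Constructed excerpt of the v10294 summary above (test input for this example).
SAMPLE_SUMMARY = """\
Ruleset Update Summary - 2023/04/10 - v10294

Summary:

2 new OPEN, 2 new PRO (2 + 0)

Added rules:

Open:

  • 2044914 - ET WEB_SERVER Generic Webshell Activity (Response) (web_server.rules)
  • 2044915 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org) (malware.rules)

Modified inactive rules:

  • 2034396 - ET MALWARE WBK Download from dotted-quad Host (malware.rules)
  • 2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)

Disabled and modified rules:

  • 2034305 - ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands) (malware.rules)
  • 2034317 - ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com) (malware.rules)

Removed rules:

  • 2809487 - ETPRO DOS MS Telnet Service DoS Vulnerability CVE-2015-0014 (dos.rules)
"""

# Constructed sample of an installed rules file; bodies are placeholders, not
# ET's real content matches. Two problems are planted: 2034305 was left enabled
# and the removed rule 2809487 is still present.
SAMPLE_RULES = """\
# constructed sample, not the real ET ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Activity (Response)"; flow:established,from_server; sid:2044914; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org)"; sid:2044915; rev:1;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WBK Download from dotted-quad Host"; sid:2034396; rev:3;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue)"; sid:2851313; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands)"; sid:2034305; rev:2;)
#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com)"; sid:2034317; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ETPRO DOS MS Telnet Service DoS Vulnerability CVE-2015-0014"; sid:2809487; rev:2;)
"""

if __name__ == "__main__":
    for sid, f in sorted(audit(SAMPLE_SUMMARY, SAMPLE_RULES, include_pro=True).items()):
        print(f"sid {sid}: expected {f['expected']}, found {f['actual']}  [{f['msg']}]")
```

For a real check, feed `audit()` the full summary text and the concatenated contents of the .rules files it names (malware.rules, web_server.rules, and so on). Against the open ruleset leave `include_pro` at its default so the ETPRO entries are not all reported as missing; against a PRO install set it to True. On the constructed sample the run reports 2034305 (expected disabled, found enabled) and 2809487 (expected missing, found enabled) and nothing else.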