Ruleset Update Summary - 2023/04/17 - v10299

Summary:

48 new OPEN, 68 new PRO (48 + 20)

Thanks @suyog41, @500mk500, @Cyber0verload


Added rules:

Open:

  • 2012384 - ET HUNTING Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP (hunting.rules)
  • 2014567 - ET HUNTING EXE Download With Content Type Specified As Empty (hunting.rules)
  • 2015675 - ET EXPLOIT_KIT SimpleTDS go.php (sid) (exploit_kit.rules)
  • 2017300 - ET EXPLOIT_KIT Rawin -TDS - POST w/Java Version (exploit_kit.rules)
  • 2017906 - ET EXPLOIT_KIT TDS Unknown_.aso - URI - IP.aso (exploit_kit.rules)
  • 2018177 - ET EXPLOIT_KIT OnClick Anti-BOT TDS POST Feb 25 2014 (exploit_kit.rules)
  • 2018178 - ET EXPLOIT_KIT OnClick Anti-BOT TDS Hidden Form Feb 25 2014 (exploit_kit.rules)
  • 2018357 - ET EXPLOIT_KIT EvilTDS Redirection (exploit_kit.rules)
  • 2027207 - ET HUNTING HTTP Request with Double Cache-Control (hunting.rules)
  • 2031615 - ET EXPLOIT_KIT Observed Evil Keitaro TDS Redirection Domain (fiberswatch .com in TLS SNI) (exploit_kit.rules)
  • 2038550 - ET EXPLOIT_KIT Parrot TDS Check (exploit_kit.rules)
  • 2038551 - ET EXPLOIT_KIT Parrot TDS Cleared Response (exploit_kit.rules)
  • 2038552 - ET EXPLOIT_KIT Parrot TDS Malicious Response (exploit_kit.rules)
  • 2044703 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqueryns .com) (exploit_kit.rules)
  • 2044704 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqscr .com) (exploit_kit.rules)
  • 2044791 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jsqur .com) (exploit_kit.rules)
  • 2044792 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jqueryh .org) (exploit_kit.rules)
  • 2044847 - ET EXPLOIT_KIT TA569 TDS Domain in DNS Lookup (xjquery .com) (exploit_kit.rules)
  • 2044894 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (devqeury .org) (exploit_kit.rules)
  • 2044907 - ET EXPLOIT_KIT TDS Landing Page - Observed Leading to CryptoClipper (exploit_kit.rules)
  • 2044908 - ET EXPLOIT_KIT TDS checkResult Request - Observed Leading to CryptoClipper (exploit_kit.rules)
  • 2044915 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org) (exploit_kit.rules)
  • 2044938 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (backendjs .org) (exploit_kit.rules)
  • 2044939 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (assistpayout .org) (exploit_kit.rules)
  • 2044940 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jsviewdev .org) (exploit_kit.rules)
  • 2044962 - ET MALWARE Gamaredon APT Maldoc Retrieving Remote Template (GET) (malware.rules)
  • 2044963 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M1 (attack_response.rules)
  • 2044964 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M2 (attack_response.rules)
  • 2044965 - ET MALWARE StormKitty Download Request With Minimal Headers (malware.rules)
  • 2044966 - ET MALWARE TyphonStealer Exfil via Telegram (malware.rules)
  • 2044967 - ET MALWARE TyphonStealer Exfil via AnonFiles (POST) (malware.rules)
  • 2044968 - ET PHISHING Crypto Credential Phish Landing Page 2023-04-17 (phishing.rules)
  • 2044969 - ET INFO Git Service Hosted with Gittea (info.rules)
  • 2044970 - ET INFO URL Shortener Service Domain in DNS Lookup (ffm .to) (info.rules)
  • 2044971 - ET INFO TDS Domain in DNS Lookup (cloakerly .com) (info.rules)
  • 2044972 - ET PHISHING Tech Support Phone Scam Landing 2023-04-17 (phishing.rules)
  • 2044973 - ET PHISHING Successful Bank of America Credential Phish 2023-04-17 (phishing.rules)
  • 2044974 - ET MALWARE PlutoCrypt Decryption Key Exfil (malware.rules)
  • 2044975 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (etaqeryg .org) (exploit_kit.rules)
  • 2044976 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (debquery .org) (exploit_kit.rules)
  • 2044977 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (rygesqua .org) (exploit_kit.rules)
  • 2044978 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (aeryqget .org) (exploit_kit.rules)
  • 2044979 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (quaryget .org) (exploit_kit.rules)
  • 2044980 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (squaryge .org) (exploit_kit.rules)
  • 2044981 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tqeuryge .org) (exploit_kit.rules)
  • 2044982 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (ygequary .org) (exploit_kit.rules)
  • 2044983 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (uaqryges .org) (exploit_kit.rules)
  • 2044984 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .reseller .wonderfulworldblog .com) (malware.rules)

Pro:

  • 2811216 - ETPRO HUNTING C: \ filepath observed in HTTP header (hunting.rules)
  • 2821106 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK SutraTDS Jul 13 2016 T1 (exploit_kit.rules)
  • 2821731 - ETPRO MALWARE MalDoc Request for Payload Aug 17 2016 (malware.rules)
  • 2823059 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (exploit_kit.rules)
  • 2823173 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (exploit_kit.rules)
  • 2823247 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS Nov 14 2016 (exploit_kit.rules)
  • 2825526 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS Mar 17 2017 (exploit_kit.rules)
  • 2826249 - ETPRO EXPLOIT_KIT Android ShadowTDS Response (exploit_kit.rules)
  • 2826393 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS May 15 2017 (exploit_kit.rules)
  • 2827154 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS July 16 2017 (exploit_kit.rules)
  • 2827157 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS July 16 2017 2 (exploit_kit.rules)
  • 2828506 - ETPRO EXPLOIT_KIT Evil Redirector Leading to EK Keitaro TDS Nov 2 2017 2 (exploit_kit.rules)
  • 2828539 - ETPRO EXPLOIT_KIT Evil Redirector Leading to MalDoc Keitaro TDS Nov 6 2017 (exploit_kit.rules)
  • 2831076 - ETPRO EXPLOIT_KIT Sysffic TDS CnC Checkin (exploit_kit.rules)
  • 2836207 - ETPRO EXPLOIT_KIT Evil Keitaro TDS CnC Domain in DNS Lookup (exploit_kit.rules)
  • 2836208 - ETPRO EXPLOIT_KIT Observed Malicious SSL Cert (Evil Keitaro TDS CnC) (exploit_kit.rules)
  • 2838756 - ETPRO EXPLOIT_KIT Observed Malicious SSL Cert (Evil Keitaro TDS Redirection) (exploit_kit.rules)
  • 2853053 - ETPRO EXPLOIT_KIT Ursnif TDS URI pattern observed (exploit_kit.rules)
  • 2853110 - ETPRO EXPLOIT_KIT 404 TDS Redirect (exploit_kit.rules)
  • 2854180 - ETPRO INFO Observed DNS Query to .onion Proxy Domain Domain (info.rules)

Modified inactive rules:

  • 2014539 - ET EXPLOIT_KIT Malicious TDS /indigo? (exploit_kit.rules)
  • 2014884 - ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie (exploit_kit.rules)
  • 2015479 - ET EXPLOIT_KIT Possible Unknown TDS /rem2.html (exploit_kit.rules)
  • 2015897 - ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain (exploit_kit.rules)
  • 2016412 - ET EXPLOIT_KIT TDS Vdele (exploit_kit.rules)
  • 2016542 - ET EXPLOIT_KIT Possible Portal TDS Kit GET (exploit_kit.rules)
  • 2016543 - ET EXPLOIT_KIT Possible Portal TDS Kit GET (2) (exploit_kit.rules)
  • 2017028 - ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure (exploit_kit.rules)
  • 2017797 - ET EXPLOIT_KIT HiMan EK - TDS - POST hyt= (exploit_kit.rules)
  • 2020824 - ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015 (exploit_kit.rules)
  • 2021696 - ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015 (exploit_kit.rules)
  • 2026774 - ET INFO DNS Over TLS Request Outbound (info.rules)
  • 2805942 - ETPRO INFO SSL server Hello certificate Internet Widgits Pty Ltd State or Province name Some-State (info.rules)

Disabled and modified rules:

  • 2031194 - ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) (malware.rules)
  • 2031206 - ET MALWARE CCleaner Backdoor DGA Domain (ab1de19d80ae6 .com) in DNS Lookup (malware.rules)
  • 2032947 - ET MALWARE Ares Activity (POST) (malware.rules)
  • 2033022 - ET MALWARE Suspected Gootkit Activity (malware.rules)
  • 2033109 - ET MALWARE ELF/Facefish Empty Payload (set) (malware.rules)
  • 2033110 - ET MALWARE ELF/Facefish Server Response (201) (malware.rules)
  • 2033111 - ET MALWARE ELF/Facefish Client Response (202) (malware.rules)
  • 2033112 - ET MALWARE ELF/Facefish Session Closing (400) (malware.rules)
  • 2033796 - ET MALWARE Cobalt Strike Malleable C2 (Custom Profile) (malware.rules)
  • 2033810 - ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile) (malware.rules)
  • 2033981 - ET MALWARE Gamaredon Maldoc Activity (GET) (malware.rules)
  • 2034039 - ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET) (malware.rules)
  • 2034088 - ET MALWARE ELF/MachO.Netwire Connectivity Check (malware.rules)
  • 2034119 - ET MALWARE W32.Tomiris C2 (init) (malware.rules)
  • 2044668 - ET MALWARE Observed DNS Query To Gamaredon Domain (balatu .ru) (malware.rules)
  • 2044669 - ET MALWARE Observed DNS Query To Gamaredon Domain (paratai .ru) (malware.rules)
  • 2044670 - ET MALWARE Observed DNS Query To Gamaredon Domain (gokols .ru) (malware.rules)
  • 2044671 - ET MALWARE Observed DNSQuery to Gamaredon Domain (omranpo .ru) (malware.rules)
  • 2044672 - ET MALWARE Observed DNSQuery to Gamaredon Domain (orduhanpo .ru) (malware.rules)
  • 2845655 - ETPRO MALWARE Jupyter Stealer Activity (POST) (malware.rules)
  • 2846183 - ETPRO PHISHING Successful Chase Phish 2020-12-18 (phishing.rules)
  • 2849201 - ETPRO ADWARE_PUP SafeCleaner Activity (POST) (adware_pup.rules)
  • 2850153 - ETPRO PHISHING Succesful Snapchat Phish 2021-10-11 (phishing.rules)

Removed rules:

  • 2012384 - ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP (info.rules)
  • 2014567 - ET INFO EXE Download With Content Type Specified As Empty (info.rules)
  • 2015675 - ET INFO SimpleTDS go.php (sid) (info.rules)
  • 2017300 - ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version (current_events.rules)
  • 2017906 - ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso (current_events.rules)
  • 2018177 - ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014 (current_events.rules)
  • 2018178 - ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014 (current_events.rules)
  • 2018357 - ET WEB_CLIENT EvilTDS Redirection (web_client.rules)
  • 2027207 - ET INFO HTTP Request with Double Cache-Control (info.rules)
  • 2031615 - ET MALWARE Observed Evil Keitaro TDS Redirection Domain (fiberswatch .com in TLS SNI) (malware.rules)
  • 2038550 - ET MALWARE Parrot TDS Check (malware.rules)
  • 2038551 - ET MALWARE Parrot TDS Cleared Response (malware.rules)
  • 2038552 - ET MALWARE Parrot TDS Malicious Response (malware.rules)
  • 2040350 - ET MALWARE Observed DNS Query to W32/Filecoder.KY!tr.ransom Domain (81 .59 .117 .34 .bc .googleusercontent .com) (malware.rules)
  • 2044703 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryns .com) (malware.rules)
  • 2044704 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqscr .com) (malware.rules)
  • 2044791 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jsqur .com) (malware.rules)
  • 2044792 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryh .org) (malware.rules)
  • 2044847 - ET MALWARE TA569 TDS Domain in DNS Lookup (xjquery .com) (malware.rules)
  • 2044894 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (devqeury .org) (malware.rules)
  • 2044907 - ET MALWARE TDS Landing Page - Observed Leading to CryptoClipper (malware.rules)
  • 2044908 - ET MALWARE TDS checkResult Request - Observed Leading to CryptoClipper (malware.rules)
  • 2044915 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org) (malware.rules)
  • 2044938 - ET WEB_CLIENT TA569 Keitaro TDS Domain in DNS Lookup (backendjs .org) (web_client.rules)
  • 2044939 - ET WEB_CLIENT TA569 Keitaro TDS Domain in DNS Lookup (assistpayout .org) (web_client.rules)
  • 2044940 - ET WEB_CLIENT TA569 Keitaro TDS Domain in DNS Lookup (jsviewdev .org) (web_client.rules)
  • 2806924 - ETPRO INFO Korean Web Traffic Statistics Service (info.rules)
  • 2811216 - ETPRO INFO C: \ filepath observed in HTTP header (info.rules)
  • 2821106 - ETPRO WEB_CLIENT Evil Redirector Leading to EK SutraTDS Jul 13 2016 T1 (web_client.rules)
  • 2821731 - ETPRO INFO MalDoc Request for Payload Aug 17 2016 (info.rules)
  • 2823059 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (web_client.rules)
  • 2823173 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (web_client.rules)
  • 2823247 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS Nov 14 2016 (web_client.rules)
  • 2825526 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS Mar 17 2017 (web_client.rules)
  • 2826249 - ETPRO MOBILE_MALWARE Android ShadowTDS Response (mobile_malware.rules)
  • 2826393 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS May 15 2017 (web_client.rules)
  • 2827154 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS July 16 2017 (web_client.rules)
  • 2827157 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS July 16 2017 2 (web_client.rules)
  • 2828506 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro TDS Nov 2 2017 2 (web_client.rules)
  • 2828539 - ETPRO WEB_CLIENT Evil Redirector Leading to MalDoc Keitaro TDS Nov 6 2017 (web_client.rules)
  • 2831076 - ETPRO MALWARE Sysffic TDS CnC Checkin (malware.rules)
  • 2836207 - ETPRO MALWARE Evil Keitaro TDS CnC Domain in DNS Lookup (malware.rules)
  • 2836208 - ETPRO MALWARE Observed Malicious SSL Cert (Evil Keitaro TDS CnC) (malware.rules)
  • 2838756 - ETPRO MALWARE Observed Malicious SSL Cert (Evil Keitaro TDS Redirection) (malware.rules)
  • 2846180 - ETPRO INFO TDS Redirect DNS Lookup (daily-prize-best .life) (info.rules)
  • 2846181 - ETPRO INFO TDS Redirect DNS Lookup (profit-strategy .life) (info.rules)
  • 2846182 - ETPRO INFO TDS Redirect DNS Lookup (bonusclub-forme .life) (info.rules)
  • 2853053 - ETPRO MALWARE Ursnif TDS URI pattern observed (malware.rules)
  • 2853110 - ETPRO MALWARE 404 TDS Redirect (malware.rules)