Ruleset Update Summary - 2023/04/18 - v10300

Summary:

63 new OPEN, 86 new PRO (63 + 23)

Thanks @Cyber0verload, @James_inthe_box, @Jane_0sint, @crep1x, @malPileDriver, @TLP_R3D, @ViriBack


Added rules:

Open:

  • 2015820 - ET HUNTING Suspicious Windows NT version 7 User-Agent (hunting.rules)
  • 2015821 - ET HUNTING Suspicious Windows NT version 8 User-Agent (hunting.rules)
  • 2015822 - ET HUNTING Suspicious Windows NT version 9 User-Agent (hunting.rules)
  • 2015898 - ET HUNTING Suspicious Windows NT version 1 User-Agent (hunting.rules)
  • 2015899 - ET HUNTING Suspicious Windows NT version 2 User-Agent (hunting.rules)
  • 2015900 - ET HUNTING Suspicious Windows NT version 3 User-Agent (hunting.rules)
  • 2016880 - ET HUNTING Suspicious Windows NT version 0 User-Agent (hunting.rules)
  • 2016898 - ET HUNTING Suspicious MSIE 10 on Windows NT 5 (hunting.rules)
  • 2044985 - ET MALWARE IcedID CnC Domain in DNS Lookup (apoligazanattions .com) (malware.rules)
  • 2044986 - ET INFO DYNAMIC_DNS Query to a *.loghomelights .com Domain (info.rules)
  • 2044987 - ET INFO DYNAMIC_DNS HTTP Request to a *.loghomelights .com Domain (info.rules)
  • 2044988 - ET INFO DYNAMIC_DNS Query to a *.funk .co .za Domain (info.rules)
  • 2044989 - ET INFO DYNAMIC_DNS HTTP Request to a *.funk .co .za Domain (info.rules)
  • 2044990 - ET INFO DYNAMIC_DNS Query to a *.emldn .com Domain (info.rules)
  • 2044991 - ET INFO DYNAMIC_DNS HTTP Request to a *.emldn .com Domain (info.rules)
  • 2044992 - ET INFO DYNAMIC_DNS Query to a *.ocean-nation .co .il Domain (info.rules)
  • 2044993 - ET INFO DYNAMIC_DNS HTTP Request to a *.ocean-nation .co .il Domain (info.rules)
  • 2044994 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (unsuitable .ru) (malware.rules)
  • 2044995 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (vesterac .ru) (malware.rules)
  • 2044996 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (hctntmc .ru) (malware.rules)
  • 2044997 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (superficial .ru) (malware.rules)
  • 2044998 - ET INFO OpenAI API Domain in DNS Lookup (api .openai .com) (info.rules)
  • 2044999 - ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M1 (malware.rules)
  • 2045000 - ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response (attack_response.rules)
  • 2045001 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound (attack_response.rules)
  • 2045002 - ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M2 (malware.rules)
  • 2045003 - ET MALWARE Win32/LeftHook Stealer CnC Command - get_socket (POST) (malware.rules)
  • 2045004 - ET MALWARE Win32/LeftHook Stealer CnC Command - save_cookies (POST) (malware.rules)
  • 2045005 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Payload Inbound (attack_response.rules)
  • 2045006 - ET ATTACK_RESPONSE Win32/LeftHook Stealer - CnC Response (get_socket) (attack_response.rules)
  • 2045007 - ET MALWARE Observed DNS Query to Gamaredon Domain (atonpi .ru) (malware.rules)
  • 2045008 - ET MALWARE Observed DNS Query to Gamaredon Domain (akenatonbo .ru) (malware.rules)
  • 2045009 - ET MALWARE Observed DNS Query to Gamaredon Domain (aktaypo .ru) (malware.rules)
  • 2045010 - ET MALWARE Observed DNS Query to Gamaredon Domain (anumbo .ru) (malware.rules)
  • 2045011 - ET MALWARE Observed DNS Query to Gamaredon Domain (amonbo .ru) (malware.rules)
  • 2045012 - ET MALWARE Observed DNS Query to Gamaredon Domain (asheypi .ru) (malware.rules)
  • 2045013 - ET MALWARE Observed DNS Query to Gamaredon Domain (aydinpo .ru) (malware.rules)
  • 2045014 - ET MALWARE Observed DNS Query to Gamaredon Domain (azibobo .ru) (malware.rules)
  • 2045015 - ET MALWARE Observed DNS Query to Gamaredon Domain (addzhobo .ru) (malware.rules)
  • 2045016 - ET MALWARE Observed DNS Query to Gamaredon Domain (altugpo .ru) (malware.rules)
  • 2045017 - ET MALWARE Observed DNS Query to Gamaredon Domain (agshinpo .ru) (malware.rules)
  • 2045018 - ET MALWARE Observed DNS Query to Gamaredon Domain (velevas .ru) (malware.rules)
  • 2045019 - ET MALWARE Observed DNS Query to Gamaredon Domain (akyuldizpo .ru) (malware.rules)
  • 2045020 - ET MALWARE Observed DNS Query to Gamaredon Domain (garame .ru) (malware.rules)
  • 2045021 - ET MALWARE Observed DNS Query to Gamaredon Domain (alpaslanpo .ru) (malware.rules)
  • 2045022 - ET MALWARE Observed DNS Query to Gamaredon Domain (adempo .ru) (malware.rules)
  • 2045023 - ET MALWARE Observed DNS Query to Gamaredon Domain (uranic .ru) (malware.rules)
  • 2045024 - ET MALWARE Observed DNS Query to Gamaredon Domain (agasypo .ru) (malware.rules)
  • 2045025 - ET MALWARE Observed DNS Query to Gamaredon Domain (ayrympo .ru) (malware.rules)
  • 2045026 - ET MALWARE Observed DNS Query to Gamaredon Domain (aydoganpo .ru) (malware.rules)
  • 2045027 - ET MALWARE Observed DNS Query to Gamaredon Domain (aktanpo .ru) (malware.rules)
  • 2045028 - ET MALWARE Observed DNS Query to Gamaredon Domain (aytashpo .ru) (malware.rules)
  • 2045029 - ET MALWARE Observed DNS Query to Gamaredon Domain (nalogw .ru) (malware.rules)
  • 2045030 - ET MALWARE Observed DNS Query to Gamaredon Domain (aytyurkpo .ru) (malware.rules)
  • 2045031 - ET MALWARE Observed DNS Query to Gamaredon Domain (baharas .ru) (malware.rules)
  • 2045032 - ET MALWARE Observed DNS Query to Gamaredon Domain (lefant .ru) (malware.rules)
  • 2045033 - ET MALWARE Observed DNS Query to Gamaredon Domain (agakiypo .ru) (malware.rules)
  • 2045034 - ET MALWARE Observed DNS Query to Gamaredon Domain (agastanpo .ru) (malware.rules)
  • 2045035 - ET MALWARE Observed DNS Query to Nemesis Domain (es-megadom .com) (malware.rules)
  • 2045036 - ET MALWARE Observed DNS Query to Nemesis Domain (plus-lema .com) (malware.rules)
  • 2045037 - ET MALWARE Observed DNS Query to Nemesis Domain (deveparty .com) (malware.rules)
  • 2045038 - ET ATTACK_RESPONSE Nemesis Admin Panel Inbound (attack_response.rules)
  • 2045039 - ET PHISHING Successful OneDrive Credential Phish 2023-04-18 (phishing.rules)

Pro:

  • 2832374 - ETPRO HUNTING HTTP Request for Single Char VBS (hunting.rules)
  • 2832430 - ETPRO HUNTING HTTP Request for Single Char BAT (hunting.rules)
  • 2832467 - ETPRO HUNTING HTTP Request for Single Char PS1 (hunting.rules)
  • 2854181 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CCM CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854182 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854183 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854184 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854185 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854186 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854187 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854188 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2854189 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854192 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854193 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854194 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854195 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854196 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854197 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854198 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)

Disabled and modified rules:

  • 2034221 - ET MALWARE Maldoc Activity (GET) (malware.rules)
  • 2034475 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)

Removed rules (the eleven SIDs below are re-added above under the HUNTING category, i.e. a move from info.rules to hunting.rules rather than a retirement of the signature):

  • 2015820 - ET INFO Suspicious Windows NT version 7 User-Agent (info.rules)
  • 2015821 - ET INFO Suspicious Windows NT version 8 User-Agent (info.rules)
  • 2015822 - ET INFO Suspicious Windows NT version 9 User-Agent (info.rules)
  • 2015898 - ET INFO Suspicious Windows NT version 1 User-Agent (info.rules)
  • 2015899 - ET INFO Suspicious Windows NT version 2 User-Agent (info.rules)
  • 2015900 - ET INFO Suspicious Windows NT version 3 User-Agent (info.rules)
  • 2016880 - ET INFO Suspicious Windows NT version 0 User-Agent (info.rules)
  • 2016898 - ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)
  • 2832374 - ETPRO INFO HTTP Request for Single Char VBS (info.rules)
  • 2832430 - ETPRO INFO HTTP Request for Single Char BAT (info.rules)
  • 2832467 - ETPRO INFO HTTP Request for Single Char PS1 (info.rules)
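A practical follow-up to an update like this is to check that a deployed rules file actually reflects it: that the re-categorised SIDs now carry the HUNTING prefix rather than the old INFO one, that the rules listed as disabled are commented out, and that nothing from the added list is missing. The script below is an added example, not Emerging Threats or Suricata code; the rule lines it parses are constructed to mimic Suricata rule syntax and are not the real ET signatures, and the SID-to-category table is taken from the lists above.

```python
"""Audit a Suricata/Snort-style rules file against the SIDs listed in a ruleset update."""
import re

# SIDs from the 2023/04/18 update and the category their msg should now carry.
# The eight User-Agent rules (and the three ETPRO Single Char rules) moved from
# INFO to HUNTING, so a file that still carries them as "ET INFO ..." is stale.
EXPECTED_CATEGORY = {
    2015820: "HUNTING", 2015821: "HUNTING", 2015822: "HUNTING", 2015898: "HUNTING",
    2015899: "HUNTING", 2015900: "HUNTING", 2016880: "HUNTING", 2016898: "HUNTING",
    2044985: "MALWARE", 2044998: "INFO", 2045039: "PHISHING",
    2034221: "MALWARE", 2034475: "MALWARE",
}

# Constructed sample rules (not the ET signatures); options are trimmed to what
# the parser needs. 2034221 is commented out, 2015822 still has the old INFO msg,
# and 2016898 is split over two lines with a backslash continuation.
SAMPLE_RULES = r"""
# hunting.rules (constructed)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows NT version 7 User-Agent"; flow:established,to_server; classtype:bad-unknown; sid:2015820; rev:6;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious MSIE 10 on Windows NT 5"; \
    flow:established,to_server; classtype:bad-unknown; sid:2016898; rev:5;)
# malware.rules (constructed)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE IcedID CnC Domain in DNS Lookup (apoligazanattions .com)"; dns.query; classtype:domain-c2; sid:2044985; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; classtype:trojan-activity; sid:2034221; rev:3;)
# info.rules (constructed): stale copy of a moved rule
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; classtype:bad-unknown; sid:2015822; rev:5;)
alert dns $HOME_NET any -> any any (msg:"ET INFO OpenAI API Domain in DNS Lookup (api .openai .com)"; dns.query; classtype:misc-activity; sid:2044998; rev:1;)
"""

_ACTIONS = ("alert", "drop", "reject", "pass")
_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
_REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")


def iter_rules(text):
    """Yield (sid, category, rev, enabled) for every rule, including commented-out ones."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # backslash continuation: join with the next line
            buf += line[:-1]
            continue
        line = buf + line
        buf = ""
        stripped = line.strip()
        if not stripped:
            continue
        enabled = True
        if stripped.startswith("#"):
            body = stripped.lstrip("#").lstrip()
            if not body.startswith(_ACTIONS):
                continue                  # an ordinary comment, not a disabled rule
            enabled = False
            stripped = body
        sid_m = _SID_RE.search(stripped)
        msg_m = _MSG_RE.search(stripped)
        if not (sid_m and msg_m):
            continue
        words = msg_m.group(1).split()
        # "ET HUNTING ..." / "ETPRO MALWARE ..." -> the second word is the category
        category = words[1] if len(words) > 1 and words[0] in ("ET", "ETPRO") else "UNKNOWN"
        rev_m = _REV_RE.search(stripped)
        yield int(sid_m.group(1)), category, int(rev_m.group(1)) if rev_m else 0, enabled


def audit(text, expected=EXPECTED_CATEGORY):
    """Map each expected SID to 'ok', 'disabled', 'missing' or 'category X, expected Y'."""
    found = {sid: (cat, enabled) for sid, cat, _rev, enabled in iter_rules(text)}
    report = {}
    for sid, want in expected.items():
        if sid not in found:
            report[sid] = "missing"
            continue
        cat, enabled = found[sid]
        if cat != want:
            report[sid] = f"category {cat}, expected {want}"
        elif not enabled:
            report[sid] = "disabled"
        else:
            report[sid] = "ok"
    return report


if __name__ == "__main__":
    for sid, status in sorted(audit(SAMPLE_RULES).items()):
        print(f"{sid}: {status}")
```

Run against a real deployment, point `audit` at the concatenated rules files Suricata actually loads (after any local disable/modify processing), since a SID that is present in the vendor download but suppressed by a local `disable.conf` will still show as enabled here.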