Ruleset Update Summary - 2023/04/18 - v10300

rulesbot · April 18, 2023, 9:24pm

Summary:

63 new OPEN, 86 new PRO (63 + 23)

Thanks @Cyber0verload, @James_inthe_box, @Jane_0sint, @crep1x, @malPileDriver, @TLP_R3D, @ViriBack

Added rules:

Open:

2015820 - ET HUNTING Suspicious Windows NT version 7 User-Agent (hunting.rules)
2015821 - ET HUNTING Suspicious Windows NT version 8 User-Agent (hunting.rules)
2015822 - ET HUNTING Suspicious Windows NT version 9 User-Agent (hunting.rules)
2015898 - ET HUNTING Suspicious Windows NT version 1 User-Agent (hunting.rules)
2015899 - ET HUNTING Suspicious Windows NT version 2 User-Agent (hunting.rules)
2015900 - ET HUNTING Suspicious Windows NT version 3 User-Agent (hunting.rules)
2016880 - ET HUNTING Suspicious Windows NT version 0 User-Agent (hunting.rules)
2016898 - ET HUNTING Suspicious MSIE 10 on Windows NT 5 (hunting.rules)
2044985 - ET MALWARE IcedID CnC Domain in DNS Lookup (apoligazanattions .com) (malware.rules)
2044986 - ET INFO DYNAMIC_DNS Query to a *.loghomelights .com Domain (info.rules)
2044987 - ET INFO DYNAMIC_DNS HTTP Request to a *.loghomelights .com Domain (info.rules)
2044988 - ET INFO DYNAMIC_DNS Query to a *.funk .co .za Domain (info.rules)
2044989 - ET INFO DYNAMIC_DNS HTTP Request to a *.funk .co .za Domain (info.rules)
2044990 - ET INFO DYNAMIC_DNS Query to a *.emldn .com Domain (info.rules)
2044991 - ET INFO DYNAMIC_DNS HTTP Request to a *.emldn .com Domain (info.rules)
2044992 - ET INFO DYNAMIC_DNS Query to a *.ocean-nation .co .il Domain (info.rules)
2044993 - ET INFO DYNAMIC_DNS HTTP Request to a *.ocean-nation .co .il Domain (info.rules)
2044994 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (unsuitable .ru) (malware.rules)
2044995 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (vesterac .ru) (malware.rules)
2044996 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (hctntmc .ru) (malware.rules)
2044997 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (superficial .ru) (malware.rules)
2044998 - ET INFO OpenAI API Domain in DNS Lookup (api .openai .com) (info.rules)
2044999 - ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M1 (malware.rules)
2045000 - ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response (attack_response.rules)
2045001 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound (attack_response.rules)
2045002 - ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M2 (malware.rules)
2045003 - ET MALWARE Win32/LeftHook Stealer CnC Command - get_socket (POST) (malware.rules)
2045004 - ET MALWARE Win32/LeftHook Stealer CnC Command - save_cookies (POST) (malware.rules)
2045005 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Payload Inbound (attack_response.rules)
2045006 - ET ATTACK_RESPONSE Win32/LeftHook Stealer - CnC Response (get_socket) (attack_response.rules)
2045007 - ET MALWARE Observed DNS Query to Gamaredon Domain (atonpi .ru) (malware.rules)
2045008 - ET MALWARE Observed DNS Query to Gamaredon Domain (akenatonbo .ru) (malware.rules)
2045009 - ET MALWARE Observed DNS Query to Gamaredon Domain (aktaypo .ru) (malware.rules)
2045010 - ET MALWARE Observed DNS Query to Gamaredon Domain (anumbo .ru) (malware.rules)
2045011 - ET MALWARE Observed DNS Query to Gamaredon Domain (amonbo .ru) (malware.rules)
2045012 - ET MALWARE Observed DNS Query to Gamaredon Domain (asheypi .ru) (malware.rules)
2045013 - ET MALWARE Observed DNS Query to Gamaredon Domain (aydinpo .ru) (malware.rules)
2045014 - ET MALWARE Observed DNS Query to Gamaredon Domain (azibobo .ru) (malware.rules)
2045015 - ET MALWARE Observed DNS Query to Gamaredon Domain (addzhobo .ru) (malware.rules)
2045016 - ET MALWARE Observed DNS Query to Gamaredon Domain (altugpo .ru) (malware.rules)
2045017 - ET MALWARE Observed DNS Query to Gamaredon Domain (agshinpo .ru) (malware.rules)
2045018 - ET MALWARE Observed DNS Query to Gamaredon Domain (velevas .ru) (malware.rules)
2045019 - ET MALWARE Observed DNS Query to Gamaredon Domain (akyuldizpo .ru) (malware.rules)
2045020 - ET MALWARE Observed DNS Query to Gamaredon Domain (garame .ru) (malware.rules)
2045021 - ET MALWARE Observed DNS Query to Gamaredon Domain (alpaslanpo .ru) (malware.rules)
2045022 - ET MALWARE Observed DNS Query to Gamaredon Domain (adempo .ru) (malware.rules)
2045023 - ET MALWARE Observed DNS Query to Gamaredon Domain (uranic .ru) (malware.rules)
2045024 - ET MALWARE Observed DNS Query to Gamaredon Domain (agasypo .ru) (malware.rules)
2045025 - ET MALWARE Observed DNS Query to Gamaredon Domain (ayrympo .ru) (malware.rules)
2045026 - ET MALWARE Observed DNS Query to Gamaredon Domain (aydoganpo .ru) (malware.rules)
2045027 - ET MALWARE Observed DNS Query to Gamaredon Domain (aktanpo .ru) (malware.rules)
2045028 - ET MALWARE Observed DNS Query to Gamaredon Domain (aytashpo .ru) (malware.rules)
2045029 - ET MALWARE Observed DNS Query to Gamaredon Domain (nalogw .ru) (malware.rules)
2045030 - ET MALWARE Observed DNS Query to Gamaredon Domain (aytyurkpo .ru) (malware.rules)
2045031 - ET MALWARE Observed DNS Query to Gamaredon Domain (baharas .ru) (malware.rules)
2045032 - ET MALWARE Observed DNS Query to Gamaredon Domain (lefant .ru) (malware.rules)
2045033 - ET MALWARE Observed DNS Query to Gamaredon Domain (agakiypo .ru) (malware.rules)
2045034 - ET MALWARE Observed DNS Query to Gamaredon Domain (agastanpo .ru) (malware.rules)
2045035 - ET MALWARE Observed DNS Query to Nemesis Domain (es-megadom .com) (malware.rules)
2045036 - ET MALWARE Observed DNS Query to Nemesis Domain (plus-lema .com) (malware.rules)
2045037 - ET MALWARE Observed DNS Query to Nemesis Domain (deveparty .com) (malware.rules)
2045038 - ET ATTACK_RESPONSE Nemesis Admin Panel Inbound (attack_response.rules)
2045039 - ET PHISHING Successful OneDrive Credential Phish 2023-04-18 (phishing.rules)

Pro:

2832374 - ETPRO HUNTING HTTP Request for Single Char VBS (hunting.rules)
2832430 - ETPRO HUNTING HTTP Request for Single Char BAT (hunting.rules)
2832467 - ETPRO HUNTING HTTP Request for Single Char PS1 (hunting.rules)
2854181 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CCM CnC Domain in DNS Lookup (mobile_malware.rules)
2854182 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854183 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854184 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854185 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854186 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854187 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854188 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
2854189 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2854190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854192 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2854193 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2854194 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2854195 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2854196 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2854197 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2854198 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2854199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2854200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)

Disabled and modified rules:

2034221 - ET MALWARE Maldoc Activity (GET) (malware.rules)
2034475 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)

Removed rules:

2015820 - ET INFO Suspicious Windows NT version 7 User-Agent (info.rules)
2015821 - ET INFO Suspicious Windows NT version 8 User-Agent (info.rules)
2015822 - ET INFO Suspicious Windows NT version 9 User-Agent (info.rules)
2015898 - ET INFO Suspicious Windows NT version 1 User-Agent (info.rules)
2015899 - ET INFO Suspicious Windows NT version 2 User-Agent (info.rules)
2015900 - ET INFO Suspicious Windows NT version 3 User-Agent (info.rules)
2016880 - ET INFO Suspicious Windows NT version 0 User-Agent (info.rules)
2016898 - ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)
2832374 - ETPRO INFO HTTP Request for Single Char VBS (info.rules)
2832430 - ETPRO INFO HTTP Request for Single Char BAT (info.rules)
2832467 - ETPRO INFO HTTP Request for Single Char PS1 (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/05/02 - v10313 Ruleset Updates	396	May 2, 2023
Ruleset Update Summary - 2023/05/08 - v10318 Ruleset Updates	307	May 8, 2023
Ruleset Update Summary - 2023/07/25 - v10379 Ruleset Updates	223	July 25, 2023
Ruleset Update Summary - 2023/12/27 - v10494 Ruleset Updates	227	December 27, 2023
Ruleset Update Summary - 2023/12/28 - v10495 Ruleset Updates	175	December 28, 2023

Ruleset Update Summary - 2023/04/18 - v10300

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related Topics