Ruleset Update Summary - 2023/04/19 - v10301

Summary:

66 new OPEN, 109 new PRO (66 + 43)

Thanks @malPileDiver, @MavericksInt, @Cyber0verload, @Gi7w0rm, @Yeti_Sec

Added rules:

Open:

  • 2010908 - ET HUNTING Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake (hunting.rules)
  • 2017206 - ET ATTACK_RESPONSE Obfuscated Eval String 1 (attack_response.rules)
  • 2017207 - ET ATTACK_RESPONSE Obfuscated Eval String 2 (attack_response.rules)
  • 2017208 - ET ATTACK_RESPONSE Obfuscated Eval String 3 (attack_response.rules)
  • 2017209 - ET ATTACK_RESPONSE Obfuscated Eval String 4 (attack_response.rules)
  • 2017210 - ET ATTACK_RESPONSE Obfuscated Eval String 5 (attack_response.rules)
  • 2017211 - ET ATTACK_RESPONSE Obfuscated Eval String 6 (attack_response.rules)
  • 2017212 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 1 (attack_response.rules)
  • 2017213 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 2 (attack_response.rules)
  • 2017214 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 3 (attack_response.rules)
  • 2017215 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 4 (attack_response.rules)
  • 2017216 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 5 (attack_response.rules)
  • 2017217 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 6 (attack_response.rules)
  • 2017218 - ET ATTACK_RESPONSE Obfuscated Eval String (Single Q) 7 (attack_response.rules)
  • 2017219 - ET ATTACK_RESPONSE Obfuscated Eval String 7 (attack_response.rules)
  • 2017499 - ET ATTACK_RESPONSE Probably Evil Long Unicode string only string and unescape 1 (attack_response.rules)
  • 2017500 - ET ATTACK_RESPONSE Probably Evil Long Unicode string only string and unescape 2 (attack_response.rules)
  • 2017501 - ET ATTACK_RESPONSE Probably Evil Long Unicode string only string and unescape 3 (attack_response.rules)
  • 2017502 - ET ATTACK_RESPONSE Probably Evil Long Unicode string only string and unescape 3 (attack_response.rules)
  • 2026074 - ET ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI) (attack_response.rules)
  • 2026075 - ET ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI) (attack_response.rules)
  • 2026076 - ET ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI) (attack_response.rules)
  • 2026077 - ET ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI) (attack_response.rules)
  • 2026078 - ET ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI) (attack_response.rules)
  • 2026427 - ET ATTACK_RESPONSE Possibly Malicious VBS Writing to Persistence Registry Location (attack_response.rules)
  • 2026988 - ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers (attack_response.rules)
  • 2026989 - ET ATTACK_RESPONSE PowerShell Hidden Window Command Common In Powershell Stagers M1 (attack_response.rules)
  • 2026990 - ET ATTACK_RESPONSE PowerShell Hidden Window Command Common In Powershell Stagers M2 (attack_response.rules)
  • 2026991 - ET ATTACK_RESPONSE PowerShell NonInteractive Command Common In Powershell Stagers (attack_response.rules)
  • 2026992 - ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1 (attack_response.rules)
  • 2026993 - ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2 (attack_response.rules)
  • 2026994 - ET ATTACK_RESPONSE PowerShell DownloadFile Command Common In Powershell Stagers (attack_response.rules)
  • 2026995 - ET ATTACK_RESPONSE PowerShell DownloadString Command Common In Powershell Stagers (attack_response.rules)
  • 2026996 - ET ATTACK_RESPONSE PowerShell DownloadData Command Common In Powershell Stagers (attack_response.rules)
  • 2033201 - ET MALWARE Ransomware Decryptor Domain in DNS Query (decryptor .top) (malware.rules)
  • 2033202 - ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re) (malware.rules)
  • 2035671 - ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M1 (web_server.rules)
  • 2035672 - ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M2 (web_server.rules)
  • 2035673 - ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M3 (web_server.rules)
  • 2037863 - ET MALWARE Trojan.Dropper.HTML.Agent Payload (malware.rules)
  • 2039089 - ET MALWARE JS/Comm100 Trojan Backdoor Inbound (malware.rules)
  • 2039090 - ET MALWARE JS/Comm100 Trojan CnC Payload Inbound (malware.rules)
  • 2044909 - ET MALWARE VBS/TrojanDownloader.Agent.XAO Payload Inbound (malware.rules)
  • 2044937 - ET MALWARE Win32/ScarCruf Payload Inbound (malware.rules)
  • 2045040 - ET MOBILE_MALWARE Android/Harly.AO CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2045041 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.GoatRat CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2045042 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (barakapi .ru) (malware.rules)
  • 2045043 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (badrupi .ru) (malware.rules)
  • 2045044 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (ahmozpi .ru) (malware.rules)
  • 2045045 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bakaripi .ru) (malware.rules)
  • 2045046 - ET HUNTING Gamaredon APT Style jpeg Request (GET) (hunting.rules)
  • 2045047 - ET HUNTING Gamaredon APT Style Request (GET) (hunting.rules)
  • 2045048 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (akenatonbo .ru) (malware.rules)
  • 2045049 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (asheypi .ru) (malware.rules)
  • 2045050 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (atonpi .ru) (malware.rules)
  • 2045051 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (anumbo .ru) (malware.rules)
  • 2045052 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (aktaypo .ru) (malware.rules)
  • 2045053 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (amonbo .ru) (malware.rules)
  • 2045054 - ET INFO MailJet URL Shortening Service Domain in DNS Lookup (mjt .lu) (info.rules)
  • 2045055 - ET ATTACK_RESPONSE Nemesis Admin Panel Inbound (attack_response.rules)
  • 2045056 - ET MALWARE Win32/Fabookie.ek CnC Domain in DNS Lookup (malware.rules)
  • 2045057 - ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) (malware.rules)
  • 2045058 - ET MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
  • 2045059 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .alvosec .com) (info.rules)
  • 2045060 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .7sec .com) (info.rules)
  • 2045061 - ET MALWARE Domino Loader CnC Domain (upperdunk .com) in DNS Lookup (malware.rules)

Pro:

  • 2829398 - ETPRO ATTACK_RESPONSE Possibly Malicious VBScript Executing WScript.Shell Run M1 (attack_response.rules)
  • 2832052 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (IPv4 Regex) (attack_response.rules)
  • 2832053 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (Win32 Get-WmiObject) (attack_response.rules)
  • 2832054 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (OSVersion.Version) (attack_response.rules)
  • 2832055 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (GetCurrent User) (attack_response.rules)
  • 2832056 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (AntiVirus Query) (attack_response.rules)
  • 2832377 - ETPRO ATTACK_RESPONSE Possibly Malicious VBScript Executing WScript.Shell Run M2 (attack_response.rules)
  • 2832456 - ETPRO ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (Virtual string check) (attack_response.rules)
  • 2832457 - ETPRO ATTACK_RESPONSE Inbound PowerShell Checking for Virtual Host (VM ware string check) (attack_response.rules)
  • 2833038 - ETPRO ATTACK_RESPONSE Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (attack_response.rules)
  • 2833475 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (Win32_ComputerSystem) (attack_response.rules)
  • 2833476 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (OS Install Date) (attack_response.rules)
  • 2833477 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (System Language) (attack_response.rules)
  • 2833478 - ETPRO ATTACK_RESPONSE Possible System Enumeration via PowerShell over TCP (Win32_VideoController) (attack_response.rules)
  • 2835434 - ETPRO ATTACK_RESPONSE Inbound Batch File Creating Scheduled Task as System (attack_response.rules)
  • 2837924 - ETPRO MALWARE Observed Malicious SSL Cert (Card Skimmer CnC) (malware.rules)
  • 2851975 - ETPRO MALWARE LNK/Agent.12F8!tr.dldr Payload Inbound (malware.rules)
  • 2852001 - ETPRO MALWARE LNK/LALALA Stealer Payload Inbound (malware.rules)
  • 2852002 - ETPRO MALWARE LNK/LALALA Stealer Payload Inbound (malware.rules)
  • 2852027 - ETPRO MALWARE Win32/Agent_AGen.BV CnC Response (malware.rules)
  • 2852280 - ETPRO MALWARE Bitter APT CHM CnC Response (malware.rules)
  • 2852546 - ETPRO MALWARE Win32/Spy.Mekotio.EP CnC Response (DOWNLOAD) (malware.rules)
  • 2854115 - ETPRO MALWARE CrDatLoader CnC Response Inbound M1 (malware.rules)
  • 2854124 - ETPRO MALWARE CrDatLoader CnC Activity Inbound M2 (malware.rules)
  • 2854201 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CPA Checkin (mobile_malware.rules)
  • 2854202 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.fa CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854203 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeApp.p Checkin (mobile_malware.rules)
  • 2854204 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.BRats.d Checkin (mobile_malware.rules)
  • 2854205 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.BRats.d CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854206 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Kokbot.j Checkin (mobile_malware.rules)
  • 2854207 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CPM SQL Login (mobile_malware.rules)
  • 2854208 - ETPRO MOBILE_MALWARE Android.BankBot.Coper.1934 CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854209 - ETPRO MOBILE_MALWARE Android.BankBot.Coper.1934 CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854210 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Goatrat.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854211 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Goatrat.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854212 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.BRats.c CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854213 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854214 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.k CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854215 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.k CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854216 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2854217 - ETPRO MALWARE BeeShell Get-Command Request (malware.rules)
  • 2854218 - ETPRO MALWARE BeeShell Send-Results Request (malware.rules)
  • 2854219 - ETPRO MALWARE BeeShell Upload-File Request (malware.rules)

Removed rules:

  • 2010908 - ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake (info.rules)
  • 2017206 - ET INFO Obfuscated Eval String 1 (info.rules)
  • 2017207 - ET INFO Obfuscated Eval String 2 (info.rules)
  • 2017208 - ET INFO Obfuscated Eval String 3 (info.rules)
  • 2017209 - ET INFO Obfuscated Eval String 4 (info.rules)
  • 2017210 - ET INFO Obfuscated Eval String 5 (info.rules)
  • 2017211 - ET INFO Obfuscated Eval String 6 (info.rules)
  • 2017212 - ET INFO Obfuscated Eval String (Single Q) 1 (info.rules)
  • 2017213 - ET INFO Obfuscated Eval String (Single Q) 2 (info.rules)
  • 2017214 - ET INFO Obfuscated Eval String (Single Q) 3 (info.rules)
  • 2017215 - ET INFO Obfuscated Eval String (Single Q) 4 (info.rules)
  • 2017216 - ET INFO Obfuscated Eval String (Single Q) 5 (info.rules)
  • 2017217 - ET INFO Obfuscated Eval String (Single Q) 6 (info.rules)
  • 2017218 - ET INFO Obfuscated Eval String (Single Q) 7 (info.rules)
  • 2017219 - ET INFO Obfuscated Eval String 7 (info.rules)
  • 2017499 - ET INFO Probably Evil Long Unicode string only string and unescape 1 (info.rules)
  • 2017500 - ET INFO Probably Evil Long Unicode string only string and unescape 2 (info.rules)
  • 2017501 - ET INFO Probably Evil Long Unicode string only string and unescape 3 (info.rules)
  • 2017502 - ET INFO Probably Evil Long Unicode string only string and unescape 3 (info.rules)
  • 2017919 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 (dos.rules)
  • 2026074 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI) (info.rules)
  • 2026075 - ET INFO Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI) (info.rules)
  • 2026076 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI) (info.rules)
  • 2026077 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI) (info.rules)
  • 2026078 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI) (info.rules)
  • 2026427 - ET INFO Possibly Malicious VBS Writing to Persistence Registry Location (info.rules)
  • 2026988 - ET INFO PowerShell NoProfile Command Received In Powershell Stagers (info.rules)
  • 2026989 - ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1 (info.rules)
  • 2026990 - ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2 (info.rules)
  • 2026991 - ET INFO PowerShell NonInteractive Command Common In Powershell Stagers (info.rules)
  • 2026992 - ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1 (info.rules)
  • 2026993 - ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2 (info.rules)
  • 2026994 - ET INFO PowerShell DownloadFile Command Common In Powershell Stagers (info.rules)
  • 2026995 - ET INFO PowerShell DownloadString Command Common In Powershell Stagers (info.rules)
  • 2026996 - ET INFO PowerShell DownloadData Command Common In Powershell Stagers (info.rules)
  • 2033201 - ET INFO Ransomware Decryptor Domain in DNS Query (decryptor .top) (info.rules)
  • 2033202 - ET INFO Ransomware Decryptor Domain in DNS Query (decoder .re) (info.rules)
  • 2035671 - ET INFO Common JSP WebShell String Observed in HTTP Header M1 (info.rules)
  • 2035672 - ET INFO Common JSP WebShell String Observed in HTTP Header M2 (info.rules)
  • 2035673 - ET INFO Common JSP WebShell String Observed in HTTP Header M3 (info.rules)
  • 2037863 - ET ATTACK_RESPONSE Trojan.Dropper.HTML.Agent Payload (attack_response.rules)
  • 2039089 - ET ATTACK_RESPONSE JS/Comm100 Trojan Backdoor Inbound (attack_response.rules)
  • 2039090 - ET ATTACK_RESPONSE JS/Comm100 Trojan CnC Payload Inbound (attack_response.rules)
  • 2044909 - ET ATTACK_RESPONSE VBS/TrojanDownloader.Agent.XAO Payload Inbound (attack_response.rules)
  • 2044937 - ET ATTACK_RESPONSE Win32/ScarCruf Payload Inbound (attack_response.rules)
  • 2829398 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell Run M1 (info.rules)
  • 2832052 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (IPv4 Regex) (info.rules)
  • 2832053 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32 Get-WmiObject) (info.rules)
  • 2832054 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (OSVersion.Version) (info.rules)
  • 2832055 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (GetCurrent User) (info.rules)
  • 2832056 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (AntiVirus Query) (info.rules)
  • 2832377 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell Run M2 (info.rules)
  • 2832456 - ETPRO INFO Inbound PowerShell Checking for Virtual Host (Virtual string check) (info.rules)
  • 2832457 - ETPRO INFO Inbound PowerShell Checking for Virtual Host (VM ware string check) (info.rules)
  • 2833038 - ETPRO INFO Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (info.rules)
  • 2833475 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_ComputerSystem) (info.rules)
  • 2833476 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (OS Install Date) (info.rules)
  • 2833477 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (System Language) (info.rules)
  • 2833478 - ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_VideoController) (info.rules)
  • 2835434 - ETPRO INFO Inbound Batch File Creating Scheduled Task as System (info.rules)
  • 2837924 - ETPRO INFO Observed Malicious SSL Cert (Card Skimmer CnC) (info.rules)
  • 2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
  • 2851975 - ETPRO ATTACK_RESPONSE LNK/Agent.12F8!tr.dldr Payload Inbound (attack_response.rules)
  • 2852001 - ETPRO ATTACK_RESPONSE LNK/LALALA Stealer Payload Inbound (attack_response.rules)
  • 2852002 - ETPRO ATTACK_RESPONSE LNK/LALALA Stealer Payload Inbound (attack_response.rules)
  • 2852027 - ETPRO ATTACK_RESPONSE Win32/Agent_AGen.BV CnC Response (attack_response.rules)
  • 2852280 - ETPRO ATTACK_RESPONSE Bitter APT CHM CnC Response (attack_response.rules)
  • 2852546 - ETPRO ATTACK_RESPONSE Win32/Spy.Mekotio.EP CnC Response (DOWNLOAD) (attack_response.rules)
  • 2854115 - ETPRO ATTACK_RESPONSE CrDatLoader CnC Response Inbound M1 (attack_response.rules)
  • 2854124 - ETPRO ATTACK_RESPONSE CrDatLoader CnC Activity Inbound M2 (attack_response.rules)