Ruleset Update Summary - 2023/04/20 - v10303

Ruleset Updates
1

Summary:

65 new OPEN, 89 new PRO (65 + 24)

Thanks @TLP_R3D, @bridewellsec

Added rules:

Open:

  • 2012612 - ET HUNTING Hiloti Style GET to PHP with invalid terse MSIE headers (hunting.rules)
  • 2026758 - ET SCAN External Host Probing for ChromeCast Devices (scan.rules)
  • 2027394 - ET ATTACK_RESPONSE PowerShell Internet Connectivity Check via Network GUID Inbound (attack_response.rules)
  • 2038988 - ET MALWARE Lockbit Ransomware Related Domain in DNS Lookup (lockbitapt) (malware.rules)
  • 2045062 - ET INFO Mailtrack .io Email Activity Tracking M1 (info.rules)
  • 2045063 - ET INFO Mailtrack Email Activity Tracking M2 (info.rules)
  • 2045064 - ET MALWARE Observed DNSQuery to TA444 Domain (ns2 .trytiponlineresult .com) (malware.rules)
  • 2045065 - ET MALWARE Observed DNSQuery to TA444 Domain (tet .dnx .capital) (malware.rules)
  • 2045066 - ET MALWARE Observed DNSQuery to TA444 Domain (dmarc .onlineshares .cloud) (malware.rules)
  • 2045067 - ET MALWARE Observed DNSQuery to TA444 Domain (onlineshares .cloud) (malware.rules)
  • 2045068 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .azurehosting .co) (malware.rules)
  • 2045069 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .altair-vc .com) (malware.rules)
  • 2045070 - ET MALWARE Observed DNSQuery to TA444 Domain (doc .256ventures .us) (malware.rules)
  • 2045071 - ET MALWARE Observed DNSQuery to TA444 Domain (doc .gdocshare .one) (malware.rules)
  • 2045072 - ET MALWARE Observed DNSQuery to TA444 Domain (shippingspro .com) (malware.rules)
  • 2045073 - ET MALWARE Observed DNSQuery to TA444 Domain (phcnetworks .net) (malware.rules)
  • 2045074 - ET MALWARE Observed DNSQuery to TA444 Domain (phcdevworks .com) (malware.rules)
  • 2045075 - ET MALWARE Observed DNSQuery to TA444 Domain (down .tomming .us) (malware.rules)
  • 2045076 - ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .pro) (malware.rules)
  • 2045077 - ET MALWARE Observed DNSQuery to TA444 Domain (ns1 .trytiponlineresult .com) (malware.rules)
  • 2045078 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .co) (malware.rules)
  • 2045079 - ET MALWARE Observed DNSQuery to TA444 Domain (naogoze .com) (malware.rules)
  • 2045080 - ET MALWARE Observed DNSQuery to TA444 Domain (inter .gpmtreit .co) (malware.rules)
  • 2045081 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .com) (malware.rules)
  • 2045082 - ET MALWARE Observed DNSQuery to TA444 Domain (fs .digiboxes .us) (malware.rules)
  • 2045083 - ET MALWARE Observed DNSQuery to TA444 Domain (altair .linkpc .net) (malware.rules)
  • 2045084 - ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .com) (malware.rules)
  • 2045085 - ET MALWARE Observed DNSQuery to TA444 Domain (internal .j-ic .co) (malware.rules)
  • 2045086 - ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .co) (malware.rules)
  • 2045087 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .gpmtreit .co) (malware.rules)
  • 2045088 - ET MALWARE Observed DNSQuery to TA444 Domain (trytiponlineresult .com) (malware.rules)
  • 2045089 - ET MALWARE Observed DNSQuery to TA444 Domain (partner .deepcore .v .entures) (malware.rules)
  • 2045090 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .mekongcapital .net) (malware.rules)
  • 2045091 - ET MALWARE Observed DNSQuery to TA444 Domain (corporateimageguru .com) (malware.rules)
  • 2045092 - ET MALWARE Observed DNSQuery to TA444 Domain (sarahbeery .docsend .me) (malware.rules)
  • 2045093 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .toyota-ai .org) (malware.rules)
  • 2045094 - ET MALWARE Observed DNSQuery to TA444 Domain (docsend .me) (malware.rules)
  • 2045095 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .anobaka .info) (malware.rules)
  • 2045096 - ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .top) (malware.rules)
  • 2045097 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .altair-vc .co .uk) (malware.rules)
  • 2045098 - ET MALWARE Observed DNSQuery to TA444 Domain (down .protectedviewer .co) (malware.rules)
  • 2045099 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .espcapital .pro) (malware.rules)
  • 2045100 - ET MALWARE Observed DNSQuery to TA444 Domain (ms .msteam .biz) (malware.rules)
  • 2045101 - ET MALWARE Observed DNSQuery to TA444 Domain (share .1drvmicrosoft .com) (malware.rules)
  • 2045102 - ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .us) (malware.rules)
  • 2045103 - ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .co) (malware.rules)
  • 2045104 - ET MALWARE Observed DNSQuery to TA444 Domain (server-1 .phcnetworks .net) (malware.rules)
  • 2045105 - ET MALWARE Observed DNSQuery to TA444 Domain (down .aidpartners .org) (malware.rules)
  • 2045106 - ET MALWARE Observed DNSQuery to TA444 Domain (site .siteshare .me) (malware.rules)
  • 2045107 - ET MALWARE Observed DNSQuery to TA444 Domain (down .espcapital .co) (malware.rules)
  • 2045108 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .dnx .capital) (malware.rules)
  • 2045109 - ET MALWARE Observed DNS Query to TA444 Domain (nbright .best) (malware.rules)
  • 2045110 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .org) (malware.rules)
  • 2045111 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (ukroboronprom .com .ukr .pm) (malware.rules)
  • 2045112 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .com) (malware.rules)
  • 2045113 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (setnewcreds .ukr .net .frge .io) (malware.rules)
  • 2045114 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (robot-876 .frge .io) (malware.rules)
  • 2045115 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (ukrprivatesite .frge .io) (malware.rules)
  • 2045116 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-ua .site) (malware.rules)
  • 2045117 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (meta-l .space) (malware.rules)
  • 2045118 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-log .online) (malware.rules)
  • 2045119 - ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (masterofdigital .org) (malware.rules)
  • 2045120 - ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (chatgpt4beta .com) (malware.rules)
  • 2045121 - ET MALWARE Win32/Injector.DYZG Variant Checkin (malware.rules)
  • 2045122 - ET PHISHING Successful International Card Services Credential Phish 2023-04-20 (phishing.rules)

Pro:

  • 2819840 - ETPRO HUNTING EXE Downloaded From Known Malicious Path (hunting.rules)
  • 2824650 - ETPRO WEB_SPECIFIC_APPS Vulnerable Jupyter Notebook Banner Detected (CVE-2016-9970) (web_specific_apps.rules)
  • 2829515 - ETPRO MALWARE LaZagne EXE Download (malware.rules)
  • 2854221 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854222 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854223 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854224 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854225 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854226 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854227 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854228 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854229 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854230 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854231 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854232 - ETPRO INFO PenTesesting Related Domain in DNS Lookup (info.rules)
  • 2854233 - ETPRO INFO Observed Open Redirect Domain in TLS SNI (info.rules)
  • 2854234 - ETPRO INFO Open Redirect Domain in DNS Lookup (info.rules)
  • 2854235 - ETPRO MALWARE TA544 Related Tag (Response) (malware.rules)
  • 2854236 - ETPRO MALWARE TA544 Related Tag (Response) M2 (malware.rules)
  • 2854237 - ETPRO MALWARE TA544 Related Tag (Response) M3 (malware.rules)
  • 2854238 - ETPRO MALWARE TA544 Related Tag (Response) M4 (malware.rules)
  • 2854239 - ETPRO MALWARE TA544 Related Tag (Response) M5 (malware.rules)
  • 2854242 - ETPRO PHISHING Successful Generic Sports Betting Credential Phish 2023-04-20 (phishing.rules)
  • 2854243 - ETPRO PHISHING Generic Sports Betting Phish Landing Page (phishing.rules)

Modified inactive rules:

  • 2014149 - ET INFO Possible URL List or Clickfraud URLs Delivered To Client (info.rules)
  • 2021216 - ET INFO Executable Downloaded from Google Cloud Storage (info.rules)

Removed rules:

  • 2012612 - ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers (info.rules)
  • 2026758 - ET INFO External Host Probing for ChromeCast Devices (info.rules)
  • 2027394 - ET INFO PowerShell Internet Connectivity Check via Network GUID Inbound (info.rules)
  • 2038988 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbitapt) (info.rules)
  • 2819840 - ETPRO INFO EXE Downloaded From Known Malicious Path (info.rules)
  • 2824650 - ETPRO INFO Vulnerable Jupyter Notebook Banner Detected (CVE-2016-9970) (info.rules)
  • 2829515 - ETPRO INFO LaZagne EXE Download (info.rules)
  • 2840047 - ETPRO INFO Possible OAuth Redirect Observed (info.rules)
  • 2840048 - ETPRO INFO Possible OAuth Redirect Observed (info.rules)
  • 2853797 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)