Ruleset Update Summary - 2023/04/21 - v10304

rulesbot · April 21, 2023, 9:16pm

Summary:

29 new OPEN, 33 new PRO (29 + 4)

Thanks @HuntressLabs, @nao_sec

Added rules:

Open:

2044957 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jquery0 .com) (exploit_kit.rules)
2044958 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jquery01 .com) (exploit_kit.rules)
2044959 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jquery-bin .com) (exploit_kit.rules)
2044961 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (getquery .org) (exploit_kit.rules)
2045123 - ET INFO Jasmin Ransomware Panel Activity (Response) (info.rules)
2045124 - ET MALWARE Donot Group Activity (GET) (malware.rules)
2045125 - ET EXPLOIT Apache log4j RCE Attempt (http) (Outbound) (CVE-2021-44228) (exploit.rules)
2045126 - ET EXPLOIT Apache log4j RCE Attempt (http) (Inbound) (CVE-2021-44228) (exploit.rules)
2045127 - ET PHISHING Fake Google Chrome Error Landing Page, Anti-Analysis Technique (phishing.rules)
2045128 - ET PHISHING Fake Google Chrome Error Landing Page, Control Access with Cookie (phishing.rules)
2045129 - ET PHISHING Fake Google Chrome Error Landing Page, Load Payload (phishing.rules)
2045130 - ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350) (exploit.rules)
2045131 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com) (attack_response.rules)
2045132 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com) (attack_response.rules)
2045133 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com) (attack_response.rules)
2045134 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com) (attack_response.rules)
2045135 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com) (attack_response.rules)
2045136 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com) (attack_response.rules)
2045137 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com) (attack_response.rules)
2045138 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com) (attack_response.rules)
2045139 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com) (attack_response.rules)
2045140 - ET HUNTING Observed DNS Query to autoitscript .com (hunting.rules)
2045141 - ET HUNTING Observed Domain (autoitscript .com) in TLS SNI (hunting.rules)
2045142 - ET HUNTING IPFS Gateway Domain in DNS Lookup (ipfs .w3s .link) (hunting.rules)
2045143 - ET HUNTING IPFS Gateway Domain in DNS Lookup (ipfs .dweb .link) (hunting.rules)
2045144 - ET HUNTING IPFS Gateway Domain in DNS Lookup (gateway .pinata .cloud) (hunting.rules)
2045145 - ET HUNTING Observed IPFS Gateway Domain (ipfs .w3s .link) in TLS SNI (hunting.rules)
2045146 - ET HUNTING Observed IPFS Gateway Domain (ipfs .dweb .link) in TLS SNI (hunting.rules)
2045147 - ET HUNTING Observed IPFS Gateway Domain (gateway .pinata .cloud) in TLS SNI (hunting.rules)

Pro:

2854244 - ETPRO MALWARE Observed DNS Query to AgentTesla Domain (malware.rules)
2854245 - ETPRO MALWARE Win32/Ladrona Stealer CnC Exfil (malware.rules)
2854246 - ETPRO MALWARE Gatef Loader Payload Retrieval Attempt (malware.rules)
2854247 - ETPRO MALWARE Win32/Spy.Autoit.GK CnC Checkin (malware.rules)

Disabled and modified rules:

2036687 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net) (malware.rules)
2036688 - ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net) (malware.rules)
2037789 - ET MALWARE JS.SocGholish CnC Activity (POST) (malware.rules)
2044176 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributor .techsavvyauto .com) (malware.rules)
2044177 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .picture .mercedesbestphoto .store) (malware.rules)
2833520 - ETPRO MALWARE Observed Malicious SSL Cert (SocGholish Redirect) (malware.rules)
2843276 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
2843287 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
2843643 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)
2843654 - ETPRO MALWARE Observed SocGholish Domain in TLS SNI (malware.rules)

Removed rules:

2044957 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jquery0 .com) (malware.rules)
2044958 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jquery01 .com) (malware.rules)
2044959 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jquery-bin .com) (malware.rules)
2044961 - ET WEB_CLIENT TA569 Keitaro TDS Domain in DNS Lookup (getquery .org) (web_client.rules)
2045064 - ET MALWARE Observed DNSQuery to TA444 Domain (ns2 .trytiponlineresult .com) (malware.rules)
2045069 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .altair-vc .com) (malware.rules)
2045072 - ET MALWARE Observed DNSQuery to TA444 Domain (shippingspro .com) (malware.rules)
2045073 - ET MALWARE Observed DNSQuery to TA444 Domain (phcnetworks .net) (malware.rules)
2045074 - ET MALWARE Observed DNSQuery to TA444 Domain (phcdevworks .com) (malware.rules)
2045077 - ET MALWARE Observed DNSQuery to TA444 Domain (ns1 .trytiponlineresult .com) (malware.rules)
2045079 - ET MALWARE Observed DNSQuery to TA444 Domain (naogoze .com) (malware.rules)
2045083 - ET MALWARE Observed DNSQuery to TA444 Domain (altair .linkpc .net) (malware.rules)
2045088 - ET MALWARE Observed DNSQuery to TA444 Domain (trytiponlineresult .com) (malware.rules)
2045089 - ET MALWARE Observed DNSQuery to TA444 Domain (partner .deepcore .v .entures) (malware.rules)
2045091 - ET MALWARE Observed DNSQuery to TA444 Domain (corporateimageguru .com) (malware.rules)
2045092 - ET MALWARE Observed DNSQuery to TA444 Domain (sarahbeery .docsend .me) (malware.rules)
2045094 - ET MALWARE Observed DNSQuery to TA444 Domain (docsend .me) (malware.rules)
2045097 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .altair-vc .co .uk) (malware.rules)
2045098 - ET MALWARE Observed DNSQuery to TA444 Domain (down .protectedviewer .co) (malware.rules)
2045099 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .espcapital .pro) (malware.rules)
2045104 - ET MALWARE Observed DNSQuery to TA444 Domain (server-1 .phcnetworks .net) (malware.rules)
2045105 - ET MALWARE Observed DNSQuery to TA444 Domain (down .aidpartners .org) (malware.rules)
2045107 - ET MALWARE Observed DNSQuery to TA444 Domain (down .espcapital .co) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/02 - v10635 Ruleset Updates	417	July 2, 2024
Ruleset Update Summary - 2023/09/14 - v10417 Ruleset Updates	242	September 14, 2023
Ruleset Update Summary - 2023/07/21 - v10377 Ruleset Updates	277	July 21, 2023
Ruleset Update Summary - 2024/06/07 - v10612 Ruleset Updates	283	June 7, 2024
Ruleset Update Summary - 2023/09/19 - v10420 Ruleset Updates	264	September 19, 2023

Ruleset Update Summary - 2023/04/21 - v10304

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics