Ruleset Update Summary - 2023/04/24 - v10305

rulesbot · April 24, 2023, 9:14pm

Summary:

35 new OPEN, 49 new PRO (35 + 14)

Thanks @JamfSoftware, @malPileDiver, @kaspersky

Added rules:

Open:

2014645 - ET EXPLOIT RuggedCom Banner with MAC (SET) (exploit.rules)
2014646 - ET EXPLOIT RuggedCom factory account backdoor (exploit.rules)
2018233 - ET HUNTING JAR Sent Claiming To Be Image - Likely Exploit Kit (hunting.rules)
2018234 - ET HUNTING JAR Sent Claiming To Be Text Content - Likely Exploit Kit (hunting.rules)
2036725 - ET EXPLOIT Potential External VMware vRealize Automation Authentication Bypass Vulnerability (exploit.rules)
2045148 - ET MALWARE IcedID CnC Domain in DNS Lookup (ewyersbetter .com) (malware.rules)
2045149 - ET MALWARE IcedID CnC Domain in DNS Lookup (nizanigrola .com) (malware.rules)
2045150 - ET MALWARE IcedID CnC Domain in DNS Lookup (pingwiskot .com) (malware.rules)
2045151 - ET MALWARE IcedID CnC Domain in DNS Lookup (klonpiparf .com) (malware.rules)
2045152 - ET MALWARE IcedID CnC Domain in DNS Lookup (skigimeetroc .com) (malware.rules)
2045153 - ET MALWARE IcedID CnC Domain in DNS Lookup (auronavtimor .com) (malware.rules)
2045154 - ET MALWARE IcedID CnC Domain in DNS Lookup (jinowera .com) (malware.rules)
2045155 - ET MALWARE IcedID CnC Domain in DNS Lookup (animamagaznaf .com) (malware.rules)
2045156 - ET MALWARE IcedID CnC Domain in DNS Lookup (plitspiritnox .com) (malware.rules)
2045157 - ET MALWARE TA444 Related Domain in DNS Lookup (malware.rules)
2045158 - ET USER_AGENTS Win32/FakeAV InternetSecurityGuard User-Agent (user_agents.rules)
2045159 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pihole4 .hoerli .net) (info.rules)
2045160 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pihole3 .hoerli .net) (info.rules)
2045161 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pihole2 .hoerli .net) (info.rules)
2045162 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (res-acst3 .absolight .net) (info.rules)
2045163 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (resolver2 .absolight .net) (info.rules)
2045164 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (resolver1 .absolight .net) (info.rules)
2045165 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pihole1 .hoerli .net) (info.rules)
2045166 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (kilabit .info) (info.rules)
2045167 - ET MALWARE DNS Query to Gamaredon Domain (bankoulpi .ru) (malware.rules)
2045168 - ET MALWARE DNS Query to Gamaredon Domain (barutipi .ru) (malware.rules)
2045169 - ET MALWARE DNS Query to Gamaredon Domain (apispi .ru) (malware.rules)
2045170 - ET MALWARE DNS Query to Gamaredon Domain (anherpi .ru) (malware.rules)
2045171 - ET MALWARE DNS Query to Gamaredon Domain (fushiguro .ru) (malware.rules)
2045172 - ET MALWARE DNS Query to Gamaredon Domain (22defeated .ayrympo .ru) (malware.rules)
2045173 - ET PHISHING OV6 Phish Kit Landing Page 2023-04-24 (phishing.rules)
2045174 - ET MALWARE Roopy File Grabber Exfiltration Attempt (malware.rules)
2045175 - ET MALWARE JLORAT CnC Checkin (malware.rules)
2045176 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (greenpapers .org) (exploit_kit.rules)
2045177 - ET PHISHING Successful DHL Credential Phish 2023-04-24 (phishing.rules)

Pro:

2854248 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2854249 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854250 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854251 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2854252 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2854253 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2854254 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2854255 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2854256 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2854257 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2854258 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2854259 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2854260 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2854261 - ETPRO MALWARE Win32/Fake LogMeInRescue CnC Exfil (POST) (malware.rules)

Modified inactive rules:

2016510 - ET INFO Serialized Java Applet (Used by some EKs in the Wild) (info.rules)
2044665 - ET INFO Outbound SMB NTLM Auth Attempt to External Address (info.rules)
2821749 - ETPRO INFO HTTP 522 Returned to Client Possible Broken Malware Checkin (info.rules)

Disabled and modified rules:

2016494 - ET INFO Serialized Java Applet (Used by some EKs in the Wild) (info.rules)
2034471 - ET MALWARE Danabot Associated Activity (GET) (malware.rules)
2043268 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043269 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043992 - ET MALWARE Observed DNS Query to IcedID Domain (swordnifhing .com) (malware.rules)
2043994 - ET MALWARE Observed DNS Query to IcedID Domain (trotimera .com) (malware.rules)
2044890 - ET MALWARE Malicious NetSupport CnC Domain in DNS Lookup (irejhg .fun) (malware.rules)
2044891 - ET MALWARE Malicious NetSupport Loader Domain in DNS Lookup (tumnt .top) (malware.rules)
2044892 - ET MALWARE Malicious NetSupport Loader Domain in DNS Lookup (rtern .top) (malware.rules)
2044893 - ET MALWARE Malicious NetSupport CnC Domain in DNS Lookup (dfrgb .fun) (malware.rules)
2850746 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (phishing.rules)
2850747 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (phishing.rules)
2850832 - ETPRO PHISHING Successful Generic Phish 2022-01-10 (phishing.rules)

Removed rules:

2014645 - ET INFO RuggedCom Banner with MAC (info.rules)
2014646 - ET MISC RuggedCom factory account backdoor (misc.rules)
2014925 - ET INFO NetSSH SSH Version String Hardcoded in Metasploit (info.rules)
2018233 - ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit (info.rules)
2018234 - ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit (info.rules)
2034330 - ET INFO Possible GoCD Authentication Bypass URI Path - add-on (info.rules)
2036725 - ET INFO Potential External VMware vRealize Automation Authentication Bypass Vulnerability (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/04/27 - v10309 Ruleset Updates	286	April 27, 2023
Ruleset Update Summary - 2023/04/14 - v10298 Ruleset Updates	352	April 14, 2023
Ruleset Update Summary - 2023/07/18 - v10374 Ruleset Updates	230	July 18, 2023
Ruleset Update Summary - 2023/05/01 - v10312 Ruleset Updates	462	May 1, 2023
Ruleset Update Summary - 2023/09/27 - v10426 Ruleset Updates	318	September 27, 2023

Ruleset Update Summary - 2023/04/24 - v10305

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Removed rules:

Related topics