Ruleset Update Summary - 2023/04/25 - v10307

rulesbot · April 25, 2023, 8:52pm

Summary:

33 new OPEN, 50 new PRO (33 + 17)

Thanks @500mk500, @malwrhunterteam, @Yeti_Sec, @0xToxin, @ViriBack, @malpiledriver

Added rules:

Open:

2001330 - ET INFO RDP - Response To External Host (info.rules)
2002945 - ET INFO Java Url Lib User Agent Web Crawl (Inbound) (info.rules)
2026989 - ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1 (hunting.rules)
2026990 - ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M2 (hunting.rules)
2026991 - ET HUNTING PowerShell NonInteractive Command Common In Powershell Stagers (hunting.rules)
2026994 - ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers (hunting.rules)
2026995 - ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers (hunting.rules)
2026996 - ET HUNTING PowerShell DownloadData Command Common In Powershell Stagers (hunting.rules)
2045178 - ET INFO DYNAMIC_DNS Query to a *.buhichan .net Domain (info.rules)
2045179 - ET INFO DYNAMIC_DNS HTTP Request to a *.buhichan .net Domain (info.rules)
2045180 - ET INFO DYNAMIC_DNS Query to a *.friendship .twa Domain (info.rules)
2045181 - ET INFO DYNAMIC_DNS HTTP Request to a *.friendship .twa Domain (info.rules)
2045182 - ET MALWARE Suspected DPRK APT Related Activity (GET) (malware.rules)
2045183 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
2045184 - ET MALWARE DNS Query to Blind Eagle Domain (dfdagsdsag .con-ip .com) (malware.rules)
2045185 - ET MALWARE ZStealer Admin Panel Inbound (malware.rules)
2045186 - ET PHISHING Successful Generic Credential Phish from W3LL Store Phishkit 2023-04-25 (phishing.rules)
2045187 - ET PHISHING W3LL Store Credential Phish Landing Page 2023-04-25 (phishing.rules)
2045188 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ruizchris .ru) (malware.rules)
2045189 - ET MALWARE Gamaredon APT Domain in DNS Lookup (valasati .ru) (malware.rules)
2045190 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ayarimar .ru) (malware.rules)
2045191 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nutriag .ru) (malware.rules)
2045192 - ET MALWARE Gamaredon APT Domain in DNS Lookup (vilaverde .ru) (malware.rules)
2045193 - ET MALWARE Gamaredon APT Domain in DNS Lookup (fortunyzo .ru) (malware.rules)
2045194 - ET MALWARE Gamaredon APT Domain in DNS Lookup (dussaut .ru) (malware.rules)
2045195 - ET MALWARE Gamaredon APT Domain in DNS Lookup (samiseto .ru) (malware.rules)
2045196 - ET MALWARE Gamaredon APT Domain in DNS Lookup (boraito .ru) (malware.rules)
2045197 - ET MALWARE Gamaredon APT Domain in DNS Lookup (enokida .ru) (malware.rules)
2045198 - ET MALWARE Gamaredon APT Domain in DNS Lookup (kaigitang .ru) (malware.rules)
2045199 - ET MALWARE TA453 Domain in DNS Lookup (update-windows-security .tk) (malware.rules)
2045200 - ET MALWARE TA453 Domain in DNS Lookup (sync-system-time .cf) (malware.rules)
2045201 - ET MALWARE TA453 Domain in DNS Lookup (oracle-java .cf) (malware.rules)
2045202 - ET MALWARE TA453 Domain in DNS Lookup (dns-iprecords .tk) (malware.rules)

Pro:

2854262 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2854263 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854264 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2854265 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2854266 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2854267 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2854268 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2854269 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2854270 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2854271 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2854272 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2854273 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2854274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2854275 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (381c9) (exploit_kit.rules)
2854276 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (f3dd1) (exploit_kit.rules)
2854277 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (9fb19) (exploit_kit.rules)
2854278 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (983de) (exploit_kit.rules)

Disabled and modified rules:

2035117 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035118 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035131 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035132 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035166 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035167 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035168 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035169 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035170 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035171 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035375 - ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2850869 - ETPRO MALWARE Win32/Vulturi CnC Activity (POST) (malware.rules)

Disabled rules:

2850745 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (set) (phishing.rules)

Removed rules:

2001330 - ET POLICY RDP connection confirm (policy.rules)
2002945 - ET POLICY Java Url Lib User Agent Web Crawl (policy.rules)
2026989 - ET ATTACK_RESPONSE PowerShell Hidden Window Command Common In Powershell Stagers M1 (attack_response.rules)
2026990 - ET ATTACK_RESPONSE PowerShell Hidden Window Command Common In Powershell Stagers M2 (attack_response.rules)
2026991 - ET ATTACK_RESPONSE PowerShell NonInteractive Command Common In Powershell Stagers (attack_response.rules)
2026994 - ET ATTACK_RESPONSE PowerShell DownloadFile Command Common In Powershell Stagers (attack_response.rules)
2026995 - ET ATTACK_RESPONSE PowerShell DownloadString Command Common In Powershell Stagers (attack_response.rules)
2026996 - ET ATTACK_RESPONSE PowerShell DownloadData Command Common In Powershell Stagers (attack_response.rules)
2036552 - ET MALWARE BluStealer Related Domain in DNS Lookup (premium12 .web-hosting .com) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/04/18 - v10300 Ruleset Updates	327	April 18, 2023
Ruleset Update Summary - 2023/05/02 - v10313 Ruleset Updates	441	May 2, 2023
Ruleset Update Summary - 2023/04/20 - v10303 Ruleset Updates	332	April 20, 2023
Ruleset Update Summary - 2023/08/23 - v10401 Ruleset Updates	289	August 23, 2023
Ruleset Update Summary - 2023/05/26 - v10333 Ruleset Updates	397	May 26, 2023

Ruleset Update Summary - 2023/04/25 - v10307

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Disabled rules:

Removed rules:

Related topics