Summary:
34 new OPEN, 35 new PRO (34 + 1)
Thanks @aucyble, @Malwarebytes, @malPileDriver, @Unit42_Intel
Added rules:
Open:
- 2014926 - ET HUNTING PDF embedded in XDP file (Possibly Malicious) (hunting.rules)
- 2027199 - ET INFO URL Shortener Service Domain in DNS Lookup (tiny .cc) (info.rules)
- 2027200 - ET INFO Observed SSL Cert (URL Shortener Service - tiny .cc) (info.rules)
- 2029258 - ET INFO GG Url Shortener Observed in DNS Query (info.rules)
- 2030340 - ET EXPLOIT GnuTLS Cryptographic Flaw Observed (CVE-2020-13777) (exploit.rules)
- 2033666 - ET INFO Observed URL Shortening Service Domain (longurl .in in TLS SNI) (info.rules)
- 2036628 - ET INFO Observed URL Shortening Service SSL/TLS Cert (rb.gy) (info.rules)
- 2038697 - ET WEB_SPECIFIC_APPS Vulnerable SAP NetWeaver Path Observed - Information Disclosure (CVE-2016-2388) (web_specific_apps.rules)
- 2045229 - ET MALWARE Win32/Phorpiex Template 9 Active - Outbound Malicious Email Spam (malware.rules)
- 2045230 - ET MALWARE Win32/Phorpiex Requesting Compromised Email Credentials List (malware.rules)
- 2045231 - ET TROJAN Win32/Cryptbotv2 CnC Activity (POST) M2 (trojan.rules)
- 2045232 - ET INFO Observed DNS Query to Reverse Shell Generator (reverse-shell .sh) (info.rules)
- 2045233 - ET MALWARE DonotGroup Pult Downloader Activity (POST) M4 (malware.rules)
- 2045234 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (pic .onesolution .buzz) (malware.rules)
- 2045235 - ET MALWARE DonotGroup Pult Downloader Activity (POST) M5 (malware.rules)
- 2045236 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (epiczplus .buzz) (malware.rules)
- 2045237 - ET MALWARE DNS Query to MageCart Domain (genlytec .us) (malware.rules)
- 2045238 - ET MALWARE DNS Query to MageCart Domain (pyatiticdigt .shop) (malware.rules)
- 2045239 - ET MALWARE DNS Query to MageCart Domain (shumtech .shop) (malware.rules)
- 2045240 - ET MALWARE DNS Query to MageCart Domain (interytec .shop) (malware.rules)
- 2045241 - ET MALWARE DNS Query to MageCart Domain (stacstocuh .quest) (malware.rules)
- 2045242 - ET MALWARE DNS Query to MageCart Domain (daichetmob .sbs) (malware.rules)
- 2045243 - ET MALWARE DNS Query to MageCart Domain (zapolmob .sbs) (malware.rules)
- 2045244 - ET MALWARE MageCart Skimmer Header Observed Outbound (malware.rules)
- 2045245 - ET PHISHING USPS Credential Phish Landing Page M1 2023-04-28 (phishing.rules)
- 2045246 - ET PHISHING USPS Credential Phish Landing Page M2 2023-04-28 (phishing.rules)
- 2045247 - ET PHISHING Generic Credential Phish Landing Page 2023-04-28 (phishing.rules)
- 2045248 - ET MALWARE Gamaredon APT Domain in DNS Lookup (decorous .ru) (malware.rules)
- 2045249 - ET MALWARE Gamaredon APT Domain in DNS Lookup (judicious .ru) (malware.rules)
- 2045250 - ET MALWARE Gamaredon APT Domain in DNS Lookup (succinct .ru) (malware.rules)
- 2045251 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (yrhsywu2009 .zapto .org) (malware.rules)
- 2045252 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (vpn729380678 .softether .net) (malware.rules)
- 2045253 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (saspecialforces .co .za) (malware.rules)
- 2045254 - ET PHISHING Lucy Phishing Framework Plugin List POST (phishing.rules)
Pro:
- 2851049 - ETPRO INFO URL Shortening Domain in DNS Lookup (info.rules)
Modified inactive rules:
- 2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)
- 2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)
- 2044666 - ET INFO Outbound SMB Protocol Request to External Address (info.rules)
Disabled and modified rules:
- 2034560 - ET MALWARE Kimsuky Related Activity Sending Windows Information (POST) (malware.rules)
- 2850576 - ETPRO MALWARE WIRTE APT Group Activity (malware.rules)
Removed rules:
- 2014926 - ET INFO PDF embedded in XDP file (Possibly Malicious) (info.rules)
- 2027199 - ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc) (policy.rules)
- 2027200 - ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc) (policy.rules)
- 2027367 - ET INFO Query for Suspicious shell .now .sh Domain (info.rules)
- 2029258 - ET POLICY GG Url Shortener Observed in DNS Query (policy.rules)
- 2030340 - ET INFO GnuTLS Cryptographic Flaw Observed (CVE-2020-13777) (info.rules)
- 2033666 - ET POLICY Observed URL Shortening Service Domain (longurl .in in TLS SNI) (policy.rules)
- 2036628 - ET POLICY Observed URL Shortening Service SSL/TLS Cert (rb.gy) (policy.rules)
- 2038697 - ET INFO Vulnerable SAP NetWeaver Path Observed - Information Disclosure (CVE-2016-2388) (info.rules)
- 2044125 - ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam (trojan.rules)
- 2044126 - ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam (trojan.rules)
- 2851049 - ETPRO POLICY URL Shortening Domain in DNS Lookup (policy.rules)