Ruleset Update Summary - 2023/04/28 - v10310

rulesbot · April 28, 2023, 9:31pm

Summary:

34 new OPEN, 35 new PRO (34 + 1)

Thanks @aucyble, @Malwarebytes, @malPileDriver, @Unit42_Intel

Added rules:

Open:

2014926 - ET HUNTING PDF embedded in XDP file (Possibly Malicious) (hunting.rules)
2027199 - ET INFO URL Shortener Service Domain in DNS Lookup (tiny .cc) (info.rules)
2027200 - ET INFO Observed SSL Cert (URL Shortener Service - tiny .cc) (info.rules)
2029258 - ET INFO GG Url Shortener Observed in DNS Query (info.rules)
2030340 - ET EXPLOIT GnuTLS Cryptographic Flaw Observed (CVE-2020-13777) (exploit.rules)
2033666 - ET INFO Observed URL Shortening Service Domain (longurl .in in TLS SNI) (info.rules)
2036628 - ET INFO Observed URL Shortening Service SSL/TLS Cert (rb.gy) (info.rules)
2038697 - ET WEB_SPECIFIC_APPS Vulnerable SAP NetWeaver Path Observed - Information Disclosure (CVE-2016-2388) (web_specific_apps.rules)
2045229 - ET MALWARE Win32/Phorpiex Template 9 Active - Outbound Malicious Email Spam (malware.rules)
2045230 - ET MALWARE Win32/Phorpiex Requesting Compromised Email Credentials List (malware.rules)
2045231 - ET TROJAN Win32/Cryptbotv2 CnC Activity (POST) M2 (trojan.rules)
2045232 - ET INFO Observed DNS Query to Reverse Shell Generator (reverse-shell .sh) (info.rules)
2045233 - ET MALWARE DonotGroup Pult Downloader Activity (POST) M4 (malware.rules)
2045234 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (pic .onesolution .buzz) (malware.rules)
2045235 - ET MALWARE DonotGroup Pult Downloader Activity (POST) M5 (malware.rules)
2045236 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (epiczplus .buzz) (malware.rules)
2045237 - ET MALWARE DNS Query to MageCart Domain (genlytec .us) (malware.rules)
2045238 - ET MALWARE DNS Query to MageCart Domain (pyatiticdigt .shop) (malware.rules)
2045239 - ET MALWARE DNS Query to MageCart Domain (shumtech .shop) (malware.rules)
2045240 - ET MALWARE DNS Query to MageCart Domain (interytec .shop) (malware.rules)
2045241 - ET MALWARE DNS Query to MageCart Domain (stacstocuh .quest) (malware.rules)
2045242 - ET MALWARE DNS Query to MageCart Domain (daichetmob .sbs) (malware.rules)
2045243 - ET MALWARE DNS Query to MageCart Domain (zapolmob .sbs) (malware.rules)
2045244 - ET MALWARE MageCart Skimmer Header Observed Outbound (malware.rules)
2045245 - ET PHISHING USPS Credential Phish Landing Page M1 2023-04-28 (phishing.rules)
2045246 - ET PHISHING USPS Credential Phish Landing Page M2 2023-04-28 (phishing.rules)
2045247 - ET PHISHING Generic Credential Phish Landing Page 2023-04-28 (phishing.rules)
2045248 - ET MALWARE Gamaredon APT Domain in DNS Lookup (decorous .ru) (malware.rules)
2045249 - ET MALWARE Gamaredon APT Domain in DNS Lookup (judicious .ru) (malware.rules)
2045250 - ET MALWARE Gamaredon APT Domain in DNS Lookup (succinct .ru) (malware.rules)
2045251 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (yrhsywu2009 .zapto .org) (malware.rules)
2045252 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (vpn729380678 .softether .net) (malware.rules)
2045253 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (saspecialforces .co .za) (malware.rules)
2045254 - ET PHISHING Lucy Phishing Framework Plugin List POST (phishing.rules)

Pro:

2851049 - ETPRO INFO URL Shortening Domain in DNS Lookup (info.rules)

Modified inactive rules:

2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)
2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)
2044666 - ET INFO Outbound SMB Protocol Request to External Address (info.rules)

Disabled and modified rules:

2034560 - ET MALWARE Kimsuky Related Activity Sending Windows Information (POST) (malware.rules)
2850576 - ETPRO MALWARE WIRTE APT Group Activity (malware.rules)

Removed rules:

2014926 - ET INFO PDF embedded in XDP file (Possibly Malicious) (info.rules)
2027199 - ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc) (policy.rules)
2027200 - ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc) (policy.rules)
2027367 - ET INFO Query for Suspicious shell .now .sh Domain (info.rules)
2029258 - ET POLICY GG Url Shortener Observed in DNS Query (policy.rules)
2030340 - ET INFO GnuTLS Cryptographic Flaw Observed (CVE-2020-13777) (info.rules)
2033666 - ET POLICY Observed URL Shortening Service Domain (longurl .in in TLS SNI) (policy.rules)
2036628 - ET POLICY Observed URL Shortening Service SSL/TLS Cert (rb.gy) (policy.rules)
2038697 - ET INFO Vulnerable SAP NetWeaver Path Observed - Information Disclosure (CVE-2016-2388) (info.rules)
2044125 - ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam (trojan.rules)
2044126 - ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam (trojan.rules)
2851049 - ETPRO POLICY URL Shortening Domain in DNS Lookup (policy.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/08/23 - v10401 Ruleset Updates	206	August 23, 2023
Ruleset Update Summary - 2023/08/11 - v10392 Ruleset Updates	252	August 11, 2023
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	272	November 22, 2023
Ruleset Update Summary - 2023/04/20 - v10303 Ruleset Updates	290	April 20, 2023
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	291	May 3, 2023

Ruleset Update Summary - 2023/04/28 - v10310

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Removed rules:

Related Topics