Summary:
36 new OPEN, 39 new PRO (36 + 3)
Thanks @MichalKoczwara, @CPResearch, @suyog41, @StopMalvertisin
Added rules:
Open:
- 2024764 - ET ADWARE_PUP Suspicious Darkwave Popads Pop Under Redirect (adware_pup.rules)
- 2026413 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiVirusProduct) (attack_response.rules)
- 2026414 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiSpywareProduct) (attack_response.rules)
- 2026415 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (FirewallProduct) (attack_response.rules)
- 2045255 - ET MALWARE IcedID CnC Domain in DNS Lookup (bgreenglobus .com) (malware.rules)
- 2045256 - ET MALWARE IcedID CnC Domain in DNS Lookup (rtofmethough .top) (malware.rules)
- 2045257 - ET MALWARE IcedID CnC Domain in DNS Lookup (alepscoking .com) (malware.rules)
- 2045258 - ET MALWARE IcedID CnC Domain in DNS Lookup (xairdone .com) (malware.rules)
- 2045259 - ET INFO DYNAMIC_DNS Query to a *.irq .ro Domain (info.rules)
- 2045260 - ET INFO DYNAMIC_DNS HTTP Request to a *.irq .ro Domain (info.rules)
- 2045261 - ET INFO DYNAMIC_DNS Query to a *.codingtheworld .com Domain (info.rules)
- 2045262 - ET INFO DYNAMIC_DNS HTTP Request to a *.codingtheworld .com Domain (info.rules)
- 2045263 - ET INFO DYNAMIC_DNS Query to a *.runyeard .com Domain (info.rules)
- 2045264 - ET INFO DYNAMIC_DNS HTTP Request to a *.runyeard .com Domain (info.rules)
- 2045265 - ET INFO DYNAMIC_DNS Query to a *.etsang .com Domain (info.rules)
- 2045266 - ET INFO DYNAMIC_DNS HTTP Request to a *.etsang .com Domain (info.rules)
- 2045267 - ET MALWARE MSIL/Whitesnake Variant Stealer Sending System Info via Telegram (GET) (malware.rules)
- 2045268 - ET MALWARE Ducktail Stealer Related Domain in DNS Lookup (techvibeo .com) (malware.rules)
- 2045269 - ET HUNTING HTTP Request to transfer .sh via Powershell (hunting.rules)
- 2045270 - ET MALWARE Havoc Framework Header in HTTP Response (malware.rules)
- 2045271 - ET MALWARE DNS Query to RokRat Domain (link .b4a .app) (malware.rules)
- 2045272 - ET MALWARE DNS Query to RokRat Domain (daum-store .com) (malware.rules)
- 2045273 - ET MALWARE DNS Query to RokRat Domain (docx1 .b4a .app) (malware.rules)
- 2045274 - ET MALWARE DNS Query to RokRat Domain (nate-download .com) (malware.rules)
- 2045275 - ET MALWARE DNS Query to RokRat Domain (naver-file .com) (malware.rules)
- 2045276 - ET MALWARE DNS Query to RokRat Domain (naver-storage .com) (malware.rules)
- 2045277 - ET MALWARE Win32/RokRat CnC Activity (GET) (malware.rules)
- 2045278 - ET MALWARE Win32/RokRat CnC Activity (POST) (malware.rules)
- 2045279 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M1 2023-05-01 (phishing.rules)
- 2045280 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M2 2023-05-01 (phishing.rules)
- 2045281 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M3 2023-05-01 (phishing.rules)
- 2045282 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M4 2023-05-01 (phishing.rules)
- 2045283 - ET MALWARE CMDASP Webshell Command Request (malware.rules)
- 2045284 - ET MALWARE CMDASP Webshell Default Title in HTTP Response (malware.rules)
- 2045285 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (lemonicecold .org) (exploit_kit.rules)
- 2045286 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .score .symposiumhaiti .com) (malware.rules)
Pro:
- 2835754 - ETPRO ADWARE_PUP Smartkey Password Recovery Tool Update Check (adware_pup.rules)
- 2854287 - ETPRO MALWARE Arkei Stealer Exfil (malware.rules)
- 2854288 - ETPRO MALWARE Win64/Spy.Agent.FD Variant Exfil (malware.rules)
Modified inactive rules:
- 2015743 - ET INFO Revoked Adobe Code Signing Certificate Seen (info.rules)
- 2036219 - ET INFO WebSocket Session Initiation Request (info.rules)
Disabled and modified rules:
- 2016154 - ET INFO Possible TURKTRUST Spoofed Google Cert (info.rules)
- 2035175 - ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com) (malware.rules)
- 2044975 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (etaqeryg .org) (exploit_kit.rules)
- 2044976 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (debquery .org) (exploit_kit.rules)
- 2044977 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (rygesqua .org) (exploit_kit.rules)
- 2044980 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (squaryge .org) (exploit_kit.rules)
- 2044981 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tqeuryge .org) (exploit_kit.rules)
- 2044982 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (ygequary .org) (exploit_kit.rules)
- 2044983 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (uaqryges .org) (exploit_kit.rules)
- 2044984 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .reseller .wonderfulworldblog .com) (malware.rules)
Removed rules:
- 2024764 - ET INFO Suspicious Darkwave Popads Pop Under Redirect (info.rules)
- 2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (info.rules)
- 2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (info.rules)
- 2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (info.rules)
- 2835754 - ETPRO INFO Smartkey Password Recovery Tool Update Check (info.rules)