Ruleset Update Summary - 2023/05/01 - v10312

Summary:

36 new OPEN, 39 new PRO (36 open + 3 PRO-only)

Thanks @MichalKoczwara, @CPResearch, @suyog41, @StopMalvertisin


Added rules:

Open:

  • 2024764 - ET ADWARE_PUP Suspicious Darkwave Popads Pop Under Redirect (adware_pup.rules)
  • 2026413 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiVirusProduct) (attack_response.rules)
  • 2026414 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiSpywareProduct) (attack_response.rules)
  • 2026415 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (FirewallProduct) (attack_response.rules)
  • 2045255 - ET MALWARE IcedID CnC Domain in DNS Lookup (bgreenglobus .com) (malware.rules)
  • 2045256 - ET MALWARE IcedID CnC Domain in DNS Lookup (rtofmethough .top) (malware.rules)
  • 2045257 - ET MALWARE IcedID CnC Domain in DNS Lookup (alepscoking .com) (malware.rules)
  • 2045258 - ET MALWARE IcedID CnC Domain in DNS Lookup (xairdone .com) (malware.rules)
  • 2045259 - ET INFO DYNAMIC_DNS Query to a *.irq .ro Domain (info.rules)
  • 2045260 - ET INFO DYNAMIC_DNS HTTP Request to a *.irq .ro Domain (info.rules)
  • 2045261 - ET INFO DYNAMIC_DNS Query to a *.codingtheworld .com Domain (info.rules)
  • 2045262 - ET INFO DYNAMIC_DNS HTTP Request to a *.codingtheworld .com Domain (info.rules)
  • 2045263 - ET INFO DYNAMIC_DNS Query to a *.runyeard .com Domain (info.rules)
  • 2045264 - ET INFO DYNAMIC_DNS HTTP Request to a *.runyeard .com Domain (info.rules)
  • 2045265 - ET INFO DYNAMIC_DNS Query to a *.etsang .com Domain (info.rules)
  • 2045266 - ET INFO DYNAMIC_DNS HTTP Request to a *.etsang .com Domain (info.rules)
  • 2045267 - ET MALWARE MSIL/Whitesnake Variant Stealer Sending System Info via Telegram (GET) (malware.rules)
  • 2045268 - ET MALWARE Ducktail Stealer Related Domain in DNS Lookup (techvibeo .com) (malware.rules)
  • 2045269 - ET HUNTING HTTP Request to transfer .sh via Powershell (hunting.rules)
  • 2045270 - ET MALWARE Havoc Framework Header in HTTP Response (malware.rules)
  • 2045271 - ET MALWARE DNS Query to RokRat Domain (link .b4a .app) (malware.rules)
  • 2045272 - ET MALWARE DNS Query to RokRat Domain (daum-store .com) (malware.rules)
  • 2045273 - ET MALWARE DNS Query to RokRat Domain (docx1 .b4a .app) (malware.rules)
  • 2045274 - ET MALWARE DNS Query to RokRat Domain (nate-download .com) (malware.rules)
  • 2045275 - ET MALWARE DNS Query to RokRat Domain (naver-file .com) (malware.rules)
  • 2045276 - ET MALWARE DNS Query to RokRat Domain (naver-storage .com) (malware.rules)
  • 2045277 - ET MALWARE Win32/RokRat CnC Activity (GET) (malware.rules)
  • 2045278 - ET MALWARE Win32/RokRat CnC Activity (POST) (malware.rules)
  • 2045279 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M1 2023-05-01 (phishing.rules)
  • 2045280 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M2 2023-05-01 (phishing.rules)
  • 2045281 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M3 2023-05-01 (phishing.rules)
  • 2045282 - ET PHISHING Generic Credential Phish Landing Page from Text Scam M4 2023-05-01 (phishing.rules)
  • 2045283 - ET MALWARE CMDASP Webshell Command Request (malware.rules)
  • 2045284 - ET MALWARE CMDASP Webshell Default Title in HTTP Response (malware.rules)
  • 2045285 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (lemonicecold .org) (exploit_kit.rules)
  • 2045286 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .score .symposiumhaiti .com) (malware.rules)

Pro:

  • 2835754 - ETPRO ADWARE_PUP Smartkey Password Recovery Tool Update Check (adware_pup.rules)
  • 2854287 - ETPRO MALWARE Arkei Stealer Exfil (malware.rules)
  • 2854288 - ETPRO MALWARE Win64/Spy.Agent.FD Variant Exfil (malware.rules)

Modified inactive rules:

  • 2015743 - ET INFO Revoked Adobe Code Signing Certificate Seen (info.rules)
  • 2036219 - ET INFO WebSocket Session Initiation Request (info.rules)

Disabled and modified rules:

  • 2016154 - ET INFO Possible TURKTRUST Spoofed Google Cert (info.rules)
  • 2035175 - ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com) (malware.rules)
  • 2044975 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (etaqeryg .org) (exploit_kit.rules)
  • 2044976 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (debquery .org) (exploit_kit.rules)
  • 2044977 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (rygesqua .org) (exploit_kit.rules)
  • 2044980 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (squaryge .org) (exploit_kit.rules)
  • 2044981 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tqeuryge .org) (exploit_kit.rules)
  • 2044982 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (ygequary .org) (exploit_kit.rules)
  • 2044983 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (uaqryges .org) (exploit_kit.rules)
  • 2044984 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .reseller .wonderfulworldblog .com) (malware.rules)

Removed rules:

  • 2024764 - ET INFO Suspicious Darkwave Popads Pop Under Redirect (info.rules)
  • 2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (info.rules)
  • 2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (info.rules)
  • 2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (info.rules)
  • 2835754 - ETPRO INFO Smartkey Password Recovery Tool Update Check (info.rules)
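Added example, not part of the ET release notes or the Emerging Threats tooling: a small Python parser for this summary format. It pulls the SID, ET/ETPRO prefix, category and rules file out of each bullet, counts the additions per ruleset, flags any rule whose category does not match its rules file, and, the check that matters most when reading this particular update, cross-references the "Removed rules" list against the "Added rules" lists. Every SID removed in this release reappears under a new category with the same SID (INFO to ADWARE_PUP or ATTACK_RESPONSE), so nothing was actually dropped; a deployment that disables rules by SID keeps working, but one that filters by category or rules file needs updating. The embedded text is a subset of this page's own lines, assumed here as sample input rather than the full 39-rule list.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from this update summary (a subset of
# the full list), so the parser runs offline against the real format.
SUMMARY = """\
Added rules:

Open:

  • 2024764 - ET ADWARE_PUP Suspicious Darkwave Popads Pop Under Redirect (adware_pup.rules)
  • 2026413 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiVirusProduct) (attack_response.rules)
  • 2026414 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (AntiSpywareProduct) (attack_response.rules)
  • 2026415 - ET ATTACK_RESPONSE Possible System Enumeration via WMI Queries (FirewallProduct) (attack_response.rules)
  • 2045255 - ET MALWARE IcedID CnC Domain in DNS Lookup (bgreenglobus .com) (malware.rules)
  • 2045270 - ET MALWARE Havoc Framework Header in HTTP Response (malware.rules)

Pro:

  • 2835754 - ETPRO ADWARE_PUP Smartkey Password Recovery Tool Update Check (adware_pup.rules)
  • 2854287 - ETPRO MALWARE Arkei Stealer Exfil (malware.rules)

Modified inactive rules:

  • 2015743 - ET INFO Revoked Adobe Code Signing Certificate Seen (info.rules)

Disabled and modified rules:

  • 2016154 - ET INFO Possible TURKTRUST Spoofed Google Cert (info.rules)

Removed rules:

  • 2024764 - ET INFO Suspicious Darkwave Popads Pop Under Redirect (info.rules)
  • 2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (info.rules)
  • 2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (info.rules)
  • 2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (info.rules)
  • 2835754 - ETPRO INFO Smartkey Password Recovery Tool Update Check (info.rules)
"""

# One bullet: "<sid> - <ET|ETPRO> <CATEGORY> <message text> (<file>.rules)".
# The greedy message group backtracks so the final parenthetical is the file.
RULE_LINE = re.compile(r"^\s*•\s*(\d+) - (ET|ETPRO) (\S+) (.+) \(([a-z_]+\.rules)\)\s*$")


@dataclass(frozen=True)
class Rule:
    sid: int
    prefix: str       # "ET" (open) or "ETPRO" (pro-only)
    category: str     # e.g. MALWARE, INFO, ADWARE_PUP
    msg: str          # remainder of the rule message
    rules_file: str   # e.g. malware.rules


def parse_summary(text):
    """Return {section: [Rule, ...]}; added rules are keyed 'Added rules/Open' and 'Added rules/Pro'."""
    sections, section, sub = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not stripped.startswith("•"):
            name = stripped[:-1]
            if name in ("Open", "Pro") and section == "Added rules":
                sub = name                 # sub-list inside "Added rules"
            else:
                section, sub = name, None  # top-level section header
            continue
        m = RULE_LINE.match(line)
        if m and section is not None:
            key = f"{section}/{sub}" if sub else section
            sections.setdefault(key, []).append(Rule(int(m[1]), m[2], m[3], m[4], m[5]))
    return sections


def added_counts(sections):
    """Counts in the page's own terms: open, pro-only, and the total that lands in the PRO ruleset."""
    open_n = len(sections.get("Added rules/Open", []))
    pro_n = len(sections.get("Added rules/Pro", []))
    return {"open": open_n, "pro": pro_n, "total": open_n + pro_n}


def category_file_mismatches(sections):
    """Rules whose category token does not match the rules file they are filed under."""
    return [r.sid for rules in sections.values() for r in rules
            if r.category.lower() + ".rules" != r.rules_file]


def recategorized(sections):
    """SIDs listed under both Removed and Added: moved to a new category, not deleted."""
    added = {r.sid: r for key, rules in sections.items()
             if key.startswith("Added rules") for r in rules}
    moves = {}
    for old in sections.get("Removed rules", []):
        new = added.get(old.sid)
        if new is not None:
            moves[old.sid] = (old.category, new.category, old.rules_file, new.rules_file)
    return moves


def truly_removed(sections):
    """SIDs that disappear from the ruleset entirely (empty for this release)."""
    moved = recategorized(sections)
    return sorted(r.sid for r in sections.get("Removed rules", []) if r.sid not in moved)


if __name__ == "__main__":
    parsed = parse_summary(SUMMARY)
    print(added_counts(parsed))
    for sid, (old_cat, new_cat, old_file, new_file) in recategorized(parsed).items():
        print(f"{sid}: {old_cat} ({old_file}) -> {new_cat} ({new_file})")
    print("dropped outright:", truly_removed(parsed))
```

Run against the full text of this page the same functions give 36 open and 3 pro additions (the "39 new PRO" figure is the sum, since the PRO ruleset ships the open rules too) and the same five category moves; the first-token category check is only a sanity test, since ET files rules by the category token that follows ET/ETPRO.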