Ruleset Update Summary - 2023/05/02 - v10313

Summary:

19 new OPEN, 34 new PRO (19 OPEN + 15 PRO-only)

Thanks @0xrb, @StopMalvertisin, @TLP_R3D, @500mk500, @jaydinbas, @t3ft3lb, @TheDFIRReport


Added rules:

Open:

  • 2020705 - ET HUNTING Generic - Mozilla 4.0 EXE Request (hunting.rules)
  • 2043026 - ET HUNTING Suspicious Empty Accept-Encoding Header (hunting.rules)
  • 2045287 - ET MOBILE_MALWARE Trojan-Ransom.AndroidOS.CryCrypt.c Checkin (mobile_malware.rules)
  • 2045288 - ET INFO DYNAMIC_DNS Query to a *.24h .hk Domain (info.rules)
  • 2045289 - ET INFO DYNAMIC_DNS HTTP Request to a *.24h .hk Domain (info.rules)
  • 2045290 - ET HUNTING Office User-Agent Requesting Non-Standard Filename (hunting.rules)
  • 2045291 - ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (malware.rules)
  • 2045292 - ET ATTACK_RESPONSE Mystic Stealer Admin Panel Inbound (attack_response.rules)
  • 2045293 - ET MALWARE Win32/KLBanker CnC Response (malware.rules)
  • 2045294 - ET ATTACK_RESPONSE reNgine Recon Panel Inbound (attack_response.rules)
  • 2045295 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-05-02 (phishing.rules)
  • 2045296 - ET MALWARE Win32/WarHawk Sending Windows System Information (POST) M2 (malware.rules)
  • 2045297 - ET MALWARE WarHawk Activity (Deploy) (malware.rules)
  • 2045298 - ET MALWARE Truebot/Silence.Downloader No Tasking Response from Server (malware.rules)
  • 2045299 - ET MALWARE TrueBot/Silence.Downloader CnC Checkin 4 (malware.rules)
  • 2045300 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram (malware.rules)
  • 2045301 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M10 (CVE-2022-47966) (exploit.rules)
  • 2045302 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M11 (CVE-2022-47966) (exploit.rules)
  • 2045303 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M12 (CVE-2022-47966) (exploit.rules)

Pro:

  • 2854289 - ETPRO ATTACK_RESPONSE Obfuscated .bat File Inbound (attack_response.rules)
  • 2854290 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854291 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854292 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854293 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854294 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854295 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854296 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854297 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854299 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854300 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854301 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854302 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854303 - ETPRO MALWARE njRAT Telegram Exfil (malware.rules)

Modified inactive rules:

  • 2009303 - ET INFO Commonly Abused File Sharing Service Domain HTTP request (mediafire .com) (info.rules)
  • 2014954 - ET INFO Vulnerable iTunes Version 10.6.x (set) (info.rules)

Disabled and modified rules:

  • 2035404 - ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online) (malware.rules)
  • 2035405 - ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08 (phishing.rules)
  • 2035406 - ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08 (phishing.rules)
  • 2035407 - ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST) (malware.rules)
  • 2035408 - ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST) (malware.rules)
  • 2035425 - ET MALWARE MuddyWater APT Related Activity (POST) (malware.rules)
  • 2035426 - ET MALWARE MuddyWater APT Related Activity (GET) (malware.rules)
  • 2035917 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
  • 2043307 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (magento-cdn .net) (malware.rules)

Removed rules:

  • 2020705 - ET INFO Generic - Mozilla 4.0 EXE Request (info.rules)
  • 2043026 - ET INFO Suspicious Empty Accept-Encoding Header (info.rules)
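Two checks worth running on a summary like this before acting on it: that the "N new OPEN, M new PRO (a + b)" line agrees with the lists (ETPRO ships the Open rules too, so the PRO figure is open plus pro-only), and which "Removed rules" SIDs are really moves between .rules files rather than drops (above, 2020705 and 2043026 leave info.rules and reappear in hunting.rules, which matters if your rule-management policy enables or disables by file name). The parser below is an added example, not Emerging Threats or Proofpoint code; it assumes only the plain-text layout visible on this page, and SAMPLE is a constructed excerpt of the lists above with its summary line reduced to match the shortened lists.

```python
"""Parse an Emerging Threats "Ruleset Update Summary" and sanity-check it.

Added example, not Emerging Threats/Proofpoint code. It assumes the plain-text
layout seen above: a "N new OPEN, M new PRO (a + b)" line, section headers
ending in ":", and bullets of the form "• SID - CATEGORY message (file.rules)".
"""
import re

# "Added rules:" only wraps "Open:" and "Pro:", so it is not a section itself.
SECTION_RE = re.compile(
    r"^(Open|Pro|Modified inactive rules|Disabled and modified rules|Removed rules):$"
)
# The optional OPEN / PRO-only words also accept an annotated summary line.
SUMMARY_RE = re.compile(
    r"^(\d+) new OPEN, (\d+) new PRO \((\d+)(?: OPEN)? \+ (\d+)(?: PRO-only)?\)$"
)
# Messages may contain " - " or parentheses, so the lazy group stops only at
# the trailing "(something.rules)".
RULE_RE = re.compile(r"^\s*•\s*(\d{7}) - (ET(?:PRO)? \S+) (.+?) \((\S+\.rules)\)\s*$")


def parse_summary(text):
    """Return {"summary": (open, pro, open_part, pro_part), "sections": {name: [rule]}}."""
    summary, sections, current = None, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if m := SUMMARY_RE.match(stripped):
            summary = tuple(int(x) for x in m.groups())
        elif m := SECTION_RE.match(stripped):
            current = m.group(1)
            sections.setdefault(current, [])
        elif (m := RULE_RE.match(line)) and current is not None:
            sid, category, msg, rfile = m.groups()
            sections[current].append(
                {"sid": int(sid), "category": category, "msg": msg, "file": rfile}
            )
    return {"summary": summary, "sections": sections}


def check_counts(parsed):
    """Discrepancies between the summary line and the lists; ETPRO ships Open too, so PRO == open + pro-only."""
    n_open = len(parsed["sections"].get("Open", []))
    n_pro = len(parsed["sections"].get("Pro", []))
    new_open, new_pro, open_part, pro_part = parsed["summary"]
    problems = []
    if new_open != n_open:
        problems.append(f"summary says {new_open} OPEN, list has {n_open}")
    if open_part != n_open:
        problems.append(f"PRO breakdown says {open_part} OPEN, list has {n_open}")
    if pro_part != n_pro:
        problems.append(f"PRO breakdown says {pro_part} PRO-only, list has {n_pro}")
    if new_pro != open_part + pro_part:
        problems.append(f"{new_pro} new PRO != {open_part} + {pro_part}")
    return problems


def moved_sids(parsed):
    """SIDs under both Added and Removed were re-homed (e.g. INFO -> HUNTING), not dropped.

    Returns {sid: (old_file, new_file)}; matters if you enable/disable by .rules file.
    """
    added = {r["sid"]: r for sec in ("Open", "Pro") for r in parsed["sections"].get(sec, [])}
    return {
        r["sid"]: (r["file"], added[r["sid"]]["file"])
        for r in parsed["sections"].get("Removed rules", [])
        if r["sid"] in added
    }


# Constructed sample: a trimmed excerpt of the summary above, with the
# summary line adjusted to match the shortened lists.
SAMPLE = """\
3 new OPEN, 5 new PRO (3 + 2)

Added rules:
Open:

  • 2020705 - ET HUNTING Generic - Mozilla 4.0 EXE Request (hunting.rules)
  • 2043026 - ET HUNTING Suspicious Empty Accept-Encoding Header (hunting.rules)
  • 2045301 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M10 (CVE-2022-47966) (exploit.rules)

Pro:

  • 2854289 - ETPRO ATTACK_RESPONSE Obfuscated .bat File Inbound (attack_response.rules)
  • 2854303 - ETPRO MALWARE njRAT Telegram Exfil (malware.rules)

Disabled and modified rules:

  • 2035404 - ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online) (malware.rules)

Removed rules:

  • 2020705 - ET INFO Generic - Mozilla 4.0 EXE Request (info.rules)
  • 2043026 - ET INFO Suspicious Empty Accept-Encoding Header (info.rules)
"""

if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print("count problems:", check_counts(parsed) or "none")
    for sid, (old, new) in moved_sids(parsed).items():
        print(f"{sid} moved {old} -> {new}")
```

Run it as a script to see the count check and the two re-homed SIDs; feed it the full summary text (or any later one in the same layout) in place of SAMPLE to check a real update, and look at the "Disabled and modified rules" section separately, since those SIDs change behaviour without showing up in the headline counts.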