Ruleset Update Summary - 2023/05/03 - v10315

Summary:

13 new OPEN, 20 new PRO (13 + 7)

Thanks @assetnote, @Jhaddix, @bscarvell, @infosec_au, @suyog41, @Cyber0verload
Added rules:

Open:

  • 2020475 - ET INFO Metasploit Framework Checking For Update (info.rules)
  • 2045304 - ET MALWARE Suspected CloudAtlas APT Related Activity (GET) (malware.rules)
  • 2045305 - ET INFO URL Shortening Domain in DNS Lookup (da .gd) (info.rules)
  • 2045306 - ET INFO Observed URL Shortening Domain (da .gd in TLS SNI) (info.rules)
  • 2045307 - ET EXPLOIT Possible Oracle Opera RCE Attempt (CVE-2023-21932) (exploit.rules)
  • 2045308 - ET MALWARE Donot Group Pult Downloader Activity (POST) M6 (malware.rules)
  • 2045309 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2045310 - ET MALWARE Win32/80mb3rm4n Grabber CnC Exfil via Discord (POST) (malware.rules)
  • 2045311 - ET MALWARE Win32/BlackSun.B Retrieving Payload (malware.rules)
  • 2045312 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ns0 .fdn .fr) (info.rules)
  • 2045313 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ns1 .fdn .fr) (info.rules)
  • 2045314 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (neworderspath .org) (exploit_kit.rules)
  • 2045315 - ET MALWARE SocGholish Domain in DNS Lookup (promo .kingdombusinessconnections .com) (malware.rules)

Pro:

  • 2854304 - ETPRO MALWARE Win32/Qbot CnC Activity (GET) (malware.rules)
  • 2854305 - ETPRO INFO External IP Address Lookup Domain in DNS Lookup (ipaddresslocation .org) (info.rules)
  • 2854306 - ETPRO INFO External IP Address Lookup Domain in TLS SNI (geolocation-db .com) (info.rules)
  • 2854307 - ETPRO INFO External IP Address Lookup Domain in DNS Lookup (geolocation-db .com) (info.rules)
  • 2854308 - ETPRO INFO External IP Address Lookup Domain in TLS SNI (ipaddresslocation .org) (info.rules)
  • 2854309 - ETPRO MALWARE Agent Tesla Discord Exfil (malware.rules)
  • 2854310 - ETPRO MALWARE Win32/Leonem Exfil (malware.rules)

Disabled and modified rules:

  • 2044190 - ET MALWARE DonotGroup Pult Downloader Activity M3 (malware.rules)
  • 2836511 - ETPRO MALWARE Win32/KeyLogger.Spia CnC Request (set) (malware.rules)
  • 2836513 - ETPRO MALWARE Win32/KeyLogger.Spia CnC Response (malware.rules)

Removed rules:

  • 2020475 - ET POLICY Metasploit Framework Checking For Update (policy.rules)