Ruleset Update Summary - 2023/05/08 - v10318

Ruleset Updates
1

Summary:

15 new OPEN, 18 new PRO (15 + 3)

Thanks @StopMalvertisin, @suyog41, @SquiblydooBlog, @Gi7w0rm

There will not be a release this Friday (5/12) due to a Proofpoint holiday.

Added rules:

Open:

  • 2010066 - ET HUNTING Data POST to an image file (gif) (hunting.rules)
  • 2010067 - ET HUNTING Data POST to an image file (jpg) (hunting.rules)
  • 2010068 - ET HUNTING Data POST to an image file (jpeg) (hunting.rules)
  • 2010069 - ET HUNTING Data POST to an image file (bmp) (hunting.rules)
  • 2010070 - ET HUNTING Data POST to an image file (png) (hunting.rules)
  • 2045613 - ET MALWARE Win32/KLBanker Activity (GET) (malware.rules)
  • 2045614 - ET MALWARE MSIL/Spyware Activity via Telegram (Response) (malware.rules)
  • 2045615 - ET HUNTING Telegram API Request (GET) (hunting.rules)
  • 2045616 - ET MALWARE Win32/Xworm Exfil Via Telegram (POST) (malware.rules)
  • 2045617 - ET MALWARE Win32/Xworm Exfil Via Telegram CnC Response (malware.rules)
  • 2045618 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 (malware.rules)
  • 2045619 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 (malware.rules)
  • 2045620 - ET MALWARE Win32/DarkVision RAT CnC Checkin M2 (malware.rules)
  • 2045621 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (deeptrickday .org) (exploit_kit.rules)
  • 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom .tauetaepsilon .org) (malware.rules)

Pro:

  • 2807118 - ETPRO HUNTING SSL server Hello certificate Default Company Ltd CN=google.com (hunting.rules)
  • 2808482 - ETPRO MALWARE outgoing icmp_shell session detected (malware.rules)
  • 2854318 - ETPRO MALWARE Win32/RA-based.NLR Exfil (malware.rules)

Modified inactive rules:

  • 2003653 - ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) (policy.rules)
  • 2008575 - ET POLICY ASProtect/ASPack Packed Binary (policy.rules)
  • 2012523 - ET POLICY Executable Download From Russian Content-Language Website (policy.rules)
  • 2012524 - ET POLICY Executable Download From Chinese Content-Language Website (policy.rules)
  • 2801246 - ETPRO POLICY 51.la related free stats service on off port - often malware related (policy.rules)

Removed rules:

  • 2010066 - ET POLICY Data POST to an image file (gif) (policy.rules)
  • 2010067 - ET POLICY Data POST to an image file (jpg) (policy.rules)
  • 2010068 - ET POLICY Data POST to an image file (jpeg) (policy.rules)
  • 2010069 - ET POLICY Data POST to an image file (bmp) (policy.rules)
  • 2010070 - ET POLICY Data POST to an image file (png) (policy.rules)
  • 2807118 - ETPRO POLICY SSL server Hello certificate Default Company Ltd CN=google.com (policy.rules)
  • 2808482 - ETPRO POLICY outgoing icmp_shell session detected (policy.rules)