Summary:
15 new OPEN, 18 new PRO (15 + 3)
Thanks @StopMalvertisin, @suyog41, @SquiblydooBlog, @Gi7w0rm
There will not be a release this Friday (5/12) due to a Proofpoint holiday.
Added rules:
Open:
- 2010066 - ET HUNTING Data POST to an image file (gif) (hunting.rules)
- 2010067 - ET HUNTING Data POST to an image file (jpg) (hunting.rules)
- 2010068 - ET HUNTING Data POST to an image file (jpeg) (hunting.rules)
- 2010069 - ET HUNTING Data POST to an image file (bmp) (hunting.rules)
- 2010070 - ET HUNTING Data POST to an image file (png) (hunting.rules)
- 2045613 - ET MALWARE Win32/KLBanker Activity (GET) (malware.rules)
- 2045614 - ET MALWARE MSIL/Spyware Activity via Telegram (Response) (malware.rules)
- 2045615 - ET HUNTING Telegram API Request (GET) (hunting.rules)
- 2045616 - ET MALWARE Win32/Xworm Exfil Via Telegram (POST) (malware.rules)
- 2045617 - ET MALWARE Win32/Xworm Exfil Via Telegram CnC Response (malware.rules)
- 2045618 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 (malware.rules)
- 2045619 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 (malware.rules)
- 2045620 - ET MALWARE Win32/DarkVision RAT CnC Checkin M2 (malware.rules)
- 2045621 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (deeptrickday .org) (exploit_kit.rules)
- 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom .tauetaepsilon .org) (malware.rules)
Pro:
- 2807118 - ETPRO HUNTING SSL server Hello certificate Default Company Ltd CN=google.com (hunting.rules)
- 2808482 - ETPRO MALWARE outgoing icmp_shell session detected (malware.rules)
- 2854318 - ETPRO MALWARE Win32/RA-based.NLR Exfil (malware.rules)
Modified inactive rules:
- 2003653 - ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) (policy.rules)
- 2008575 - ET POLICY ASProtect/ASPack Packed Binary (policy.rules)
- 2012523 - ET POLICY Executable Download From Russian Content-Language Website (policy.rules)
- 2012524 - ET POLICY Executable Download From Chinese Content-Language Website (policy.rules)
- 2801246 - ETPRO POLICY 51.la related free stats service on off port - often malware related (policy.rules)
Removed rules:
- 2010066 - ET POLICY Data POST to an image file (gif) (policy.rules)
- 2010067 - ET POLICY Data POST to an image file (jpg) (policy.rules)
- 2010068 - ET POLICY Data POST to an image file (jpeg) (policy.rules)
- 2010069 - ET POLICY Data POST to an image file (bmp) (policy.rules)
- 2010070 - ET POLICY Data POST to an image file (png) (policy.rules)
- 2807118 - ETPRO POLICY SSL server Hello certificate Default Company Ltd CN=google.com (policy.rules)
- 2808482 - ETPRO POLICY outgoing icmp_shell session detected (policy.rules)