Ruleset Update Summary - 2023/05/11 - v10321

Summary:

48 new OPEN, 52 new PRO (48 + 4)

Thanks @DeepInstinctSec, @CISAgov

There will not be a release this Friday (5/12) due to a Proofpoint holiday.


Added rules:

Open:

  • 2045069 - ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc .com) (malware.rules)
  • 2045094 - ET MALWARE Observed DNSQuery to TA444 Domain (docsend .me) (malware.rules)
  • 2045097 - ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc .co .uk) (malware.rules)
  • 2045098 - ET MALWARE Observed DNSQuery to TA444 Domain (protectedviewer .co) (malware.rules)
  • 2045636 - ET EXPLOIT Possible Command Injection via User-Agent (PwnAgent) - CVE-2023-24749, CVE-2022-47208 (exploit.rules)
  • 2045637 - ET MALWARE MalDoc/TA427 Payload Request (GET) (malware.rules)
  • 2045638 - ET MALWARE FSB Snake CnC Activity Outbound via TCP (AA23-129A) M1 (malware.rules)
  • 2045639 - ET MALWARE FSB Snake CnC Activity Outbound via TCP (AA23-129A) M2 (malware.rules)
  • 2045640 - ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M1 (malware.rules)
  • 2045641 - ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M2 (malware.rules)
  • 2045642 - ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M3 (malware.rules)
  • 2045643 - ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M4 (malware.rules)
  • 2045644 - ET MALWARE DNS Query to TA444 Domain (parallaxdigital .online) (malware.rules)
  • 2045645 - ET MALWARE DNS Query to TA444 Domain (myfirmdocument .online) (malware.rules)
  • 2045646 - ET MALWARE DNS Query to TA444 Domain (morganstanleycorp .co .uk) (malware.rules)
  • 2045647 - ET MALWARE DNS Query to TA444 Domain (docs-send .online) (malware.rules)
  • 2045648 - ET MALWARE DNS Query to TA444 Domain (cyberwalletsecurity .online) (malware.rules)
  • 2045649 - ET MALWARE DNS Query to TA444 Domain (drop-box .cloud) (malware.rules)
  • 2045650 - ET MALWARE DNS Query to TA444 Domain (gunosis .global) (malware.rules)
  • 2045651 - ET MALWARE DNS Query to TA444 Domain (altair-vc .info) (malware.rules)
  • 2045652 - ET MALWARE DNS Query to TA444 Domain (cryptyk .webredirect .org) (malware.rules)
  • 2045653 - ET MALWARE DNS Query to TA444 Domain (acuitykp .co) (malware.rules)
  • 2045654 - ET MALWARE DNS Query to TA444 Domain (doc .linkpc .net) (malware.rules)
  • 2045655 - ET MALWARE DNS Query to TA444 Domain (docsend .business) (malware.rules)
  • 2045656 - ET MALWARE DNS Query to TA444 Domain (werfaultserver .com) (malware.rules)
  • 2045657 - ET MALWARE DNS Query to TA444 Domain (nextera .capital) (malware.rules)
  • 2045658 - ET MALWARE DNS Query to TA444 Domain (companydeck .cloud) (malware.rules)
  • 2045659 - ET MALWARE DNS Query to TA444 Domain (docs-send .cloud) (malware.rules)
  • 2045660 - ET MALWARE DNS Query to TA444 Domain (docs-send .com) (malware.rules)
  • 2045661 - ET MALWARE DNS Query to TA444 Domain (sabrpatners .com) (malware.rules)
  • 2045662 - ET MALWARE DNS Query to TA444 Domain (cryptyk .online) (malware.rules)
  • 2045663 - ET MALWARE DNS Query to TA444 Domain (forumpatners .com) (malware.rules)
  • 2045664 - ET MALWARE DNS Query to TA444 Domain (autoupdatecheck .work .gd) (malware.rules)
  • 2045665 - ET MALWARE DNS Query to TA444 Domain (docsend-host .cloud) (malware.rules)
  • 2045666 - ET MALWARE DNS Query to TA444 Domain (hyperchaincapital .online) (malware.rules)
  • 2045667 - ET MALWARE DNS Query to TA444 Domain (j-ic .co .in) (malware.rules)
  • 2045668 - ET MALWARE DNS Query to TA444 Domain (docupload .site) (malware.rules)
  • 2045669 - ET MALWARE DNS Query to TA444 Domain (cryptyk .sytes .net) (malware.rules)
  • 2045670 - ET MALWARE DNS Query to TA444 Domain (companydeck .online) (malware.rules)
  • 2045671 - ET MALWARE DNS Query to TA444 Domain (cryptyk .cloud) (malware.rules)
  • 2045672 - ET MALWARE BPFDoor V2 TCP Magic Packet Inbound (malware.rules)
  • 2045673 - ET MALWARE BPFDoor V2 UDP Magic Packet Inbound (malware.rules)
  • 2045674 - ET MALWARE BPFDoor V2 SCTP Magic Packet Inbound (malware.rules)
  • 2045675 - ET MALWARE SocGholish Domain in DNS Lookup (product .sammyhallam .com) (malware.rules)
  • 2045676 - ET MALWARE SocGholish Domain in DNS Lookup (games .iglesiaelarca .org) (malware.rules)
  • 2045677 - ET MALWARE SocGholish Domain in DNS Lookup (support .newshoop .com) (malware.rules)
  • 2045678 - ET MALWARE SocGholish Domain in DNS Lookup (achievements .ritagamer .com) (malware.rules)
  • 2045679 - ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org) (malware.rules)

Pro:

  • 2854322 - ETPRO MALWARE Malicious SSL Certificate Detected Inbound (Mtoken) (malware.rules)
  • 2854323 - ETPRO MALWARE Win32/Mtoken CnC Activity (GET) (malware.rules)
  • 2854324 - ETPRO MALWARE Win32/Mtoken CnC Response M1 (malware.rules)
  • 2854325 - ETPRO MALWARE Win32/Mtoken CnC Response M2 (malware.rules)

Removed rules:

  • 2028767 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028769 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028771 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028786 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028787 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028788 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028789 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028790 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028791 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028794 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028799 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028803 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028806 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028807 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028810 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028812 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028815 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)
  • 2028816 - ET JA3 Hash - [Abuse.ch] Possible Tofsee (ja3.rules)