Ruleset Update Summary - 2023/05/18 - v10326

Ruleset Updates
1

Summary:

17 new OPEN, 32 new PRO (17 + 15)

Thanks @AhnLab_SecuInfo

Added rules:

Open:

  • 2045755 - ET INFO ChatGPT-User Traffic Detected Inbound M1 (info.rules)
  • 2045756 - ET INFO ChatGPT-User Traffic Detected Inbound M2 (info.rules)
  • 2045757 - ET INFO Keepnetlabs Domain in DNS Lookup (keepnetlabs .com) (info.rules)
  • 2045758 - ET INFO Observed DNS Query to .foo TLD (info.rules)
  • 2045759 - ET INFO Observed DNS Query to .zip TLD (info.rules)
  • 2045760 - ET INFO Observed DNS Query to .dad TLD (info.rules)
  • 2045761 - ET INFO Observed DNS Query to .prof TLD (info.rules)
  • 2045762 - ET INFO Observed DNS Query to .move TLD (info.rules)
  • 2045763 - ET INFO Observed DNS Query to .nexus TLD (info.rules)
  • 2045764 - ET INFO Observed DNS Query to .phd TLD (info.rules)
  • 2045765 - ET INFO Observed DNS Query to .esq TLD (info.rules)
  • 2045766 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M1 (malware.rules)
  • 2045767 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M2 (malware.rules)
  • 2045768 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M3 (malware.rules)
  • 2045769 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M4 (malware.rules)
  • 2045770 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M5 (malware.rules)
  • 2045771 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .accounting .bridgemastersllc .com) (malware.rules)

Pro:

  • 2854358 - ETPRO USER_AGENTS Suspicious User-Agent in HTTP Request (Download) (user_agents.rules)
  • 2854359 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-29324) (exploit.rules)
  • 2854360 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-29324) (exploit.rules)
  • 2854361 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-29324) (exploit.rules)
  • 2854362 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-29324) (exploit.rules)
  • 2854363 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-29324) (exploit.rules)
  • 2854364 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-29324) (exploit.rules)
  • 2854365 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-29324) (exploit.rules)
  • 2854366 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-29324) (exploit.rules)
  • 2854367 - ETPRO MALWARE Win32/TrojanDownloader.Agent Variant CnC Activity (GET) M1 (malware.rules)
  • 2854368 - ETPRO MALWARE Win32/TrojanDownloader.Agent Variant CnC Activity (GET) M2 (malware.rules)
  • 2854369 - ETPRO MALWARE Win32/TrojanDownloader.Agent Variant CnC Activity Outbound (malware.rules)
  • 2854370 - ETPRO MALWARE Win32/TrojanDownloader.Agent Variant CnC Activity Inbound (malware.rules)
  • 2854371 - ETPRO USER_AGENTS Suspicious User-Agent in HTTP Request (GameInfo) (user_agents.rules)
  • 2854372 - ETPRO MALWARE O97M/Sonbokli.A!cl Checkin (malware.rules)

Disabled and modified rules:

  • 2035612 - ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox) (web_server.rules)

Removed rules:

  • 2843773 - ETPRO USER_AGENTS Observed Suspicious UA (Download) (user_agents.rules)