Ruleset Update Summary - 2023/05/24 - v10331

Summary:

21 new OPEN, 36 new PRO (21 + 15)

Thanks @TheDFIRReport

There will not be a signature release on Monday, May 29, 2023, due to a US holiday.


Added rules:

Open:

  • 2020202 - ET HUNTING Terse Named Filename EXE Download - Possibly Hostile (hunting.rules)
  • 2039190 - ET INFO 404/Snake/Matiex Keylogger Style External IP Check (info.rules)
  • 2045845 - ET INFO DYNAMIC_DNS Query to a *.ilovetkd .com Domain (info.rules)
  • 2045846 - ET INFO DYNAMIC_DNS HTTP Request to a *.ilovetkd .com Domain (info.rules)
  • 2045847 - ET INFO DYNAMIC_DNS Query to a *.cky .cl Domain (info.rules)
  • 2045848 - ET INFO DYNAMIC_DNS HTTP Request to a *.cky .cl Domain (info.rules)
  • 2045849 - ET MALWARE DNS Query to Cobalt Strike Domain (iconnectgs .com) (malware.rules)
  • 2045850 - ET MALWARE DNS Query to Cobalt Strike Domain (aicsoftware .com) (malware.rules)
  • 2045851 - ET MALWARE DNS Query to IcedID Domain (kicknocisd .com) (malware.rules)
  • 2045852 - ET MALWARE DNS Query to IcedID Domain (guaracheza .pics) (malware.rules)
  • 2045853 - ET MALWARE DNS Query to IcedID Domain (curabiebarristie .com) (malware.rules)
  • 2045854 - ET MALWARE DNS Query to IcedID Domain (simipimi .com) (malware.rules)
  • 2045855 - ET MALWARE DNS Query to IcedID Domain (belliecow .wiki) (malware.rules)
  • 2045856 - ET MALWARE DNS Query to IcedID Domain (stayersa .art) (malware.rules)
  • 2045857 - ET MALWARE Cobalt Strike CnC Beacon (POST) (malware.rules)
  • 2045858 - ET INFO Free Website Builder Domain (webwave .dev) in DNS Lookup (info.rules)
  • 2045859 - ET HUNTING Possible Successful Generic Phish to webwave .dev Domain 2023-05-24 (hunting.rules)
  • 2045860 - ET HUNTING Rejetto HTTP File Sever Response (hunting.rules)
  • 2045861 - ET MALWARE SocGholish Domain in DNS Lookup (initiatives .ayitiexpo .com) (malware.rules)
  • 2045862 - ET MALWARE SocGholish Domain in DNS Lookup (reporting .theamericasfashionfest .com) (malware.rules)
  • 2045863 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .offer .rpacxtaxappeal .com) (malware.rules)

Pro:

  • 2854390 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854391 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854392 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854393 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854394 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854395 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854396 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854397 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854398 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854399 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854400 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854401 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854403 - ETPRO MALWARE Observed Sharp Panda APT Related Activity (malware.rules)
  • 2854404 - ETPRO MALWARE Sharp Panda APT Related Template Retrieval Request (malware.rules)

Removed rules:

  • 2020202 - ET POLICY Terse Named Filename EXE Download - Possibly Hostile (policy.rules)
  • 2039190 - ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check (malware.rules)