Ruleset Update Summary - 2023/05/25 - v10332

Summary:

10 new OPEN, 24 new PRO (10 + 14)

Thanks @Jane_0sint, @anyrun_app

There will not be a signature release Monday, May 29, 2023 due to a US holiday.

Added rules:

Open:

  • 2016810 - ET INFO Tor2Web .onion Proxy Service SSL Cert (2) (info.rules)
  • 2022815 - ET INFO Possible SQLi Attempt in User Agent (Outbound) (info.rules)
  • 2027201 - ET INFO Explorer Shell CLSID COM Object Call Method Inbound via TCP (info.rules)
  • 2045864 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ric .openbld .net) (info.rules)
  • 2045865 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ada .openbld .net) (info.rules)
  • 2045866 - ET MALWARE Bandit Stealer Data Exfiltration Attempt (malware.rules)
  • 2045867 - ET MALWARE Bandit Stealer Reporting Attempt (malware.rules)
  • 2045868 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) (malware.rules)
  • 2045869 - ET MALWARE WhiteSnake Stealer Telegram Checkin (malware.rules)
  • 2045870 - ET MALWARE SocGholish Domain in DNS Lookup (strategy .transversalgroup .co) (malware.rules)

Pro:

  • 2804589 - ETPRO INFO HTTP POST on port 53 DNS (info.rules)
  • 2806057 - ETPRO INFO File Sharing Service SSL Certificate detected (info.rules)
  • 2806289 - ETPRO INFO RemoteAdmin Win32.Ammyy.z Checkin (info.rules)
  • 2806798 - ETPRO INFO XenArmor Password Recovery License Check/securityxploded retrieval UA (info.rules)
  • 2807167 - ETPRO INFO Baidu Spider Crawler User-Agent Outbound (info.rules)
  • 2809749 - ETPRO INFO WebDAV request for SysVol Outbound (info.rules)
  • 2810515 - ETPRO INFO Elsinore ScreenConnect URI Struct (info.rules)
  • 2814182 - ETPRO ADWARE_PUP Slimware Driver Updater Checkin (adware_pup.rules)
  • 2816508 - ETPRO INFO Incog-Neato .onion Proxy Domain (info.rules)
  • 2822023 - ETPRO INFO IP Check ip.tool.la (info.rules)
  • 2832260 - ETPRO COINMINER Hashvault Monero Miner Pool Configuration File Downloaded (coinminer.rules)
  • 2854405 - ETPRO MALWARE Suspected Kimsuky APT Related Activity (GET) (malware.rules)
  • 2854406 - ETPRO MALWARE PureCrypter Loader Activity (malware.rules)
  • 2854407 - ETPRO MALWARE PureCrypter Loader Activity (malware.rules)

Modified inactive rules:

  • 2011541 - ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN) (policy.rules)

Disabled and modified rules:

  • 2044242 - ET MALWARE SocGholish Domain in DNS Lookup (blockchain .shannongougenheim .com) (malware.rules)
  • 2044554 - ET MALWARE SocGholish NetSupport CnC Domain in DNS Lookup (itugbjhb .xyz) (malware.rules)
  • 2045176 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (greenpapers .org) (exploit_kit.rules)
  • 2045199 - ET MALWARE TA453 Domain in DNS Lookup (update-windows-security .tk) (malware.rules)
  • 2045200 - ET MALWARE TA453 Domain in DNS Lookup (sync-system-time .cf) (malware.rules)
  • 2045201 - ET MALWARE TA453 Domain in DNS Lookup (oracle-java .cf) (malware.rules)
  • 2045202 - ET MALWARE TA453 Domain in DNS Lookup (dns-iprecords .tk) (malware.rules)
  • 2045286 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .score .symposiumhaiti .com) (malware.rules)
  • 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom .tauetaepsilon .org) (malware.rules)

Removed rules:

  • 2014471 - ET POLICY DRIVEBY Generic - EXE Download by Java (policy.rules)
  • 2016810 - ET POLICY Tor2Web .onion Proxy Service SSL Cert (2) (policy.rules)
  • 2022815 - ET POLICY Possible SQLi Attempt in User Agent (Outbound) (policy.rules)
  • 2027201 - ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP (policy.rules)
  • 2804589 - ETPRO POLICY HTTP POST on port 53 DNS (policy.rules)
  • 2806057 - ETPRO POLICY 4shared SSL Certificate detected (policy.rules)
  • 2806289 - ETPRO POLICY RemoteAdmin Win32.Ammyy.z Checkin (policy.rules)
  • 2806798 - ETPRO POLICY XenArmor Password Recovery License Check/securityxploded retrieval UA (policy.rules)
  • 2807167 - ETPRO POLICY Baidu Spider Crawler User-Agent (baiduspider) (policy.rules)
  • 2809749 - ETPRO POLICY WebDAV request for SysVol Outbound (policy.rules)
  • 2810515 - ETPRO POLICY Elsinore ScreenConnect URI Struct (policy.rules)
  • 2814182 - ETPRO POLICY Slimware Driver Updater Checkin (policy.rules)
  • 2816508 - ETPRO POLICY Incog-Neato .onion Proxy Domain (policy.rules)
  • 2822023 - ETPRO POLICY IP Check ip.tool.la (policy.rules)
  • 2832260 - ETPRO POLICY Hashvault Monero Miner Pool Configuration File Downloaded (policy.rules)