Ruleset Update Summary - 2023/05/26 - v10333

Summary:

8 new OPEN, 10 new PRO (8 + 2)

There will not be a signature release on Monday, May 29, 2023, due to a US holiday.
Added rules:

Open:

  • 2045871 - ET HUNTING V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2045872 - ET MALWARE Gamaredon APT Related Activity (malware.rules)
  • 2045873 - ET MALWARE pswshopro_bot Stealer CnC Checkin (malware.rules)
  • 2045874 - ET MALWARE pswshopro_bot Stealer data exfiltration attempt (malware.rules)
  • 2045875 - ET MALWARE SocGholish Domain in DNS Lookup (enterprise .alliantlaw .us) (malware.rules)
  • 2045876 - ET MALWARE SocGholish Domain in DNS Lookup (sapphire .abogados .services) (malware.rules)
  • 2045877 - ET MALWARE SocGholish Domain in DNS Lookup (exclusive .transversalbranding .com) (malware.rules)
  • 2045878 - ET MALWARE SocGholish Domain in DNS Lookup (archives .finanpress .com) (malware.rules)

Pro:

  • 2854442 - ETPRO MALWARE Kimsuky APT Related Activity (malware.rules)
  • 2854443 - ETPRO MALWARE Kimsuky APT Related Activity (malware.rules)

Modified inactive rules:

  • 2023271 - ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641) (exploit_kit.rules)
  • 2023272 - ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642) (exploit_kit.rules)
  • 2043304 - ET INFO Suspicious Large HTTP Header Key Observed - Possible Exploit Activity (info.rules)
  • 2847670 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.content_len (hunting.rules)
  • 2847671 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.user_agent (hunting.rules)
  • 2847672 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.accept (hunting.rules)
  • 2847694 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.accept_lang (hunting.rules)
  • 2847695 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.accept_enc (hunting.rules)
  • 2849665 - ETPRO HUNTING Observed Suspicious URI Structure with Common Escape Character - Possible Exploit (hunting.rules)
  • 2849666 - ETPRO HUNTING Observed Suspicious Raw URI Structure with Common Escape Character - Possible Exploit (hunting.rules)
  • 2850488 - ETPRO HUNTING V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2850490 - ETPRO HUNTING V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M3 (hunting.rules)
  • 2850491 - ETPRO HUNTING Chakra JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2850492 - ETPRO HUNTING Chakra JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2853642 - ETPRO HUNTING Large RTF Font Table Observed - Possible Exploit Activity (CVE-2023-21716) (hunting.rules)
  • 2853735 - ETPRO EXPLOIT Inbound Fragmented ICMP Flood - Possible Exploit Activity (CVE-2023-23415) (exploit.rules)

Disabled and modified rules:

  • 2034833 - ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2038647 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .cc) (info.rules)
  • 2038648 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .com) (info.rules)
  • 2038649 - ET INFO Observed URL Shortening Service Domain (vk .cc in TLS SNI) (info.rules)
  • 2038650 - ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI) (info.rules)
  • 2045206 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (waterlinesheet .org) (exploit_kit.rules)

Removed rules:

  • 2850489 - ETPRO HUNTING V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)