Summary:
9 new OPEN, 10 new PRO (9 + 1)
Thanks @jay_townsend1, @Jane_0sint
Added rules:
Open:
- 2045881 - ET WEB_SPECIFIC_APPS Wordpress - posts-layout (post-layout Doppelganger) Plugin Activation (web_specific_apps.rules)
- 2045973 - ET WEB_CLIENT Suspected Credit Card Stealer Related Domain Domain in DNS Lookup (byvlsa .com) (web_client.rules)
- 2045974 - ET MALWARE [ANY.RUN] LgoogLoader Retrieving Config File (malware.rules)
- 2045975 - ET INFO DYNAMIC_DNS HTTP Request to a *.zip Domain (info.rules)
- 2045976 - ET INFO DYNAMIC_DNS HTTP Request to a *.mov Domain (info.rules)
- 2045977 - ET MALWARE BellaCiao ASPX Backdoor Response (malware.rules)
- 2045978 - ET MALWARE SocGholish Domain in DNS Lookup (background .bodyguardchicago .com) (malware.rules)
- 2045979 - ET MALWARE SocGholish Domain in DNS Lookup (hardware .deltavis .com) (malware.rules)
- 2045980 - ET MALWARE SocGholish Domain in DNS Lookup (masterclass .teamupnetwork .org) (malware.rules)
Pro:
- 2854455 - ETPRO HUNTING External Script Tag Placed Before Opening HTML Tags (hunting.rules)
Disabled and modified rules:
- 2041454 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (cdn-jsnode-call .com) (malware.rules)
- 2041653 - ET MALWARE Win32/DuckLogs Malware Related Domain in DNS Lookup (ducklogs .com) (malware.rules)
- 2041655 - ET MALWARE Observed Win32/DuckLogs Malware Domain (ducklogs .com in TLS SNI) (malware.rules)
- 2044150 - ET INFO Observed URL Shortening Service Domain (surl .li in TLS SNI) (info.rules)
- 2044151 - ET INFO URL Shortening Service Domain in DNS Lookup (surl .li) (info.rules)
- 2044198 - ET MALWARE Donot Group Related Domain in DNS Lookup (mayosasa .buzz) (malware.rules)
- 2044199 - ET MALWARE Observed Donot Group Relaed Domain (mayosasa .buzz in TLS SNI) (malware.rules)
- 2045234 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (pic .onesolution .buzz) (malware.rules)
Removed rules:
- 2045881 - ET MALWARE Wordpress - posts-layout (post-layout Doppelganger) Plugin Activation (malware.rules)