Ruleset Update Summary - 2023/06/05 - v10340

Summary:

32 new OPEN, 33 new PRO (32 + 1)

Thanks @Cyber0verload, @nextronsystems, @eclecticiq, @kk_onstantin, @DCSO_CyTec


Added rules:

Open:

  • 2046071 - ET INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (info.rules)
  • 2046072 - ET INFO DYNAMIC_DNS Query to a *.centrodiagnosticogenetico .com Domain (info.rules)
  • 2046073 - ET INFO DYNAMIC_DNS HTTP Request to a *.centrodiagnosticogenetico .com Domain (info.rules)
  • 2046074 - ET INFO DYNAMIC_DNS Query to a *.qvd .com .br Domain (info.rules)
  • 2046075 - ET INFO DYNAMIC_DNS HTTP Request to a *.qvd .com .br Domain (info.rules)
  • 2046076 - ET MALWARE Win32/DarkPink KamiKakaBot CnC Exfil (POST) (malware.rules)
  • 2046077 - ET MALWARE [DCSO] Andariel Exfil Activity (malware.rules)
  • 2046078 - ET MALWARE [DCSO] Possible Andariel Exfil Activity (malware.rules)
  • 2046079 - ET MALWARE [DCSO] Andariel CnC Activity, Check String (malware.rules)
  • 2046080 - ET MALWARE Gamaredon Domain in DNS Lookup (havxcq .ru) (malware.rules)
  • 2046081 - ET MALWARE Gamaredon Domain in DNS Lookup (ozaharso .ru) (malware.rules)
  • 2046082 - ET MALWARE Gamaredon Domain in DNS Lookup (okparaso .ru) (malware.rules)
  • 2046083 - ET MALWARE Gamaredon Domain in DNS Lookup (omariso .ru) (malware.rules)
  • 2046084 - ET MALWARE Gamaredon Domain in DNS Lookup (ozirisso .ru) (malware.rules)
  • 2046085 - ET MALWARE Gamaredon Domain in DNS Lookup (remmaoso .ru) (malware.rules)
  • 2046086 - ET MALWARE Gamaredon Domain in DNS Lookup (oddzhiso .ru) (malware.rules)
  • 2046087 - ET MALWARE Gamaredon Domain in DNS Lookup (itoram .ru) (malware.rules)
  • 2046088 - ET MALWARE Gamaredon Domain in DNS Lookup (rvawc .ru) (malware.rules)
  • 2046089 - ET MALWARE Gamaredon Domain in DNS Lookup (gajasx .ru) (malware.rules)
  • 2046090 - ET MALWARE Gamaredon Domain in DNS Lookup (xopekar .ru) (malware.rules)
  • 2046091 - ET MALWARE Gamaredon Domain in DNS Lookup (nalfas .ru) (malware.rules)
  • 2046092 - ET MALWARE Gamaredon Domain in DNS Lookup (blootundicht .ru) (malware.rules)
  • 2046093 - ET MALWARE Gamaredon Domain in DNS Lookup (tulocal .ru) (malware.rules)
  • 2046094 - ET MALWARE Gamaredon Domain in DNS Lookup (boptizol .ru) (malware.rules)
  • 2046095 - ET MALWARE Gamaredon Domain in DNS Lookup (yorisant .ru) (malware.rules)
  • 2046096 - ET MALWARE Gamaredon Domain in DNS Lookup (viratuk .ru) (malware.rules)
  • 2046097 - ET MALWARE Gamaredon Domain in DNS Lookup (reposant .ru) (malware.rules)
  • 2046098 - ET MALWARE SocGholish Domain in DNS Lookup (stockroom .baybeboutiquellc .com) (malware.rules)
  • 2046099 - ET MALWARE SocGholish Domain in DNS Lookup (collaboration .porchlightcs .org) (malware.rules)
  • 2046100 - ET MALWARE SocGholish Domain in DNS Lookup (prepare .dawarel3mda .com) (malware.rules)
  • 2046101 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .smartmetereducationnetwork .com) (malware.rules)
  • 2046102 - ET MALWARE SocGholish Domain in DNS Lookup (reception .q-dent .com) (malware.rules)

Pro:

  • 2854489 - ETPRO INFO MS Teams URL Shortening Service Domain in DNS Lookup (info.rules)

Modified inactive rules:

  • 2013353 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.* (web_client.rules)
  • 2013354 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.* (web_client.rules)
  • 2013355 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.* (web_client.rules)
  • 2013357 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.* (web_client.rules)
  • 2013358 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.* (web_client.rules)
  • 2013359 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* (web_client.rules)
  • 2013360 - ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.* (web_client.rules)
  • 2825300 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IC File Download (mobile_malware.rules)

Removed rules:

  • 2838110 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (info.rules)
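A post-update check, added here as an example and not part of the ET summary or the ET tooling: after pulling v10340, confirm that every new SID is present and enabled in the deployed rules file, that the removed Pro SID 2838110 (whose message matches the new open rule 2046071, so keeping both would double-alert on the same SNI) is actually gone, and that the modified inactive rules are still disabled. The SID sets below are taken from the summary above; the sample rules file is constructed for the demo, and its rule bodies are placeholders (no real ET content matches), only the SIDs and msg strings reflect the list.

```python
"""Audit a Suricata/Snort rules file against the 2023/06/05 v10340 update summary.

Added example; SID lists come from the summary, rule bodies are placeholders.
"""
import re

# SIDs taken from the update summary above.
ADDED_OPEN = set(range(2046071, 2046103))          # 2046071..2046102 (32 rules)
ADDED_PRO = {2854489}                              # 1 Pro rule
REMOVED = {2838110}                                # replaced by open 2046071
MODIFIED_INACTIVE = {2013353, 2013354, 2013355, 2013357,
                     2013358, 2013359, 2013360, 2825300}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|reject|pass)\b")

# Constructed sample rules file (placeholder bodies, not real ET rule content).
SAMPLE_RULES = """\
# constructed sample for the audit demo; bodies are placeholders
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI)"; classtype:misc-activity; sid:2046071; rev:1;)
#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon Domain in DNS Lookup (havxcq .ru)"; classtype:domain-c2; sid:2046080; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE SocGholish Domain in DNS Lookup (collaboration .porchlightcs .org)"; classtype:domain-c2; sid:2046099; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI)"; classtype:misc-activity; sid:2838110; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.*"; classtype:trojan-activity; sid:2013353; rev:3;)
"""


def parse_rules(text):
    """Return {sid: enabled}. A rule line starting with '#' is a disabled rule;
    a '#' line that does not start with a rule action is an ordinary comment."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not ACTION_RE.match(body):
            continue
        m = SID_RE.search(body)
        if m:
            state[int(m.group(1))] = enabled
    return state


def audit(state, added, removed, inactive=frozenset()):
    """Compare parsed rule state with the update's SID sets.

    missing:  new SIDs absent from the file (update not applied / wrong feed)
    disabled: new SIDs present but commented out (a local disable is masking them)
    stale:    removed SIDs still present (duplicate coverage, e.g. 2838110 vs 2046071)
    inactive_enabled: rules the update ships disabled that are enabled locally
    """
    return {
        "missing": sorted(s for s in added if s not in state),
        "disabled": sorted(s for s in added if state.get(s) is False),
        "stale": sorted(s for s in removed if s in state),
        "inactive_enabled": sorted(s for s in inactive if state.get(s) is True),
    }


def audit_file(path, added=ADDED_OPEN, removed=REMOVED, inactive=MODIFIED_INACTIVE):
    """Convenience wrapper for a real rules file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_rules(fh.read()), added, removed, inactive)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name, result in (("open", audit(parsed, ADDED_OPEN, REMOVED, MODIFIED_INACTIVE)),
                         ("pro", audit(parsed, ADDED_PRO, set()))):
        print(name, {k: v for k, v in result.items() if v})
```

Run `audit_file("/var/lib/suricata/rules/suricata.rules")` (path is an assumption; use your own) after the update; a non-empty `stale` list means the old Pro DoH rule was not pruned, and a non-empty `disabled` list usually points at a `disable.conf` pattern (such as a blanket `ET INFO` or `DYNAMIC_DNS` disable) catching the new SIDs.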