Summary:
14 new OPEN, 39 new PRO (14 + 25)
Thanks @Gi7w0rm, @Jane_0sint
Added rules:
Open:
- 2046149 - ET EXPLOIT Possible [401TRG] GhostCat LFI Successful Exploit (CVE-2020-1938) (exploit.rules)
- 2046175 - ET MALWARE IIS-Raid Module Backdoor - Successful PING in HTTP Response (PONG) (malware.rules)
- 2046176 - ET MALWARE IIS-Raid Module Backdoor - INJ Command in HTTP Request (malware.rules)
- 2046177 - ET MALWARE IIS-Raid Module Backdoor - Successful INJ Command in HTTP Response (malware.rules)
- 2046178 - ET INFO DYNAMIC_DNS Query to a *.revitcity .com Domain (info.rules)
- 2046179 - ET INFO DYNAMIC_DNS HTTP Request to a *.revitcity .com Domain (info.rules)
- 2046180 - ET INFO DYNAMIC_DNS Query to a *.kyleconstance .com Domain (info.rules)
- 2046181 - ET INFO DYNAMIC_DNS HTTP Request to a *.kyleconstance .com Domain (info.rules)
- 2046182 - ET INFO DYNAMIC_DNS Query to a *.kst .ru Domain (info.rules)
- 2046183 - ET INFO DYNAMIC_DNS HTTP Request to a *.kst .ru Domain (info.rules)
- 2046184 - ET MALWARE Win32/0xtaRAT CnC Activity M3 (GET) (malware.rules)
- 2046185 - ET MALWARE Win32/0xtaRAT CnC Activity M4 (GET) (malware.rules)
- 2046186 - ET MALWARE Win32/0xtaRAT CnC Activity M5 (POST) (malware.rules)
- 2046187 - ET MALWARE [ANY.RUN] Win32/DynamicRAT CnC Activity (malware.rules)
Pro:
- 2854508 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CRL CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854509 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CRL Domain in TLS SNI (mobile_malware.rules)
- 2854510 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CLW CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854511 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CLW Domain in TLS SNI (mobile_malware.rules)
- 2854512 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.l CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854513 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Realrat.l Domain in TLS SNI (mobile_malware.rules)
- 2854514 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.l CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854515 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Realrat.l Domain in TLS SNI (mobile_malware.rules)
- 2854516 - ETPRO MOBILE_MALWARE Android/Agent.ELP CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854517 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.awwv Checkin (mobile_malware.rules)
- 2854518 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.awwv CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854519 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.avcd CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854520 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.HNH CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854521 - ETPRO MOBILE_MALWARE Observed Android/TrojanDropper.Agent.HNH Domain in TLS SNI (mobile_malware.rules)
- 2854522 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Kokbot.n CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854523 - ETPRO MOBILE_MALWARE Observed Trojan-Banker.AndroidOS.Kokbot.n Domain in TLS SNI (mobile_malware.rules)
- 2854524 - ETPRO MOBILE_MALWARE Observed Trojan-Banker.AndroidOS.Rewardsteal.ao Domain in TLS SNI (mobile_malware.rules)
- 2854525 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.a DNS Lookup (mobile_malware.rules)
- 2854526 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.a DNS Lookup (mobile_malware.rules)
- 2854527 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Realrat.a Domain in TLS SNI (mobile_malware.rules)
- 2854528 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Realrat.a Domain in TLS SNI (mobile_malware.rules)
- 2854529 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ty CnC Domain in DNS Lookup (mobile_malware.rules)
- 2854530 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.SmsThief.ty Domain in TLS SNI (mobile_malware.rules)
- 2854531 - ETPRO MALWARE ValleyRat Domain in DNS Lookup (malware.rules)
- 2854532 - ETPRO PHISHING Phishing Domain in DNS Lookup (2023-06-09) (phishing.rules)
Removed rules:
- 2046149 - ET HUNTING Default Tomcat JSP web.xml Observed - Possible CVE-2020-1938 Exploit Success (hunting.rules)