Ruleset Update Summary - 2023/06/12 - v10346

Ruleset Updates
1

Summary:

54 new OPEN, 132 new PRO (54 + 78)

Thanks @_cpresearch, @rapid7, @Horizon3ai, @Jane_0sint, @Cyber0verload

Added rules:

Open:

  • 2046188 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Varibles - Guest Account Creation - CVE-2023-34362 Stage 1a (web_specific_apps.rules)
  • 2046189 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Varibles - SQLi Payload Creation - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
  • 2046190 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
  • 2046191 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
  • 2046192 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Trigger SQL Injection via guestaccess.aspx - CVE-2023-34362 Stage 2 (web_specific_apps.rules)
  • 2046193 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - API Token Request - CVE-2023-34362 Stage 3 (web_specific_apps.rules)
  • 2046194 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful API Token Request - CVE-2023-34362 Stage 3 (web_specific_apps.rules)
  • 2046195 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Folder Request - CVE-2023-34362 Stage 4 (web_specific_apps.rules)
  • 2046196 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful Folder Request - CVE-2023-34362 Stage 4 (web_specific_apps.rules)
  • 2046197 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Varibles - SQLi Payload Creation - CVE-2023-34362 Stage 5a (web_specific_apps.rules)
  • 2046198 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Payload Trigger Request - CVE-2023-34362 Stage 5b (web_specific_apps.rules)
  • 2046199 - ET MALWARE Observed Maldoc Macro Request (GET) (malware.rules)
  • 2046200 - ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M1 (GET) (malware.rules)
  • 2046201 - ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M2 (GET) (malware.rules)
  • 2046202 - ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M3 (GET) (malware.rules)
  • 2046203 - ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M4 (GET) (malware.rules)
  • 2046204 - ET MALWARE Stealth Soldier Backdoor Related Activity M1 (POST) (malware.rules)
  • 2046205 - ET MALWARE Stealth Soldier Backdoor Related Domain in DNS Lookup (filestoragehub .live) (malware.rules)
  • 2046206 - ET INFO Level.io Agent Domain in DNS Lookup (agents .level .io) (info.rules)
  • 2046207 - ET INFO Level.io Check Connectivity Status in DNS Lookup (online .level .io) (info.rules)
  • 2046208 - ET INFO Level.io Agent Update Domain in DNS Lookup (builds .level .io) (info.rules)
  • 2046209 - ET INFO Level.io Download Agent Domain in DNS Lookup (downloads .level .io) (info.rules)
  • 2046210 - ET INFO Level.io Agent P2P Connection Domain in DNS Lookup (global .turn .twilio .com) (info.rules)
  • 2046211 - ET INFO Level.io Agent P2P Connection Domain in DNS Lookup (global .stun .twilio .com) (info.rules)
  • 2046212 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .blindtechs .com) (info.rules)
  • 2046213 - ET MALWARE Gamaredon Domain in DNS Lookup (gawsxc .ru) (malware.rules)
  • 2046214 - ET MALWARE Gamaredon Domain in DNS Lookup (perccottuspi .ru) (malware.rules)
  • 2046215 - ET MALWARE Gamaredon Domain in DNS Lookup (razuiso .ru) (malware.rules)
  • 2046216 - ET MALWARE Gamaredon Domain in DNS Lookup (dzhabrailho .ru) (malware.rules)
  • 2046217 - ET MALWARE Gamaredon Domain in DNS Lookup (tispai .ru) (malware.rules)
  • 2046218 - ET MALWARE Gamaredon Domain in DNS Lookup (reyyfadsf .ru) (malware.rules)
  • 2046219 - ET MALWARE Gamaredon Domain in DNS Lookup (dumerilipi .ru) (malware.rules)
  • 2046220 - ET MALWARE Gamaredon Domain in DNS Lookup (bladefishpi .ru) (malware.rules)
  • 2046221 - ET MALWARE Gamaredon Domain in DNS Lookup (spatulapi .ru) (malware.rules)
  • 2046222 - ET MALWARE Gamaredon Domain in DNS Lookup (gawcq .ru) (malware.rules)
  • 2046223 - ET MALWARE Gamaredon Domain in DNS Lookup (agonepi .ru) (malware.rules)
  • 2046224 - ET MALWARE Gamaredon Domain in DNS Lookup (albacorepi .ru) (malware.rules)
  • 2046225 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .hostingim .com) (info.rules)
  • 2046226 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .pumpkinvrar .com) (info.rules)
  • 2046227 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .joey01245 .nl) (info.rules)
  • 2046228 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .hinytz .com) (info.rules)
  • 2046229 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .freyja .pw) (info.rules)
  • 2046230 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .aganin .org) (info.rules)
  • 2046231 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .technochat .in) (info.rules)
  • 2046232 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .nocnik .org) (info.rules)
  • 2046233 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .nikolagjorgjijoski .com) (info.rules)
  • 2046234 - ET MALWARE Trojan.PSW.Autoit Data Exfiltration Attempt (malware.rules)
  • 2046235 - ET PHISHING Successful iCloud Credential Phish 2023-06-12 (phishing.rules)
  • 2046236 - ET MALWARE SocGholish Domain in DNS Lookup (specific .autonerdmobilerepairs .com) (malware.rules)
  • 2046237 - ET MALWARE SocGholish Domain in DNS Lookup (mentoring .yogayield .net) (malware.rules)
  • 2046238 - ET MALWARE SocGholish Domain in DNS Lookup (form .haysllc .net) (malware.rules)
  • 2046239 - ET MALWARE SocGholish Domain in DNS Lookup (forbes .firstmillionaires .com) (malware.rules)
  • 2046240 - ET MALWARE SocGholish Domain in DNS Lookup (names .expressyourselfesthetics .com) (malware.rules)
  • 2046241 - ET MALWARE SocGholish Domain in DNS Lookup (superposition .mathgeniusacademy .com) (malware.rules)

Pro:

  • 2854533 - ETPRO INFO Observed Abused CDN Domain in DNS Lookup (info.rules)
  • 2854534 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854535 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854536 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854537 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854538 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854539 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854540 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854541 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854542 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854543 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854544 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854545 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854546 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854547 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854548 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854549 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854550 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854551 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854552 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854553 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854554 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854555 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854556 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854557 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854558 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854559 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854560 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854561 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854562 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854563 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854564 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854565 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854566 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854567 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854568 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854569 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854570 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854571 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854572 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854573 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854574 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854575 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854576 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854577 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854578 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854579 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854580 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854581 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854582 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854583 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854584 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854585 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854586 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854587 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854588 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854589 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854590 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854591 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854592 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854593 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854594 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854595 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854596 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854597 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854598 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854599 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854600 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854601 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854602 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854603 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854604 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854605 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854606 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854607 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854608 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854609 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)
  • 2854610 - ETPRO PHISHING DNS Query to Call Center Scam Domain (2023-06-12) (phishing.rules)

Disabled and modified rules:

  • 2029619 - ET MOBILE_MALWARE Suspected SandCat Related CnC (mobile_malware.rules)
  • 2045680 - ET MALWARE TA444 Related Domain in DNS Lookup (cryptofundsresearch .com) (malware.rules)
  • 2045681 - ET MALWARE TA444 Related Domain in DNS Lookup (jobdescription .us .com) (malware.rules)
  • 2045682 - ET MALWARE TA444 Related Domain in DNS Lookup (cryptyk .info) (malware.rules)
  • 2045683 - ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .online) (malware.rules)
  • 2045684 - ET MALWARE TA444 Related Domain in DNS Lookup (bdcc .bio) (malware.rules)
  • 2045685 - ET MALWARE TA444 Related Domain in DNS Lookup (contractresearch .blog) (malware.rules)
  • 2045686 - ET MALWARE TA444 Related Domain in DNS Lookup (espcapital .co .in) (malware.rules)
  • 2045687 - ET MALWARE TA444 Related Domain in DNS Lookup (shared-document .cloud) (malware.rules)
  • 2045688 - ET MALWARE TA444 Related Domain in DNS Lookup (javarepo .net) (malware.rules)
  • 2045689 - ET MALWARE TA444 Related Domain in DNS Lookup (contract-research .blog) (malware.rules)
  • 2045690 - ET MALWARE TA444 Related Domain in DNS Lookup (gumi-cryptos .loan) (malware.rules)
  • 2045691 - ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .com) (malware.rules)
  • 2045692 - ET MALWARE TA444 Related Domain in DNS Lookup (smart-contracts .blog) (malware.rules)
  • 2045693 - ET MALWARE TA444 Related Domain in DNS Lookup (verifydocument .online) (malware.rules)