Ruleset Update Summary - 2023/06/13 - v10347

Summary:

21 new OPEN, 21 new PRO (21 + 0)

Thanks @welivesecurity, @SentinelOne, @LexfoSecurite


Added rules:

Open:

  • 2046242 - ET ATTACK_RESPONSE FightAgent WebShell Response Outbound (attack_response.rules)
  • 2046243 - ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M1 (malware.rules)
  • 2046244 - ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M2 (malware.rules)
  • 2046245 - ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M3 (malware.rules)
  • 2046246 - ET MALWARE Asylum Ambuscade Related CnC Activity (SendLog) (malware.rules)
  • 2046247 - ET MALWARE Asylum Ambuscade Related CnC Activity (install) (malware.rules)
  • 2046248 - ET MALWARE Successful Win32/TrojanDownloader.VB.RUI Exfil Activity M1 (malware.rules)
  • 2046249 - ET MALWARE Successful Win32/TrojanDownloader.VB.RUI Exfil Activity M2 (malware.rules)
  • 2046250 - ET MALWARE Win32/TrojanDownloader.VB.RUI Checkin (malware.rules)
  • 2046251 - ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/hostcheck_validate (CVE-2023-27997) (exploit.rules)
  • 2046252 - ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M1 (exploit.rules)
  • 2046253 - ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M2 (exploit.rules)
  • 2046254 - ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997) (exploit.rules)
  • 2046255 - ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/logincheck (CVE-2023-27997) (exploit.rules)
  • 2046256 - ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt (exploit.rules)
  • 2046257 - ET MALWARE Kimsuky ReconShark Payload Retrieval Request M1 (malware.rules)
  • 2046258 - ET MALWARE Kimsuky ReconShark Payload Retrieval Request M2 (malware.rules)
  • 2046259 - ET MALWARE Kimsuky Related APT Activity (malware.rules)
  • 2046260 - ET MALWARE Kimsuky HTA Payload Retrieval Attempt (malware.rules)
  • 2046261 - ET MALWARE SocGholish Domain in DNS Lookup (ibm .deltavis .net) (malware.rules)
  • 2046262 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (libertader .org) (exploit_kit.rules)