Ruleset Update Summary - 2023/06/26 - v10358

Summary:

29 new OPEN, 32 new PRO (29 + 3)

Thanks @anyrun_app, @AuCyble, @Cyber0verload


Added rules:

Open:

  • 2014030 - ET ADWARE_PUP Rebate Informer User-Agent (REBATEINF) (adware_pup.rules)
  • 2024789 - ET INFO DNS request for Monero mining pool (info.rules)
  • 2027285 - ET INFO Monero Mining Pool DNS Lookup (info.rules)
  • 2046641 - ET MALWARE DNS Query to SupremeBot Domain (shadowlegion .duckdns .org) (malware.rules)
  • 2046642 - ET MALWARE DNS Query to SupremeBot Domain (silentlegion .duckdns .org) (malware.rules)
  • 2046643 - ET MALWARE Win32/SupremeBot CnC Checkin (POST) M1 (malware.rules)
  • 2046644 - ET MALWARE Win32/SupremeBot CnC Checkin (POST) M2 (malware.rules)
  • 2046645 - ET MALWARE Gamaredon Domain in DNS Lookup (namibbo .ru) (malware.rules)
  • 2046646 - ET MALWARE Gamaredon Domain in DNS Lookup (kyzylkumbo .ru) (malware.rules)
  • 2046647 - ET MALWARE Gamaredon Domain in DNS Lookup (bukatam .ru) (malware.rules)
  • 2046648 - ET MALWARE Gamaredon Domain in DNS Lookup (negevbo .ru) (malware.rules)
  • 2046649 - ET MALWARE Gamaredon Domain in DNS Lookup (totalav .ru) (malware.rules)
  • 2046650 - ET MALWARE Gamaredon Domain in DNS Lookup (durakam .ru) (malware.rules)
  • 2046651 - ET MALWARE Gamaredon Domain in DNS Lookup (gutarax .ru) (malware.rules)
  • 2046652 - ET INFO Commonly Abused File Sharing Domain (put .io) in DNS Lookup (info.rules)
  • 2046653 - ET INFO Commonly Abused File Sharing Domain (wasabi .com) in DNS Lookup (info.rules)
  • 2046654 - ET INFO Abused File Sharing Domain (put .io) in TLS SNI (info.rules)
  • 2046655 - ET INFO Abused File Sharing Domain (wasabi .com) in TLS SNI (info.rules)
  • 2046656 - ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup (info.rules)
  • 2046657 - ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in TLS SNI (info.rules)
  • 2046658 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .mmmalia .com) (info.rules)
  • 2046659 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .tvk .rwth-aachen .de) (info.rules)
  • 2046660 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .cornes .me) (info.rules)
  • 2046661 - ET MALWARE [ANY.RUN] Gh0stBins Checkin (malware.rules)
  • 2046662 - ET MALWARE [ANY.RUN] Possible Gh0stRat Checkin (malware.rules)
  • 2046663 - ET MALWARE [ANY.RUN] Gh0stBins Kernel Download Request (malware.rules)
  • 2046664 - ET MALWARE [ANY.RUN] Gh0stBins RDP Remote Connection (malware.rules)
  • 2046665 - ET MALWARE SocGholish Domain in DNS Lookup (marathon .teachmemoney .net) (malware.rules)
  • 2046666 - ET MALWARE SocGholish Domain in DNS Lookup (therapy .rationallifestyleconsulting .org) (malware.rules)

Pro:

  • 2804642 - ETPRO INFO Remote Manipulator System (RMS) Init Connect (info.rules)
  • 2808335 - ETPRO INFO Remote Manipulator System (RMS) Checkin (info.rules)
  • 2811004 - ETPRO INFO Remote Manipulator System (RMS) Traffic (info.rules)

Removed rules:

  • 2014030 - ET POLICY Rebate Informer User-Agent (REBATEINF) (policy.rules)
  • 2024789 - ET POLICY DNS request for Monero mining pool (policy.rules)
  • 2027285 - ET POLICY Monero Mining Pool DNS Lookup (policy.rules)
  • 2804642 - ETPRO POLICY Remote Manipulator Init Connect (policy.rules)
  • 2808335 - ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities.C Checkin (policy.rules)
  • 2811004 - ETPRO MALWARE Remote Manipulator Traffic (malware.rules)
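Six of the SIDs above appear in both the "Added" and "Removed" lists (2014030, 2024789, 2027285, 2804642, 2808335, 2811004): these are category moves (POLICY to ADWARE_PUP or INFO, MALWARE to INFO), not new signatures, so a deployment that enables or disables rules by category rather than by SID will see them change state. The script below is an added example, not Emerging Threats or suricata-update tooling; it parses a changelog in this format, separates new SIDs from moved and dropped ones, and reports which moved SIDs flip state under a category-based disable list. It assumes the ET Open file layout used by suricata-update, where `group:emerging-policy.rules` in disable.conf silences everything in policy.rules, and the sample input is a constructed excerpt of the list above.

```python
"""Classify an ET ruleset changelog: genuinely new SIDs vs SIDs that only
moved between categories, and what a category-based disable list does to them.
Added example, not ET or suricata-update code."""
import re

# Constructed sample input: an excerpt of the changelog above, not the full list.
CHANGELOG = """\
Added rules:

Open:

  • 2014030 - ET ADWARE_PUP Rebate Informer User-Agent (REBATEINF) (adware_pup.rules)
  • 2024789 - ET INFO DNS request for Monero mining pool (info.rules)
  • 2046641 - ET MALWARE DNS Query to SupremeBot Domain (shadowlegion .duckdns .org) (malware.rules)

Pro:

  • 2804642 - ETPRO INFO Remote Manipulator System (RMS) Init Connect (info.rules)

Removed rules:

  • 2014030 - ET POLICY Rebate Informer User-Agent (REBATEINF) (policy.rules)
  • 2024789 - ET POLICY DNS request for Monero mining pool (policy.rules)
  • 2804642 - ETPRO POLICY Remote Manipulator Init Connect (policy.rules)
"""

# One bullet line: "<sid> - <msg> (<category>.rules)". The msg may itself contain
# parentheses (defanged domains), so the rule file is anchored to the end of the line.
ENTRY = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*)\s+\(([a-z_]+\.rules)\)\s*$")


def parse_changelog(text):
    """Return (added, removed): each maps sid -> (msg, rule file)."""
    added, removed, target = {}, {}, None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("added rules"):
            target = added
        elif head.startswith("removed rules"):
            target = removed
        m = ENTRY.match(line)
        if m and target is not None:
            sid, msg, rulefile = m.groups()
            target[int(sid)] = (msg, rulefile)
    return added, removed


def classify(added, removed):
    """Split the lists into new SIDs, moved SIDs (same sid in both lists, i.e. a
    category change rather than a new signature) and SIDs that really went away.
    moved maps sid -> (old rule file, new rule file)."""
    new = {sid: v for sid, v in added.items() if sid not in removed}
    moved = {sid: (removed[sid][1], f) for sid, (_, f) in added.items() if sid in removed}
    dropped = {sid: v for sid, v in removed.items() if sid not in added}
    return new, moved, dropped


def disable_conf_impact(moved, disabled_files):
    """Given the rule files silenced by category (e.g. {"policy.rules"}, as a
    disable.conf line "group:emerging-policy.rules" would do), report the moved
    SIDs whose effective state flips: sid -> "enabled" or "disabled"."""
    impact = {}
    for sid, (old_file, new_file) in moved.items():
        was_on = old_file not in disabled_files
        now_on = new_file not in disabled_files
        if was_on != now_on:
            impact[sid] = "enabled" if now_on else "disabled"
    return impact


if __name__ == "__main__":
    added, removed = parse_changelog(CHANGELOG)
    new, moved, dropped = classify(added, removed)
    print(f"new: {sorted(new)}  moved: {sorted(moved)}  dropped: {sorted(dropped)}")
    for sid, (old_file, new_file) in sorted(moved.items()):
        print(f"  {sid}: {old_file} -> {new_file}")
    # A sensor that silences the whole POLICY category starts alerting on the
    # moved SIDs after this update; one that silences INFO stops seeing two of them.
    print("policy disabled:", disable_conf_impact(moved, {"policy.rules"}))
    print("info disabled:  ", disable_conf_impact(moved, {"info.rules"}))
```

Run it against the full text of an update post to get the list of SIDs that need a per-SID entry (`2014030` rather than a group) in disable.conf or modify.conf if the previous category-level decision is meant to carry over.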