Ruleset Update Summary - 2023/07/06 - v10366

Ruleset Updates
1

Summary:

10 new OPEN, 18 new PRO (10 + 8)

Added rules:

Open:

  • 2011800 - ET HUNTING Abnormal User-Agent No space after colon - Likely Hostile (hunting.rules)
  • 2013190 - ET INFO Likely PCTools.com Installer User-Agent (Installer Ping) (info.rules)
  • 2013710 - ET GAMES FreeRide Games (games.rules)
  • 2046739 - ET ADWARE_PUP Win32/FeIQ Activity (GET) (adware_pup.rules)
  • 2046740 - ET INFO Cloud Storage API Related Domain in DNS Lookup (api .pcloud .com) (info.rules)
  • 2046741 - ET MALWARE Cinoshi Clipper Related Domain in DNS Lookup (tryno .ru) (malware.rules)
  • 2046742 - ET MALWARE SmugX Domain in DNS Lookup (newsmailnet .com) (malware.rules)
  • 2046743 - ET MALWARE SmugX Domain in DNS Lookup (jcswcd .com) (malware.rules)
  • 2046744 - ET WEB_SERVER ASPXSPY Webshell Login Attempt (web_server.rules)
  • 2046745 - ET MALWARE SocGholish Domain in DNS Lookup (launch .viewthesteps .com) (malware.rules)

Pro:

  • 2803167 - ETPRO INFO MOBILE Android Device User-Agent (info.rules)
  • 2803621 - ETPRO INFO Rapidshare Manager User-Agent (RapidUploader) (info.rules)
  • 2803804 - ETPRO INFO Games Site lava.cn User-Agent (DDVInstall) (info.rules)
  • 2806799 - ETPRO INFO SecurityXploded Version Check (info.rules)
  • 2854746 - ETPRO MALWARE MalDoc Retrieving Payload (2023-07-06) (malware.rules)
  • 2854747 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.HBX Payload Request (GET) (malware.rules)
  • 2854748 - ETPRO MALWARE Malicious Domain in DNS Lookup (malware.rules)
  • 2854759 - ETPRO MALWARE Agent Tesla DiscordApp Exfil (malware.rules)

Disabled and modified rules:

  • 2024706 - ET EXPLOIT Possible CVE-2017-8759 Soap File DL (exploit.rules)
  • 2032390 - ET PHISHING Successful Chase Phish 2016-06-15 (phishing.rules)
  • 2032391 - ET PHISHING Successful Apple Phish 2016-06-15 (phishing.rules)
  • 2032392 - ET PHISHING Successful USAA Phish 2016-06-15 (phishing.rules)
  • 2032393 - ET PHISHING Successful Paypal Phish 2016-06-15 (phishing.rules)
  • 2032485 - ET PHISHING Successful Docusign Phish M2 2016-08-17 (phishing.rules)
  • 2032633 - ET PHISHING Successful Western Union Phish 2016-09-27 (phishing.rules)
  • 2032679 - ET PHISHING Possible Successful SWF/XML Phish 2016-05-02 (phishing.rules)
  • 2033217 - ET PHISHING Observed Possible Phishing Landing Page 2021-06-29 (phishing.rules)
  • 2033482 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1 (exploit.rules)
  • 2033483 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2 (exploit.rules)
  • 2033484 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3 (exploit.rules)
  • 2033524 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1 (exploit.rules)
  • 2033525 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2 (exploit.rules)
  • 2033526 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3 (exploit.rules)
  • 2033566 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M1 (exploit.rules)
  • 2033567 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M2 (exploit.rules)
  • 2033568 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M3 (exploit.rules)
  • 2035937 - ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13 (phishing.rules)
  • 2038920 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
  • 2043391 - ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com) (malware.rules)
  • 2043393 - ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com) (malware.rules)
  • 2043396 - ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com) (malware.rules)
  • 2043399 - ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop) (malware.rules)
  • 2043402 - ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club) (malware.rules)
  • 2043403 - ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics) (malware.rules)
  • 2044142 - ET PHISHING Possible Phishing Domain in DNS Lookup (c1 .biz) (phishing.rules)
  • 2044706 - ET MALWARE SocGholish Domain in DNS Lookup (archive .vibezik .com) (malware.rules)
  • 2044707 - ET MALWARE SocGholish Domain in DNS Lookup (scripts .asi .services) (malware.rules)
  • 2044708 - ET MALWARE SocGholish Domain in DNS Lookup (trackrecord .wheresbecky .com) (malware.rules)
  • 2044844 - ET MALWARE SocGholish Domain in DNS Lookup (unit4 .majesticpg .com) (malware.rules)
  • 2044845 - ET MALWARE SocGholish Domain in DNS Lookup (examples .propertytax4less .com) (malware.rules)
  • 2044846 - ET MALWARE SocGholish Domain in DNS Lookup (life .judyfay .com) (malware.rules)
  • 2044856 - ET MALWARE SocGholish Domain in DNS Lookup (agreement .panworldtradersllc .com) (malware.rules)
  • 2044911 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cloudid .teacherhamish .com) (malware.rules)
  • 2044961 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (getquery .org) (exploit_kit.rules)
  • 2044978 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (aeryqget .org) (exploit_kit.rules)
  • 2044979 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (quaryget .org) (exploit_kit.rules)
  • 2045843 - ET MALWARE SocGholish Domain in DNS Lookup (booty .midatlanticlaw .org) (malware.rules)
  • 2045844 - ET MALWARE SocGholish Domain in DNS Lookup (internal .metro1properties .us) (malware.rules)
  • 2045862 - ET MALWARE SocGholish Domain in DNS Lookup (reporting .theamericasfashionfest .com) (malware.rules)
  • 2045863 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .offer .rpacxtaxappeal .com) (malware.rules)
  • 2045870 - ET MALWARE SocGholish Domain in DNS Lookup (strategy .transversalgroup .co) (malware.rules)
  • 2045876 - ET MALWARE SocGholish Domain in DNS Lookup (sapphire .abogados .services) (malware.rules)
  • 2045877 - ET MALWARE SocGholish Domain in DNS Lookup (exclusive .transversalbranding .com) (malware.rules)
  • 2045878 - ET MALWARE SocGholish Domain in DNS Lookup (archives .finanpress .com) (malware.rules)
  • 2045970 - ET MALWARE SocGholish Domain in DNS Lookup (deploy .vanquicktech .com) (malware.rules)
  • 2045971 - ET MALWARE SocGholish Domain in DNS Lookup (practices .bodyandsoulmassage .com) (malware.rules)
  • 2045972 - ET MALWARE SocGholish Domain in DNS Lookup (old .onepercentage .org) (malware.rules)
  • 2045979 - ET MALWARE SocGholish Domain in DNS Lookup (hardware .deltavis .com) (malware.rules)
  • 2045980 - ET MALWARE SocGholish Domain in DNS Lookup (masterclass .teamupnetwork .org) (malware.rules)
  • 2046067 - ET MALWARE SocGholish Domain in DNS Lookup (failure .mathgeniusa .com) (malware.rules)
  • 2046068 - ET MALWARE SocGholish Domain in DNS Lookup (static .laytonroadconstruction .com) (malware.rules)
  • 2046099 - ET MALWARE SocGholish Domain in DNS Lookup (collaboration .porchlightcs .org) (malware.rules)
  • 2046101 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .smartmetereducationnetwork .com) (malware.rules)
  • 2046102 - ET MALWARE SocGholish Domain in DNS Lookup (reception .q-dent .com) (malware.rules)
  • 2046130 - ET MALWARE SocGholish Domain in DNS Lookup (templates .jdlaytongrademaker .com) (malware.rules)
  • 2801003 - ETPRO SCADA CONTROL MICROSYSTEMS (Event 32) Change Time Attempt (scada.rules)
  • 2801027 - ETPRO SCADA CONTROL MICROSYSTEMS (Event 40)TCP UDP Port Change Attempt (scada.rules)
  • 2801031 - ETPRO SCADA GE (Event 33) Change Date Attempt (scada.rules)
  • 2801062 - ETPRO SCADA DIRECTLOGIC (Event 32)Change Time Attempt (scada.rules)
  • 2801073 - ETPRO SCADA DIRECTLOGIC (Event 33)Change Date Attempt (scada.rules)
  • 2801163 - ETPRO SCADA SCHWEITZER (Event 41)Config File Change (scada.rules)
  • 2809851 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (tcp) (malware.rules)
  • 2812486 - ETPRO WEB_CLIENT Possible CoreImpact Client Exploit In Progress Silverlight (web_client.rules)
  • 2827153 - ETPRO PHISHING Successful Generic Phish Jul 17 2017 (phishing.rules)
  • 2827827 - ETPRO PHISHING Credphish Domain in SNI (phishing.rules)
  • 2835383 - ETPRO PHISHING Successful Paxful Phish 2019-03-14 (phishing.rules)
  • 2835538 - ETPRO PHISHING Successful Microsoft Account Phish 2019-03-25 (phishing.rules)
  • 2835773 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2019-04-07 (phishing.rules)
  • 2835790 - ETPRO PHISHING Successful Apple Phish 2019-04-09 (phishing.rules)
  • 2835792 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2019-04-09 (phishing.rules)
  • 2836015 - ETPRO PHISHING Successful Simplii Phish 2019-04-24 (phishing.rules)
  • 2836847 - ETPRO PHISHING Successful Wells Fargo Phish 2019-06-14 (phishing.rules)
  • 2836855 - ETPRO PHISHING Successful Adobe PDF Online Phish 2019-06-14 (phishing.rules)
  • 2837049 - ETPRO PHISHING Successful Bank of America Phish 2019-06-25 (phishing.rules)
  • 2837135 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2837411 - ETPRO ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS Certificate Observed M58 (attack_response.rules)
  • 2838759 - ETPRO PHISHING Successful CIBC Phish 2019-10-04 (phishing.rules)
  • 2839410 - ETPRO PHISHING Successful Microsoft Account Phish 2019-11-13 (phishing.rules)
  • 2840009 - ETPRO PHISHING Successful Chase Phish 2019-12-19 (phishing.rules)
  • 2840055 - ETPRO PHISHING Successful Chase Phish 2019-12-23 (phishing.rules)
  • 2840307 - ETPRO PHISHING Successful CIBC Phish 2020-01-07 (phishing.rules)
  • 2840328 - ETPRO MALWARE Observed Malicious SSL Cert (Gozi CnC) (malware.rules)
  • 2840624 - ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default_Cookies) (hunting.rules)
  • 2841397 - ETPRO PHISHING Successful Netease 163 Phish 2020-03-05 (phishing.rules)
  • 2841631 - ETPRO PHISHING Successful Chase Phish 2020-03-20 (phishing.rules)
  • 2842127 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2020-04-21 (phishing.rules)
  • 2843182 - ETPRO PHISHING Possible Successful Generic Res Phish 2020-06-24 (phishing.rules)
  • 2844014 - ETPRO PHISHING Successful Generic Phish 2020-08-17 (phishing.rules)
  • 2844055 - ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Browsers/Autofills/) M2 (hunting.rules)
  • 2844090 - ETPRO PHISHING Successful Alibaba Phish 2020-08-20 (phishing.rules)
  • 2844091 - ETPRO PHISHING Successful Instagram Phish 2020-08-20 (phishing.rules)
  • 2844108 - ETPRO PHISHING Successful Generic Webmail Phish 2020-08-21 (phishing.rules)
  • 2844984 - ETPRO PHISHING Successful WeTransfer Phish 2020-10-16 (phishing.rules)
  • 2846675 - ETPRO PHISHING Successful Bank of America Phish 2021-01-21 (phishing.rules)
  • 2846924 - ETPRO PHISHING Successful Chase Phish 2021-02-04 (phishing.rules)
  • 2847475 - ETPRO PHISHING Successful WeTransfer Phish 2021-03-08 (phishing.rules)
  • 2847477 - ETPRO PHISHING Successful Facebook Phish 2021-03-08 (phishing.rules)
  • 2848351 - ETPRO HUNTING Suspicious HTTP Header (RAM) (hunting.rules)
  • 2849544 - ETPRO MOBILE_MALWARE AndroSpy Checkin 3 (mobile_malware.rules)
  • 2850896 - ETPRO PHISHING Successful nic.in Phish 2022-01-20 (phishing.rules)
  • 2853299 - ETPRO MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2011800 - ET POLICY Abnormal User-Agent No space after colon - Likely Hostile (policy.rules)
  • 2013190 - ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping) (policy.rules)
  • 2013710 - ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen (policy.rules)
  • 2016921 - ET HUNTING Suspicious Mozilla UA with no Space after colon (hunting.rules)
  • 2028763 - ET JA3 Hash - [Abuse.ch] Possible Adwind (ja3.rules)
  • 2803167 - ETPRO POLICY MOBILE Android Device User-Agent (policy.rules)
  • 2803621 - ETPRO POLICY Rapidshare Manager User-Agent (RapidUploader) (policy.rules)
  • 2803804 - ETPRO POLICY Games Site lava.cn User-Agent (DDVInstall) (policy.rules)
  • 2806799 - ETPRO POLICY securityxploded malware retrieval URI (policy.rules)