Ruleset Update Summary - 2023/08/01 - v10385

Summary:

10 new OPEN, 12 new PRO (10 + 2)

Thanks @cyfirma

All ETOPEN and ETPRO customers, please be aware that Friday, August 4th, 2023 is a Proofpoint company holiday. As such, there will be no rule release that day. Thank you for your continued patronage and support.
Added rules:

Open:

  • 2047008 - ET INFO DYNAMIC_DNS Query to a *.grid-tronix .com Domain (info.rules)
  • 2047009 - ET INFO DYNAMIC_DNS HTTP Request to a *.grid-tronix .com Domain (info.rules)
  • 2047010 - ET MALWARE IcedID CnC Domain in DNS Lookup (mineskateroff .com) (malware.rules)
  • 2047011 - ET MALWARE Observed IcedID Domain (mineskateroff .com in TLS SNI) (malware.rules)
  • 2047012 - ET WEB_SPECIFIC_APPS Possible Metabase Pre-Auth RCE Attempt - CVE-2023-38646 (web_specific_apps.rules)
  • 2047013 - ET MALWARE Possible Raspberry Robin Activity (GET) M3 (malware.rules)
  • 2047014 - ET EXPLOIT Javascript Initiating Remote Server Search with Window’s Search-MS URI Handler (exploit.rules)
  • 2047015 - ET MALWARE abubasbanditbot CnC Checkin (malware.rules)
  • 2047016 - ET MALWARE Bahamut APT Group CnC Domain in DNS Lookup (laborer-posted .nl) (malware.rules)
  • 2047017 - ET MALWARE Observed Bahamut APT Group Domain (laborer-posted .nl) in TLS SNI (malware.rules)

Pro:

  • 2854974 - ETPRO MALWARE VBS/ObfDldr Variant Payload Request (GET) (malware.rules)
  • 2854975 - ETPRO MALWARE Agent Tesla Discord Exfil M3 (malware.rules)

Disabled and modified rules:

  • 2035604 - ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain (malware.rules)
  • 2035731 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035732 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035733 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035734 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
  • 2035807 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co) (malware.rules)
  • 2035808 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com) (malware.rules)
  • 2035809 - ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co) (malware.rules)
  • 2035810 - ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me) (malware.rules)
  • 2035811 - ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com) (malware.rules)
  • 2035812 - ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com) (malware.rules)
  • 2035813 - ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net) (malware.rules)
  • 2035814 - ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org) (malware.rules)
  • 2035815 - ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com) (malware.rules)
  • 2035816 - ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net) (malware.rules)
  • 2035817 - ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net) (malware.rules)
  • 2035824 - ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live) (malware.rules)
  • 2035825 - ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org) (malware.rules)
  • 2035827 - ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com) (malware.rules)
  • 2035828 - ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com) (malware.rules)
  • 2035830 - ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co) (malware.rules)
  • 2035831 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co) (malware.rules)
  • 2035832 - ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me) (malware.rules)
  • 2035833 - ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com) (malware.rules)
  • 2035835 - ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com) (malware.rules)
  • 2035836 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info) (malware.rules)
  • 2035837 - ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com) (malware.rules)
  • 2035838 - ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com) (malware.rules)
  • 2035839 - ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net) (malware.rules)
  • 2035840 - ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net) (malware.rules)
  • 2035841 - ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co) (malware.rules)
  • 2035842 - ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org) (malware.rules)
  • 2035843 - ET MALWARE Observed DNS Query to TA455 Domain (freechess .live) (malware.rules)
  • 2035845 - ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com) (malware.rules)
  • 2035846 - ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net) (malware.rules)
  • 2035848 - ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online) (malware.rules)
  • 2035850 - ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online) (malware.rules)
  • 2035851 - ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org) (malware.rules)
  • 2035853 - ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net) (malware.rules)
  • 2035854 - ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net) (malware.rules)
  • 2035855 - ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net) (malware.rules)
  • 2035856 - ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com) (malware.rules)
  • 2035877 - ET MALWARE Observed DNS Query to Winnti Domain (malware.rules)
  • 2035899 - ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co) (malware.rules)
  • 2037130 - ET MALWARE Observed DNS Query to DarkCrystal Rat Domain (datagroup .ddns .net) (2022-06-27) (malware.rules)
  • 2038720 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
  • 2038721 - ET MALWARE Observed DNS Query to TA444 Domain (vote .anobaka .info) (malware.rules)
  • 2038722 - ET MALWARE Observed DNS Query to TA444 Domain (cloud .wpic .ink) (malware.rules)
  • 2039071 - ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (market .contradecapital .com) (malware.rules)
  • 2045291 - ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (malware.rules)
  • 2851364 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
  • 2851396 - ETPRO MALWARE Suspicious Domain (records .hibiscus .live) in TLS SNI (malware.rules)
  • 2851397 - ETPRO MALWARE Suspicious Domain (backup .latestsyn .xyz) in TLS SNI (malware.rules)
  • 2851398 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
  • 2851399 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
  • 2851574 - ETPRO MALWARE Observed Qbot Domain (multiconstruction .net in TLS SNI) (malware.rules)

Removed rules:

  • 2028781 - ET JA3 Hash - [Abuse.ch] Possible Adware (ja3.rules)