Ruleset Update Summary - 2023/08/03 - v10387

rulesbot · August 3, 2023, 8:44pm

Summary:

41 new OPEN, 44 new PRO (41 + 3)

All ETOPEN and ETPRO customers, Please be aware that tomorrow, August 4th, 2023 is a ProofPoint company holiday. As such, there will be no rule release that day. Thank you for your continued patronage and support.

Added rules:

Open:

2047022 - ET INFO DYNAMIC_DNS Query to a *.tipoiti .com .ar Domain (info.rules)
2047023 - ET INFO DYNAMIC_DNS HTTP Request to a *.tipoiti .com .ar Domain (info.rules)
2047024 - ET INFO DYNAMIC_DNS Query to a *.gpk .si Domain (info.rules)
2047025 - ET INFO DYNAMIC_DNS HTTP Request to a *.gpk .si Domain (info.rules)
2047026 - ET INFO DYNAMIC_DNS Query to a *.flamex .hm Domain (info.rules)
2047027 - ET INFO DYNAMIC_DNS HTTP Request to a *.flamex .hm Domain (info.rules)
2047028 - ET MALWARE IcedID CnC Domain in DNS Lookup (ultrafoks .com) (malware.rules)
2047029 - ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com) (malware.rules)
2047030 - ET MALWARE Observed IcedID Domain (ultrafoks .com in TLS SNI) (malware.rules)
2047031 - ET MALWARE Observed IcedID Domain (pireltotus .com in TLS SNI) (malware.rules)
2047032 - ET MALWARE Suspected Donot Group Related Activity (POST) (malware.rules)
2047033 - ET MALWARE Donot Group Related Activity (Response) (malware.rules)
2047034 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (justhost .bedro .cloud) (info.rules)
2047035 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (secure .anudeep .me) (info.rules)
2047036 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .jupitrdns .net) (info.rules)
2047037 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns-free .link) (info.rules)
2047038 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .arroudlohgpg .site) (info.rules)
2047039 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .electrotm .org) (info.rules)
2047040 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .wibenson .cloud) (info.rules)
2047041 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .streamlas .fr) (info.rules)
2047042 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ns2 .flodns .net) (info.rules)
2047043 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .laison .ltd) (info.rules)
2047044 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .sitdns .com) (info.rules)
2047045 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (chandr1000 .net) (info.rules)
2047046 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (everovpn .co) (info.rules)
2047047 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adb .aadityakushwaha .com) (info.rules)
2047048 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .sarak .as) (info.rules)
2047049 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adg .yybyy .wiki) (info.rules)
2047050 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (eth .link) (info.rules)
2047051 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (cloud .198 .games) (info.rules)
2047052 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .wang .art) (info.rules)
2047053 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (agh .printk .info) (info.rules)
2047054 - ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt (web_specific_apps.rules)
2047055 - ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt (web_specific_apps.rules)
2047056 - ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960) (web_specific_apps.rules)
2047057 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .excluded .everyadpaysmefirst .com) (malware.rules)
2047058 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .excluded .everyadpaysmefirst .com) (malware.rules)
2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
2047060 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (limonpart .org) (exploit_kit.rules)
2047061 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
2047062 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (limonpart .org) (exploit_kit.rules)

Pro:

2854977 - ETPRO INFO MeshCentral Default TLS Certificate (info.rules)
2854978 - ETPRO INFO MeshCentral WebSocket Request (info.rules)
2854979 - ETPRO MALWARE PS1/p0stP4r4m Host Fingerprint Exfil (POST) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/08/01 - v10385 Ruleset Updates	359	August 1, 2023
Ruleset Update Summary - 2023/07/31 - v10384 Ruleset Updates	448	July 31, 2023
Ruleset Update Summary - 2023/08/02 - v10386 Ruleset Updates	337	August 2, 2023
Ruleset Update Summary - 2023/05/25 - v10332 Ruleset Updates	279	May 25, 2023
Ruleset Update Summary - 2023/05/24 - v10331 Ruleset Updates	285	May 24, 2023

Ruleset Update Summary - 2023/08/03 - v10387

Summary:

Added rules:

Open:

Pro:

Related Topics