Summary:
41 new OPEN, 44 new PRO (41 + 3)
All ETOPEN and ETPRO customers, Please be aware that tomorrow, August 4th, 2023 is a ProofPoint company holiday. As such, there will be no rule release that day. Thank you for your continued patronage and support.
Added rules:
Open:
- 2047022 - ET INFO DYNAMIC_DNS Query to a *.tipoiti .com .ar Domain (info.rules)
- 2047023 - ET INFO DYNAMIC_DNS HTTP Request to a *.tipoiti .com .ar Domain (info.rules)
- 2047024 - ET INFO DYNAMIC_DNS Query to a *.gpk .si Domain (info.rules)
- 2047025 - ET INFO DYNAMIC_DNS HTTP Request to a *.gpk .si Domain (info.rules)
- 2047026 - ET INFO DYNAMIC_DNS Query to a *.flamex .hm Domain (info.rules)
- 2047027 - ET INFO DYNAMIC_DNS HTTP Request to a *.flamex .hm Domain (info.rules)
- 2047028 - ET MALWARE IcedID CnC Domain in DNS Lookup (ultrafoks .com) (malware.rules)
- 2047029 - ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com) (malware.rules)
- 2047030 - ET MALWARE Observed IcedID Domain (ultrafoks .com in TLS SNI) (malware.rules)
- 2047031 - ET MALWARE Observed IcedID Domain (pireltotus .com in TLS SNI) (malware.rules)
- 2047032 - ET MALWARE Suspected Donot Group Related Activity (POST) (malware.rules)
- 2047033 - ET MALWARE Donot Group Related Activity (Response) (malware.rules)
- 2047034 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (justhost .bedro .cloud) (info.rules)
- 2047035 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (secure .anudeep .me) (info.rules)
- 2047036 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .jupitrdns .net) (info.rules)
- 2047037 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns-free .link) (info.rules)
- 2047038 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .arroudlohgpg .site) (info.rules)
- 2047039 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .electrotm .org) (info.rules)
- 2047040 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .wibenson .cloud) (info.rules)
- 2047041 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .streamlas .fr) (info.rules)
- 2047042 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (ns2 .flodns .net) (info.rules)
- 2047043 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .laison .ltd) (info.rules)
- 2047044 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .sitdns .com) (info.rules)
- 2047045 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (chandr1000 .net) (info.rules)
- 2047046 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (everovpn .co) (info.rules)
- 2047047 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adb .aadityakushwaha .com) (info.rules)
- 2047048 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .sarak .as) (info.rules)
- 2047049 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adg .yybyy .wiki) (info.rules)
- 2047050 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (eth .link) (info.rules)
- 2047051 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (cloud .198 .games) (info.rules)
- 2047052 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .wang .art) (info.rules)
- 2047053 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (agh .printk .info) (info.rules)
- 2047054 - ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt (web_specific_apps.rules)
- 2047055 - ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt (web_specific_apps.rules)
- 2047056 - ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960) (web_specific_apps.rules)
- 2047057 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .excluded .everyadpaysmefirst .com) (malware.rules)
- 2047058 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .excluded .everyadpaysmefirst .com) (malware.rules)
- 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
- 2047060 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (limonpart .org) (exploit_kit.rules)
- 2047061 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
- 2047062 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (limonpart .org) (exploit_kit.rules)
Pro:
- 2854977 - ETPRO INFO MeshCentral Default TLS Certificate (info.rules)
- 2854978 - ETPRO INFO MeshCentral WebSocket Request (info.rules)
- 2854979 - ETPRO MALWARE PS1/p0stP4r4m Host Fingerprint Exfil (POST) (malware.rules)