Summary:
4 new OPEN, 22 new PRO (4 + 18)
Thanks @suyog41
Added rules:
Open:
- 2047678 - ET MALWARE Malicious Powershell Activity (GET) (malware.rules)
- 2047679 - ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru) (malware.rules)
- 2047680 - ET MALWARE Observed Python Stealer/Clipper Related Domain (kekwltd .ru in TLS SNI) (malware.rules)
- 2047681 - ET MALWARE Spark RAT CnC Checkin (POST) (malware.rules)
Pro:
- 2855132 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2855133 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2855134 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2855135 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2855136 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2855137 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2855138 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2855139 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2855140 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2855141 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2855142 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2855143 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2855144 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2855145 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2855146 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2855147 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2855148 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2855151 - ETPRO MALWARE Spark RAT User-Agent Observed (malware.rules)
Disabled and modified rules:
- 2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
- 2035778 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net) (malware.rules)
- 2035781 - ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com) (malware.rules)
- 2035944 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
- 2035945 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
- 2036321 - ET MALWARE 000Stealer Data Exfiltration M2 (malware.rules)
- 2036322 - ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk) (malware.rules)
- 2036323 - ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk) (malware.rules)
- 2036324 - ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz) (malware.rules)
- 2036364 - ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com) (malware.rules)
- 2036366 - ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI (malware.rules)
- 2036367 - ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI (malware.rules)
- 2036368 - ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI (malware.rules)
- 2036396 - ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS Lookup (malware.rules)
- 2036397 - ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup (malware.rules)
- 2036398 - ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS Lookup (malware.rules)
- 2036403 - ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS SNI (malware.rules)
- 2036404 - ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS SNI (malware.rules)
- 2036405 - ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in TLS SNI (malware.rules)
- 2036480 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (shopingchina .net) (malware.rules)
- 2036483 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (rootkit .tools) (malware.rules)
- 2036495 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .com) (malware.rules)
- 2036542 - ET MALWARE Eternity Stealer Data Exfiltration Activity (malware.rules)
- 2036610 - ET MALWARE BlueShtorm Infostealer Data Exfiltration (malware.rules)
- 2036958 - ET MALWARE Win32/Gomorrah Stealer Data Exfiltration (malware.rules)
- 2037091 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Steam_htmlcache.txt) (hunting.rules)
- 2038585 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (worldpro .buzz) (malware.rules)
- 2038586 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (doctorstrange .buzz) (malware.rules)
- 2038664 - ET MALWARE Win32/Caypnamer.A RAT CnC Initial Checkin (malware.rules)
- 2038703 - ET ADWARE_PUP MuLauncher Telemetry Gathering Attempt (adware_pup.rules)
- 2038947 - ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt (malware.rules)
- 2039061 - ET MALWARE Chaos Botnet CnC Domain (xiaomai233 .f3322 .net) in DNS Lookup (malware.rules)
- 2039062 - ET MALWARE Chaos Botnet CnC Domain (bb .hash3688 .com) in DNS Lookup (malware.rules)
- 2039099 - ET MALWARE AllcomeClipper CnC Domain (dba692117be7b6d3480fe5220fdd58b38bf .xyz) in DNS Lookup (malware.rules)
- 2039177 - ET MALWARE Mekotio Banking Trojan CnC Domain (zautoservice .eu) in DNS Lookup (malware.rules)
- 2039415 - ET MALWARE MSSQL maggie backdoor Query Observed (other functions) (malware.rules)
- 2039532 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scaner .com) (malware.rules)
- 2039723 - ET MALWARE Win32\Cryptbot CnC Domain (towcqx32 .top) in DNS Lookup (malware.rules)
- 2039725 - ET MALWARE Win32\Cryptbot CnC Domain (suqzyt03 .top) in DNS Lookup (malware.rules)
- 2039733 - ET MALWARE Win32\Cryptbot CnC Domain (kyrjwt45 .top) in DNS Lookup (malware.rules)
- 2039735 - ET MALWARE Win32\Cryptbot CnC Domain (suqycd05 .top) in DNS Lookup (malware.rules)
- 2039736 - ET MALWARE Win32\Cryptbot CnC Domain (suqoyw07 .top) in DNS Lookup (malware.rules)
- 2039775 - ET MALWARE Laplas Clipper - Regex CnC Request (malware.rules)
- 2039776 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin (malware.rules)
- 2039777 - ET MALWARE Laplas Clipper - GetAddress CnC Checkin (malware.rules)
- 2039796 - ET INFO External File Sharing Service in DNS Lookup (sharefile .com) (info.rules)
- 2039829 - ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup (mobile_malware.rules)
- 2041668 - ET MALWARE Bitter APT CnC Domain (mobisharestock .com) in DNS Lookup (malware.rules)
- 2041669 - ET MALWARE Bitter APT CnC Domain (updnangelgroup .com) in DNS Lookup (malware.rules)
- 2041929 - ET MALWARE Confucious APT CnC Domain (microsoftonedriver .com) in DNS Lookup (malware.rules)
- 2042521 - ET MALWARE Observed BatLoader Domain (cloudsteamview .com) in TLS SNI (malware.rules)
- 2042522 - ET MALWARE Observed BatLoader Domain (installationupgrade6 .com) in TLS SNI (malware.rules)
- 2044052 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup (malware.rules)
- 2044173 - ET MALWARE Cobalt Strike CnC Domain (cdcgov .us) in DNS Lookup (malware.rules)
- 2044175 - ET MALWARE Havoc RAT CnC Domain (zh .googlecdnb .tk) in DNS Lookup (malware.rules)
- 2044313 - ET MALWARE Cobalt Strike CnC Domain (csc .zte .com .cn .wswebpic .com) in DNS Lookup (malware.rules)
- 2044343 - ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor .com) in DNS Lookup (malware.rules)
- 2044362 - ET MALWARE Win32/S1deload Stealer CnC Domain (shopproxy .live) in DNS Lookup (malware.rules)
- 2044400 - ET MALWARE IcedID CnC Domain (neonmilkustaers .com) in DNS Lookup (malware.rules)
- 2044451 - ET MALWARE Lockbit Ransomware Related Domain (poliovocalist .com) in DNS Lookup (malware.rules)
- 2044511 - ET MALWARE SYS01 Information Stealer CnC Domain (makananwisata .com) in DNS Lookup (malware.rules)
- 2044513 - ET MALWARE SYS01 Information Stealer CnC Domain (rapadtrai .com) in DNS Lookup (malware.rules)
- 2044514 - ET MALWARE SYS01 Information Stealer CnC Domain (baglamanotalari .com) in DNS Lookup (malware.rules)
- 2044583 - ET MALWARE Win32/Root Finder Stealer Sending System Information via Telegram (GET) (malware.rules)
- 2044584 - ET MALWARE Win32/AMGO Keylogger - Keylogger Started Message via Telegram (POST) (malware.rules)
- 2044656 - ET MALWARE Wintern Vivern CnC Domain (bugiplaysec .com) in DNS Lookup (malware.rules)
- 2044657 - ET MALWARE Wintern Vivern CnC Domain (marakanas .com) in DNS Lookup (malware.rules)
- 2044658 - ET MALWARE Wintern Vivern CnC Domain (ocs-romastassec .com) in DNS Lookup (malware.rules)
- 2044659 - ET MALWARE Wintern Vivern CnC Domain (troadsecow .com) in DNS Lookup (malware.rules)
- 2044661 - ET MALWARE Wintern Vivern CnC Domain (security-ocsp .com) in DNS Lookup (malware.rules)
- 2044698 - ET MALWARE Observed DNS Query to Gamaredon Domain (makasd .ru) (malware.rules)
- 2044699 - ET MALWARE Observed DNS Query to Gamaredon Domain (gojoxa .ru) (malware.rules)
- 2044744 - ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS Query (malware.rules)
- 2044746 - ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query (malware.rules)
- 2044842 - ET MALWARE DBatLoader CnC Domain (silverline .com .sg) in DNS Lookup (malware.rules)
- 2045109 - ET MALWARE Observed DNS Query to TA444 Domain (nbright .best) (malware.rules)
- 2045110 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .org) (malware.rules)
- 2045111 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (ukroboronprom .com .ukr .pm) (malware.rules)
- 2045112 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .com) (malware.rules)
- 2045188 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ruizchris .ru) (malware.rules)
- 2045189 - ET MALWARE Gamaredon APT Domain in DNS Lookup (valasati .ru) (malware.rules)
- 2045190 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ayarimar .ru) (malware.rules)
- 2045191 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nutriag .ru) (malware.rules)
- 2045192 - ET MALWARE Gamaredon APT Domain in DNS Lookup (vilaverde .ru) (malware.rules)
- 2045193 - ET MALWARE Gamaredon APT Domain in DNS Lookup (fortunyzo .ru) (malware.rules)
- 2045194 - ET MALWARE Gamaredon APT Domain in DNS Lookup (dussaut .ru) (malware.rules)
- 2045195 - ET MALWARE Gamaredon APT Domain in DNS Lookup (samiseto .ru) (malware.rules)
- 2045196 - ET MALWARE Gamaredon APT Domain in DNS Lookup (boraito .ru) (malware.rules)
- 2045197 - ET MALWARE Gamaredon APT Domain in DNS Lookup (enokida .ru) (malware.rules)
- 2045198 - ET MALWARE Gamaredon APT Domain in DNS Lookup (kaigitang .ru) (malware.rules)
- 2045227 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nahalx .ru) (malware.rules)
- 2045228 - ET MALWARE Gamaredon APT Domain in DNS Lookup (baraslx .ru) (malware.rules)
- 2045248 - ET MALWARE Gamaredon APT Domain in DNS Lookup (decorous .ru) (malware.rules)
- 2045249 - ET MALWARE Gamaredon APT Domain in DNS Lookup (judicious .ru) (malware.rules)
- 2045250 - ET MALWARE Gamaredon APT Domain in DNS Lookup (succinct .ru) (malware.rules)
- 2045251 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (yrhsywu2009 .zapto .org) (malware.rules)
- 2045252 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (vpn729380678 .softether .net) (malware.rules)
- 2045253 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (saspecialforces .co .za) (malware.rules)
- 2045739 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks12 .hopto .org) (malware.rules)
- 2045740 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (findproadvisors .com) (malware.rules)
- 2045741 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks149 .hopto .org) (malware.rules)
- 2045834 - ET MALWARE Observed DNS Query to Gamaredon Domain (mbiziso .ru) (malware.rules)
- 2045835 - ET MALWARE Observed DNS Query to Gamaredon Domain (kontarso .ru) (malware.rules)
- 2045836 - ET MALWARE Observed DNS Query to Gamaredon Domain (koseyso .ru) (malware.rules)
- 2045837 - ET MALWARE Observed DNS Query to Gamaredon Domain (menesso .ru) (malware.rules)
- 2045838 - ET MALWARE Observed DNS Query to Gamaredon Domain (kuaashiso .ru) (malware.rules)
- 2045839 - ET MALWARE Observed DNS Query to Gamaredon Domain (lizimbaso .ru) (malware.rules)
- 2045840 - ET MALWARE Observed DNS Query to Gamaredon Domain (maatso .ru) (malware.rules)
- 2045842 - ET MALWARE CloudWizard APT Related Domain in DNS Lookup (curveroad .com) (malware.rules)
- 2046080 - ET MALWARE Gamaredon Domain in DNS Lookup (havxcq .ru) (malware.rules)
- 2046081 - ET MALWARE Gamaredon Domain in DNS Lookup (ozaharso .ru) (malware.rules)
- 2046082 - ET MALWARE Gamaredon Domain in DNS Lookup (okparaso .ru) (malware.rules)
- 2046083 - ET MALWARE Gamaredon Domain in DNS Lookup (omariso .ru) (malware.rules)
- 2046084 - ET MALWARE Gamaredon Domain in DNS Lookup (ozirisso .ru) (malware.rules)
- 2046085 - ET MALWARE Gamaredon Domain in DNS Lookup (remmaoso .ru) (malware.rules)
- 2046086 - ET MALWARE Gamaredon Domain in DNS Lookup (oddzhiso .ru) (malware.rules)
- 2046087 - ET MALWARE Gamaredon Domain in DNS Lookup (itoram .ru) (malware.rules)
- 2046088 - ET MALWARE Gamaredon Domain in DNS Lookup (rvawc .ru) (malware.rules)
- 2046089 - ET MALWARE Gamaredon Domain in DNS Lookup (gajasx .ru) (malware.rules)
- 2046090 - ET MALWARE Gamaredon Domain in DNS Lookup (xopekar .ru) (malware.rules)
- 2046091 - ET MALWARE Gamaredon Domain in DNS Lookup (nalfas .ru) (malware.rules)
- 2046092 - ET MALWARE Gamaredon Domain in DNS Lookup (blootundicht .ru) (malware.rules)
- 2046093 - ET MALWARE Gamaredon Domain in DNS Lookup (tulocal .ru) (malware.rules)
- 2046094 - ET MALWARE Gamaredon Domain in DNS Lookup (boptizol .ru) (malware.rules)
- 2046095 - ET MALWARE Gamaredon Domain in DNS Lookup (yorisant .ru) (malware.rules)
- 2046096 - ET MALWARE Gamaredon Domain in DNS Lookup (viratuk .ru) (malware.rules)
- 2046097 - ET MALWARE Gamaredon Domain in DNS Lookup (reposant .ru) (malware.rules)
- 2046213 - ET MALWARE Gamaredon Domain in DNS Lookup (gawsxc .ru) (malware.rules)
- 2046214 - ET MALWARE Gamaredon Domain in DNS Lookup (perccottuspi .ru) (malware.rules)
- 2046215 - ET MALWARE Gamaredon Domain in DNS Lookup (razuiso .ru) (malware.rules)
- 2046216 - ET MALWARE Gamaredon Domain in DNS Lookup (dzhabrailho .ru) (malware.rules)
- 2046217 - ET MALWARE Gamaredon Domain in DNS Lookup (tispai .ru) (malware.rules)
- 2046218 - ET MALWARE Gamaredon Domain in DNS Lookup (reyyfadsf .ru) (malware.rules)
- 2046219 - ET MALWARE Gamaredon Domain in DNS Lookup (dumerilipi .ru) (malware.rules)
- 2046220 - ET MALWARE Gamaredon Domain in DNS Lookup (bladefishpi .ru) (malware.rules)
- 2046221 - ET MALWARE Gamaredon Domain in DNS Lookup (spatulapi .ru) (malware.rules)
- 2046222 - ET MALWARE Gamaredon Domain in DNS Lookup (gawcq .ru) (malware.rules)
- 2046223 - ET MALWARE Gamaredon Domain in DNS Lookup (agonepi .ru) (malware.rules)
- 2046224 - ET MALWARE Gamaredon Domain in DNS Lookup (albacorepi .ru) (malware.rules)
- 2853775 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853776 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853777 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853781 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853798 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853799 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
- 2853800 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
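The two lists above are easiest to act on once they are parsed: the added DNS/SNI signatures carry defanged domains that can go straight into a resolver blocklist or a retro-hunt, and the "Disabled and modified rules" list should be checked against any local suricata-update enable.conf/disable.conf that pins those SIDs by number. The script below is an added example written for this page; it is not part of the ET changelog, of Proofpoint's tooling or of suricata-update. It assumes the line shape used in this summary ("- <sid> - <msg> (<file>.rules)"), ET's defanging convention of a space before each dot ("kekwltd .ru"), and the plain one-SID-per-line form of enable.conf; the sample changelog and enable.conf embedded in it are constructed from lines on this page.

```python
"""Parse an Emerging Threats daily update summary into structured entries.

Added example; not ET or suricata-update code. Assumes the changelog line
shape "- <sid> - <msg> (<file>.rules)" and ET's "label .tld" defanging.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RULE_LINE = re.compile(r"^- (\d+) - (.+?) \((\S+\.rules)\)$")
# One or more DNS labels joined by " ." (ET's defanged form); underscores,
# slashes and plain words never match, so "(POST)" or "(SANDWORM)" are skipped.
DEFANGED = re.compile(r"[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+")
PAREN_GROUP = re.compile(r"\(([^()]*)\)")


@dataclass
class RuleEntry:
    sid: int
    msg: str
    rulefile: str
    section: Optional[str]        # "Added rules", "Disabled and modified rules", ...
    tier: Optional[str]           # "Open" / "Pro" sub-header, when present
    domains: List[str] = field(default_factory=list)  # refanged IOCs from msg


def refang(token: str) -> str:
    """'kekwltd .ru' -> 'kekwltd.ru'."""
    return token.replace(" .", ".")


def extract_domains(msg: str) -> List[str]:
    """Refanged domains found in the parenthesised groups of a rule message."""
    return [refang(g) for g in PAREN_GROUP.findall(msg) if DEFANGED.fullmatch(g)]


def parse_changelog(text: str) -> List[RuleEntry]:
    """Walk the summary, tracking the current section and Open/Pro tier."""
    entries, section, tier = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_LINE.match(line)
        if m:
            sid, msg, rulefile = int(m[1]), m[2], m[3]
            entries.append(RuleEntry(sid, msg, rulefile, section, tier, extract_domains(msg)))
        elif line.endswith(":"):            # a header such as "Added rules:" or "Pro:"
            name = line[:-1]
            if name in ("Open", "Pro"):
                tier = name
            else:
                section, tier = name, None
    return entries


def blocklist_domains(entries: List[RuleEntry], section: str = "Added rules") -> List[str]:
    """Deduplicated domains from one section, in page order, for an RPZ or proxy block."""
    seen: List[str] = []
    for e in entries:
        if e.section == section:
            seen.extend(d for d in e.domains if d not in seen)
    return seen


def stale_local_overrides(entries: List[RuleEntry], conf_text: str) -> List[int]:
    """SIDs from 'Disabled and modified rules' that a local enable.conf/disable.conf
    still pins by number. Only bare-SID lines are read; 'group:'/'re:' selectors are ignored."""
    pinned = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.isdigit():
            pinned.add(int(line))
    return sorted(e.sid for e in entries
                  if e.section == "Disabled and modified rules" and e.sid in pinned)


# Constructed sample: a cut-down summary in the same shape as the page above.
SAMPLE_CHANGELOG = """\
Summary:
2 new OPEN, 3 new PRO (2 + 1)
Added rules:
Open:
- 2047679 - ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru) (malware.rules)
- 2047681 - ET MALWARE Spark RAT CnC Checkin (POST) (malware.rules)
Pro:
- 2855151 - ETPRO MALWARE Spark RAT User-Agent Observed (malware.rules)
Disabled and modified rules:
- 2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
- 2044052 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup (malware.rules)
- 2045111 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (ukroboronprom .com .ukr .pm) (malware.rules)
- 2037091 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Steam_htmlcache.txt) (hunting.rules)
"""

# Constructed sample enable.conf: SIDs this site force-enabled in the past.
LOCAL_ENABLE_CONF = """\
2035771   # Spytector DNS lookup, enabled after an incident
2047679
group:emerging-malware.rules
re:Gamaredon
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print("new domains to block:", blocklist_domains(parsed))
    print("local overrides to revisit:", stale_local_overrides(parsed, LOCAL_ENABLE_CONF))
```

Run it against the full text of this summary instead of the sample to get the complete domain list. One caveat the header itself makes: "Disabled and modified rules" mixes rules that were switched off with rules whose content changed, and the summary does not say which is which, so a SID reported by `stale_local_overrides` needs a look at the current rule file before the local override is dropped. The `tier` field separates the ET Open additions from the ETPRO ones, which only a Pro subscription will actually receive.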