Ruleset Update Summary - 2023/09/01 - v10408

Summary:

28 new OPEN, 61 new PRO (28 + 33)

Thanks kevin, ross, @fr0s7_, @suyog41, @watchtowrcyber, @alizthehax0r


Added rules:

Open:

  • 2047865 - ET INFO External IP Address Lookup Domain SSL Cert (geodatatool .com) (info.rules)
  • 2047866 - ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (info.rules)
  • 2047867 - ET EXPLOIT Junos OS - Unauthenticated Arbitrary File Upload Attempt (CVE-2023-36846 CVE-2023-36847) (exploit.rules)
  • 2047868 - ET EXPLOIT Junos OS - Successful Unauthenticated Arbitrary File Upload Attempt (CVE-2023-36846 CVE-2023-36847) (exploit.rules)
  • 2047869 - ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Variable Modification M1 (CVE-2023-36844 CVE-2023-36845) (exploit.rules)
  • 2047870 - ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Variable Modification M2 (CVE-2023-36844 CVE-2023-36845) (exploit.rules)
  • 2047871 - ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io) (info.rules)
  • 2047872 - ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host) (info.rules)
  • 2047873 - ET MALWARE IcedID CnC Domain in DNS Lookup (ewacootili .com) (malware.rules)
  • 2047874 - ET INFO DYNAMIC_DNS Query to a *.focusmarketing .us Domain (info.rules)
  • 2047875 - ET INFO DYNAMIC_DNS HTTP Request to a *.focusmarketing .us Domain (info.rules)
  • 2047876 - ET MALWARE IcedID CnC Domain in DNS Lookup (oopscokir .com) (malware.rules)
  • 2047877 - ET MALWARE Observed IcedID Domain (ewacootili .com in TLS SNI) (malware.rules)
  • 2047878 - ET MALWARE Observed IcedID Domain (oopscokir .com in TLS SNI) (malware.rules)
  • 2047879 - ET INFO External IP Address Lookup Domain in DNS Lookup (geodatatool .com) (info.rules)
  • 2047880 - ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration (mobile_malware.rules)
  • 2047881 - ET MALWARE TA409 Related DNS Lookup (navercorp .ru) (malware.rules)
  • 2047882 - ET MALWARE Observed TA409 Related Domain (navercorp .ru in TLS SNI) (malware.rules)
  • 2047883 - ET MALWARE LNK/Konni APT CnC Checkin (GET) (malware.rules)
  • 2047884 - ET MALWARE Raspberry Robin CnC Domain in DNS Lookup (w0 .pm) (malware.rules)
  • 2047885 - ET MALWARE Observed Raspberry Robin Domain (w0 .pm in TLS SNI) (malware.rules)
  • 2047886 - ET PHISHING Facebook Credential Phish Landing Page 2023-09-01 (phishing.rules)
  • 2047887 - ET INFO Commonly Abused Domain in TLS SNI (one-click .cc) (info.rules)
  • 2047888 - ET INFO Commonly Abused Domain in TLS SNI (freeclickr .com) (info.rules)
  • 2047889 - ET MALWARE SocGholish Domain in DNS Lookup (standard .architech3 .com) (malware.rules)
  • 2047890 - ET MALWARE SocGholish Domain in TLS SNI (standard .architech3 .com) (malware.rules)
  • 2047891 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (pwwqkppwqkezqer .site) (exploit_kit.rules)
  • 2047892 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (pwwqkppwqkezqer .site) (exploit_kit.rules)

Pro:

  • 2855198 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855201 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855202 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855203 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855204 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855205 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855206 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855207 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855208 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855210 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855211 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855212 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855213 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855214 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855215 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855216 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855217 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855219 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855221 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855222 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855223 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855224 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2855225 - ETPRO MALWARE zgRAT CnC Checkin (malware.rules)
  • 2855226 - ETPRO MALWARE PS1/Redpill Post-Exploitation Kit Fetch (GET) (malware.rules)
  • 2855227 - ETPRO MALWARE PS1/Redpill Post-Exploitation Module Fetch (GET) M1 (malware.rules)
  • 2855228 - ETPRO MALWARE PS1/Redpill Post-Exploitation Module Fetch (GET) M2 (malware.rules)
  • 2855229 - ETPRO MALWARE PS1/Redpill Post-Exploitation Module Fetch (GET) M3 (malware.rules)
  • 2855230 - ETPRO MALWARE Raspberry Robin CnC Checkin (GET) (malware.rules)

Disabled and modified rules:

  • 2031281 - ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS] (current_events.rules)

Removed rules:

  • 2845167 - ETPRO POLICY External IP Address Lookup Domain SSL Cert (geodatatool .com) (policy.rules)
  • 2851058 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (info.rules)