Ruleset Update Summary - 2023/09/05 - v10410

Summary:

26 new OPEN, 31 new PRO (26 + 5)

Thanks @uptycs, @ViriBack, @Jane_0sint, @SecurityJoes


Added rules:

Open:

  • 2047901 - ET MALWARE UAC-0173 Related Domain in DNS Lookup (filetransrediremin .com) (malware.rules)
  • 2047902 - ET MALWARE UAC-0173 Related Domain in DNS Lookup (minijusfil .com) (malware.rules)
  • 2047903 - ET MALWARE Observed UAC-0173 Related Domain (minijusfil .com in TLS SNI) (malware.rules)
  • 2047904 - ET MALWARE Observed UAC-0173 Related Domain (filetransrediremin .com in TLS SNI) (malware.rules)
  • 2047905 - ET MALWARE Win32/Stealerium CnC Payload Request (GET) (malware.rules)
  • 2047906 - ET MALWARE TA444 CnC Domain in DNS Lookup (datasend .fun) (malware.rules)
  • 2047907 - ET MALWARE TA444 CnC Domain in DNS Lookup (cryptowave .capital) (malware.rules)
  • 2047908 - ET MALWARE TA444 CnC Domain in DNS Lookup (trustmeeting .online) (malware.rules)
  • 2047909 - ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .online) (malware.rules)
  • 2047910 - ET MALWARE TA444 CnC Domain in DNS Lookup (video-meet .xyz) (malware.rules)
  • 2047911 - ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .live) (malware.rules)
  • 2047912 - ET MALWARE TA444 CnC Domain in DNS Lookup (internal-meeting .online) (malware.rules)
  • 2047913 - ET MALWARE Observed TA444 Domain (trustmeeting .online in TLS SNI) (malware.rules)
  • 2047914 - ET MALWARE Observed TA444 Domain (ubi-safemeeting .live in TLS SNI) (malware.rules)
  • 2047915 - ET MALWARE Observed TA444 Domain (video-meet .xyz in TLS SNI) (malware.rules)
  • 2047916 - ET MALWARE Observed TA444 Domain (internal-meeting .online in TLS SNI) (malware.rules)
  • 2047917 - ET MALWARE Observed TA444 Domain (ubi-safemeeting .online in TLS SNI) (malware.rules)
  • 2047918 - ET MALWARE Observed TA444 Domain (cryptowave .capital in TLS SNI) (malware.rules)
  • 2047919 - ET MALWARE Observed TA444 Domain (datasend .fun in TLS SNI) (malware.rules)
  • 2047920 - ET WEB_SPECIFIC_APPS Inductive Automation remoteSystemID Check (CVE-2023-39476) (web_specific_apps.rules)
  • 2047921 - ET MALWARE [ANY.RUN] Echida Botnet Check-In M1 (malware.rules)
  • 2047922 - ET MALWARE [ANY.RUN] Echida Botnet Check-In M2 (malware.rules)
  • 2047923 - ET WEB_SPECIFIC_APPS MinIO Information Disclosure Attempt (CVE-2023-28432) (web_specific_apps.rules)
  • 2047924 - ET WEB_SPECIFIC_APPS Successful MinIO Information Disclosure Attempt (CVE-2023-28432) (web_specific_apps.rules)
  • 2047925 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (marcborowy .com) (exploit_kit.rules)
  • 2047926 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (marcborowy .com) (exploit_kit.rules)

Pro:

  • 2833038 - ETPRO HUNTING Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (hunting.rules)
  • 2855231 - ETPRO MALWARE PS1/Suspected TA450 CnC Checkin (POST) (malware.rules)
  • 2855236 - ETPRO EXPLOIT_KIT Fake Browser Update Lure Request (exploit_kit.rules)
  • 2855237 - ETPRO EXPLOIT_KIT Fake Browser Update Request M1 (exploit_kit.rules)
  • 2855238 - ETPRO EXPLOIT_KIT Fake Browser Update Request M2 (exploit_kit.rules)

Removed rules:

  • 2833038 - ETPRO ATTACK_RESPONSE Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (attack_response.rules)
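
A quick consistency check over a summary in this format, added here as an example (it is not Emerging Threats' own tooling). The header line follows ET's convention "N new OPEN, M new PRO (N + K)", where the PRO figure counts the Open rules plus the Pro-only ones, so M must equal N + K; the script recomputes those figures from the bullet lists, and also reports SIDs that appear under both "Added" and "Removed", which is what a category move looks like (2833038 above is listed as added to hunting.rules and removed from attack_response.rules, not retired). The embedded SUMMARY text is a constructed, abridged excerpt modelled on this page, with its header counts adjusted to match the shortened lists; the helper names are the author's own.

```python
"""Sanity-check an Emerging Threats 'Ruleset Update Summary' post.

Added example, not ET's tooling. Parses the plain-text summary format,
recomputes the Open/Pro counts from the bullet lists, compares them with
the header line, and flags SIDs that appear under both 'Added' and
'Removed' (a rule moved between .rules files rather than retired).
SUMMARY is a constructed, abridged excerpt with counts adjusted to fit.
"""
import re

SUMMARY = """\
Ruleset Update Summary - 2023/09/05 - v10410

Summary:

3 new OPEN, 5 new PRO (3 + 2)

Added rules:

Open:

  • 2047901 - ET MALWARE UAC-0173 Related Domain in DNS Lookup (filetransrediremin .com) (malware.rules)
  • 2047920 - ET WEB_SPECIFIC_APPS Inductive Automation remoteSystemID Check (CVE-2023-39476) (web_specific_apps.rules)
  • 2047925 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (marcborowy .com) (exploit_kit.rules)

Pro:

  • 2833038 - ETPRO HUNTING Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (hunting.rules)
  • 2855231 - ETPRO MALWARE PS1/Suspected TA450 CnC Checkin (POST) (malware.rules)

Removed rules:

  • 2833038 - ETPRO ATTACK_RESPONSE Possibly Obfuscated Payload - CharCode HTTP Inbound in JavaScript (attack_response.rules)
"""

# "26 new OPEN, 31 new PRO (26 + 5)" -> (open, pro_total, open_part, pro_only)
HEADER_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# "  • 2047901 - ET MALWARE ... (malware.rules)" -> (sid, msg, rules file)
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s*-\s*(.+?)\s*\(([\w-]+\.rules)\)\s*$")


def parse_summary(text):
    """Return {'header': tuple, 'added': {'Open': [...], 'Pro': [...]},
    'removed': [...]}; each rule is (sid, msg, rules_file)."""
    header = None
    section = None      # 'added' or 'removed'
    subsection = None   # 'Open' or 'Pro' (only meaningful under 'added')
    added = {"Open": [], "Pro": []}
    removed = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = tuple(int(x) for x in m.groups())
            continue
        stripped = line.strip()
        if stripped == "Added rules:":
            section, subsection = "added", None
            continue
        if stripped == "Removed rules:":
            section, subsection = "removed", None
            continue
        if stripped in ("Open:", "Pro:"):
            subsection = stripped[:-1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = (int(m.group(1)), m.group(2), m.group(3))
        if section == "added" and subsection:
            added[subsection].append(rule)
        elif section == "removed":
            removed.append(rule)
    return {"header": header, "added": added, "removed": removed}


def check_counts(parsed):
    """True when the header agrees with the lists: OPEN == open bullets,
    the parenthesised parts match the two lists, and PRO == open + pro."""
    open_n = len(parsed["added"]["Open"])
    pro_n = len(parsed["added"]["Pro"])
    h_open, h_pro_total, h_open_part, h_pro_part = parsed["header"]
    return (h_open == open_n and h_open_part == open_n
            and h_pro_part == pro_n and h_pro_total == open_n + pro_n)


def category_moves(parsed):
    """SIDs listed as both added and removed: {sid: (old_file, new_file)}."""
    added_files = {sid: f for rules in parsed["added"].values() for sid, _, f in rules}
    return {sid: (f, added_files[sid])
            for sid, _, f in parsed["removed"] if sid in added_files}


def sids_by_rule_file(parsed):
    """Group newly added SIDs by .rules file (Open first, then Pro)."""
    out = {}
    for rules in parsed["added"].values():
        for sid, _, f in rules:
            out.setdefault(f, []).append(sid)
    return out


if __name__ == "__main__":
    p = parse_summary(SUMMARY)
    print("header counts consistent:", check_counts(p))
    print("category moves:", category_moves(p))
    print("added SIDs by file:", sids_by_rule_file(p))
```

Feed the full text of a post to parse_summary() and a False from check_counts() means the bullets and the header disagree; category_moves() tells you which "removed" SIDs will still fire after the update, just from a different .rules file.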