Ruleset Update Summary - 2023/09/11 - v10414

Ruleset Updates
1

Summary:

45 new OPEN, 48 new PRO (45 + 3)

Thanks @tiresearch1

Added rules:

Open:

  • 2047992 - ET INFO PhishingBox Landing Page - Phishing Simulation (info.rules)
  • 2047993 - ET INFO PhishingBox Landing Page - Phishing Simulation (info.rules)
  • 2047994 - ET USER_AGENTS Observed Reconnaissance Related UA (user_agents.rules)
  • 2047995 - ET MALWARE DNS Query to TA444 Domain (updatecheck .store) (malware.rules)
  • 2047996 - ET MALWARE DNS Query to TA444 Domain (updatecheck .site) (malware.rules)
  • 2047997 - ET MALWARE DNS Query to TA444 Domain (antiviruscheck .store) (malware.rules)
  • 2047998 - ET MALWARE DNS Query to TA444 Domain (waitingfor .cfd) (malware.rules)
  • 2047999 - ET MALWARE DNS Query to TA444 Domain (antifirmware .store) (malware.rules)
  • 2048000 - ET MALWARE DNS Query to TA444 Domain (alwayswait .site) (malware.rules)
  • 2048001 - ET MALWARE DNS Query to TA444 Domain (unbelievableresult .site) (malware.rules)
  • 2048002 - ET MALWARE DNS Query to TA444 Domain (antiviruscheck .site) (malware.rules)
  • 2048003 - ET MALWARE DNS Query to TA444 Domain (remoteproweb .cfd) (malware.rules)
  • 2048004 - ET MALWARE DNS Query to TA444 Domain (auditprovidre .store) (malware.rules)
  • 2048005 - ET MALWARE DNS Query to TA444 Domain (alwayswait .online) (malware.rules)
  • 2048006 - ET MALWARE DNS Query to TA444 Domain (auditprovidre .site) (malware.rules)
  • 2048007 - ET MALWARE DNS Query to TA444 Domain (antifirmware .site) (malware.rules)
  • 2048008 - ET MALWARE DNS Query to TA444 Domain (auditprovidre .online) (malware.rules)
  • 2048009 - ET MALWARE DNS Query to TA444 Domain (unbelievableresult .store) (malware.rules)
  • 2048010 - ET MALWARE DNS Query to TA444 Domain (systemupdate .site) (malware.rules)
  • 2048011 - ET MALWARE DNS Query to TA444 Domain (newcoming .cfd) (malware.rules)
  • 2048012 - ET MALWARE DNS Query to TA444 Domain (systemupdate .store) (malware.rules)
  • 2048013 - ET MALWARE DNS Query to TA444 Domain (antifirmware .online) (malware.rules)
  • 2048014 - ET MALWARE Observed TA444 Domain (updatecheck .store in TLS SNI) (malware.rules)
  • 2048015 - ET MALWARE Observed TA444 Domain (updatecheck .site in TLS SNI) (malware.rules)
  • 2048016 - ET MALWARE Observed TA444 Domain (antiviruscheck .store in TLS SNI) (malware.rules)
  • 2048017 - ET MALWARE Observed TA444 Domain (waitingfor .cfd in TLS SNI) (malware.rules)
  • 2048018 - ET MALWARE Observed TA444 Domain (antifirmware .store in TLS SNI) (malware.rules)
  • 2048019 - ET MALWARE Observed TA444 Domain (alwayswait .site in TLS SNI) (malware.rules)
  • 2048020 - ET MALWARE Observed TA444 Domain (unbelievableresult .site in TLS SNI) (malware.rules)
  • 2048021 - ET MALWARE Observed TA444 Domain (antiviruscheck .site in TLS SNI) (malware.rules)
  • 2048022 - ET MALWARE Observed TA444 Domain (remoteproweb .cfd in TLS SNI) (malware.rules)
  • 2048023 - ET MALWARE Observed TA444 Domain (auditprovidre .store in TLS SNI) (malware.rules)
  • 2048024 - ET MALWARE Observed TA444 Domain (alwayswait .online in TLS SNI) (malware.rules)
  • 2048025 - ET MALWARE Observed TA444 Domain (auditprovidre .site in TLS SNI) (malware.rules)
  • 2048026 - ET MALWARE Observed TA444 Domain (antifirmware .site in TLS SNI) (malware.rules)
  • 2048027 - ET MALWARE Observed TA444 Domain (auditprovidre .online in TLS SNI) (malware.rules)
  • 2048028 - ET MALWARE Observed TA444 Domain (unbelievableresult .store in TLS SNI) (malware.rules)
  • 2048029 - ET MALWARE Observed TA444 Domain (systemupdate .site in TLS SNI) (malware.rules)
  • 2048030 - ET MALWARE Observed TA444 Domain (newcoming .cfd in TLS SNI) (malware.rules)
  • 2048031 - ET MALWARE Observed TA444 Domain (systemupdate .store in TLS SNI) (malware.rules)
  • 2048032 - ET MALWARE Observed TA444 Domain (antifirmware .online in TLS SNI) (malware.rules)
  • 2048033 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (whitedrill .org) (exploit_kit.rules)
  • 2048034 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (whitedrill .org) (exploit_kit.rules)
  • 2048035 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (cristinaamaro .com) (exploit_kit.rules)
  • 2048036 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (cristinaamaro .com) (exploit_kit.rules)

Pro:

  • 2855245 - ETPRO MALWARE Agent Tesla Exfil via SMTP (malware.rules)
  • 2855246 - ETPRO EXPLOIT_KIT RogueRaticate Inject M1 (exploit_kit.rules)
  • 2855247 - ETPRO EXPLOIT_KIT RogueRaticate Inject M2 (exploit_kit.rules)

Modified inactive rules:

  • 2017064 - ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (exploit_kit.rules)

Disabled and modified rules:

  • 2018228 - ET MALWARE Possible PlugX Common Header Struct (malware.rules)
  • 2046205 - ET MALWARE Stealth Soldier Backdoor Related Domain in DNS Lookup (filestoragehub .live) (malware.rules)