Summary:
17 new OPEN, 18 new PRO (17 + 1)
Thanks @x3ph1, @SentinelOne, @TrendMicro
Added rules:
Open:
- 2048100 - ET POLICY Observed MSI Download (policy.rules)
- 2048101 - ET MALWARE Atomic MacOS Stealer CnC Domain in DNS Lookup (maybe .host) (malware.rules)
- 2048102 - ET MALWARE Observed Atomic MacOS Stealer Domain (maybe .host in TLS SNI) (malware.rules)
- 2048103 - ET MALWARE Atomic MacOS Stealer CnC Exfil (POST) (malware.rules)
- 2048104 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
- 2048105 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
- 2048106 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
- 2048107 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
- 2048108 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
- 2048109 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (greedyclowns .org) (exploit_kit.rules)
- 2048110 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (greedyclowns .org) (exploit_kit.rules)
- 2048111 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (mansaentertainment .com) (exploit_kit.rules)
- 2048112 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (mansaentertainment .com) (exploit_kit.rules)
- 2048113 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (import19ksnx9ajsn .com) (exploit_kit.rules)
- 2048114 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (import19ksnx9ajsn .com) (exploit_kit.rules)
- 2048115 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .layout .oystergardens .us) (malware.rules)
- 2048116 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .layout .oystergardens .us) (malware.rules)
Pro:
- 2855263 - ETPRO MALWARE Successful Banking Credential Phish 2023-09-18 (malware.rules)
Modified inactive rules:
- 2044665 - ET INFO Outbound SMB NTLM Auth Attempt to External Address (info.rules)
Removed rules:
- 2832259 - ETPRO POLICY Observed MSI Download (policy.rules)
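Added example, not part of the ET ruleset or this changelog: a small Python triage helper that refangs the defanged domains printed in the rule titles above (2048101, 2048109, 2048111, 2048113, 2048115) and matches them against DNS query names, so the new indicators can be checked against existing DNS logs before the ruleset is deployed. The log format and the log lines are constructed for the example; the real ET signatures match on Suricata's dns.query buffer and may use different anchoring, so this is a lookup aid, not a reimplementation of the rules. The wildcard entry for SocGholish is treated the way a dotprefix match works: any name with at least one label in front of layout.oystergardens.us matches, the apex itself does not.

```python
"""Refang the defanged domains from the rule titles and match DNS query names against them.
Added example; not ET ruleset code. INDICATORS maps sid -> indicator as written in the rule title."""
import re

# Indicators copied from the rule titles above (hypothetical mapping for this example only).
INDICATORS = {
    2048101: "maybe .host",
    2048109: "greedyclowns .org",
    2048111: "mansaentertainment .com",
    2048113: "import19ksnx9ajsn .com",
    2048115: "* .layout .oystergardens .us",
}


def refang(indicator: str) -> str:
    """Turn 'greedyclowns .org' into 'greedyclowns.org'; also accepts [.] and (.) defanging."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)  # remove the whitespace inserted around dots
    return s.strip().lower()


def normalize_qname(qname: str) -> str:
    """Lowercase and drop a trailing dot so 'MAYBE.HOST.' compares equal to 'maybe.host'."""
    return qname.strip().rstrip(".").lower()


def matches(indicator: str, qname: str) -> bool:
    """Exact match for plain domains; '*.x' matches names with at least one label before x."""
    dom = refang(indicator)
    name = normalize_qname(qname)
    if dom.startswith("*."):
        suffix = dom[1:]  # e.g. '.layout.oystergardens.us'
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == dom


# Constructed sample log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_DNS_LOG = """\
2023-09-18T10:01:02Z 10.0.0.5 www.example.com A
2023-09-18T10:01:03Z 10.0.0.5 greedyclowns.org A
2023-09-18T10:01:04Z 10.0.0.9 MAYBE.HOST. A
2023-09-18T10:01:05Z 10.0.0.9 layout.oystergardens.us A
2023-09-18T10:01:06Z 10.0.0.9 cdn.layout.oystergardens.us A
2023-09-18T10:01:07Z 10.0.0.7 notgreedyclowns.org A
"""


def scan_dns_log(log_text: str):
    """Return (sid, client, qname) for every log line whose qname matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts[1], parts[2]
        for sid, indicator in INDICATORS.items():
            if matches(indicator, qname):
                hits.append((sid, client, normalize_qname(qname)))
    return hits


if __name__ == "__main__":
    for sid, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"sid {sid}: {client} looked up {qname}")
```

Running the block against the constructed log reports greedyclowns.org from 10.0.0.5 and maybe.host plus cdn.layout.oystergardens.us from 10.0.0.9; the apex layout.oystergardens.us and the look-alike notgreedyclowns.org are correctly left alone, which is the behaviour to confirm when porting the match logic to your own log tooling.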