Ruleset Update Summary - 2023/09/22 - v10423

rulesbot · September 22, 2023, 9:27pm

Summary:

74 new OPEN, 79 new PRO (74 + 5)

Thanks @Unit42_Intel, @SentinelOne

Added rules:

Open:

2048147 - ET PHISHING TOAD Domain in DNS Lookup (athelp .live) (phishing.rules)
2048148 - ET PHISHING TOAD Domain in DNS Lookup (login .pcsystem247 .cc) (phishing.rules)
2048149 - ET PHISHING TOAD Domain in DNS Lookup (jxhelp .cc) (phishing.rules)
2048150 - ET PHISHING TOAD Domain in DNS Lookup (mghelp .live) (phishing.rules)
2048151 - ET PHISHING TOAD Domain in DNS Lookup (wdhelp .us) (phishing.rules)
2048152 - ET PHISHING TOAD Domain in DNS Lookup (support7 .cc) (phishing.rules)
2048153 - ET PHISHING TOAD Domain in DNS Lookup (wdhelp .live) (phishing.rules)
2048154 - ET PHISHING TOAD Domain in DNS Lookup (mta-sts .gub .bio) (phishing.rules)
2048155 - ET PHISHING TOAD Domain in DNS Lookup (kbhelp .info) (phishing.rules)
2048156 - ET PHISHING TOAD Domain in DNS Lookup (axhelp .live) (phishing.rules)
2048157 - ET PHISHING TOAD Domain in DNS Lookup (helpsystem .cc) (phishing.rules)
2048158 - ET PHISHING TOAD Domain in DNS Lookup (mail .retfaqboos .site) (phishing.rules)
2048159 - ET PHISHING TOAD Domain in DNS Lookup (gbhelp .live) (phishing.rules)
2048160 - ET PHISHING TOAD Domain in DNS Lookup (gbhelp .cc) (phishing.rules)
2048161 - ET PHISHING TOAD Domain in DNS Lookup (gchelp .info) (phishing.rules)
2048162 - ET PHISHING TOAD Domain in DNS Lookup (jxhelp .us) (phishing.rules)
2048163 - ET PHISHING TOAD Domain in DNS Lookup (cxhelp .us) (phishing.rules)
2048164 - ET PHISHING TOAD Domain in DNS Lookup (retfaqboos .site) (phishing.rules)
2048165 - ET PHISHING TOAD Domain in DNS Lookup (mail .mrree .gub .bio) (phishing.rules)
2048166 - ET PHISHING TOAD Domain in DNS Lookup (dfhelp .cc) (phishing.rules)
2048167 - ET PHISHING TOAD Domain in DNS Lookup (pcsystem247 .cc) (phishing.rules)
2048168 - ET PHISHING TOAD Domain in DNS Lookup (pxhelp .us) (phishing.rules)
2048169 - ET PHISHING TOAD Domain in DNS Lookup (amz34 .us) (phishing.rules)
2048170 - ET PHISHING TOAD Domain in DNS Lookup (emv1 .gub .bio) (phishing.rules)
2048171 - ET PHISHING TOAD Domain in DNS Lookup (mchelp .cc) (phishing.rules)
2048172 - ET PHISHING TOAD Domain in DNS Lookup (login .helpsystem .cc) (phishing.rules)
2048173 - ET PHISHING TOAD Domain in DNS Lookup (jxhelp .info) (phishing.rules)
2048174 - ET PHISHING TOAD Domain in DNS Lookup (33 .gub .bio) (phishing.rules)
2048175 - ET PHISHING TOAD Domain in DNS Lookup (dbhelp .info) (phishing.rules)
2048176 - ET PHISHING TOAD Domain in DNS Lookup (gub .bio) (phishing.rules)
2048177 - ET PHISHING TOAD Domain in DNS Lookup (lbhelp .us) (phishing.rules)
2048178 - ET PHISHING TOAD Domain in DNS Lookup (mshelp58 .us) (phishing.rules)
2048179 - ET PHISHING TOAD Domain in DNS Lookup (cashapphelp19 .us) (phishing.rules)
2048180 - ET PHISHING Observed TOAD Domain (login .helpsystem .cc in TLS SNI) (phishing.rules)
2048181 - ET PHISHING Observed TOAD Domain (gbhelp .cc in TLS SNI) (phishing.rules)
2048182 - ET PHISHING Observed TOAD Domain (lbhelp .us in TLS SNI) (phishing.rules)
2048183 - ET PHISHING Observed TOAD Domain (wdhelp .us in TLS SNI) (phishing.rules)
2048184 - ET PHISHING Observed TOAD Domain (mchelp .cc in TLS SNI) (phishing.rules)
2048185 - ET PHISHING Observed TOAD Domain (kbhelp .info in TLS SNI) (phishing.rules)
2048186 - ET PHISHING Observed TOAD Domain (mta-sts .gub .bio in TLS SNI) (phishing.rules)
2048187 - ET PHISHING Observed TOAD Domain (amz34 .us in TLS SNI) (phishing.rules)
2048188 - ET PHISHING Observed TOAD Domain (login .pcsystem247 .cc in TLS SNI) (phishing.rules)
2048189 - ET PHISHING Observed TOAD Domain (gbhelp .live in TLS SNI) (phishing.rules)
2048190 - ET PHISHING Observed TOAD Domain (dbhelp .info in TLS SNI) (phishing.rules)
2048191 - ET PHISHING Observed TOAD Domain (jxhelp .info in TLS SNI) (phishing.rules)
2048192 - ET PHISHING Observed TOAD Domain (axhelp .live in TLS SNI) (phishing.rules)
2048193 - ET PHISHING Observed TOAD Domain (jxhelp .us in TLS SNI) (phishing.rules)
2048194 - ET PHISHING Observed TOAD Domain (cashapphelp19 .us in TLS SNI) (phishing.rules)
2048195 - ET PHISHING Observed TOAD Domain (jxhelp .cc in TLS SNI) (phishing.rules)
2048196 - ET PHISHING Observed TOAD Domain (pcsystem247 .cc in TLS SNI) (phishing.rules)
2048197 - ET PHISHING Observed TOAD Domain (athelp .live in TLS SNI) (phishing.rules)
2048198 - ET PHISHING Observed TOAD Domain (wdhelp .live in TLS SNI) (phishing.rules)
2048199 - ET PHISHING Observed TOAD Domain (gub .bio in TLS SNI) (phishing.rules)
2048200 - ET PHISHING Observed TOAD Domain (mail .retfaqboos .site in TLS SNI) (phishing.rules)
2048201 - ET PHISHING Observed TOAD Domain (mghelp .live in TLS SNI) (phishing.rules)
2048202 - ET PHISHING Observed TOAD Domain (support7 .cc in TLS SNI) (phishing.rules)
2048203 - ET PHISHING Observed TOAD Domain (33 .gub .bio in TLS SNI) (phishing.rules)
2048204 - ET PHISHING Observed TOAD Domain (mail .mrree .gub .bio in TLS SNI) (phishing.rules)
2048205 - ET PHISHING Observed TOAD Domain (pxhelp .us in TLS SNI) (phishing.rules)
2048206 - ET PHISHING Observed TOAD Domain (emv1 .gub .bio in TLS SNI) (phishing.rules)
2048207 - ET PHISHING Observed TOAD Domain (helpsystem .cc in TLS SNI) (phishing.rules)
2048208 - ET PHISHING Observed TOAD Domain (retfaqboos .site in TLS SNI) (phishing.rules)
2048209 - ET PHISHING Observed TOAD Domain (cxhelp .us in TLS SNI) (phishing.rules)
2048210 - ET PHISHING Observed TOAD Domain (gchelp .info in TLS SNI) (phishing.rules)
2048211 - ET PHISHING Observed TOAD Domain (mshelp58 .us in TLS SNI) (phishing.rules)
2048212 - ET PHISHING Observed TOAD Domain (dfhelp .cc in TLS SNI) (phishing.rules)
2048213 - ET EXPLOIT Potential Adobe Experience Manager (AEM) Dispatcher Bypass Attempt (exploit.rules)
2048214 - ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (ssl .explorecell .com) (malware.rules)
2048215 - ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (mode .encagil .com) (malware.rules)
2048216 - ET MALWARE Observed Sandman APT LuaDream Backdoor Domain (ssl .explorecell .com) in TLS SNI (malware.rules)
2048217 - ET MALWARE Observed Sandman APT LuaDream Backdoor Domain (mode .encagil .com) in TLS SNI (malware.rules)
2048218 - ET MALWARE Stately Taurus APT Toneshell Backdoor Domain in DNS Lookup (www .uvfr43p .com) (malware.rules)
2048219 - ET MALWARE Stately Taurus APT Related Domain in DNS Lookup (Feed-5613 .coderformylife .info) (malware.rules)
2048220 - ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (3a7ee) (exploit_kit.rules)

Pro:

2855276 - ETPRO ATTACK_RESPONSE Responder Basic Authentication HTTP Response (attack_response.rules)
2855277 - ETPRO ATTACK_RESPONSE Responder NTLM Authentication HTTP Response M2 (attack_response.rules)
2855278 - ETPRO INFO NTLM Authentication Message Type 1 to External Host (Possible NTLM Hash Theft) (info.rules)
2855279 - ETPRO ATTACK_RESPONSE Responder NTLM Authentication HTTP Response M3 (attack_response.rules)
2855280 - ETPRO INFO NTLM Authentication Message Type 2 From External Host (Possible NTLM Hash Theft) (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/08/10 - v10391 Ruleset Updates	248	August 10, 2023
Ruleset Update Summary - 2023/10/24 - v10447 Ruleset Updates	349	October 24, 2023
Ruleset Update Summary - 2023/10/13 - v10439 Ruleset Updates	333	October 13, 2023
Ruleset Update Summary - 2023/10/03 - v10431 Ruleset Updates	234	October 3, 2023
Ruleset Update Summary - 2023/09/25 - v10424 Ruleset Updates	278	September 25, 2023

Ruleset Update Summary - 2023/09/22 - v10423

Summary:

Added rules:

Open:

Pro:

Related topics