Ruleset Update Summary - 2023/09/27 - v10426

Summary:

41 new OPEN, 62 new PRO (41 + 21)

Thanks @LabsSentinel
Added rules:

Open:

  • 2048276 - ET MALWARE IcedID CnC Domain in DNS Lookup (skrgerona .com) (malware.rules)
  • 2048277 - ET MALWARE IcedID CnC Domain in DNS Lookup (restohalto .site) (malware.rules)
  • 2048278 - ET MALWARE IcedID CnC Domain in DNS Lookup (majzolimka .com) (malware.rules)
  • 2048279 - ET MALWARE IcedID CnC Domain in DNS Lookup (minutozhart .online) (malware.rules)
  • 2048280 - ET MALWARE IcedID CnC Domain in DNS Lookup (awindakizend .com) (malware.rules)
  • 2048281 - ET INFO DYNAMIC_DNS Query to a *.opensrc .mx Domain (info.rules)
  • 2048282 - ET INFO DYNAMIC_DNS HTTP Request to a *.opensrc .mx Domain (info.rules)
  • 2048283 - ET INFO DYNAMIC_DNS Query to a *.ec .gy Domain (info.rules)
  • 2048284 - ET INFO DYNAMIC_DNS HTTP Request to a *.ec .gy Domain (info.rules)
  • 2048285 - ET INFO DYNAMIC_DNS Query to a *.justlearning .net Domain (info.rules)
  • 2048286 - ET INFO DYNAMIC_DNS HTTP Request to a *.justlearning .net Domain (info.rules)
  • 2048287 - ET INFO DYNAMIC_DNS Query to a *.smathis .com Domain (info.rules)
  • 2048288 - ET INFO DYNAMIC_DNS HTTP Request to a *.smathis .com Domain (info.rules)
  • 2048289 - ET INFO DYNAMIC_DNS Query to a *.jcho .com Domain (info.rules)
  • 2048290 - ET INFO DYNAMIC_DNS HTTP Request to a *.jcho .com Domain (info.rules)
  • 2048291 - ET INFO DYNAMIC_DNS Query to a *.prasbharapolresbojonegoro .or .id Domain (info.rules)
  • 2048292 - ET INFO DYNAMIC_DNS HTTP Request to a *.prasbharapolresbojonegoro .or .id Domain (info.rules)
  • 2048293 - ET INFO DYNAMIC_DNS Query to a *.ianrossi .com Domain (info.rules)
  • 2048294 - ET INFO DYNAMIC_DNS HTTP Request to a *.ianrossi .com Domain (info.rules)
  • 2048295 - ET INFO DYNAMIC_DNS Query to a *.gonnadoo .com Domain (info.rules)
  • 2048296 - ET INFO DYNAMIC_DNS HTTP Request to a *.gonnadoo .com Domain (info.rules)
  • 2048297 - ET INFO DYNAMIC_DNS Query to a *.treetech .tw Domain (info.rules)
  • 2048298 - ET INFO DYNAMIC_DNS HTTP Request to a *.treetech .tw Domain (info.rules)
  • 2048299 - ET INFO DYNAMIC_DNS Query to a *.gfickt .de Domain (info.rules)
  • 2048300 - ET INFO DYNAMIC_DNS HTTP Request to a *.gfickt .de Domain (info.rules)
  • 2048301 - ET INFO DYNAMIC_DNS Query to a *.eupla .com Domain (info.rules)
  • 2048302 - ET INFO DYNAMIC_DNS HTTP Request to a *.eupla .com Domain (info.rules)
  • 2048303 - ET INFO DYNAMIC_DNS Query to a *.silexcorp .com .ar Domain (info.rules)
  • 2048304 - ET INFO DYNAMIC_DNS HTTP Request to a *.silexcorp .com .ar Domain (info.rules)
  • 2048305 - ET INFO DYNAMIC_DNS Query to a *.soapagent .com Domain (info.rules)
  • 2048306 - ET INFO DYNAMIC_DNS HTTP Request to a *.soapagent .com Domain (info.rules)
  • 2048307 - ET INFO DYNAMIC_DNS Query to a *.clickit .com Domain (info.rules)
  • 2048308 - ET INFO DYNAMIC_DNS HTTP Request to a *.clickit .com Domain (info.rules)
  • 2048309 - ET INFO DYNAMIC_DNS Query to a *.samoobrona .one .pl Domain (info.rules)
  • 2048310 - ET INFO DYNAMIC_DNS HTTP Request to a *.samoobrona .one .pl Domain (info.rules)
  • 2048311 - ET MALWARE Observed Malicious SSL Cert (Cobalt Strike) (malware.rules)
  • 2048312 - ET MALWARE PeepingTitle Backdoor Related Activity (malware.rules)
  • 2048313 - ET INFO URL Shortening Domain in DNS Lookup (urlbae .com) (info.rules)
  • 2048314 - ET INFO Observed URL Shortening Service Domain in TLS SNI (urlbae .com) (info.rules)
  • 2048315 - ET MALWARE TA444 MacOS/ProcessRequest CnC Checkin (malware.rules)
  • 2048316 - ET MALWARE TA444 MacOS/ProcessRequest CnC Domain in DNS Lookup (swissborg .blog) (malware.rules)

Pro:

  • 2855294 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855295 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855296 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855297 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855299 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855300 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855301 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855302 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855303 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855304 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855305 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855306 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855307 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855308 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855309 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855310 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855311 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855312 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855313 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2020030 - ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2 (malware.rules)

Disabled and modified rules:

  • 2048241 - ET MALWARE Possible ToneShell CnC Checkin M1 (malware.rules)
  • 2855185 - ETPRO CURRENT_EVENTS Commonly Abused Domain Domain in DNS Lookup (current_events.rules)
  • 2855186 - ETPRO CURRENT_EVENTS Observed Commonly Abused Domain in TLS SNI (current_events.rules)