Ruleset Update Summary - 2023/10/19 - v10445

rulesbot · October 19, 2023, 8:54pm

Summary:

71 new OPEN, 82 new PRO (71 + 11)

Thanks @reecdeep, @RecordedFuture

Due to a company holiday there will be no rule release Friday, October 20, 2023

Added rules:

Open:

2048652 - ET MALWARE Observed Glupteba CnC Domain (statsexplorer .org in TLS SNI) (malware.rules)
2048653 - ET MALWARE Observed Glupteba CnC Domain (filesdumpplace .org in TLS SNI) (malware.rules)
2048654 - ET MALWARE Observed Glupteba CnC Domain (dumperstats .org in TLS SNI) (malware.rules)
2048655 - ET MALWARE Observed Glupteba CnC Domain (thestatsfiles .ru in TLS SNI) (malware.rules)
2048656 - ET MALWARE Observed Glupteba CnC Domain (realupdate .ru in TLS SNI) (malware.rules)
2048657 - ET MALWARE Observed Glupteba CnC Domain (parrotcare .net in TLS SNI) (malware.rules)
2048658 - ET MALWARE Observed Glupteba CnC Domain (mypushtimes .net in TLS SNI) (malware.rules)
2048659 - ET MALWARE Observed Glupteba CnC Domain (safarimexican .net in TLS SNI) (malware.rules)
2048660 - ET MALWARE Observed Glupteba CnC Domain (rentalhousezz .net in TLS SNI) (malware.rules)
2048661 - ET MALWARE Win32/Common RAT CnC Activity (GET) (malware.rules)
2048662 - ET MALWARE Win32/Common RAT Host Checkin (GET) (malware.rules)
2048663 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Default Cert Subject Common Name (scada.rules)
2048664 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Default Cert Issuer Common Name (scada.rules)
2048665 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Telnet Activity (scada.rules)
2048666 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Telnet Elevated Access (scada.rules)
2048667 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL 2032 Processor Telnet Banner (scada.rules)
2048668 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Calibration Access Level Login Success (scada.rules)
2048669 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Access Change (scada.rules)
2048670 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Change working directory 2701 (scada.rules)
2048671 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Current directory /SEL-2701 (scada.rules)
2048672 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - DNPMAP.TXT File Download Attempt (scada.rules)
2048673 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - STOR SET_DNP1.TXT File Upload Attempt (scada.rules)
2048674 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_ File Upload Attempt (scada.rules)
2048675 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - User ACC Login Attempt (scada.rules)
2048676 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default Password otter (scada.rules)
2048677 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - DNPMAP.TXT File Upload Attempt (scada.rules)
2048678 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - ERR.TXT File Download Attempt (scada.rules)
2048679 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_DNP1.TXT File Download Attempt (scada.rules)
2048680 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_ File Download Attempt (scada.rules)
2048681 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default User Account FTPUSER Login Attempt (scada.rules)
2048682 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default User Account Password TAIL Login Attempt (scada.rules)
2048683 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SEL-751A FTP Banner Observed (scada.rules)
2048684 - ET SCADA [nsacyber/ELITEWOLF] Possible Siemens S7-1200 Unauthorized Access Attempt - Request for /Images/CPU1200/ (scada.rules)
2048685 - ET SCADA [nsacyber/ELITEWOLF] Possible Siemens S7-1200 Unauthorized Access Attempt - Request for /CSS/S7Web.css (scada.rules)
2048686 - ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default X509 Certificate String (scada.rules)
2048687 - ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default Cert Subject Common Name (scada.rules)
2048688 - ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default Cert Issuer Common Name (scada.rules)
2048689 - ET SCADA [nsacyber/ELITEWOLF] Siemens S7 Redpoint NSE Request CPU Function Read SZL attempt (scada.rules)
2048690 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default X509 Certificate String (scada.rules)
2048691 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default Cert Subject Common Name (scada.rules)
2048692 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default Cert Issuer Common Name (scada.rules)
2048693 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .result .garrettcountygranfondo .org) (malware.rules)
2048694 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .result .garrettcountygranfondo .org) (malware.rules)
2048695 - ET MALWARE TA401 Domain in DNS Lookup (isabeljwade .icu) (malware.rules)
2048696 - ET MALWARE TA401 Domain in DNS Lookup (francescatmorrison .icu) (malware.rules)
2048697 - ET MALWARE TA401 Domain in DNS Lookup (jayyburrows .icu) (malware.rules)
2048698 - ET MALWARE TA401 Domain in DNS Lookup (jessicakphillips .icu) (malware.rules)
2048699 - ET MALWARE TA401 Domain in TLS SNI (isabeljwade .icu) (malware.rules)
2048700 - ET MALWARE TA401 Domain in TLS SNI (francescatmorrison .icu) (malware.rules)
2048701 - ET MALWARE TA401 Domain in TLS SNI (jayyburrows .icu) (malware.rules)
2048702 - ET MALWARE TA401 Domain in TLS SNI (jessicakphillips .icu) (malware.rules)
2048703 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (alqassam .ps) (malware.rules)
2048704 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanps .top) (malware.rules)
2048705 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hamrah .nikanps .top) (malware.rules)
2048706 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (modir .nikanps .top) (malware.rules)
2048707 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (admin .nikanps .top) (malware.rules)
2048708 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (user .nikanps .top) (malware.rules)
2048709 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .top) (malware.rules)
2048710 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hz .nikanpsx .top) (malware.rules)
2048711 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .hopto .org) (malware.rules)
2048712 - ET MALWARE HAMAS affiliated Domain in TLS SNI (alqassam .ps) (malware.rules)
2048713 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanps .top) (malware.rules)
2048714 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hamrah .nikanps .top) (malware.rules)
2048715 - ET MALWARE HAMAS affiliated Domain in TLS SNI (modir .nikanps .top) (malware.rules)
2048716 - ET MALWARE HAMAS affiliated Domain in TLS SNI (admin .nikanps .top) (malware.rules)
2048717 - ET MALWARE HAMAS affiliated Domain in TLS SNI (user .nikanps .top) (malware.rules)
2048718 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .top) (malware.rules)
2048719 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hz .nikanpsx .top) (malware.rules)
2048720 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .hopto .org) (malware.rules)
2048721 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default X509 Certificate String (scada.rules)
2048722 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default Cert Subject Common Name (scada.rules)

Pro:

2855435 - ETPRO MALWARE Win32/TA402 Checkin (malware.rules)
2855436 - ETPRO MALWARE Win32/TA402 Checkin M2 (malware.rules)
2855437 - ETPRO MALWARE TA402 CnC Domain in DNS Lookup (malware.rules)
2855438 - ETPRO MALWARE Observed TA402 Domain in TLS SNI (malware.rules)
2855439 - ETPRO ATTACK_RESPONSE Dump SAM Script Retrieval (attack_response.rules)
2855440 - ETPRO ATTACK_RESPONSE Suspected Reflective Loader Powershell Script Retrieval (attack_response.rules)
2855441 - ETPRO ATTACK_RESPONSE Reflective Loader Powershell Script Retrieval (attack_response.rules)
2855442 - ETPRO ATTACK_RESPONSE Environmental Reconnaissance Powershell Script Retrieval (attack_response.rules)
2855443 - ETPRO ATTACK_RESPONSE Environmental Reconnaissance Powershell Script Retrieval (attack_response.rules)
2855444 - ETPRO ATTACK_RESPONSE Environmental Reconnaissance Powershell Script Retrieval (attack_response.rules)
2855445 - ETPRO MALWARE DarkGate Payload Inbound (malware.rules)

Modified inactive rules:

2028371 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update (ja3.rules)
2028375 - ET JA3 Hash - Possible Malware - Java Based RAT (ja3.rules)
2028380 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)
2028391 - ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex (ja3.rules)
2028395 - ET JA3 Hash - Possible Malware - Various Eitest (ja3.rules)
2030366 - ET JA3 HASH - Possible POSHC2 Client CnC (ja3.rules)
2030367 - ET JA3 HASH - Possible POSHC2 Server Response (ja3.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/08/22 - v10672 Ruleset Updates	68	August 22, 2024
Ruleset Update Summary - 2023/09/05 - v10410 Ruleset Updates	283	September 5, 2023
Ruleset Update Summary - 2022/12/28 - v10206 Ruleset Updates	318	December 28, 2022
Ruleset Update Summary - 2023/10/02 - v10430 Ruleset Updates	271	October 2, 2023
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	270	August 29, 2023

Ruleset Update Summary - 2023/10/19 - v10445

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics