Ruleset Update Summary - 2023/10/23 - v10446

rulesbot · October 23, 2023, 8:56pm

Summary:

40 new OPEN, 42 new PRO (40 + 2)

Thanks @naumovax, @foxit, @SI_FalconTeam

Added rules:

Open:

2048723 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumbase .site) (malware.rules)
2048724 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumtxt .space) (malware.rules)
2048725 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumlink .site) (malware.rules)
2048726 - ET INFO Commonly Abused WordPress Application Related Domain in DNS Lookup (dreamwp .com) (info.rules)
2048727 - ET MALWARE IcedID Related Loader Domain in DNS Lookup (malware.rules)
2048728 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
2048729 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
2048730 - ET MALWARE Observed IcedID Related Loader Domain in TLS SNI (malware.rules)
2048731 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
2048732 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
2048733 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
2048734 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
2048735 - ET MALWARE IcedID Loader Related Activity (POST) (malware.rules)
2048736 - ET MALWARE PovertyStealer Exfiltration M3 (malware.rules)
2048737 - ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M2 (exploit.rules)
2048738 - ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M2 (exploit.rules)
2048739 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M1 (exploit.rules)
2048740 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1 (exploit.rules)
2048741 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M2 (exploit.rules)
2048742 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M2 (exploit.rules)
2048743 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default Cert Issuer Common Name (scada.rules)
2048744 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default X509 Certificate String (scada.rules)
2048745 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Subject Common Name (scada.rules)
2048746 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Issuer Common Name (scada.rules)
2048747 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default X509 Certificate (scada.rules)
2048748 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Subject Common Name (scada.rules)
2048749 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Issuer Common Name (scada.rules)
2048750 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (zxcdota2huysasi .com) (exploit_kit.rules)
2048751 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (rentfrejob .com) (exploit_kit.rules)
2048752 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (neurotonix–buy .us) (exploit_kit.rules)
2048753 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (zxcdota2huysasi .com) (exploit_kit.rules)
2048754 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (rentfrejob .com) (exploit_kit.rules)
2048755 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (neurotonix–buy .us) (exploit_kit.rules)
2048756 - ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (212bb) (exploit_kit.rules)
2048757 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (implacavelvideos .com) (exploit_kit.rules)
2048758 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kgscrew .com) (exploit_kit.rules)
2048759 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (implacavelvideos .com) (exploit_kit.rules)
2048760 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kgscrew .com) (exploit_kit.rules)
2048761 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (metallife .org) (exploit_kit.rules)
2048762 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (metallife .org) (exploit_kit.rules)

Pro:

2855464 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 (malware.rules)
2855465 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 (malware.rules)

Disabled and modified rules:

2045795 - ET MALWARE SparkRAT Related Domain in DNS Lookup (gwekekccef .webull .day) (malware.rules)
2048568 - ET INFO IPFS File Service Domain in DNS Lookup (nftstorage .link) (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	271	August 29, 2023
Ruleset Update Summary - 2023/10/16 - v10442 Ruleset Updates	362	October 16, 2023
Ruleset Update Summary - 2023/07/18 - v10374 Ruleset Updates	231	July 18, 2023
Ruleset Update Summary - 2023/09/19 - v10420 Ruleset Updates	265	September 19, 2023
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	351	November 22, 2023

Ruleset Update Summary - 2023/10/23 - v10446

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics