Summary:
40 new OPEN, 42 new PRO (40 + 2)
Thanks @naumovax, @foxit, @SI_FalconTeam
Added rules:
Open:
- 2048723 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumbase .site) (malware.rules)
- 2048724 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumtxt .space) (malware.rules)
- 2048725 - ET MALWARE Fake Chrome Landing Domain Activity (chromiumlink .site) (malware.rules)
- 2048726 - ET INFO Commonly Abused WordPress Application Related Domain in DNS Lookup (dreamwp .com) (info.rules)
- 2048727 - ET MALWARE IcedID Related Loader Domain in DNS Lookup (malware.rules)
- 2048728 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
- 2048729 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
- 2048730 - ET MALWARE Observed IcedID Related Loader Domain in TLS SNI (malware.rules)
- 2048731 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
- 2048732 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
- 2048733 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
- 2048734 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
- 2048735 - ET MALWARE IcedID Loader Related Activity (POST) (malware.rules)
- 2048736 - ET MALWARE PovertyStealer Exfiltration M3 (malware.rules)
- 2048737 - ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M2 (exploit.rules)
- 2048738 - ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M2 (exploit.rules)
- 2048739 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M1 (exploit.rules)
- 2048740 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1 (exploit.rules)
- 2048741 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M2 (exploit.rules)
- 2048742 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M2 (exploit.rules)
- 2048743 - ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default Cert Issuer Common Name (scada.rules)
- 2048744 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default X509 Certificate String (scada.rules)
- 2048745 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Subject Common Name (scada.rules)
- 2048746 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Issuer Common Name (scada.rules)
- 2048747 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default X509 Certificate (scada.rules)
- 2048748 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Subject Common Name (scada.rules)
- 2048749 - ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Issuer Common Name (scada.rules)
- 2048750 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (zxcdota2huysasi .com) (exploit_kit.rules)
- 2048751 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (rentfrejob .com) (exploit_kit.rules)
- 2048752 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (neurotonix-buy .us) (exploit_kit.rules)
- 2048753 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (zxcdota2huysasi .com) (exploit_kit.rules)
- 2048754 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (rentfrejob .com) (exploit_kit.rules)
- 2048755 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (neurotonix-buy .us) (exploit_kit.rules)
- 2048756 - ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (212bb) (exploit_kit.rules)
- 2048757 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (implacavelvideos .com) (exploit_kit.rules)
- 2048758 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kgscrew .com) (exploit_kit.rules)
- 2048759 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (implacavelvideos .com) (exploit_kit.rules)
- 2048760 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kgscrew .com) (exploit_kit.rules)
- 2048761 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (metallife .org) (exploit_kit.rules)
- 2048762 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (metallife .org) (exploit_kit.rules)
Pro:
- 2855464 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 (malware.rules)
- 2855465 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 (malware.rules)
Disabled and modified rules:
- 2045795 - ET MALWARE SparkRAT Related Domain in DNS Lookup (gwekekccef .webull .day) (malware.rules)
- 2048568 - ET INFO IPFS File Service Domain in DNS Lookup (nftstorage .link) (info.rules)