Ruleset Update Summary - 2023/10/30 - v10452

Summary:

68 new OPEN, 69 new PRO (68 + 1)

Thanks @SI_FalconTeam, @Horizon3ai, @ginkgo_g


Added rules:

Open:

  • 2048933 - ET MALWARE Suspected Bumblebee Loader Activity (malware.rules)
  • 2048934 - ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Inbound) (info.rules)
  • 2048935 - ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound) (hunting.rules)
  • 2048936 - ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound) (hunting.rules)
  • 2048937 - ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Outbound) (hunting.rules)
  • 2048938 - ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Inbound) (hunting.rules)
  • 2048939 - ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Outbound) (hunting.rules)
  • 2048940 - ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound) (exploit.rules)
  • 2048941 - ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound) (exploit.rules)
  • 2048942 - ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Outbound) (info.rules)
  • 2048943 - ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound) (info.rules)
  • 2048944 - ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound) (info.rules)
  • 2048945 - ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Inbound) (info.rules)
  • 2048946 - ET PHISHING Generic Phish Landing Page (2023-10-30) (phishing.rules)
  • 2048947 - ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com) (adware_pup.rules)
  • 2048948 - ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI) (adware_pup.rules)
  • 2048949 - ET MALWARE Possible Konni RAT Related Activity Observed (malware.rules)
  • 2048950 - ET MALWARE Possible Konni RAT Domain in DNS Lookup (documentoffice .club) (malware.rules)
  • 2048951 - ET MALWARE TA444 Domain in DNS Lookup (cisco-webex .online) (malware.rules)
  • 2048952 - ET MALWARE TA444 Domain in DNS Lookup (video-meet .team) (malware.rules)
  • 2048953 - ET MALWARE TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com) (malware.rules)
  • 2048954 - ET MALWARE TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net) (malware.rules)
  • 2048955 - ET MALWARE TA444 Domain in DNS Lookup (on-global .xyz) (malware.rules)
  • 2048956 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net) (malware.rules)
  • 2048957 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .ddns .net) (malware.rules)
  • 2048958 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net) (malware.rules)
  • 2048959 - ET MALWARE TA444 Domain in DNS Lookup (indaddy .xyz) (malware.rules)
  • 2048960 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .tech .linkpc .net) (malware.rules)
  • 2048961 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .presentations .life) (malware.rules)
  • 2048962 - ET MALWARE TA444 Domain in DNS Lookup (doc .global-link .run .place) (malware.rules)
  • 2048963 - ET MALWARE TA444 Domain in DNS Lookup (internalpdfviewer .ddns .net) (malware.rules)
  • 2048964 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .zapto .org) (malware.rules)
  • 2048965 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .serveirc .com) (malware.rules)
  • 2048966 - ET MALWARE TA444 Domain in DNS Lookup (www .bitscrunch .co) (malware.rules)
  • 2048967 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net) (malware.rules)
  • 2048968 - ET MALWARE TA444 Domain in DNS Lookup (voldemort .myvnc .com) (malware.rules)
  • 2048969 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunchtech .linkpc .net) (malware.rules)
  • 2048970 - ET MALWARE TA444 Domain in DNS Lookup (nor-health .xyz) (malware.rules)
  • 2048971 - ET MALWARE TA444 Domain in DNS Lookup (document .shared-link .line .pm) (malware.rules)
  • 2048972 - ET MALWARE TA444 Domain in TLS SNI (cisco-webex .online) (malware.rules)
  • 2048973 - ET MALWARE TA444 Domain in TLS SNI (video-meet .team) (malware.rules)
  • 2048974 - ET MALWARE TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com) (malware.rules)
  • 2048975 - ET MALWARE TA444 Domain in TLS SNI (docshared .col-link .linkpc .net) (malware.rules)
  • 2048976 - ET MALWARE TA444 Domain in TLS SNI (on-global .xyz) (malware.rules)
  • 2048977 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net) (malware.rules)
  • 2048978 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .ddns .net) (malware.rules)
  • 2048979 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net) (malware.rules)
  • 2048980 - ET MALWARE TA444 Domain in TLS SNI (indaddy .xyz) (malware.rules)
  • 2048981 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .tech .linkpc .net) (malware.rules)
  • 2048982 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .presentations .life) (malware.rules)
  • 2048983 - ET MALWARE TA444 Domain in TLS SNI (doc .global-link .run .place) (malware.rules)
  • 2048984 - ET MALWARE TA444 Domain in TLS SNI (internalpdfviewer .ddns .net) (malware.rules)
  • 2048985 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .zapto .org) (malware.rules)
  • 2048986 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .serveirc .com) (malware.rules)
  • 2048987 - ET MALWARE TA444 Domain in TLS SNI (www .bitscrunch .co) (malware.rules)
  • 2048988 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net) (malware.rules)
  • 2048989 - ET MALWARE TA444 Domain in TLS SNI (voldemort .myvnc .com) (malware.rules)
  • 2048990 - ET MALWARE TA444 Domain in TLS SNI (bitscrunchtech .linkpc .net) (malware.rules)
  • 2048991 - ET MALWARE TA444 Domain in TLS SNI (nor-health .xyz) (malware.rules)
  • 2048992 - ET MALWARE TA444 Domain in TLS SNI (document .shared-link .line .pm) (malware.rules)
  • 2048993 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cinaprofilm .com) (exploit_kit.rules)
  • 2048994 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cinaprofilm .com) (exploit_kit.rules)
  • 2048995 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (bingbuy .com) (exploit_kit.rules)
  • 2048996 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (bingbuy .com) (exploit_kit.rules)
  • 2048997 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (frightysever .org) (exploit_kit.rules)
  • 2048998 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (bigbricks .org) (exploit_kit.rules)
  • 2048999 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (frightysever .org) (exploit_kit.rules)
  • 2049000 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (bigbricks .org) (exploit_kit.rules)

Pro:

  • 2855505 - ETPRO MALWARE Lumma Stealer Related Activity (malware.rules)

Modified inactive rules:

  • 2048737 - ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Outbound) M2 (exploit.rules)
  • 2048738 - ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Inbound) M2 (exploit.rules)