Ruleset Update Summary - 2023/11/01 - v10455

rulesbot · November 1, 2023, 10:21pm

Summary:

38 new OPEN, 40 new PRO (38 + 2)

Thanks @elasticseclabs, @leak_ix, @cpresearch

Added rules:

Open:

2049007 - ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273) (exploit.rules)
2049008 - ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Remote Instance (info.rules)
2049009 - ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Local Instance (info.rules)
2049010 - ET WEB_SERVER Tunna Variant Webshell Activity (web_server.rules)
2049011 - ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity (web_server.rules)
2049012 - ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity (web_server.rules)
2049013 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (tp-globa .xyz) (malware.rules)
2049014 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (bitscrunnch .linkpc .net) (malware.rules)
2049015 - ET MALWARE Observed SockRacket/KANDYKORN Domain (tp-globa .xyz in TLS SNI) (malware.rules)
2049016 - ET MALWARE Observed SockRacket/KANDYKORN Domain (bitscrunnch .linkpc .net in TLS SNI) (malware.rules)
2049017 - ET MALWARE Malicious SockRacket/KANDYKORN SSL Certificate Detected (malware.rules)
2049018 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (datasend .linkpc .net) (malware.rules)
2049019 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (coupang-networks .pics) (malware.rules)
2049020 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (docsendinfo .linkpc .net) (malware.rules)
2049021 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (exodus .linkpc .net) (malware.rules)
2049022 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (jobintro .linkpc .net) (malware.rules)
2049023 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (docsenddata .linkpc .net) (malware.rules)
2049024 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (bitscrunnch .run .place) (malware.rules)
2049025 - ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (jobdescription .linkpc .net) (malware.rules)
2049026 - ET MALWARE Observed SockRacket/KANDYKORN Domain (datasend .linkpc .net in TLS SNI) (malware.rules)
2049027 - ET MALWARE Observed SockRacket/KANDYKORN Domain (coupang-networks .pics in TLS SNI) (malware.rules)
2049028 - ET MALWARE Observed SockRacket/KANDYKORN Domain (docsendinfo .linkpc .net in TLS SNI) (malware.rules)
2049029 - ET MALWARE Observed SockRacket/KANDYKORN Domain (exodus .linkpc .net in TLS SNI) (malware.rules)
2049030 - ET MALWARE Observed SockRacket/KANDYKORN Domain (jobintro .linkpc .net in TLS SNI) (malware.rules)
2049031 - ET MALWARE Observed SockRacket/KANDYKORN Domain (docsenddata .linkpc .net in TLS SNI) (malware.rules)
2049032 - ET MALWARE Observed SockRacket/KANDYKORN Domain (bitscrunnch .run .place in TLS SNI) (malware.rules)
2049033 - ET MALWARE Observed SockRacket/KANDYKORN Domain (jobdescription .linkpc .net in TLS SNI) (malware.rules)
2049034 - ET MALWARE SockRacket/KANDYKORN Client Connect (Random Number) (malware.rules)
2049035 - ET MALWARE SockRacket/KANDYKORN CnC Response (Nonce) (malware.rules)
2049036 - ET MALWARE SockRacket/KANDYKORN Client Challenge (malware.rules)
2049037 - ET MALWARE SockRacket/KANDYKORN CnC Response (malware.rules)
2049038 - ET MALWARE Agent Tesla Base64 Encoded Payload In Image (malware.rules)
2049039 - ET MALWARE GCleaner Downloader IP Address Retrieval Attempt M2 (malware.rules)
2049040 - ET MALWARE GCleaner Downloader Activity M11 (malware.rules)
2049041 - ET MALWARE Win32/Unknown CnC Domain in DNS Lookup (hackermania .org) (malware.rules)
2049042 - ET MALWARE Win32/Unknown Domain (hackermania .org) in TLS SNI (malware.rules)
2049043 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (vibedroom .org) (exploit_kit.rules)
2049044 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (vibedroom .org) (exploit_kit.rules)

Pro:

2855515 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2855516 - ETPRO EXPLOIT_KIT RogueRaticate POST to .CSS (exploit_kit.rules)

Disabled and modified rules:

2849318 - ETPRO PHISHING Successful RBFCU Phish 2021-07-16 (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/05/21 - v10600 Ruleset Updates	227	May 21, 2024
Ruleset Update Summary - 2023/10/30 - v10452 Ruleset Updates	526	October 30, 2023
Ruleset Update Summary - 2023/10/31 - v10454 Ruleset Updates	298	October 31, 2023
Ruleset Update Summary - 2023/11/02 - v10456 Ruleset Updates	377	November 2, 2023
Ruleset Update Summary - 2023/11/03 - v10457 Ruleset Updates	301	November 3, 2023

Ruleset Update Summary - 2023/11/01 - v10455

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics