Ruleset Update Summary - 2023/11/16 - v10467

Summary:

34 new OPEN, 36 new PRO (34 + 2)

Thanks @CISACyber, @eSentire, @h2jazi


Added rules:

Open:

  • 2030575 - ET INFO EXE File Download Request via Discord (info.rules)
  • 2049217 - ET INFO DYNAMIC_DNS Query to a *.bestoftheat .com Domain (info.rules)
  • 2049218 - ET INFO DYNAMIC_DNS HTTP Request to a *.bestoftheat .com Domain (info.rules)
  • 2049219 - ET INFO DYNAMIC_DNS Query to a *.efxs .ca Domain (info.rules)
  • 2049220 - ET INFO DYNAMIC_DNS HTTP Request to a *.efxs .ca Domain (info.rules)
  • 2049221 - ET MALWARE QuickBooks Pop-Up Scam - Request for QB Download Locations (malware.rules)
  • 2049222 - ET MALWARE QuickBooks Pop-Up Scam - Download Locations Response (malware.rules)
  • 2049223 - ET MALWARE QuickBooks Pop-Up Scam - Checkin Response (malware.rules)
  • 2049224 - ET MALWARE QuickBooks Pop-Up Scam - Pop-Up Details Request (malware.rules)
  • 2049225 - ET MALWARE QuickBooks Pop-Up Scam - Pop-Up Details Response (malware.rules)
  • 2049226 - ET MALWARE QuickBooks Pop-Up Scam - Checkin (malware.rules)
  • 2049227 - ET INFO RAR File Download Request via Discord (info.rules)
  • 2049228 - ET HUNTING Redirect to Discord Attachment Download (hunting.rules)
  • 2049229 - ET INFO ZIP File Download Request via Discord (info.rules)
  • 2049230 - ET INFO DLL File Download Request via Discord (info.rules)
  • 2049231 - ET MALWARE Suspected IcedID Alive Request (GET) (malware.rules)
  • 2049232 - ET MALWARE IcedID Alive Response (malware.rules)
  • 2049233 - ET MALWARE Suspected IcedID 404 Response (malware.rules)
  • 2049234 - ET HUNTING Suspected Malicious Powershell Script (Inbound) (hunting.rules)
  • 2049235 - ET MALWARE DNS Query to Scattered Spider Domain (victimname-sso .com) (malware.rules)
  • 2049236 - ET MALWARE DNS Query to Scattered Spider Domain (victimname-servicedesk .com) (malware.rules)
  • 2049237 - ET MALWARE DNS Query to Scattered Spider Domain (victimname-okta .com) (malware.rules)
  • 2049238 - ET MALWARE Observed Scattered Spider Domain (victimname-sso .com in TLS SNI) (malware.rules)
  • 2049239 - ET MALWARE Observed Scattered Spider Domain (victimname-servicedesk .com in TLS SNI) (malware.rules)
  • 2049240 - ET MALWARE Observed Scattered Spider Domain (victimname-okta .com in TLS SNI) (malware.rules)
  • 2049241 - ET MALWARE DNS Query to Malicious Domain (drive-google-com .tk) (malware.rules)
  • 2049242 - ET MALWARE Observed Malicious Domain (drive-google-com .tk in TLS SNI) (malware.rules)
  • 2049243 - ET PHISHING Obfuscated Javascript which POST Credentials to Undisclosed Webpage (phishing.rules)
  • 2049244 - ET INFO Observed Free Hosting Domain (infinityfreeapp .com) in DNS Lookup (info.rules)
  • 2049245 - ET INFO Observed Free Hosting Domain (infinityfreeapp .com) in TLS SNI (info.rules)
  • 2049246 - ET HUNTING 302 Redirect to run .mocky .io (hunting.rules)
  • 2049247 - ET WEB_SPECIFIC_APPS MagnusBilling icepay.php democ Parameter Command Inject Attempt (CVE-2023-30258) (web_specific_apps.rules)
  • 2049248 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (longlakeweb .com) (exploit_kit.rules)
  • 2049249 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (longlakeweb .com) (exploit_kit.rules)

Pro:

  • 2855816 - ETPRO EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604) (exploit.rules)
  • 2855817 - ETPRO EXPLOIT Adobe ColdFusion Improper Input Validation Exploit Attempt (CVE-2023-44355) (exploit.rules)

Removed rules:

  • 2030575 - ET POLICY EXE File Downloaded from Discord (policy.rules)