Ruleset Update Summary - 2023/11/29 - v10475

Summary:

22 new OPEN, 23 new PRO (22 + 1)

Thanks @Jane_0sint


Added rules:

Open:

  • 2044933 - ET MALWARE RaccoonStealer Admin Console Inbound (malware.rules)
  • 2044963 - ET MALWARE Win32/StormKitty CnC Telegram Notification M1 (malware.rules)
  • 2044964 - ET MALWARE Win32/StormKitty CnC Telegram Notification M2 (malware.rules)
  • 2045000 - ET MALWARE RedLine Stealer - CheckConnect Response (malware.rules)
  • 2045001 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound (malware.rules)
  • 2045005 - ET MALWARE Win32/LeftHook Stealer Payload Inbound (malware.rules)
  • 2045006 - ET MALWARE Win32/LeftHook Stealer - CnC Response (get_socket) (malware.rules)
  • 2049385 - ET EXPLOIT Successful Apache ActiveMQ Remote Code Execution (CVE-2023-46604) (exploit.rules)
  • 2049386 - ET WEB_SPECIFIC_APPS Jiecheng Management Information System CWSFinanceCommon SQL injection (web_specific_apps.rules)
  • 2049387 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M1 (attack_response.rules)
  • 2049388 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M2 (attack_response.rules)
  • 2049389 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M3 (attack_response.rules)
  • 2049390 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M4 (attack_response.rules)
  • 2049391 - ET ATTACK_RESPONSE Possible arp command output via HTTP (Linux Style) (attack_response.rules)
  • 2049392 - ET ATTACK_RESPONSE Possible arp command output via HTTP (Windows Style) (attack_response.rules)
  • 2049393 - ET ATTACK_RESPONSE Possible arp command output via HTTP (MacOS Style) (attack_response.rules)
  • 2049394 - ET MALWARE Marai Variant Activity (Inbound) (malware.rules)
  • 2049395 - ET INFO Observed DNS Over HTTPS Domain (sundalandia .pp .ua in TLS SNI) (info.rules)
  • 2049396 - ET INFO Observed DNS Over HTTPS Domain (paranoia .mydns .network in TLS SNI) (info.rules)
  • 2049397 - ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic (malware.rules)
  • 2049398 - ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025) (malware.rules)
  • 2049399 - ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025) (malware.rules)

Pro:

  • 2855875 - ETPRO MALWARE Suspected TA407 Related Domain in DNS Query (malware.rules)
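The ATTACK_RESPONSE additions above (2049387 through 2049393) alert on command output coming back inside an HTTP response, which is what the result of a webshell command or a command-injection payload looks like on the wire. The following is an added illustration of that detection idea in Python; it is not Emerging Threats' rule content. The regexes are assumptions modelled on typical /etc/shadow lines and `arp -a` output on Linux, Windows and macOS, and the HTTP responses are constructed samples, not captured traffic.

```python
"""Illustrative "command output via HTTP" detection (added example, not ET rule logic)."""
import re

# One /etc/shadow line: name, hash-or-lock, lastchange, min, max, warn, inactive,
# expire, reserved -> eight colons with numeric ageing fields. /etc/passwd has only
# six colons and a home-directory path in the middle, so it must not match.
SHADOW_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:"                    # account name
    r"(?:\$[0-9a-z]+\$[^:\n]*|[*!]+|x|):"     # crypt hash ($6$, $y$...), locked, 'x' or empty
    r"\d*:\d*:\d*:\d*:\d*:\d*:[^:\n]*$",      # six numeric ageing fields + reserved field
    re.M | re.I,
)

# Linux net-tools `arp -a`: "host (ip) at mac [ether] on iface"  (assumed format)
ARP_LINUX = re.compile(
    r"^\S+ \(\d{1,3}(?:\.\d{1,3}){3}\) at (?:[0-9a-f]{2}:){5}[0-9a-f]{2} \[ether\] on \S+$",
    re.M | re.I,
)

# macOS `arp -a`: "host (ip) at mac on iface ifscope [ethernet]"; octets may be
# single-digit, and there is no "[ether]" token  (assumed format)
ARP_MACOS = re.compile(
    r"^\S+ \(\d{1,3}(?:\.\d{1,3}){3}\) at (?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
    r" on \S+(?: ifscope(?: permanent)?)? \[ethernet\]$",
    re.M | re.I,
)

# Windows `arp -a`: an "Interface: ip --- 0xN" header followed by rows of
# "ip  aa-bb-cc-dd-ee-ff  dynamic|static"  (assumed format)
ARP_WINDOWS_HDR = re.compile(r"^Interface: \d{1,3}(?:\.\d{1,3}){3} --- 0x[0-9a-f]+", re.M | re.I)
ARP_WINDOWS_ROW = re.compile(
    r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s+(?:[0-9a-f]{2}-){5}[0-9a-f]{2}\s+(?:dynamic|static)\s*$",
    re.M | re.I,
)


def http_body(raw: str) -> str:
    """Return the body of a raw HTTP response (everything after the blank line)."""
    _head, sep, body = raw.partition("\r\n\r\n")
    return body if sep else raw


def detect(raw_response: str) -> list[str]:
    """Classify an HTTP response body; returns the list of triggered labels."""
    body = http_body(raw_response)
    hits = []
    if SHADOW_LINE.search(body):
        hits.append("etc_shadow")
    if ARP_LINUX.search(body):
        hits.append("arp_linux")
    # Require both header and a table row so a stray MAC address alone is not enough.
    if ARP_WINDOWS_HDR.search(body) and ARP_WINDOWS_ROW.search(body):
        hits.append("arp_windows")
    if ARP_MACOS.search(body):
        hits.append("arp_macos")
    return hits


def _resp(body: str) -> str:
    """Wrap a body in a minimal 200 OK response (constructed sample)."""
    return "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + body


# Constructed sample responses (no real hosts, hashes or captures).
SAMPLES = {
    "shadow": _resp("root:$6$saltsalt$hashhashhash:19500:0:99999:7:::\n"
                    "daemon:*:19500:0:99999:7:::\n"),
    "passwd": _resp("root:x:0:0:root:/root:/bin/bash\n"
                    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    "arp_linux": _resp("? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0\n"
                       "_gateway (10.0.0.254) at 00:aa:bb:cc:dd:ee [ether] on eth0\n"),
    "arp_windows": _resp("Interface: 10.0.0.5 --- 0x3\n"
                         "  Internet Address      Physical Address      Type\n"
                         "  10.0.0.1              00-11-22-33-44-55     dynamic\n"
                         "  10.0.0.255            ff-ff-ff-ff-ff-ff     static\n"),
    "arp_macos": _resp("? (10.0.0.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]\n"),
    "benign": _resp("<html><body>Welcome. Run arp -a to see your neighbours.</body></html>"),
}


def run_samples() -> dict[str, list[str]]:
    """Run every constructed sample through detect(); useful for a quick self-check."""
    return {name: detect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:12s} -> {hits or 'no alert'}")
```

The shadow check keys on the nine-field layout rather than on the word "root", so a leaked /etc/passwd (which the ATTACK_RESPONSE category covers separately) does not fire this label, and the Windows check insists on the `Interface:` header plus a table row so a lone MAC address in a page does not trip it.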

Disabled and modified rules:

  • 2825567 - ETPRO MALWARE Possible Panda Banker DGA Lets Encrypt SSL Cert (malware.rules)

Removed rules (re-categorized, not retired: the same SIDs are re-added above as ET MALWARE in malware.rules):

  • 2044933 - ET ATTACK_RESPONSE RaccoonStealer Admin Console Inbound (attack_response.rules)
  • 2044963 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M1 (attack_response.rules)
  • 2044964 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M2 (attack_response.rules)
  • 2045000 - ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response (attack_response.rules)
  • 2045001 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound (attack_response.rules)
  • 2045005 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Payload Inbound (attack_response.rules)
  • 2045006 - ET ATTACK_RESPONSE Win32/LeftHook Stealer - CnC Response (get_socket) (attack_response.rules)