Ruleset Update Summary - 2023/12/06 - v10480

Summary:

113 new OPEN, 121 new PRO (113 + 8)

Thanks @SlowMist_Team
Added rules:

Open:

  • 2049501 - ET MALWARE DNS Query to Teal Kurma Domain (anfturkce .news) (malware.rules)
  • 2049502 - ET MALWARE DNS Query to Teal Kurma Domain (al-marsad .co) (malware.rules)
  • 2049503 - ET MALWARE DNS Query to Teal Kurma Domain (nmcbcd .live) (malware.rules)
  • 2049504 - ET MALWARE DNS Query to Teal Kurma Domain (aws .systemctl .network) (malware.rules)
  • 2049505 - ET MALWARE DNS Query to Teal Kurma Domain (querryfiles .com) (malware.rules)
  • 2049506 - ET MALWARE DNS Query to Teal Kurma Domain (ybcd .tech) (malware.rules)
  • 2049507 - ET MALWARE DNS Query to Teal Kurma Domain (ud .ybcd .tech) (malware.rules)
  • 2049508 - ET MALWARE DNS Query to Teal Kurma Domain (systemctl .network) (malware.rules)
  • 2049509 - ET MALWARE DNS Query to Teal Kurma Domain (alhurra .online) (malware.rules)
  • 2049510 - ET MALWARE DNS Query to Teal Kurma Domain (upt .mcsoft .org) (malware.rules)
  • 2049511 - ET MALWARE DNS Query to Teal Kurma Domain (lo0 .systemctl .network) (malware.rules)
  • 2049512 - ET MALWARE DNS Query to Teal Kurma Domain (eth0 .secrsys .net) (malware.rules)
  • 2049513 - ET MALWARE DNS Query to Teal Kurma Domain (dhcp .systemctl .network) (malware.rules)
  • 2049514 - ET MALWARE Observed Teal Kurma Domain (anfturkce .news in TLS SNI) (malware.rules)
  • 2049515 - ET MALWARE Observed Teal Kurma Domain (al-marsad .co in TLS SNI) (malware.rules)
  • 2049516 - ET MALWARE Observed Teal Kurma Domain (ud .ybcd .tech in TLS SNI) (malware.rules)
  • 2049517 - ET MALWARE Observed Teal Kurma Domain (alhurra .online in TLS SNI) (malware.rules)
  • 2049518 - ET MALWARE Observed Teal Kurma Domain (systemctl .network in TLS SNI) (malware.rules)
  • 2049519 - ET MALWARE Observed Teal Kurma Domain (ybcd .tech in TLS SNI) (malware.rules)
  • 2049520 - ET MALWARE Observed Teal Kurma Domain (querryfiles .com in TLS SNI) (malware.rules)
  • 2049521 - ET MALWARE Observed Teal Kurma Domain (lo0 .systemctl .network in TLS SNI) (malware.rules)
  • 2049522 - ET MALWARE Observed Teal Kurma Domain (upt .mcsoft .org in TLS SNI) (malware.rules)
  • 2049523 - ET MALWARE Observed Teal Kurma Domain (aws .systemctl .network in TLS SNI) (malware.rules)
  • 2049524 - ET MALWARE Observed Teal Kurma Domain (dhcp .systemctl .network in TLS SNI) (malware.rules)
  • 2049525 - ET MALWARE Observed Teal Kurma Domain (nmcbcd .live in TLS SNI) (malware.rules)
  • 2049526 - ET MALWARE Observed Teal Kurma Domain (eth0 .secrsys .net in TLS SNI) (malware.rules)
  • 2049527 - ET MALWARE SnappyTCP Reverse Shell Header Value Observed (malware.rules)
  • 2049528 - ET MALWARE SnappyTCP Reverse Shell Client Checkin M1 (malware.rules)
  • 2049529 - ET MALWARE SnappyTCP Reverse Shell Client Checkin M2 (malware.rules)
  • 2049530 - ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1 (web_specific_apps.rules)
  • 2049531 - ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2 (web_specific_apps.rules)
  • 2049532 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cloudid .coffeeonboard .com) (malware.rules)
  • 2049533 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .cloudid .coffeeonboard .com) (malware.rules)
  • 2049534 - ET PHISHING TA444 Domain in DNS Lookup (team-meet .xyz) (phishing.rules)
  • 2049535 - ET PHISHING TA444 Domain in DNS Lookup (team-meeting .pro) (phishing.rules)
  • 2049536 - ET PHISHING TA444 Domain in DNS Lookup (onelao .line .pm) (phishing.rules)
  • 2049537 - ET PHISHING TA444 Domain in DNS Lookup (tiena .einei .line .pm) (phishing.rules)
  • 2049538 - ET PHISHING TA444 Domain in DNS Lookup (meetingverse .app) (phishing.rules)
  • 2049539 - ET PHISHING TA444 Domain in DNS Lookup (ovcloud .online) (phishing.rules)
  • 2049540 - ET PHISHING TA444 Domain in DNS Lookup (online-processing .online) (phishing.rules)
  • 2049541 - ET PHISHING TA444 Domain in DNS Lookup (meeting-online .site) (phishing.rules)
  • 2049542 - ET PHISHING TA444 Domain in DNS Lookup (group-meeting .team) (phishing.rules)
  • 2049543 - ET PHISHING TA444 Domain in DNS Lookup (group-meeting .online) (phishing.rules)
  • 2049544 - ET PHISHING TA444 Domain in DNS Lookup (privymeet .com) (phishing.rules)
  • 2049545 - ET PHISHING TA444 Domain in DNS Lookup (naverk .myvnc .com) (phishing.rules)
  • 2049546 - ET PHISHING TA444 Domain in DNS Lookup (blackleopard .myvnc .com) (phishing.rules)
  • 2049547 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .myvnc .com) (phishing.rules)
  • 2049548 - ET PHISHING TA444 Domain in DNS Lookup (skyboxdrive .cloud) (phishing.rules)
  • 2049549 - ET PHISHING TA444 Domain in DNS Lookup (meetcentralhub .online) (phishing.rules)
  • 2049550 - ET PHISHING TA444 Domain in DNS Lookup (team-meeting .xyz) (phishing.rules)
  • 2049551 - ET PHISHING TA444 Domain in DNS Lookup (syncmeet .online) (phishing.rules)
  • 2049552 - ET PHISHING TA444 Domain in DNS Lookup (online-meeting .team) (phishing.rules)
  • 2049553 - ET PHISHING TA444 Domain in DNS Lookup (safemeeting .online) (phishing.rules)
  • 2049554 - ET PHISHING TA444 Domain in DNS Lookup (team-meet .online) (phishing.rules)
  • 2049555 - ET PHISHING TA444 Domain in DNS Lookup (videomeethub .online) (phishing.rules)
  • 2049556 - ET PHISHING TA444 Domain in DNS Lookup (myself .hopto .org) (phishing.rules)
  • 2049557 - ET PHISHING TA444 Domain in DNS Lookup (manchestercity .work .gd) (phishing.rules)
  • 2049558 - ET PHISHING TA444 Domain in DNS Lookup (dubai .network .cloud .doc-shared .linkpc .net) (phishing.rules)
  • 2049559 - ET PHISHING TA444 Domain in DNS Lookup (group .evalaskatours .com) (phishing.rules)
  • 2049560 - ET PHISHING TA444 Domain in DNS Lookup (internal .bounceme .net) (phishing.rules)
  • 2049561 - ET PHISHING TA444 Domain in DNS Lookup (mclearoptical .com) (phishing.rules)
  • 2049562 - ET PHISHING TA444 Domain in DNS Lookup (pdf .cisco-webex .online) (phishing.rules)
  • 2049563 - ET PHISHING TA444 Domain in DNS Lookup (support .cisco-webex .online) (phishing.rules)
  • 2049564 - ET PHISHING TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net) (phishing.rules)
  • 2049565 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .presentations .life) (phishing.rules)
  • 2049566 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net) (phishing.rules)
  • 2049567 - ET PHISHING TA444 Domain in DNS Lookup (on-global .xyz) (phishing.rules)
  • 2049568 - ET PHISHING TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com) (phishing.rules)
  • 2049569 - ET PHISHING TA444 Domain in DNS Lookup (j-ic .co .intneral-document-he-gr-me .run .place) (phishing.rules)
  • 2049570 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net) (phishing.rules)
  • 2049571 - ET PHISHING TA444 Domain in DNS Lookup (doc .global-link .run .place) (phishing.rules)
  • 2049572 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net) (phishing.rules)
  • 2049573 - ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .co) (phishing.rules)
  • 2049574 - ET PHISHING TA444 Domain in TLS SNI (team-meet .xyz) (phishing.rules)
  • 2049575 - ET PHISHING TA444 Domain in TLS SNI (team-meeting .pro) (phishing.rules)
  • 2049576 - ET PHISHING TA444 Domain in TLS SNI (onelao .line .pm) (phishing.rules)
  • 2049577 - ET PHISHING TA444 Domain in TLS SNI (tiena .einei .line .pm) (phishing.rules)
  • 2049578 - ET PHISHING TA444 Domain in TLS SNI (meetingverse .app) (phishing.rules)
  • 2049579 - ET PHISHING TA444 Domain in TLS SNI (ovcloud .online) (phishing.rules)
  • 2049580 - ET PHISHING TA444 Domain in TLS SNI (online-processing .online) (phishing.rules)
  • 2049581 - ET PHISHING TA444 Domain in TLS SNI (meeting-online .site) (phishing.rules)
  • 2049582 - ET PHISHING TA444 Domain in TLS SNI (group-meeting .team) (phishing.rules)
  • 2049583 - ET PHISHING TA444 Domain in TLS SNI (group-meeting .online) (phishing.rules)
  • 2049584 - ET PHISHING TA444 Domain in TLS SNI (privymeet .com) (phishing.rules)
  • 2049585 - ET PHISHING TA444 Domain in TLS SNI (naverk .myvnc .com) (phishing.rules)
  • 2049586 - ET PHISHING TA444 Domain in TLS SNI (blackleopard .myvnc .com) (phishing.rules)
  • 2049587 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .myvnc .com) (phishing.rules)
  • 2049588 - ET PHISHING TA444 Domain in TLS SNI (skyboxdrive .cloud) (phishing.rules)
  • 2049589 - ET PHISHING TA444 Domain in TLS SNI (meetcentralhub .online) (phishing.rules)
  • 2049590 - ET PHISHING TA444 Domain in TLS SNI (team-meeting .xyz) (phishing.rules)
  • 2049591 - ET PHISHING TA444 Domain in TLS SNI (syncmeet .online) (phishing.rules)
  • 2049592 - ET PHISHING TA444 Domain in TLS SNI (online-meeting .team) (phishing.rules)
  • 2049593 - ET PHISHING TA444 Domain in TLS SNI (safemeeting .online) (phishing.rules)
  • 2049594 - ET PHISHING TA444 Domain in TLS SNI (team-meet .online) (phishing.rules)
  • 2049595 - ET PHISHING TA444 Domain in TLS SNI (videomeethub .online) (phishing.rules)
  • 2049596 - ET PHISHING TA444 Domain in TLS SNI (myself .hopto .org) (phishing.rules)
  • 2049597 - ET PHISHING TA444 Domain in TLS SNI (manchestercity .work .gd) (phishing.rules)
  • 2049598 - ET PHISHING TA444 Domain in TLS SNI (dubai .network .cloud .doc-shared .linkpc .net) (phishing.rules)
  • 2049599 - ET PHISHING TA444 Domain in TLS SNI (group .evalaskatours .com) (phishing.rules)
  • 2049600 - ET PHISHING TA444 Domain in TLS SNI (internal .bounceme .net) (phishing.rules)
  • 2049601 - ET PHISHING TA444 Domain in TLS SNI (mclearoptical .com) (phishing.rules)
  • 2049602 - ET PHISHING TA444 Domain in TLS SNI (pdf .cisco-webex .online) (phishing.rules)
  • 2049603 - ET PHISHING TA444 Domain in TLS SNI (support .cisco-webex .online) (phishing.rules)
  • 2049604 - ET PHISHING TA444 Domain in TLS SNI (docshared .col-link .linkpc .net) (phishing.rules)
  • 2049605 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .presentations .life) (phishing.rules)
  • 2049606 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net) (phishing.rules)
  • 2049607 - ET PHISHING TA444 Domain in TLS SNI (on-global .xyz) (phishing.rules)
  • 2049608 - ET PHISHING TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com) (phishing.rules)
  • 2049609 - ET PHISHING TA444 Domain in TLS SNI (j-ic .co .intneral-document-he-gr-me .run .place) (phishing.rules)
  • 2049610 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net) (phishing.rules)
  • 2049611 - ET PHISHING TA444 Domain in TLS SNI (doc .global-link .run .place) (phishing.rules)
  • 2049612 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net) (phishing.rules)
  • 2049613 - ET PHISHING TA444 Domain in TLS SNI (bitscrunch .co) (phishing.rules)

Pro:

  • 2855897 - ETPRO CURRENT_EVENTS Commonly Abused File Hosting Domain in DNS Lookup (current_events.rules)
  • 2855898 - ETPRO CURRENT_EVENTS Observed Commonly Abused File Hosting Domain in TLS SNI (current_events.rules)
  • 2855899 - ETPRO MALWARE Win32/Unknown Loader Retrieving Files (GET) (malware.rules)
  • 2855900 - ETPRO MALWARE DBatLoader Bot Registration (malware.rules)
  • 2855901 - ETPRO MALWARE DNS Query to DBatLoader Related Domain (malware.rules)
  • 2855902 - ETPRO MALWARE Observed DBatLoader Domain in TLS SNI (malware.rules)
  • 2855903 - ETPRO MALWARE DNS Query to Abused File Hosting Domain (malware.rules)
  • 2855904 - ETPRO MALWARE Abused File Hosting Domain in TLS SNI (malware.rules)

Enabled and modified rules:

  • 2047863 - ET MALWARE SocGholish Domain in DNS Lookup (assay .porchlightcommunity .org) (malware.rules)
  • 2047864 - ET MALWARE SocGholish Domain in TLS SNI (assay .porchlightcommunity .org) (malware.rules)

Disabled and modified rules:

  • 2012090 - ET SHELLCODE Possible Call with No Offset TCP Shellcode (shellcode.rules)
  • 2046240 - ET MALWARE SocGholish Domain in DNS Lookup (names .expressyourselfesthetics .com) (malware.rules)
  • 2046631 - ET MALWARE SocGholish Domain in DNS Lookup (artwork .siddavisart .com) (malware.rules)
  • 2048448 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amazonascash .com) (exploit_kit.rules)
  • 2048449 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (profille-cex-io .com) (exploit_kit.rules)
  • 2048450 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (raloco .com) (exploit_kit.rules)
  • 2048451 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amazonascash .com) (exploit_kit.rules)
  • 2048452 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (profille-cex-io .com) (exploit_kit.rules)
  • 2048453 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (raloco .com) (exploit_kit.rules)
  • 2048454 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (christopherchabannes .com) (exploit_kit.rules)
  • 2048455 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (onlinecasinopinup .xyz) (exploit_kit.rules)
  • 2048456 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s127581-statspixel .com) (exploit_kit.rules)
  • 2048457 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (christopherchabannes .com) (exploit_kit.rules)
  • 2048458 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (onlinecasinopinup .xyz) (exploit_kit.rules)
  • 2048459 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s127581-statspixel .com) (exploit_kit.rules)
  • 2048465 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fablane .com) (exploit_kit.rules)
  • 2048466 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (residencialcasabrasileira .com) (exploit_kit.rules)
  • 2048467 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fablane .com) (exploit_kit.rules)
  • 2048468 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (residencialcasabrasileira .com) (exploit_kit.rules)
  • 2048489 - ET MALWARE Observed IcedID CnC Domain (mestorycallin .com in TLS SNI) (malware.rules)
  • 2048490 - ET MALWARE Observed IcedID CnC Domain (carsfootyelo .com in TLS SNI) (malware.rules)