Ruleset Update Summary - 2023/12/18 - v10488

Ruleset Updates
1

Summary:

13 new OPEN, 18 new PRO (13 + 5)

Thanks @suyog41

Added rules:

Open:

  • 2039596 - ET EXPLOIT Possible VMWare NSX Manager Remote Code Execution Exploit Attempt (CVE-2021-39144) (exploit.rules)
  • 2049716 - ET MALWARE Win32/GoPix Stealer Activity (POST) (malware.rules)
  • 2049717 - ET MALWARE Qbot Related Activity (POST) (malware.rules)
  • 2049718 - ET MALWARE Win32/Blacklegion Ransomware CnC Checkin (malware.rules)
  • 2049719 - ET MALWARE Win32/Blacklegion Ransomware CnC Response (malware.rules)
  • 2049720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (circuspride .org) (exploit_kit.rules)
  • 2049721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (circuspride .org) (exploit_kit.rules)
  • 2049722 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lindarealtytulum .com) (exploit_kit.rules)
  • 2049723 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fulfillityourself .com) (exploit_kit.rules)
  • 2049724 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lindarealtytulum .com) (exploit_kit.rules)
  • 2049725 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fulfillityourself .com) (exploit_kit.rules)
  • 2049726 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .scheme .corycabana .net) (malware.rules)
  • 2049727 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .scheme .corycabana .net) (malware.rules)

Pro:

  • 2855987 - ETPRO MALWARE Win32/WRONGSPATULA Server Test Message (malware.rules)
  • 2855988 - ETPRO MALWARE Win32/WRONGSPATULA Server Encrypt Message (malware.rules)
  • 2855989 - ETPRO MALWARE Win32/WRONGSPATULA CnC Domain in DNS Lookup (malware.rules)
  • 2855990 - ETPRO MALWARE Observed Win32/WRONGSPATULA Domain in TLS SNI (malware.rules)
  • 2855991 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Enabled and modified rules:

  • 2049662 - ET PHISHING Tycoon Landing Page (phishing.rules)

Disabled and modified rules:

  • 2024693 - ET ADWARE_PUP Win32/LoadMoney Adware Activity (adware_pup.rules)
  • 2025303 - ET ADWARE_PUP Win32/LoadMoney Adware Activity M2 (adware_pup.rules)
  • 2025578 - ET MALWARE InfoBot Sending LAN Details (malware.rules)
  • 2026100 - ET MALWARE Aura Ransomware User-Agent (malware.rules)
  • 2026471 - ET MALWARE Kraken Ransomware Start Activity 1 (malware.rules)
  • 2026472 - ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2 (malware.rules)
  • 2830822 - ETPRO MALWARE Observed MalDoc Retrieving EXE Payload 2018-05-14 (malware.rules)
  • 2831359 - ETPRO MALWARE ProjectHook POS CnC Keep-Alive (malware.rules)
  • 2831784 - ETPRO MALWARE Hawkeye Keylogger SMTP Checkin M3 (malware.rules)
  • 2832030 - ETPRO MALWARE SYSCON Data Exfil via FTP (malware.rules)
  • 2832075 - ETPRO ADWARE_PUP Win32/FileTour Adware Activity (adware_pup.rules)
  • 2832076 - ETPRO MALWARE MSIL/Debirne Backdoor CnC Checkin (malware.rules)
  • 2832078 - ETPRO MALWARE MalDoc Requesting Ursnif Payload 2018-08-06 (malware.rules)
  • 2832098 - ETPRO MALWARE MSIL/Crimson CnC Checkin (malware.rules)
  • 2832134 - ETPRO MALWARE Observed BR.Stealer CnC Domain (irrory .com in TLS SNI) (malware.rules)
  • 2832139 - ETPRO MALWARE Win32/Gomez Backdoor CnC Activity (malware.rules)
  • 2832141 - ETPRO MALWARE MSIL/Agent.BNB CnC Checkin via FTP (malware.rules)
  • 2832419 - ETPRO MALWARE Win32/Engr Wiz CnC Activity 2 (malware.rules)
  • 2832504 - ETPRO MALWARE MSIL/SeekerBot IRC Checkin (malware.rules)
  • 2832561 - ETPRO MALWARE Win32/Zpevdo.A Retrieving Payload (malware.rules)
  • 2832761 - ETPRO MALWARE MSIL/AcouKitty Stealer CnC Checkin 1 (malware.rules)
  • 2832764 - ETPRO MALWARE MSIL/AcouKitty Stealer Keep-Alive (malware.rules)
  • 2832789 - ETPRO MALWARE Ursnif Loader Activity 2018-09-25 (malware.rules)
  • 2832851 - ETPRO MALWARE MSIL/Agent.BLB Checkin via FTP (malware.rules)

Removed rules:

  • 2039596 - ET MALWARE Possible VMWare NSX Manager Remote Code Execution Exploit Attempt (CVE-2021-39144) (malware.rules)