Ruleset Update Summary - 2023/12/26 - v10493

Summary:

25 new OPEN, 25 new PRO (25 + 0)
Added rules:

Open:

  • 2049833 - ET PHISHING Lucy Security - Phishing Landing Page M3 (phishing.rules)
  • 2049834 - ET INFO Lucy Security - Awareness Landing Page M2 (info.rules)
  • 2049835 - ET PHISHING Lucy Security - Phishing to Awareness Landing Page (phishing.rules)
  • 2049836 - ET MALWARE Lumma Stealer Related Activity (malware.rules)
  • 2049837 - ET MALWARE Suspected PrivateLoader Activity (POST) (malware.rules)
  • 2049838 - ET MALWARE Observed Lumma Stealer Related Domain (agedelayglacierwe .pw in TLS SNI) (malware.rules)
  • 2049839 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (agedelayglacierwe .pw) (malware.rules)
  • 2049840 - ET INFO URI Shortening Service Domain in DNS Lookup (cli .re) (info.rules)
  • 2049841 - ET INFO Observed URI Shortening Service Domain (cli .re in TLS SNI) (info.rules)
  • 2049842 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (chincenterblandwka .pw) (malware.rules)
  • 2049843 - ET MALWARE Observed Lumma Stealer Related Domain (chincenterblandwka .pw in TLS SNI) (malware.rules)
  • 2049844 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (neighborhoodfeelsa .fun) (malware.rules)
  • 2049845 - ET MALWARE Observed Lumma Stealer Related Domain (neighborhoodfeelsa .fun in TLS SNI) (malware.rules)
  • 2049846 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049847 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049848 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proexbit .com) (exploit_kit.rules)
  • 2049849 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049850 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proximaideia .com) (exploit_kit.rules)
  • 2049851 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
  • 2049852 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (polatliems .com) (exploit_kit.rules)
  • 2049853 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proexbit .com) (exploit_kit.rules)
  • 2049854 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049855 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proximaideia .com) (exploit_kit.rules)
  • 2049856 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
  • 2049857 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (polatliems .com) (exploit_kit.rules)

Disabled and modified rules:

  • 2029104 - ET MALWARE Win32/Snatch Ransomware - Encryption Finished (malware.rules)
  • 2029148 - ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2 (malware.rules)
  • 2048311 - ET MALWARE Observed Malicious SSL Cert (Cobalt Strike) (malware.rules)
  • 2839523 - ETPRO MALWARE Win32/Metamorfo Style CnC Activity (malware.rules)
  • 2839626 - ETPRO MALWARE Win32/SageRunex CnC Activity (malware.rules)
  • 2839787 - ETPRO MALWARE Win32/Unk.Ransomware Retreiving External IP Address (malware.rules)
  • 2839876 - ETPRO MALWARE Win32/Cyborg Keylogger FTP STOR Command (malware.rules)
  • 2839878 - ETPRO MALWARE Win32/AgentTesla FTP STOR Command M2 (malware.rules)
  • 2839921 - ETPRO MALWARE Cyborg Keylogger Checkin via FTP (malware.rules)
  • 2839922 - ETPRO MALWARE Cyborg Keylogger FTP STOR Command (malware.rules)
  • 2839923 - ETPRO MALWARE Win32/Tdata Stealer CnC Checkin (malware.rules)
  • 2839954 - ETPRO MALWARE Win32/Aspire Stealer CnC Checkin (malware.rules)
  • 2840030 - ETPRO MALWARE Sifrelendi Ransomware Checkin via FTP (malware.rules)
  • 2840168 - ETPRO HUNTING Observed Powershell Keylogging Code Inbound (hunting.rules)
  • 2840169 - ETPRO MALWARE Win32/Various Ransomware CnC Activity (malware.rules)

Removed rules:

  • 2855505 - ETPRO MALWARE Lumma Stealer Related Activity (malware.rules)