Ruleset Update Summary - 2024/01/03 - v10498

Summary:

9 new OPEN, 10 new PRO (9 + 1)

Thanks @suyog41, @Unit42_Intel


Added rules:

Open:

  • 2049897 - ET HUNTING Query to IP Check Tool With Minimal Headers (ip .tool .chinaz .com) (hunting.rules)
  • 2049898 - ET MALWARE Suspected Generic PHP Backdoor Activity M1 (malware.rules)
  • 2049899 - ET MALWARE Suspected Generic PHP Backdoor Activity M2 (malware.rules)
  • 2049900 - ET MALWARE Generic PHP Backdoor CnC Response (malware.rules)
  • 2049901 - ET MALWARE Ducktail APT Style Payload Request (malware.rules)
  • 2049902 - ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M1 (malware.rules)
  • 2049903 - ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M2 (malware.rules)
  • 2049904 - ET MALWARE Agrius Group Webshell File Upload Attempt (malware.rules)
  • 2049905 - ET MALWARE Agrius Group Webshell Command Execution Attempt (malware.rules)

Pro:

  • 2856082 - ETPRO MALWARE ZPHP NetSupport RAT Loader (malware.rules)

Modified inactive rules:

  • 2009701 - ET DOS DNS BIND 9 Dynamic Update DoS attempt (dos.rules)

Disabled and modified rules:

  • 2016463 - ET MALWARE Fake IBM SSL Cert APT1 (malware.rules)
  • 2031435 - ET MALWARE AHK.CREDSTEALER.A CnC Exfil (malware.rules)
  • 2033659 - ET MALWARE Win32/TrickBot CnC Initial Checkin M2 (malware.rules)
  • 2049445 - ET INFO Observed DNS Over HTTPS Domain (agh .kul-lippek .de in TLS SNI) (info.rules)
  • 2049446 - ET INFO Observed DNS Over HTTPS Domain (agh .workfordemo .co .in in TLS SNI) (info.rules)
  • 2844885 - ETPRO MALWARE Win32/Zpevdo.B Variant CnC Checkin (malware.rules)
  • 2844997 - ETPRO MALWARE Observed Possible Zloader CnC SSL Cert Inbound (malware.rules)
  • 2845409 - ETPRO MALWARE MSIL/JjnnoBot CnC Checkin (malware.rules)
  • 2845410 - ETPRO MALWARE MSIL/JjnnoBot CnC Requesting Command (malware.rules)
  • 2845411 - ETPRO MALWARE Unk.MSI.Loader CnC Activity (malware.rules)
  • 2845965 - ETPRO MALWARE Win32/Chapak.emqd Stealer Exfiltrating System Information (malware.rules)