Ruleset Update Summary - 2024/01/12 - v10506

rulesbot · January 12, 2024, 9:39pm

Summary:

52 new OPEN, 58 new PRO (52 + 6)

Thanks @naumovax, @SonicWall, @NSFOCUS_Intl, @attcyber, @siderafer

Added rules:

Open:

2050021 - ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain (info.rules)
2050022 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
2050023 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
2050024 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
2050025 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
2050026 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (copyexpertisesausewaverw .site) (malware.rules)
2050027 - ET MALWARE Observed Lumma Stealer Related Domain (copyexpertisesausewaverw .site in TLS SNI) (malware.rules)
2050028 - ET WEB_SERVER Suspected HrServ Webshell Related Activity M1 (web_server.rules)
2050029 - ET WEB_SERVER Suspected HrServ Webshell Related Activity M2 (web_server.rules)
2050030 - ET INFO Observed DNS Over HTTPS Domain (www .maxfong .cc in TLS SNI) (info.rules)
2050031 - ET INFO Observed DNS Over HTTPS Domain (ns .sblnetwork .co .id in TLS SNI) (info.rules)
2050032 - ET INFO Observed DNS Over HTTPS Domain (clearweb .woodbridge .club in TLS SNI) (info.rules)
2050033 - ET INFO Observed DNS Over HTTPS Domain (local .sufly .top in TLS SNI) (info.rules)
2050034 - ET INFO Observed DNS Over HTTPS Domain (ns .lov .host in TLS SNI) (info.rules)
2050035 - ET INFO Observed DNS Over HTTPS Domain (surt .ovh in TLS SNI) (info.rules)
2050036 - ET INFO Observed DNS Over HTTPS Domain (ad .257053 .xyz in TLS SNI) (info.rules)
2050037 - ET INFO Observed DNS Over HTTPS Domain (v2 .xx3210766 .live in TLS SNI) (info.rules)
2050038 - ET INFO Observed DNS Over HTTPS Domain (shijiu .asia in TLS SNI) (info.rules)
2050039 - ET INFO Observed DNS Over HTTPS Domain (dns .sbstructure .ir in TLS SNI) (info.rules)
2050040 - ET INFO Observed DNS Over HTTPS Domain (dns .superstefan .win in TLS SNI) (info.rules)
2050041 - ET INFO Observed DNS Over HTTPS Domain (dns .albony .xyz in TLS SNI) (info.rules)
2050042 - ET INFO Observed DNS Over HTTPS Domain (d2 .shabi .icu in TLS SNI) (info.rules)
2050043 - ET INFO Observed DNS Over HTTPS Domain (free .sootoon .xyz in TLS SNI) (info.rules)
2050044 - ET INFO Observed DNS Over HTTPS Domain (dns .trifanov-online .ru in TLS SNI) (info.rules)
2050045 - ET INFO Observed DNS Over HTTPS Domain (res .zijji .com in TLS SNI) (info.rules)
2050046 - ET INFO Observed DNS Over HTTPS Domain (dns .888654 .xyz in TLS SNI) (info.rules)
2050047 - ET INFO Observed DNS Over HTTPS Domain (dns .sainternet .xyz in TLS SNI) (info.rules)
2050048 - ET INFO Observed DNS Over HTTPS Domain (vanced .sytes .net in TLS SNI) (info.rules)
2050049 - ET INFO Observed DNS Over HTTPS Domain (dns .wahr .top in TLS SNI) (info.rules)
2050050 - ET INFO Observed DNS Over HTTPS Domain (ymjx .shimmerl .top in TLS SNI) (info.rules)
2050051 - ET MALWARE Jupyter Stealer CnC Checkin M2 (malware.rules)
2050052 - ET MALWARE Win32/Rust Miner CnC Activity (malware.rules)
2050053 - ET MALWARE HailBot CnC Domain in DNS Lookup (asdsdfjsdfsd .indy) (malware.rules)
2050054 - ET MALWARE HailBot CnC Domain in DNS Lookup (jiggaboo .oss) (malware.rules)
2050055 - ET MALWARE HailBot CnC Domain in DNS Lookup (pposdif .parody) (malware.rules)
2050056 - ET MALWARE HailBot CnC Domain in DNS Lookup (sfdopospdofpsdo .dyn) (malware.rules)
2050057 - ET MALWARE HailBot CnC Domain in DNS Lookup (wendykortiz .gopher) (malware.rules)
2050058 - ET MALWARE HailBot CnC Domain in DNS Lookup (yoursocuteong .dyn) (malware.rules)
2050059 - ET MALWARE Observed HailBot Domain (asdsdfjsdfsd .indy in TLS SNI) (malware.rules)
2050060 - ET MALWARE Observed HailBot Domain (jiggaboo .oss in TLS SNI) (malware.rules)
2050061 - ET MALWARE Observed HailBot Domain (pposdif .parody in TLS SNI) (malware.rules)
2050062 - ET MALWARE Observed HailBot Domain (sfdopospdofpsdo .dyn in TLS SNI) (malware.rules)
2050063 - ET MALWARE Observed HailBot Domain (wendykortiz .gopher in TLS SNI) (malware.rules)
2050064 - ET MALWARE Observed HailBot Domain (yoursocuteong .dyn in TLS SNI) (malware.rules)
2050065 - ET MALWARE HailBot Server Response (malware.rules)
2050066 - ET MALWARE Hailbot CnC Checkin (malware.rules)
2050067 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-49070) (web_specific_apps.rules)
2050068 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability Check (CVE-2023-51467) (web_specific_apps.rules)
2050069 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M1 (web_specific_apps.rules)
2050070 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M2 (web_specific_apps.rules)
2050071 - ET MALWARE SocGholish Domain in DNS Lookup (surprise .refillpantrysd .com) (malware.rules)
2050072 - ET MALWARE SocGholish Domain in TLS SNI (surprise .refillpantrysd .com) (malware.rules)

Pro:

2856147 - ETPRO MALWARE Amadey CnC Activity M3 (malware.rules)
2856148 - ETPRO MALWARE Amadey CnC Activity M4 (malware.rules)
2856149 - ETPRO MALWARE Amadey CnC Activity M5 (malware.rules)
2856150 - ETPRO MALWARE Amadey CnC Activity M6 (malware.rules)
2856151 - ETPRO MALWARE Amadey CnC Activity M7 (malware.rules)
2856152 - ETPRO MALWARE Ameday CnC Response M2 (malware.rules)

Disabled and modified rules:

2047897 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (darkmansion .org) (exploit_kit.rules)
2047898 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (darkmansion .org) (exploit_kit.rules)
2049090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andreeasasser .com) (exploit_kit.rules)
2049091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (addisonlynch .com) (exploit_kit.rules)
2049092 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andreeasasser .com) (exploit_kit.rules)
2049093 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (addisonlynch .com) (exploit_kit.rules)
2049094 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (izikatka0010 .com) (exploit_kit.rules)
2049095 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (izikatka0010 .com) (exploit_kit.rules)
2049125 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .caching .oysterfloats .com) (malware.rules)
2049126 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .caching .oysterfloats .com) (malware.rules)
2049145 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cwgmanagementllc .com) (exploit_kit.rules)
2049146 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cwgmanagementllc .com) (exploit_kit.rules)
2804108 - ETPRO MALWARE SHeur4.JEK Checkin (malware.rules)

Removed rules:

2834818 - ETPRO POLICY Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain (policy.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	253	March 25, 2024
Ruleset Update Summary - 2024/04/30 - v10586 Ruleset Updates	134	April 30, 2024
Ruleset Update Summary - 2024/02/05 - v10524 Ruleset Updates	423	February 5, 2024
Ruleset Update Summary - 2024/01/05 - v10500 Ruleset Updates	514	January 5, 2024
Ruleset Update Summary - 2024/02/09 - v10528 Ruleset Updates	505	February 9, 2024

Ruleset Update Summary - 2024/01/12 - v10506

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related Topics