Summary:
52 new OPEN, 58 new PRO (52 + 6)
Thanks @naumovax, @SonicWall, @NSFOCUS_Intl, @attcyber, @siderafer
Added rules:
Open:
- 2050021 - ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain (info.rules)
- 2050022 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
- 2050023 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
- 2050024 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
- 2050025 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
- 2050026 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (copyexpertisesausewaverw .site) (malware.rules)
- 2050027 - ET MALWARE Observed Lumma Stealer Related Domain (copyexpertisesausewaverw .site in TLS SNI) (malware.rules)
- 2050028 - ET WEB_SERVER Suspected HrServ Webshell Related Activity M1 (web_server.rules)
- 2050029 - ET WEB_SERVER Suspected HrServ Webshell Related Activity M2 (web_server.rules)
- 2050030 - ET INFO Observed DNS Over HTTPS Domain (www .maxfong .cc in TLS SNI) (info.rules)
- 2050031 - ET INFO Observed DNS Over HTTPS Domain (ns .sblnetwork .co .id in TLS SNI) (info.rules)
- 2050032 - ET INFO Observed DNS Over HTTPS Domain (clearweb .woodbridge .club in TLS SNI) (info.rules)
- 2050033 - ET INFO Observed DNS Over HTTPS Domain (local .sufly .top in TLS SNI) (info.rules)
- 2050034 - ET INFO Observed DNS Over HTTPS Domain (ns .lov .host in TLS SNI) (info.rules)
- 2050035 - ET INFO Observed DNS Over HTTPS Domain (surt .ovh in TLS SNI) (info.rules)
- 2050036 - ET INFO Observed DNS Over HTTPS Domain (ad .257053 .xyz in TLS SNI) (info.rules)
- 2050037 - ET INFO Observed DNS Over HTTPS Domain (v2 .xx3210766 .live in TLS SNI) (info.rules)
- 2050038 - ET INFO Observed DNS Over HTTPS Domain (shijiu .asia in TLS SNI) (info.rules)
- 2050039 - ET INFO Observed DNS Over HTTPS Domain (dns .sbstructure .ir in TLS SNI) (info.rules)
- 2050040 - ET INFO Observed DNS Over HTTPS Domain (dns .superstefan .win in TLS SNI) (info.rules)
- 2050041 - ET INFO Observed DNS Over HTTPS Domain (dns .albony .xyz in TLS SNI) (info.rules)
- 2050042 - ET INFO Observed DNS Over HTTPS Domain (d2 .shabi .icu in TLS SNI) (info.rules)
- 2050043 - ET INFO Observed DNS Over HTTPS Domain (free .sootoon .xyz in TLS SNI) (info.rules)
- 2050044 - ET INFO Observed DNS Over HTTPS Domain (dns .trifanov-online .ru in TLS SNI) (info.rules)
- 2050045 - ET INFO Observed DNS Over HTTPS Domain (res .zijji .com in TLS SNI) (info.rules)
- 2050046 - ET INFO Observed DNS Over HTTPS Domain (dns .888654 .xyz in TLS SNI) (info.rules)
- 2050047 - ET INFO Observed DNS Over HTTPS Domain (dns .sainternet .xyz in TLS SNI) (info.rules)
- 2050048 - ET INFO Observed DNS Over HTTPS Domain (vanced .sytes .net in TLS SNI) (info.rules)
- 2050049 - ET INFO Observed DNS Over HTTPS Domain (dns .wahr .top in TLS SNI) (info.rules)
- 2050050 - ET INFO Observed DNS Over HTTPS Domain (ymjx .shimmerl .top in TLS SNI) (info.rules)
- 2050051 - ET MALWARE Jupyter Stealer CnC Checkin M2 (malware.rules)
- 2050052 - ET MALWARE Win32/Rust Miner CnC Activity (malware.rules)
- 2050053 - ET MALWARE HailBot CnC Domain in DNS Lookup (asdsdfjsdfsd .indy) (malware.rules)
- 2050054 - ET MALWARE HailBot CnC Domain in DNS Lookup (jiggaboo .oss) (malware.rules)
- 2050055 - ET MALWARE HailBot CnC Domain in DNS Lookup (pposdif .parody) (malware.rules)
- 2050056 - ET MALWARE HailBot CnC Domain in DNS Lookup (sfdopospdofpsdo .dyn) (malware.rules)
- 2050057 - ET MALWARE HailBot CnC Domain in DNS Lookup (wendykortiz .gopher) (malware.rules)
- 2050058 - ET MALWARE HailBot CnC Domain in DNS Lookup (yoursocuteong .dyn) (malware.rules)
- 2050059 - ET MALWARE Observed HailBot Domain (asdsdfjsdfsd .indy in TLS SNI) (malware.rules)
- 2050060 - ET MALWARE Observed HailBot Domain (jiggaboo .oss in TLS SNI) (malware.rules)
- 2050061 - ET MALWARE Observed HailBot Domain (pposdif .parody in TLS SNI) (malware.rules)
- 2050062 - ET MALWARE Observed HailBot Domain (sfdopospdofpsdo .dyn in TLS SNI) (malware.rules)
- 2050063 - ET MALWARE Observed HailBot Domain (wendykortiz .gopher in TLS SNI) (malware.rules)
- 2050064 - ET MALWARE Observed HailBot Domain (yoursocuteong .dyn in TLS SNI) (malware.rules)
- 2050065 - ET MALWARE HailBot Server Response (malware.rules)
- 2050066 - ET MALWARE Hailbot CnC Checkin (malware.rules)
- 2050067 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-49070) (web_specific_apps.rules)
- 2050068 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability Check (CVE-2023-51467) (web_specific_apps.rules)
- 2050069 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M1 (web_specific_apps.rules)
- 2050070 - ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass (CVE-2023-51467) M2 (web_specific_apps.rules)
- 2050071 - ET MALWARE SocGholish Domain in DNS Lookup (surprise .refillpantrysd .com) (malware.rules)
- 2050072 - ET MALWARE SocGholish Domain in TLS SNI (surprise .refillpantrysd .com) (malware.rules)
Pro:
- 2856147 - ETPRO MALWARE Amadey CnC Activity M3 (malware.rules)
- 2856148 - ETPRO MALWARE Amadey CnC Activity M4 (malware.rules)
- 2856149 - ETPRO MALWARE Amadey CnC Activity M5 (malware.rules)
- 2856150 - ETPRO MALWARE Amadey CnC Activity M6 (malware.rules)
- 2856151 - ETPRO MALWARE Amadey CnC Activity M7 (malware.rules)
- 2856152 - ETPRO MALWARE Ameday CnC Response M2 (malware.rules)
Disabled and modified rules:
- 2047897 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (darkmansion .org) (exploit_kit.rules)
- 2047898 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (darkmansion .org) (exploit_kit.rules)
- 2049090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andreeasasser .com) (exploit_kit.rules)
- 2049091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (addisonlynch .com) (exploit_kit.rules)
- 2049092 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andreeasasser .com) (exploit_kit.rules)
- 2049093 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (addisonlynch .com) (exploit_kit.rules)
- 2049094 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (izikatka0010 .com) (exploit_kit.rules)
- 2049095 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (izikatka0010 .com) (exploit_kit.rules)
- 2049125 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .caching .oysterfloats .com) (malware.rules)
- 2049126 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .caching .oysterfloats .com) (malware.rules)
- 2049145 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cwgmanagementllc .com) (exploit_kit.rules)
- 2049146 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cwgmanagementllc .com) (exploit_kit.rules)
- 2804108 - ETPRO MALWARE SHeur4.JEK Checkin (malware.rules)
Removed rules:
- 2834818 - ETPRO POLICY Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain (policy.rules)