Summary:
33 new OPEN, 51 new PRO (33 + 18)
Added rules:
Open:
- 2050073 - ET HUNTING bmp File Request Returning Encoded File (hunting.rules)
- 2050074 - ET INFO File Sharing Service CnC Domain in DNS Lookup (drive .filen .io) (info.rules)
- 2050075 - ET INFO Observed File Sharing Service Domain (drive .filen .io in TLS SNI) (info.rules)
- 2050076 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (contextsuffreintymore .fun) (malware.rules)
- 2050077 - ET MALWARE Observed Lumma Stealer Related Domain (contextsuffreintymore .fun in TLS SNI) (malware.rules)
- 2050078 - ET MALWARE BackConnect CnC Activity (Set Sleep Timer) (malware.rules)
- 2050079 - ET MALWARE BackConnect CnC Activity (Bot Task Request) M1 (malware.rules)
- 2050080 - ET MALWARE BackConnect CnC Activity (Bot Task Request) M2 (malware.rules)
- 2050081 - ET MALWARE BackConnect CnC Activity (Bot Error) M1 (malware.rules)
- 2050082 - ET MALWARE BackConnect CnC Activity (Bot Error) M2 (malware.rules)
- 2050083 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M1 (malware.rules)
- 2050084 - ET MALWARE BackConnect CnC Activity (Start SOCKS) M1 (malware.rules)
- 2050085 - ET MALWARE BackConnect CnC Activity (Start SOCKS) M2 (malware.rules)
- 2050086 - ET MALWARE BackConnect CnC Activity (Start VNC) M1 (malware.rules)
- 2050087 - ET MALWARE BackConnect CnC Activity (Start VNC) M2 (malware.rules)
- 2050088 - ET MALWARE BackConnect CnC Activity (Start VNC) M3 (malware.rules)
- 2050089 - ET MALWARE BackConnect CnC Activity (Start VNC) M4 (malware.rules)
- 2050090 - ET MALWARE BackConnect CnC Activity (Start File Manager) M1 (malware.rules)
- 2050091 - ET MALWARE BackConnect CnC Activity (Start File Manager) M2 (malware.rules)
- 2050092 - ET MALWARE BackConnect CnC Activity (Start Reverse Shell) M1 (malware.rules)
- 2050093 - ET MALWARE BackConnect CnC Activity (Start Reverse Shell) M2 (malware.rules)
- 2050094 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M2 (malware.rules)
- 2050095 - ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1 (web_specific_apps.rules)
- 2050096 - ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2 (web_specific_apps.rules)
- 2050097 - ET WEB_SPECIFIC_APPS Gitlab Account Takeover Attempt (CVE-2023-7028) (web_specific_apps.rules)
- 2050098 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (debasesingle .life) (exploit_kit.rules)
- 2050099 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (frenchpies .org) (exploit_kit.rules)
- 2050100 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (debasesingle .life) (exploit_kit.rules)
- 2050101 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (frenchpies .org) (exploit_kit.rules)
- 2050102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (scorelineupdate .com) (exploit_kit.rules)
- 2050103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (phinetik .com) (exploit_kit.rules)
- 2050104 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (scorelineupdate .com) (exploit_kit.rules)
- 2050105 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (phinetik .com) (exploit_kit.rules)
Pro:
- 2856153 - ETPRO MALWARE Cobalt Strike Related Domain in DNS Lookup (malware.rules)
- 2856154 - ETPRO MALWARE Observed Cobalt Strike Related Domain in TLS SNI (malware.rules)
- 2856155 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2856160 - ETPRO MALWARE Suspected TA453 Domain in DNS Lookup (malware.rules)
- 2856161 - ETPRO MALWARE Suspected TA453 Domain in TLS SNI (malware.rules)
- 2856162 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856163 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856164 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856165 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856166 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856167 - ETPRO PHISHING Suspected TA453 Domain in DNS Lookup (phishing.rules)
- 2856168 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856169 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856170 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856171 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856172 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856173 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
- 2856174 - ETPRO MALWARE Win32/T34 Loader Download Request (malware.rules)
Modified inactive rules:
- 2840657 - ETPRO MALWARE ELF/Matryosh (Moobot) Variant Payload Delivery Attempt via ADB (malware.rules)
Disabled and modified rules:
- 2048601 - ET INFO Observed DNS Over HTTPS Domain (pi1 .node15 .com in TLS SNI) (info.rules)
- 2048602 - ET INFO Observed DNS Over HTTPS Domain (dnstls .mobik .com in TLS SNI) (info.rules)
- 2048603 - ET INFO Observed DNS Over HTTPS Domain (dns .b612 .me in TLS SNI) (info.rules)
- 2048608 - ET INFO Observed DNS Over HTTPS Domain (rayneau .fr in TLS SNI) (info.rules)
- 2048609 - ET INFO Observed DNS Over HTTPS Domain (dns .kernel-error .de in TLS SNI) (info.rules)
- 2048610 - ET INFO Observed DNS Over HTTPS Domain (dukun .de in TLS SNI) (info.rules)
- 2048612 - ET INFO Observed DNS Over HTTPS Domain (dns .decloudus .com in TLS SNI) (info.rules)
- 2048621 - ET INFO Observed DNS Over HTTPS Domain (dns .molinero .dev in TLS SNI) (info.rules)
- 2048622 - ET INFO Observed DNS Over HTTPS Domain (doh .luigi .nexific .it in TLS SNI) (info.rules)
- 2050024 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
- 2050025 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
- 2804455 - ETPRO ADWARE_PUP Adware.Downware.23 Install (adware_pup.rules)
- 2804574 - ETPRO MALWARE Win32/Heckyebo.A User-Agent (malware.rules)