Ruleset Update Summary - 2024/01/17 - v10508

Summary:

33 new OPEN, 35 new PRO (33 + 2)

Thanks @1ZRR4H, @Jane0sint, @ViriBack


Added rules:

Open:

  • 2050106 - ET INFO Public File Sharing Service Domain in DNS Lookup (bashupload .com) (info.rules)
  • 2050107 - ET INFO Observed Public File Sharing Service Domain (bashupload .com in TLS SNI) (info.rules)
  • 2050108 - ET INFO File Upload Activity Response (info.rules)
  • 2050109 - ET MALWARE Win32/Neptune Loader Activity (GET) (malware.rules)
  • 2050110 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In (malware.rules)
  • 2050111 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive (malware.rules)
  • 2050112 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 (malware.rules)
  • 2050113 - ET MALWARE DNS Query to TA453 Domain (coral-polydactyl-dragonfruit .glitch .me) (malware.rules)
  • 2050114 - ET MALWARE DNS Query to TA453 Domain (kwhfibejjyxregxmnpcs .supabase .co) (malware.rules)
  • 2050115 - ET MALWARE DNS Query to TA453 Domain (cloud-document-edit .onrender .com) (malware.rules)
  • 2050116 - ET MALWARE DNS Query to TA453 Domain (ndrrftqrlblfecpupppp .supabase .co) (malware.rules)
  • 2050117 - ET MALWARE DNS Query to TA453 Domain (east-healthy-dress .glitch .me) (malware.rules)
  • 2050118 - ET MALWARE DNS Query to TA453 Domain (epibvgvoszemkwjnplyc .supabase .co) (malware.rules)
  • 2050119 - ET MALWARE Observed TA453 Domain (coral-polydactyl-dragonfruit .glitch .me in TLS SNI) (malware.rules)
  • 2050120 - ET MALWARE Observed TA453 Domain (kwhfibejjyxregxmnpcs .supabase .co in TLS SNI) (malware.rules)
  • 2050121 - ET MALWARE Observed TA453 Domain (cloud-document-edit .onrender .com in TLS SNI) (malware.rules)
  • 2050122 - ET MALWARE Observed TA453 Domain (ndrrftqrlblfecpupppp .supabase .co in TLS SNI) (malware.rules)
  • 2050123 - ET MALWARE Observed TA453 Domain (east-healthy-dress .glitch .me in TLS SNI) (malware.rules)
  • 2050124 - ET MALWARE Observed TA453 Domain (epibvgvoszemkwjnplyc .supabase .co in TLS SNI) (malware.rules)
  • 2050125 - ET INFO DNS Query to Online Application Hosting Domain (supabase .co) (info.rules)
  • 2050126 - ET INFO DNS Query to Online Application Hosting Domain (glitch .me) (info.rules)
  • 2050127 - ET INFO DNS Query to Online Application Hosting Domain (onrender .com) (info.rules)
  • 2050128 - ET INFO Observed Online Application Hosting Domain (glitch .me in TLS SNI) (info.rules)
  • 2050129 - ET INFO Observed Online Application Hosting Domain (onrender .com in TLS SNI) (info.rules)
  • 2050130 - ET INFO Observed Online Application Hosting Domain (supabase .co in TLS SNI) (info.rules)
  • 2050131 - ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) (web_specific_apps.rules)
  • 2050132 - ET INFO URL Shortening Service Domain in DNS Lookup (shorturl .at) (info.rules)
  • 2050133 - ET INFO Observed URL Shortening Service Domain (shorturl .at) in TLS SNI (info.rules)
  • 2050134 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (specialcraftbox .com) (exploit_kit.rules)
  • 2050135 - ET EXPLOIT_KIT Balada Domain in TLS SNI (specialcraftbox .com) (exploit_kit.rules)
  • 2050136 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (colorschemeas .com) (exploit_kit.rules)
  • 2050137 - ET EXPLOIT_KIT Balada Domain in TLS SNI (colorschemeas .com) (exploit_kit.rules)
  • 2050138 - ET EXPLOIT_KIT Balada JavaScript Inject (exploit_kit.rules)

Pro:

  • 2856175 - ETPRO MALWARE Suspected FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856176 - ETPRO MALWARE Observed Suspected FIN7/Carbanak Related Domain in TLS SNI (malware.rules)

Disabled and modified rules:

  • 2046098 - ET MALWARE SocGholish Domain in DNS Lookup (stockroom .baybeboutiquellc .com) (malware.rules)
  • 2049179 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ilokod .com) (exploit_kit.rules)
  • 2049180 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (louisianaworkingdogs .com) (exploit_kit.rules)
  • 2049181 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ilokod .com) (exploit_kit.rules)
  • 2049182 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (louisianaworkingdogs .com) (exploit_kit.rules)
  • 2049248 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (longlakeweb .com) (exploit_kit.rules)
  • 2049249 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (longlakeweb .com) (exploit_kit.rules)
  • 2049293 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club) (malware.rules)
  • 2049294 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sync .oystergardens .club) (malware.rules)
  • 2049532 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cloudid .coffeeonboard .com) (malware.rules)
  • 2049533 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .cloudid .coffeeonboard .com) (malware.rules)
  • 2049635 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .settings .oysterfloats .org) (malware.rules)
  • 2049636 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .settings .oysterfloats .org) (malware.rules)
  • 2049726 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .scheme .corycabana .net) (malware.rules)
  • 2856079 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
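Teams that feed these summaries into a SID-tracking or blocklist pipeline normally want two checks before trusting the update: that the header counts agree with the rule lists, and that the defanged domains (printed here with a space before each dot) are re-fanged exactly once. The following Python is an added example, not Proofpoint/Emerging Threats tooling. It parses the summary format above over a constructed, shortened sample whose header counts match its own lists; the ET SID ranges used for the cross-check (2000000 to 2099999 for ET Open, 2800000 to 2899999 for ETPRO) are an assumption stated in the code.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    sid: int
    name: str
    rules_file: str


# Constructed sample in the same layout as the summary above. Its header counts
# match its own short lists (the real update lists 33 open and 2 PRO rules).
SAMPLE_SUMMARY = """\
Summary:

4 new OPEN, 5 new PRO (4 + 1)

Added rules:

Open:

  • 2050106 - ET INFO Public File Sharing Service Domain in DNS Lookup (bashupload .com) (info.rules)
  • 2050113 - ET MALWARE DNS Query to TA453 Domain (coral-polydactyl-dragonfruit .glitch .me) (malware.rules)
  • 2050119 - ET MALWARE Observed TA453 Domain (coral-polydactyl-dragonfruit .glitch .me in TLS SNI) (malware.rules)
  • 2050131 - ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) (web_specific_apps.rules)

Pro:

  • 2856175 - ETPRO MALWARE Suspected FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2049293 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club) (malware.rules)
"""

HEADER_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\(([\w.-]+\.rules)\)\s*$")
# A defanged domain as printed in the summary: labels separated by " ." (a
# wildcard label "*" is allowed, as in "* .sync .oystergardens .club").
DEFANGED_RE = re.compile(r"((?:\*|[A-Za-z0-9-]+)(?: \.[A-Za-z0-9-]+)+)")

SECTIONS = {"Open:": "open", "Pro:": "pro", "Disabled and modified rules:": "modified"}


def parse_summary(text: str) -> Dict[str, List[Rule]]:
    """Split the summary into its three rule lists, keyed open/pro/modified."""
    out: Dict[str, List[Rule]] = {"open": [], "pro": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            current = SECTIONS[stripped]
            continue
        m = RULE_RE.match(line)
        if m and current:
            out[current].append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return out


def check_counts(text: str) -> bool:
    """Verify the 'N new OPEN, M new PRO (N + K)' header against the actual lists."""
    parsed = parse_summary(text)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            n_open, n_pro_total, n_open_again, n_pro_only = map(int, m.groups())
            return (n_open == n_open_again == len(parsed["open"])
                    and n_pro_only == len(parsed["pro"])
                    and n_pro_total == n_open + n_pro_only)
    return False  # no header line found


def refang(defanged: str) -> str:
    """'coral-polydactyl-dragonfruit .glitch .me' -> 'coral-polydactyl-dragonfruit.glitch.me'."""
    return defanged.replace(" .", ".")


def domains_from_name(name: str) -> List[str]:
    """Pull every defanged domain out of a rule title and re-fang it."""
    return [refang(m) for m in DEFANGED_RE.findall(name)]


def added_domains(parsed: Dict[str, List[Rule]]) -> Dict[str, List[int]]:
    """Domain -> SIDs of newly added rules naming it; DNS and SNI pairs collapse to one key."""
    index: Dict[str, List[int]] = defaultdict(list)
    for rule in parsed["open"] + parsed["pro"]:
        for dom in domains_from_name(rule.name):
            index[dom].append(rule.sid)
    return dict(index)


def sid_mismatches(parsed: Dict[str, List[Rule]]) -> List[Rule]:
    """Rules listed under a section whose SID falls outside that section's range.
    Assumed ranges: ET Open 2000000-2099999, ETPRO 2800000-2899999."""
    ranges = {"open": range(2000000, 2100000), "pro": range(2800000, 2900000)}
    return [r for sec, rng in ranges.items() for r in parsed[sec] if r.sid not in rng]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print("header counts consistent:", check_counts(SAMPLE_SUMMARY))
    print("section/SID mismatches:", sid_mismatches(parsed))
    for dom, sids in sorted(added_domains(parsed).items()):
        print(f"{dom:45} {sids}")
```

Wildcard entries such as `*.sync.oystergardens.club` are kept verbatim so the consuming blocklist decides how to expand them, and rules whose titles carry no domain (the Ivanti CVE signature, the FIN7/Carbanak rules) simply contribute nothing to the domain index. Running the same parser over the full summary above should report 33 open and 2 PRO rules, matching the header.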