Summary:
90 new OPEN, 91 new PRO (90 + 1)
Thanks @malwrhunterteam, @Jane_0sint, @varonis, @Horizon3ai
Added rules:
Open:
- 2050376 - ET INFO Observed DNS Over HTTPS Domain (dns .milangeorge .com in TLS SNI) (info.rules)
- 2050377 - ET INFO Observed DNS Over HTTPS Domain (adguard .sparshbajaj .me in TLS SNI) (info.rules)
- 2050378 - ET INFO Observed DNS Over HTTPS Domain (dns .jhangy .us in TLS SNI) (info.rules)
- 2050379 - ET INFO Observed DNS Over HTTPS Domain (dns .scuola .org in TLS SNI) (info.rules)
- 2050380 - ET INFO Observed DNS Over HTTPS Domain (adguard .shutgaming .net in TLS SNI) (info.rules)
- 2050381 - ET INFO Observed DNS Over HTTPS Domain (dns .influa-dev .fr in TLS SNI) (info.rules)
- 2050382 - ET INFO Observed DNS Over HTTPS Domain (dns .just-hosting .net in TLS SNI) (info.rules)
- 2050383 - ET INFO Observed DNS Over HTTPS Domain (www .inpssh .online in TLS SNI) (info.rules)
- 2050384 - ET INFO Observed DNS Over HTTPS Domain (adg .siudzinski .net in TLS SNI) (info.rules)
- 2050385 - ET INFO Observed DNS Over HTTPS Domain (dns .indybanipal .com in TLS SNI) (info.rules)
- 2050386 - ET INFO Observed DNS Over HTTPS Domain (dns .keskonet .com in TLS SNI) (info.rules)
- 2050387 - ET INFO Observed DNS Over HTTPS Domain (orpi .privado .ovh in TLS SNI) (info.rules)
- 2050388 - ET INFO Observed DNS Over HTTPS Domain (dns .txq .life in TLS SNI) (info.rules)
- 2050389 - ET INFO Observed DNS Over HTTPS Domain (adguard .kiboko .it in TLS SNI) (info.rules)
- 2050390 - ET INFO Observed DNS Over HTTPS Domain (dns .rhscz .eu in TLS SNI) (info.rules)
- 2050391 - ET INFO Observed DNS Over HTTPS Domain (dns .henek .ovh in TLS SNI) (info.rules)
- 2050392 - ET INFO Observed DNS Over HTTPS Domain (dns .wryhf .net in TLS SNI) (info.rules)
- 2050393 - ET INFO Observed DNS Over HTTPS Domain (www .pukanuragan .ru in TLS SNI) (info.rules)
- 2050394 - ET INFO Observed DNS Over HTTPS Domain (dns .ithg .ru in TLS SNI) (info.rules)
- 2050395 - ET INFO Observed DNS Over HTTPS Domain (dns .internal .hosmatic .com in TLS SNI) (info.rules)
- 2050396 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (racerecessionrestrai .site) (malware.rules)
- 2050397 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cooperatecliqueobstac .site) (malware.rules)
- 2050398 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (braidfadefriendklypk .site) (malware.rules)
- 2050399 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vesselspeedcrosswakew .site) (malware.rules)
- 2050400 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationinchoicer .site) (malware.rules)
- 2050401 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carvewomanflavourwop .site) (malware.rules)
- 2050402 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (retainfactorypunishjkw .site) (malware.rules)
- 2050403 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willpoweragreebokkskiew .site) (malware.rules)
- 2050404 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
- 2050405 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
- 2050406 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
- 2050407 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
- 2050408 - ET MALWARE Observed Lumma Stealer Related Domain (brickabsorptiondullyi .site in TLS SNI) (malware.rules)
- 2050409 - ET MALWARE Observed Lumma Stealer Related Domain (retainfactorypunishjkw .site in TLS SNI) (malware.rules)
- 2050410 - ET MALWARE Observed Lumma Stealer Related Domain (communicationinchoicer .site in TLS SNI) (malware.rules)
- 2050411 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
- 2050412 - ET MALWARE Observed Lumma Stealer Related Domain (carvewomanflavourwop .site in TLS SNI) (malware.rules)
- 2050413 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
- 2050414 - ET MALWARE Observed Lumma Stealer Related Domain (cooperatecliqueobstac .site in TLS SNI) (malware.rules)
- 2050415 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
- 2050416 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
- 2050417 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gearboomchocolateowfs .site) (malware.rules)
- 2050418 - ET MALWARE Observed Lumma Stealer Related Domain (gearboomchocolateowfs .site in TLS SNI) (malware.rules)
- 2050419 - ET MALWARE [ANY.RUN] RadX RAT Check-In (POST) (malware.rules)
- 2050420 - ET MALWARE [ANY.RUN] RadX RAT Keep-Alive Activity (POST) (malware.rules)
- 2050421 - ET MALWARE Win32/Cobalt Strike CnC Activity M1 (malware.rules)
- 2050422 - ET MALWARE Win32/Cobalt Strike CnC Activity M2 (malware.rules)
- 2050423 - ET PHISHING Successful Metamask PassPhrase Phish 2024-01-24 (phishing.rules)
- 2050424 - ET PHISHING Metamask Credential Phish Landing Page 2024-01-24 (phishing.rules)
- 2050425 - ET WEB_CLIENT Request for search-ms file extension - Possible NTLM Hash Leak Attempt (web_client.rules)
- 2050426 - ET SMTP Message Containing search-ms URI With subquery Parameter In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
- 2050427 - ET SMTP Message Containing search-ms URI With crumb location Parameter In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
- 2050428 - ET SMTP Message Containing Windows Performance Analyzer URI In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
- 2050429 - ET WEB_SPECIFIC_APPS Server Response Containing search-ms URI With subquery Parameter - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
- 2050430 - ET WEB_SPECIFIC_APPS Server Response Containing search-ms URI With crumb location Parameter - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
- 2050431 - ET WEB_SPECIFIC_APPS Server Response Containing Windows Performance Analyzer URI - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
- 2050432 - ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt (hunting.rules)
- 2050433 - ET EXPLOIT Possible Malicious x-sharing-config-url SMTP header observed (CVE-2023-35636) (exploit.rules)
- 2050434 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204) (web_specific_apps.rules)
- 2050435 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2050436 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204) (web_specific_apps.rules)
- 2050437 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2050438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (climosfevelt .com) (exploit_kit.rules)
- 2050439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (climosfevelt .com) (exploit_kit.rules)
- 2050440 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (iredelltx .com) (exploit_kit.rules)
- 2050441 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (acuiplast .com) (exploit_kit.rules)
- 2050442 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (binder-sa .com) (exploit_kit.rules)
- 2050443 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ficinity .com) (exploit_kit.rules)
- 2050444 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (iredelltx .com) (exploit_kit.rules)
- 2050445 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (acuiplast .com) (exploit_kit.rules)
- 2050446 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (binder-sa .com) (exploit_kit.rules)
- 2050447 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ficinity .com) (exploit_kit.rules)
- 2050448 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachetransferjs .com) (exploit_kit.rules)
- 2050449 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachewebspace .com) (exploit_kit.rules)
- 2050450 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudad .com) (exploit_kit.rules)
- 2050451 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudns .com) (exploit_kit.rules)
- 2050452 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (ping .cachespace .net) (exploit_kit.rules)
- 2050453 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (sync .webappclick .net) (exploit_kit.rules)
- 2050454 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (storage .webfiledata .com) (exploit_kit.rules)
- 2050455 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webcachedata .com) (exploit_kit.rules)
- 2050456 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webdataspace .com) (exploit_kit.rules)
- 2050457 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachetransferjs .com) (exploit_kit.rules)
- 2050458 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachewebspace .com) (exploit_kit.rules)
- 2050459 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudad .com) (exploit_kit.rules)
- 2050460 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudns .com) (exploit_kit.rules)
- 2050461 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (ping .cachespace .net) (exploit_kit.rules)
- 2050462 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (sync .webappclick .net) (exploit_kit.rules)
- 2050463 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (storage .webfiledata .com) (exploit_kit.rules)
- 2050464 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webcachedata .com) (exploit_kit.rules)
- 2050465 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webdataspace .com) (exploit_kit.rules)
Pro:
- 2856238 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (exploit_kit.rules)
Modified inactive rules:
- 2003925 - ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/) (user_agents.rules)
Disabled and modified rules:
- 2032681 - ET PHISHING Possible Successful Generic Phish 2016-05-26 (phishing.rules)
- 2827118 - ETPRO MALWARE Volk-Botnet Downloader Retrieving Payload (malware.rules)