Ruleset Update Summary - 2024/01/24 - v10513

rulesbot · January 24, 2024, 10:57pm

Summary:

90 new OPEN, 91 new PRO (90 + 1)

Thanks @malwrhunterteam, @Jane_0sint, @varonis, @Horizon3ai

Added rules:

Open:

2050376 - ET INFO Observed DNS Over HTTPS Domain (dns .milangeorge .com in TLS SNI) (info.rules)
2050377 - ET INFO Observed DNS Over HTTPS Domain (adguard .sparshbajaj .me in TLS SNI) (info.rules)
2050378 - ET INFO Observed DNS Over HTTPS Domain (dns .jhangy .us in TLS SNI) (info.rules)
2050379 - ET INFO Observed DNS Over HTTPS Domain (dns .scuola .org in TLS SNI) (info.rules)
2050380 - ET INFO Observed DNS Over HTTPS Domain (adguard .shutgaming .net in TLS SNI) (info.rules)
2050381 - ET INFO Observed DNS Over HTTPS Domain (dns .influa-dev .fr in TLS SNI) (info.rules)
2050382 - ET INFO Observed DNS Over HTTPS Domain (dns .just-hosting .net in TLS SNI) (info.rules)
2050383 - ET INFO Observed DNS Over HTTPS Domain (www .inpssh .online in TLS SNI) (info.rules)
2050384 - ET INFO Observed DNS Over HTTPS Domain (adg .siudzinski .net in TLS SNI) (info.rules)
2050385 - ET INFO Observed DNS Over HTTPS Domain (dns .indybanipal .com in TLS SNI) (info.rules)
2050386 - ET INFO Observed DNS Over HTTPS Domain (dns .keskonet .com in TLS SNI) (info.rules)
2050387 - ET INFO Observed DNS Over HTTPS Domain (orpi .privado .ovh in TLS SNI) (info.rules)
2050388 - ET INFO Observed DNS Over HTTPS Domain (dns .txq .life in TLS SNI) (info.rules)
2050389 - ET INFO Observed DNS Over HTTPS Domain (adguard .kiboko .it in TLS SNI) (info.rules)
2050390 - ET INFO Observed DNS Over HTTPS Domain (dns .rhscz .eu in TLS SNI) (info.rules)
2050391 - ET INFO Observed DNS Over HTTPS Domain (dns .henek .ovh in TLS SNI) (info.rules)
2050392 - ET INFO Observed DNS Over HTTPS Domain (dns .wryhf .net in TLS SNI) (info.rules)
2050393 - ET INFO Observed DNS Over HTTPS Domain (www .pukanuragan .ru in TLS SNI) (info.rules)
2050394 - ET INFO Observed DNS Over HTTPS Domain (dns .ithg .ru in TLS SNI) (info.rules)
2050395 - ET INFO Observed DNS Over HTTPS Domain (dns .internal .hosmatic .com in TLS SNI) (info.rules)
2050396 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (racerecessionrestrai .site) (malware.rules)
2050397 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cooperatecliqueobstac .site) (malware.rules)
2050398 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (braidfadefriendklypk .site) (malware.rules)
2050399 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vesselspeedcrosswakew .site) (malware.rules)
2050400 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationinchoicer .site) (malware.rules)
2050401 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carvewomanflavourwop .site) (malware.rules)
2050402 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (retainfactorypunishjkw .site) (malware.rules)
2050403 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willpoweragreebokkskiew .site) (malware.rules)
2050404 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
2050405 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
2050406 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
2050407 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
2050408 - ET MALWARE Observed Lumma Stealer Related Domain (brickabsorptiondullyi .site in TLS SNI) (malware.rules)
2050409 - ET MALWARE Observed Lumma Stealer Related Domain (retainfactorypunishjkw .site in TLS SNI) (malware.rules)
2050410 - ET MALWARE Observed Lumma Stealer Related Domain (communicationinchoicer .site in TLS SNI) (malware.rules)
2050411 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
2050412 - ET MALWARE Observed Lumma Stealer Related Domain (carvewomanflavourwop .site in TLS SNI) (malware.rules)
2050413 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
2050414 - ET MALWARE Observed Lumma Stealer Related Domain (cooperatecliqueobstac .site in TLS SNI) (malware.rules)
2050415 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
2050416 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
2050417 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gearboomchocolateowfs .site) (malware.rules)
2050418 - ET MALWARE Observed Lumma Stealer Related Domain (gearboomchocolateowfs .site in TLS SNI) (malware.rules)
2050419 - ET MALWARE [ANY.RUN] RadX RAT Check-In (POST) (malware.rules)
2050420 - ET MALWARE [ANY.RUN] RadX RAT Keep-Alive Activity (POST) (malware.rules)
2050421 - ET MALWARE Win32/Cobalt Strike CnC Activity M1 (malware.rules)
2050422 - ET MALWARE Win32/Cobalt Strike CnC Activity M2 (malware.rules)
2050423 - ET PHISHING Successful Metamask PassPhrase Phish 2024-01-24 (phishing.rules)
2050424 - ET PHISHING Metamask Credential Phish Landing Page 2024-01-24 (phishing.rules)
2050425 - ET WEB_CLIENT Request for search-ms file extension - Possible NTLM Hash Leak Attempt Attempt (web_client.rules)
2050426 - ET SMTP Message Containing search-ms URI With subquery Parameter In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
2050427 - ET SMTP Message Containing search-ms URI With crumb location Parameter In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
2050428 - ET SMTP Message Containing Windows Performance Analyzer URI In Message Body - Possible NTLM Hash Leak Attempt (smtp.rules)
2050429 - ET WEB_SPECIFIC_APPS Server Response Containing search-ms URI With subquery Parameter - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
2050430 - ET WEB_SPECIFIC_APPS Server Response Containing search-ms URI With crumb location Parameter - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
2050431 - ET WEB_SPECIFIC_APPS Server Response Containing Windows Performance Analyzer URI - Possible NTLM Hash Leak Attempt (web_specific_apps.rules)
2050432 - ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt (hunting.rules)
2050433 - ET EXPLOIT Possible Malicious x-sharing-config-url SMTP header observed (CVE-2023-35636) (exploit.rules)
2050434 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M1 (CVE-2024-0204) (web_specific_apps.rules)
2050435 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M2 (CVE-2024-0204) (web_specific_apps.rules)
2050436 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M1 (CVE-2024-0204) (web_specific_apps.rules)
2050437 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M2 (CVE-2024-0204) (web_specific_apps.rules)
2050438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (climosfevelt .com) (exploit_kit.rules)
2050439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (climosfevelt .com) (exploit_kit.rules)
2050440 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (iredelltx .com) (exploit_kit.rules)
2050441 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (acuiplast .com) (exploit_kit.rules)
2050442 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (binder-sa .com) (exploit_kit.rules)
2050443 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ficinity .com) (exploit_kit.rules)
2050444 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (iredelltx .com) (exploit_kit.rules)
2050445 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (acuiplast .com) (exploit_kit.rules)
2050446 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (binder-sa .com) (exploit_kit.rules)
2050447 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ficinity .com) (exploit_kit.rules)
2050448 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachetransferjs .com) (exploit_kit.rules)
2050449 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachewebspace .com) (exploit_kit.rules)
2050450 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudad .com) (exploit_kit.rules)
2050451 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudns .com) (exploit_kit.rules)
2050452 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (ping .cachespace .net) (exploit_kit.rules)
2050453 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (sync .webappclick .net) (exploit_kit.rules)
2050454 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (storage .webfiledata .com) (exploit_kit.rules)
2050455 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webcachedata .com) (exploit_kit.rules)
2050456 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webdataspace .com) (exploit_kit.rules)
2050457 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachetransferjs .com) (exploit_kit.rules)
2050458 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachewebspace .com) (exploit_kit.rules)
2050459 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudad .com) (exploit_kit.rules)
2050460 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudns .com) (exploit_kit.rules)
2050461 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (ping .cachespace .net) (exploit_kit.rules)
2050462 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (sync .webappclick .net) (exploit_kit.rules)
2050463 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (storage .webfiledata .com) (exploit_kit.rules)
2050464 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webcachedata .com) (exploit_kit.rules)
2050465 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webdataspace .com) (exploit_kit.rules)

Pro:

2856238 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (exploit_kit.rules)

Modified inactive rules:

2003925 - ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/) (user_agents.rules)

Disabled and modified rules:

2032681 - ET PHISHING Possible Successful Generic Phish 2016-05-26 (phishing.rules)
2827118 - ETPRO MALWARE Volk-Botnet Downloader Retrieving Payload (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/31 - v10520 Ruleset Updates	339	January 31, 2024
Ruleset Update Summary - 2024/07/18 - v10648 Ruleset Updates	66	July 18, 2024
Ruleset Update Summary - 2023/10/26 - v10449 Ruleset Updates	288	October 26, 2023
Ruleset Update Summary - 2023/12/04 - v10478 Ruleset Updates	479	December 4, 2023
Ruleset Update Summary - 2023/10/10 - v10436 Ruleset Updates	345	October 10, 2023

Ruleset Update Summary - 2024/01/24 - v10513

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics