Ruleset Update Summary - 2024/01/25 - v10514

rulesbot · January 25, 2024, 9:45pm

Summary:

40 new OPEN, 40 new PRO (40 + 0)

Thanks @cyberamateur, @AttackerKB, @ESET

Added rules:

Open:

2050466 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (brickabsorptiondullyi .site) (malware.rules)
2050467 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (crisisestimatehealtwh .site) (malware.rules)
2050468 - ET MALWARE Observed Lumma Stealer Related Domain (crisisestimatehealtwh .site in TLS SNI) (malware.rules)
2050469 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (consciouosoepewmausj .site) (malware.rules)
2050470 - ET MALWARE Observed Lumma Stealer Related Domain (consciouosoepewmausj .site in TLS SNI) (malware.rules)
2050471 - ET INFO Observed DNS Over HTTPS Domain (cynntex .fun in TLS SNI) (info.rules)
2050472 - ET INFO Observed DNS Over HTTPS Domain (dns .tb4 .me in TLS SNI) (info.rules)
2050473 - ET INFO Observed DNS Over HTTPS Domain (dns .f97 .xyz in TLS SNI) (info.rules)
2050474 - ET INFO Observed DNS Over HTTPS Domain (dns .simplylinux .ch in TLS SNI) (info.rules)
2050475 - ET INFO Observed DNS Over HTTPS Domain (dns .unx .io in TLS SNI) (info.rules)
2050476 - ET INFO Observed DNS Over HTTPS Domain (admin .homedns .uk in TLS SNI) (info.rules)
2050477 - ET INFO Observed DNS Over HTTPS Domain (dns .thebuckners .org in TLS SNI) (info.rules)
2050478 - ET INFO Observed DNS Over HTTPS Domain (dns .hujiayucc .cn in TLS SNI) (info.rules)
2050479 - ET INFO Observed DNS Over HTTPS Domain (zuhause .webteufel .net in TLS SNI) (info.rules)
2050480 - ET INFO Observed DNS Over HTTPS Domain (adguard .sscw .win in TLS SNI) (info.rules)
2050481 - ET INFO Observed DNS Over HTTPS Domain (timedns .org in TLS SNI) (info.rules)
2050482 - ET INFO Observed DNS Over HTTPS Domain (ychen .gq in TLS SNI) (info.rules)
2050483 - ET INFO Observed DNS Over HTTPS Domain (dns .sstomp .nl in TLS SNI) (info.rules)
2050484 - ET INFO Observed DNS Over HTTPS Domain (ads .hunga1k47 .com in TLS SNI) (info.rules)
2050485 - ET INFO Observed DNS Over HTTPS Domain (dns .huseynov .work in TLS SNI) (info.rules)
2050486 - ET INFO Observed DNS Over HTTPS Domain (sdns22 .gkonuralp .com in TLS SNI) (info.rules)
2050487 - ET INFO Observed DNS Over HTTPS Domain (tokyodns .songnguyen .name .vn in TLS SNI) (info.rules)
2050488 - ET INFO Observed DNS Over HTTPS Domain (dash .flylcc .cc in TLS SNI) (info.rules)
2050489 - ET INFO Observed DNS Over HTTPS Domain (portal .iddqd .uk in TLS SNI) (info.rules)
2050490 - ET INFO Observed DNS Over HTTPS Domain (doh .infracell .net in TLS SNI) (info.rules)
2050491 - ET INFO DNS Query to Document Management Domain (virtualcabinet .com) (info.rules)
2050492 - ET INFO Observed Document Management Domain (virtualcabinet .com in TLS SNI) (info.rules)
2050493 - ET PHISHING DNS Query to TOAD Domain (desktool .buzz) (phishing.rules)
2050494 - ET PHISHING Observed TOAD Domain (desktool .buzz in TLS SNI) (phishing.rules)
2050495 - ET PHISHING DNS Query to TOAD Domain (mvhelp .cc) (phishing.rules)
2050496 - ET PHISHING Observed TOAD Domain (mvhelp .cc in TLS SNI) (phishing.rules)
2050497 - ET MALWARE nspx30 Backdoor Trigger Response Observed (malware.rules)
2050498 - ET MALWARE nspx30 Orchestrator CnC Checkin (malware.rules)
2050499 - ET WEB_SPECIFIC_APPS Apache Kafka UI Unsanitized Groovy Script Filter Remote Code Execution Attempt (CVE-2023-52251) (web_specific_apps.rules)
2050500 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (visitclouds .com) (exploit_kit.rules)
2050501 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (visitclouds .com) (exploit_kit.rules)
2050502 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (mwasro .com) (exploit_kit.rules)
2050503 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (mwasro .com) (exploit_kit.rules)
2050504 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (lightsteper .com) (exploit_kit.rules)
2050505 - ET EXPLOIT_KIT Balada Domain in TLS SNI (lightsteper .com) (exploit_kit.rules)

Disabled and modified rules:

2016212 - ET MALWARE BroBot POST (malware.rules)
2050413 - ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI) (malware.rules)
2050415 - ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI) (malware.rules)
2050416 - ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI) (malware.rules)
2805864 - ETPRO MOBILE_MALWARE Android/Adware.BatteryDoctor.F Checkin (mobile_malware.rules)
2805922 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Biige.a Checkin (mobile_malware.rules)
2806053 - ETPRO ADWARE_PUP ADWARE/InstallCore.Gen Checkin (adware_pup.rules)
2806062 - ETPRO POLICY Windows Hosts File Download (Brazilian Portuguese) (policy.rules)
2806076 - ETPRO MALWARE Win32/Carberp.A Checkin 3 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/22 - v10511 Ruleset Updates	439	January 22, 2024
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	933	March 11, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	239	March 8, 2024
Ruleset Update Summary - 2024/05/15 - v10596 Ruleset Updates	191	May 15, 2024
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	302	March 25, 2024

Ruleset Update Summary - 2024/01/25 - v10514

Summary:

Added rules:

Open:

Disabled and modified rules:

Related topics