Ruleset Update Summary - 2024/01/26 - v10515

rulesbot · January 26, 2024, 9:28pm

Summary:

11 new OPEN, 21 new PRO (11 + 10)

Thanks @anyrun_app, @rmceoin

Added rules:

Open:

2050506 - ET INFO DYNAMIC_DNS HTTP Request to a *.airdns .org Domain (info.rules)
2050507 - ET INFO DYNAMIC_DNS Query to a *.airdns .org Domain (info.rules)
2050508 - ET INFO DYNAMIC_DNS Query to a *.darkworlds .org Domain (info.rules)
2050509 - ET INFO DYNAMIC_DNS HTTP Request to a *.darkworlds .org Domain (info.rules)
2050510 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (blitz .ahadns .com) (info.rules)
2050511 - ET MALWARE Earth Preta PUBLOAD Activity M2 (malware.rules)
2050512 - ET MALWARE Earth Preta PUBLOAD Activity M3 (malware.rules)
2050513 - ET INFO Pastebin-like Service Domain in DNS Lookup (termbin .com) (info.rules)
2050514 - ET INFO Pastebin-like Service Observed in TLS SNI (termbin .com) (info.rules)
2050515 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (lookup-domain .com) (exploit_kit.rules)
2050516 - ET EXPLOIT_KIT Balada Domain in TLS SNI (lookup-domain .com) (exploit_kit.rules)

Pro:

2856251 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856252 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856253 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856254 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856255 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856256 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856257 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2856261 - ETPRO MALWARE TA422 WebDav Landing Page M1 (malware.rules)
2856262 - ETPRO MALWARE TA422 WebDav Landing Page M2 (malware.rules)
2856263 - ETPRO MALWARE TA422 CMD Download (malware.rules)

Modified inactive rules:

2832561 - ETPRO MALWARE Win32/Zpevdo.A Retrieving Payload (malware.rules)

Disabled and modified rules:

2044956 - ET MALWARE Donot Domain in DNS Lookup (dripgift .live) (malware.rules)
2045097 - ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc .co .uk) (malware.rules)
2046896 - ET MALWARE DNS Query for IcedID Domain (magiketchinn .com) (malware.rules)
2046897 - ET MALWARE DNS Query for IcedID Domain (flarkonafaero .com) (malware.rules)
2046899 - ET MALWARE DNS Query for IcedID Domain (magizanqomo .com) (malware.rules)
2046901 - ET MALWARE Observed IcedID Domain (flarkonafaero .com in TLS SNI) (malware.rules)
2046903 - ET MALWARE Observed IcedID Domain (lohmotarufos .com in TLS SNI) (malware.rules)
2046904 - ET MALWARE Observed IcedID Domain (filtaferamoza .com in TLS SNI) (malware.rules)
2046905 - ET MALWARE Observed IcedID Domain (magizanqomo .com in TLS SNI) (malware.rules)
2046906 - ET MALWARE Observed IcedID Domain (magiketchinn .com in TLS SNI) (malware.rules)
2047121 - ET MALWARE DNS Query for TA401 Controlled Domain (cryptoanalyzetech .com) (malware.rules)
2049064 - ET MALWARE DNS Query to IcedID Domain (asleytomafa .com) (malware.rules)
2049067 - ET MALWARE DNS Query to IcedID Domain (grafielucho .com) (malware.rules)
2049110 - ET MALWARE Observed Lazarus Domain (online-meeting .team in TLS SNI) (malware.rules)
2049111 - ET MALWARE Observed Lazarus Domain (safemeeting .online in TLS SNI) (malware.rules)
2049133 - ET ADWARE_PUP DNS Query to Seetrol RAT Domain (seetrol .com) (adware_pup.rules)
2049134 - ET ADWARE_PUP DNS Query to Seetrol RAT Domain (seetrol .kr) (adware_pup.rules)
2049172 - ET MALWARE DNS Query to Remcos Domain (retghrtgwtrgtg .bounceme .net) (malware.rules)
2049173 - ET MALWARE DNS Query to Remcos Domain (listpoints .online) (malware.rules)
2049174 - ET MALWARE DNS Query to Remcos Domain (listpoints .click) (malware.rules)
2049175 - ET MALWARE Observed Remcos Domain (retghrtgwtrgtg .bounceme .net in TLS SNI) (malware.rules)
2049176 - ET MALWARE Observed Remcos Domain (listpoints .online in TLS SNI) (malware.rules)
2049177 - ET MALWARE Observed Remcos Domain (listpoints .click in TLS SNI) (malware.rules)
2049743 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .in) (malware.rules)
2049744 - ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .site) (malware.rules)
2049745 - ET MALWARE DNS Query to UAC-0177 Domain (getssl .ink) (malware.rules)
2049746 - ET MALWARE DNS Query to UAC-0177 Domain (personlog .in) (malware.rules)
2049747 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .link) (malware.rules)
2049748 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .online) (malware.rules)
2049749 - ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .site) (malware.rules)
2049750 - ET MALWARE DNS Query to UAC-0177 Domain (hsts .online) (malware.rules)
2049751 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .in) (malware.rules)
2049752 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .online) (malware.rules)
2049754 - ET MALWARE DNS Query to UAC-0177 Domain (goaccount .link) (malware.rules)
2049755 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .site) (malware.rules)
2049756 - ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .online) (malware.rules)
2049758 - ET MALWARE DNS Query to UAC-0177 Domain (certifiedauth .in) (malware.rules)
2049759 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .link) (malware.rules)
2049760 - ET MALWARE DNS Query to UAC-0177 Domain (connectssl .in) (malware.rules)
2049761 - ET MALWARE DNS Query to UAC-0177 Domain (getssl .click) (malware.rules)
2049762 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .site) (malware.rules)
2049763 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .online) (malware.rules)
2049764 - ET MALWARE DNS Query to UAC-0177 Domain (exmo .day) (malware.rules)
2049765 - ET MALWARE DNS Query to UAC-0177 Domain (authcheck .in) (malware.rules)
2049766 - ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .online) (malware.rules)
2049767 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .org) (malware.rules)
2049768 - ET MALWARE Observed UAC-0177 Domain (ssl2 .in in TLS SNI) (malware.rules)
2049769 - ET MALWARE Observed UAC-0177 Domain (ssl4 .site in TLS SNI) (malware.rules)
2049770 - ET MALWARE Observed UAC-0177 Domain (getssl .ink in TLS SNI) (malware.rules)
2049771 - ET MALWARE Observed UAC-0177 Domain (personlog .in in TLS SNI) (malware.rules)
2049772 - ET MALWARE Observed UAC-0177 Domain (ssl2 .link in TLS SNI) (malware.rules)
2049773 - ET MALWARE Observed UAC-0177 Domain (authssl .online in TLS SNI) (malware.rules)
2049774 - ET MALWARE Observed UAC-0177 Domain (ssl1 .site in TLS SNI) (malware.rules)
2049775 - ET MALWARE Observed UAC-0177 Domain (hsts .online in TLS SNI) (malware.rules)
2049776 - ET MALWARE Observed UAC-0177 Domain (authssl .in in TLS SNI) (malware.rules)
2049777 - ET MALWARE Observed UAC-0177 Domain (ssl2 .online in TLS SNI) (malware.rules)
2049778 - ET MALWARE Observed UAC-0177 Domain (authssl .site in TLS SNI) (malware.rules)
2049779 - ET MALWARE Observed UAC-0177 Domain (goaccount .link in TLS SNI) (malware.rules)
2049780 - ET MALWARE Observed UAC-0177 Domain (ssl2 .site in TLS SNI) (malware.rules)
2049781 - ET MALWARE Observed UAC-0177 Domain (ssl1 .online in TLS SNI) (malware.rules)
2049782 - ET MALWARE Observed UAC-0177 Domain (passport2 .zip in TLS SNI) (malware.rules)
2049783 - ET MALWARE Observed UAC-0177 Domain (certifiedauth .in in TLS SNI) (malware.rules)
2049784 - ET MALWARE Observed UAC-0177 Domain (authssl .link in TLS SNI) (malware.rules)
2049785 - ET MALWARE Observed UAC-0177 Domain (connectssl .in in TLS SNI) (malware.rules)
2049786 - ET MALWARE Observed UAC-0177 Domain (getssl .click in TLS SNI) (malware.rules)
2049787 - ET MALWARE Observed UAC-0177 Domain (ssl3 .site in TLS SNI) (malware.rules)
2049788 - ET MALWARE Observed UAC-0177 Domain (ssl3 .online in TLS SNI) (malware.rules)
2049789 - ET MALWARE Observed UAC-0177 Domain (exmo .day in TLS SNI) (malware.rules)
2049790 - ET MALWARE Observed UAC-0177 Domain (authcheck .in in TLS SNI) (malware.rules)
2049791 - ET MALWARE Observed UAC-0177 Domain (ssl4 .online in TLS SNI) (malware.rules)
2049792 - ET MALWARE Observed UAC-0177 Domain (authssl .org in TLS SNI) (malware.rules)
2854780 - ETPRO PHISHING Phishing Domain in DNS Lookup (phishing.rules)
2855533 - ETPRO MALWARE LockBit Domain in DNS Lookup (malware.rules)
2855534 - ETPRO MALWARE Observed LockBit Domain in TLS SNI (malware.rules)
2855541 - ETPRO PHISHING Observed TOAD Domain in TLS SNI (phishing.rules)
2855546 - ETPRO MALWARE DNS Query to Remcos Domain (malware.rules)
2855547 - ETPRO MALWARE Observed Remcos Domain in TLS SNI (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	353	May 3, 2023
Ruleset Update Summary - 2024/06/10 - v10613 Ruleset Updates	149	June 10, 2024
Ruleset Update Summary - 2024/06/03 - v10608 Ruleset Updates	208	June 3, 2024
Ruleset Update Summary - 2023/05/17 - v10325 Ruleset Updates	291	May 17, 2023
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	268	August 29, 2023

Ruleset Update Summary - 2024/01/26 - v10515

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics