Ruleset Update Summary - 2024/01/31 - v10520

rulesbot · January 31, 2024, 10:29pm

Summary:

51 new OPEN, 52 new PRO (51 + 1)

Thanks @Synacktiv, @zscaler, @Mandiant

Added rules:

Open:

2050607 - ET INFO Observed DNS Over HTTPS Domain (filter .das .sch .id in TLS SNI) (info.rules)
2050608 - ET INFO Observed DNS Over HTTPS Domain (tienpham .id .vn in TLS SNI) (info.rules)
2050609 - ET INFO Observed DNS Over HTTPS Domain (dns .tryk .app in TLS SNI) (info.rules)
2050610 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (info.rules)
2050611 - ET INFO Observed DNS Over HTTPS Domain (dns-fr-psv1 .cloudsides .com in TLS SNI) (info.rules)
2050612 - ET INFO Observed DNS Over HTTPS Domain (los .conana .info in TLS SNI) (info.rules)
2050613 - ET INFO Observed DNS Over HTTPS Domain (block .coconut .id in TLS SNI) (info.rules)
2050614 - ET INFO Observed DNS Over HTTPS Domain (fezgate .ovh in TLS SNI) (info.rules)
2050615 - ET INFO Observed DNS Over HTTPS Domain (quic .lol in TLS SNI) (info.rules)
2050616 - ET INFO Observed DNS Over HTTPS Domain (uradoori .org in TLS SNI) (info.rules)
2050617 - ET INFO Observed DNS Over HTTPS Domain (jp .conana .info in TLS SNI) (info.rules)
2050618 - ET INFO Observed DNS Over HTTPS Domain (adguard .gewete .cloud in TLS SNI) (info.rules)
2050619 - ET INFO Observed DNS Over HTTPS Domain (www .chungocoai .name .vn in TLS SNI) (info.rules)
2050620 - ET INFO Observed DNS Over HTTPS Domain (takhtakh .domyah .net in TLS SNI) (info.rules)
2050621 - ET INFO Observed DNS Over HTTPS Domain (dns .haboy .top in TLS SNI) (info.rules)
2050622 - ET INFO Observed DNS Over HTTPS Domain (dns .skrep .in in TLS SNI) (info.rules)
2050623 - ET INFO Observed DNS Over HTTPS Domain (naganohara-yoimiya .momokko .moe in TLS SNI) (info.rules)
2050624 - ET INFO Observed DNS Over HTTPS Domain (socolov .home .ro in TLS SNI) (info.rules)
2050625 - ET INFO Observed DNS Over HTTPS Domain (shield1 .eranext .net in TLS SNI) (info.rules)
2050626 - ET INFO Observed DNS Over HTTPS Domain (ikarosalpha .xyz in TLS SNI) (info.rules)
2050627 - ET INFO Observed DNS Over HTTPS Domain (dns .354688 .xyz in TLS SNI) (info.rules)
2050628 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fantasticabnormally .shop) (malware.rules)
2050629 - ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI) (malware.rules)
2050630 - ET MALWARE DNS Query to Malicious Domain (pdfmicrosoft .ddns .net) (malware.rules)
2050631 - ET MALWARE Observed Malicious Domain (pdfmicrosoft .ddns .net in TLS SNI) (malware.rules)
2050632 - ET INFO Observed File Hosting Service Domain (zohopublic .eu) in DNS Lookup (info.rules)
2050633 - ET INFO Observed File Hosting Service Domain (zohopublic .eu) in TLS SNI (info.rules)
2050634 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (farstream .org) (malware.rules)
2050635 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (sysupdates .org) (malware.rules)
2050636 - ET MALWARE Observed KrustyLoader Domain (farstream .org) in TLS SNI (malware.rules)
2050637 - ET MALWARE Observed KrustyLoader Domain (sysupdates .org) in TLS SNI (malware.rules)
2050638 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (be-at-home .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
2050639 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bbr-promo .s3 .amazonaws .com) (malware.rules)
2050640 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bigtimeassets .s3 .amazonaws .com) (malware.rules)
2050641 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (acapros-app .s3-us-west-2 .amazonaws .com) (malware.rules)
2050642 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (beansdeals-static .s3 .amazonaws .com) (malware.rules)
2050643 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bringthenoiseappnew .s3 .amazonaws .com) (malware.rules)
2050644 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (2261992 .s3 .amazonaws .com) (malware.rules)
2050645 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (ahha-asset .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
2050646 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (breaknlinks .s3 .amazonaws .com) (malware.rules)
2050647 - ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M1 (malware.rules)
2050648 - ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M2 (malware.rules)
2050649 - ET MALWARE LIGHTWIRE Web Shell Activity Observed (malware.rules)
2050650 - ET MALWARE CHAINLINE Web Shell Activity Observed (malware.rules)
2050651 - ET MALWARE FRAMEREST Web Shell Activity Observed (malware.rules)
2050652 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (statisticsong .com) (exploit_kit.rules)
2050653 - ET EXPLOIT_KIT Balada Domain in TLS SNI (statisticsong .com) (exploit_kit.rules)
2050654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gigeconomycase .com) (exploit_kit.rules)
2050655 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pngairservices .com) (exploit_kit.rules)
2050656 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gigeconomycase .com) (exploit_kit.rules)
2050657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pngairservices .com) (exploit_kit.rules)

Pro:

2856275 - ETPRO INFO StellaBrowser User-Agent (info.rules)

Modified inactive rules:

2050597 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1 (malware.rules)

Disabled and modified rules:

2049268 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gpksanfrancisco .com) (exploit_kit.rules)
2049269 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (forumsecrets .com) (exploit_kit.rules)
2049270 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gpksanfrancisco .com) (exploit_kit.rules)
2049271 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (forumsecrets .com) (exploit_kit.rules)
2049289 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (midatlanticlabel .com) (exploit_kit.rules)
2049290 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (midatlanticlabel .com) (exploit_kit.rules)
2049291 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (thebestthings1337 .online) (exploit_kit.rules)
2049292 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (thebestthings1337 .online) (exploit_kit.rules)
2049310 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (jagernaut .com) (exploit_kit.rules)
2049311 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (jagernaut .com) (exploit_kit.rules)
2049312 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (excellentpatterns .com) (exploit_kit.rules)
2049313 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (excellentpatterns .com) (exploit_kit.rules)
2049381 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nelubelei .com) (exploit_kit.rules)
2049382 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (informativosatelital .com) (exploit_kit.rules)
2049383 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nelubelei .com) (exploit_kit.rules)
2049384 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (informativosatelital .com) (exploit_kit.rules)
2049414 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paradoxmarine .com) (exploit_kit.rules)
2049415 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paradoxmarine .com) (exploit_kit.rules)
2855353 - ETPRO MALWARE Malicious Chrome Extension CnC Domain in DNS Lookup (malware.rules)
2855354 - ETPRO MALWARE Observed Malicious Chrome Extension Domain in TLS SNI (malware.rules)
2856100 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856155 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/24 - v10513 Ruleset Updates	215	January 24, 2024
Ruleset Update Summary - 2023/10/26 - v10449 Ruleset Updates	230	October 26, 2023
Ruleset Update Summary - 2023/12/04 - v10478 Ruleset Updates	409	December 4, 2023
Ruleset Update Summary - 2023/10/10 - v10436 Ruleset Updates	311	October 10, 2023
Ruleset Update Summary - 2024/04/10 - v10572 Ruleset Updates	163	April 10, 2024

Ruleset Update Summary - 2024/01/31 - v10520

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics