Ruleset Update Summary - 2024/02/01 - v10521

Summary:

27 new OPEN, 33 new PRO (27 + 6)

Thanks @0XYC
Added rules:

Open:

  • 2050658 - ET WEB_CLIENT Zimbra zauthtoken Value Extraction Script Requested (Inbound) (web_client.rules)
  • 2050659 - ET WEB_CLIENT Zimbra zauthtoken Exfil Domain in DNS Lookup (zimbrauser .me) (web_client.rules)
  • 2050660 - ET WEB_CLIENT Observed Zimbra zauthtoken Exfil Domain (zimbrauser .me in TLS SNI) (web_client.rules)
  • 2050661 - ET INFO URL Shortening Service Domain in DNS Lookup (ddsl .me) (info.rules)
  • 2050662 - ET INFO Observed URL Shortening Service Domain (ddsl .me in TLS SNI) (info.rules)
  • 2050663 - ET INFO URL Shortening/File Sharing Service Domain in DNS Lookup (d .pr) (info.rules)
  • 2050664 - ET INFO Observed URL Shortening/File Sharing Service Domain (d .pr in TLS SNI) (info.rules)
  • 2050665 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (knonkcdalfyhitt .shop) (malware.rules)
  • 2050666 - ET MALWARE Observed Lumma Stealer Related Domain (knonkcdalfyhitt .shop in TLS SNI) (malware.rules)
  • 2050667 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (birdvigorousedetertyw .shop) (malware.rules)
  • 2050668 - ET MALWARE Observed Lumma Stealer Related Domain (birdvigorousedetertyw .shop in TLS SNI) (malware.rules)
  • 2050669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telldruggcommitetter .shop) (malware.rules)
  • 2050670 - ET MALWARE Observed Lumma Stealer Related Domain (telldruggcommitetter .shop in TLS SNI) (malware.rules)
  • 2050671 - ET INFO Observed DNS Over HTTPS Domain (yunyun .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050672 - ET INFO Observed DNS Over HTTPS Domain (megumin .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050673 - ET INFO Observed DNS Over HTTPS Domain (aqua .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050674 - ET INFO Observed DNS Over HTTPS Domain (ns .data .haus in TLS SNI) (info.rules)
  • 2050675 - ET INFO Observed DNS Over HTTPS Domain (doh .dns-ga .de in TLS SNI) (info.rules)
  • 2050676 - ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M4 (malware.rules)
  • 2050677 - ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M5 (malware.rules)
  • 2050678 - ET MALWARE Suspected TA451 Related FalseFont Backdoor Response (malware.rules)
  • 2050679 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (cdn3-jquery .info) (exploit_kit.rules)
  • 2050680 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (telotrace .com) (exploit_kit.rules)
  • 2050681 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (cdn3-jquery .info) (exploit_kit.rules)
  • 2050682 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (telotrace .com) (exploit_kit.rules)
  • 2050683 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (eeatgoodx .com) (exploit_kit.rules)
  • 2050684 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (eeatgoodx .com) (exploit_kit.rules)

Pro:

  • 2856276 - ETPRO MALWARE Hello2Malware Downloader CnC Domain in DNS Lookup (malware.rules)
  • 2856277 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
  • 2856278 - ETPRO MALWARE Hello2Malware Downloader - Response (malware.rules)
  • 2856279 - ETPRO MALWARE FireStealer Exfil Activity (malware.rules)
  • 2856280 - ETPRO MALWARE Fake Microsoft Teams Domain in DNS Lookup (msteams .link) (malware.rules)
  • 2856281 - ETPRO MALWARE Observed Fake Microsoft Teams Domain (msteams .link in TLS SNI) (malware.rules)

Disabled and modified rules:

  • 2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)
  • 2016880 - ET HUNTING Suspicious Windows NT version 0 User-Agent (hunting.rules)