Ruleset Update Summary - 2024/02/27 - v10541

Summary:

18 new OPEN, 18 new PRO (18 + 0)

Thanks @ViriBack, @zscaler

Added rules:

Open:

  • 2051116 - ET INFO Outbound SMB2 NTLM Auth Attempt to External Address (info.rules)
  • 2051117 - ET HUNTING Suspected Andariel/TA430 Related Domain in TLS SNI (hunting.rules)
  • 2051118 - ET HUNTING Suspected Andariel/TA430 Related Domain in TLS SNI (hunting.rules)
  • 2051119 - ET MALWARE Win32/MarioLoader CnC Activity (POST) M1 (malware.rules)
  • 2051120 - ET MALWARE Win32/MarioLoader Payload Request (GET) (malware.rules)
  • 2051121 - ET MALWARE Win32/MarioLoader CnC Activity (POST) M2 (malware.rules)
  • 2051122 - ET MALWARE Unknown Powershell Malvertising Payload CnC Checkin (malware.rules)
  • 2051123 - ET MALWARE Malvertising Related Domain in DNS Lookup (hmgcyberschools .com) (malware.rules)
  • 2051124 - ET MALWARE Malvertising Related Domain in DNS Lookup (darknetlinks .wiki) (malware.rules)
  • 2051125 - ET MALWARE Malvertising Related Domain in DNS Lookup (legit .onelink .me) (malware.rules)
  • 2051126 - ET MALWARE Malvertising Related Domain in DNS Lookup (healthbeautycosmetics .com) (malware.rules)
  • 2051127 - ET MALWARE Observed Malvertising Related Domain (hmgcyberschools .com) in TLS SNI (malware.rules)
  • 2051128 - ET MALWARE Observed Malvertising Related Domain (darknetlinks .wiki) in TLS SNI (malware.rules)
  • 2051129 - ET MALWARE Observed Malvertising Related Domain (legit .onelink .me) in TLS SNI (malware.rules)
  • 2051130 - ET MALWARE Observed Malvertising Related Domain (healthbeautycosmetics .com) in TLS SNI (malware.rules)
  • 2051131 - ET MALWARE Wineloader CnC Checkin (malware.rules)
  • 2051132 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (egisela .com) (exploit_kit.rules)
  • 2051133 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (egisela .com) (exploit_kit.rules)

Modified inactive rules:

  • 2010697 - ET HUNTING Suspicious User-Agent Beginning with digits - Likely spyware/trojan (hunting.rules)
  • 2012848 - ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI (mobile_malware.rules)
  • 2014795 - ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result (malware.rules)
  • 2015535 - ET MALWARE ZeroAccess HTTP GET request (malware.rules)
  • 2016952 - ET EXPLOIT_KIT Probable Nuclear exploit kit landing page (exploit_kit.rules)
  • 2017706 - ET EXPLOIT_KIT Possible Sweet Orange IE Payload Request (exploit_kit.rules)
  • 2019544 - ET EXPLOIT_KIT Possible Sweet Orange Flash/IE Payload Request (exploit_kit.rules)
  • 2019752 - ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request (exploit.rules)
  • 2020300 - ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015 (exploit_kit.rules)
  • 2022572 - ET MALWARE Andromeda Download (set) (malware.rules)
  • 2022666 - ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 (exploit_kit.rules)
  • 2022682 - ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2 (exploit_kit.rules)
  • 2022771 - ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (exploit_kit.rules)
  • 2022891 - ET MALWARE Unknown Botnet Checkin (malware.rules)
  • 2026460 - ET MALWARE Possible Locky JS Downloading Payload (malware.rules)
  • 2803305 - ETPRO MALWARE Common Downloader Header Pattern H (malware.rules)
  • 2809906 - ETPRO MALWARE Dridex Post Checkin Activity 5 (malware.rules)
  • 2815667 - ETPRO PHISHING Ezweb123 Phishing (set) Jan 8 (phishing.rules)
  • 2815668 - ETPRO PHISHING Ezweb123.com Phishing Landing Jan 8 (phishing.rules)
  • 2815749 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M2 (exploit_kit.rules)
  • 2815750 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M3 (exploit_kit.rules)
  • 2815751 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M4 (exploit_kit.rules)
  • 2815752 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M5 (exploit_kit.rules)
  • 2815753 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M6 (exploit_kit.rules)
  • 2815754 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M7 (exploit_kit.rules)
  • 2815755 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M8 (exploit_kit.rules)
  • 2815756 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M9 (exploit_kit.rules)
  • 2815823 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M3 with URI Primer (exploit_kit.rules)
  • 2815824 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M4 with URI Primer (exploit_kit.rules)
  • 2815830 - ETPRO PHISHING Ezweb123.com Phishing Landing Jan 15 (phishing.rules)
  • 2815831 - ETPRO PHISHING Form Submission to Ezweb123.com - Possible Successful Phish Jan 15 (phishing.rules)
  • 2815891 - ETPRO PHISHING Phishing Landing via Ezweb123.com Jan 22 (phishing.rules)
  • 2815892 - ETPRO PHISHING Phishing Landing via Stinge.com (set) Jan 22 (phishing.rules)
  • 2815893 - ETPRO PHISHING Phishing Landing via Stinge.com Jan 22 M1 (phishing.rules)
  • 2815894 - ETPRO PHISHING Phishing Landing via Stinge.com Jan 22 M2 (phishing.rules)
  • 2815895 - ETPRO PHISHING Phishing Landing via Stinge.com Jan 22 M3 (phishing.rules)
  • 2815896 - ETPRO PHISHING Phishing Landing via Jimdo.com (set) Jan 22 (phishing.rules)
  • 2815897 - ETPRO PHISHING Phishing Landing via Jimdo.com Jan 22 M1 (phishing.rules)
  • 2815898 - ETPRO PHISHING Phishing Landing via Jimdo.com Jan 22 M2 (phishing.rules)
  • 2815899 - ETPRO PHISHING Phishing Landing via Jimdo.com Jan 22 M3 (phishing.rules)
  • 2815907 - ETPRO PHISHING Phishing Landing via Webeden.co.uk Jan 22 M2 (phishing.rules)
  • 2815908 - ETPRO PHISHING Phishing Landing via Webeden.co.uk Jan 22 M3 (phishing.rules)
  • 2815962 - ETPRO PHISHING Phishing Landing via Webeden.co.uk Jan 26 M2 (phishing.rules)
  • 2815964 - ETPRO PHISHING Phishing Landing via Jimdo.com Jan 26 M2 (phishing.rules)
  • 2815965 - ETPRO PHISHING Phishing Landing via Stinge.com Jan 26 M2 (phishing.rules)
  • 2815966 - ETPRO PHISHING Phishing Landing via Ezweb123.com Jan 26 M2 (phishing.rules)
  • 2815967 - ETPRO PHISHING Successful Jimdo Phishing Jan 26 (phishing.rules)
  • 2815981 - ETPRO PHISHING Phishing Landing via Jimdo.com Jan 26 M1 (phishing.rules)
  • 2815982 - ETPRO PHISHING Phishing Landing via Stinge.com Jan 26 M1 (phishing.rules)
  • 2815983 - ETPRO PHISHING Phishing Landing via Ezweb123.com Jan 26 M1 (phishing.rules)
  • 2816022 - ETPRO EXPLOIT_KIT Nuclear EK Landing Jan 29 M1 (exploit_kit.rules)
  • 2816044 - ETPRO PHISHING Lloyds Bank Phishing Landing Feb 1 (phishing.rules)
  • 2816068 - ETPRO EXPLOIT_KIT Nuclear EK Landing T2 Feb 03 2016 (exploit_kit.rules)
  • 2816078 - ETPRO WEB_CLIENT TorrentLocker Localization Redirect Feb 3 (web_client.rules)
  • 2816097 - ETPRO MALWARE Win32/Rogue Browser Extension Installer Checkin (malware.rules)
  • 2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin (mobile_malware.rules)
  • 2816290 - ETPRO PHISHING Igg.biz Phishing Redirector (set) Feb 17 (phishing.rules)
  • 2816404 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Feb 26 2016 (web_client.rules)
  • 2816489 - ETPRO PHISHING Possible Apple Phishing Folder Structure Mar 2 (phishing.rules)
  • 2816598 - ETPRO PHISHING Possible Phishing Landing Obfuscation Mar 9 (phishing.rules)
  • 2816606 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Mar 09 (web_client.rules)
  • 2816645 - ETPRO PHISHING FR Gmail Phishing Landing Mar 14 (phishing.rules)
  • 2816725 - ETPRO MALWARE Win32/Unknown CnC (upload) (malware.rules)
  • 2816809 - ETPRO MALWARE PhilBot/Toshliph Checkin GET 2 (malware.rules)
  • 2816837 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Mar 30 M3 (web_client.rules)
  • 2816840 - ETPRO PHISHING Phishing Landing via MyFreeSites.com Mar 31 M1 (phishing.rules)
  • 2816842 - ETPRO PHISHING Phishing Landing via MyFreeSites.com Mar 31 M3 (phishing.rules)
  • 2816843 - ETPRO PHISHING Successful MyFreeSites.com Phish Mar 31 (phishing.rules)
  • 2816902 - ETPRO PHISHING OWA Phishing Landing Apr 4 M1 (phishing.rules)
  • 2819662 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Apr 11 M1 (web_client.rules)
  • 2819663 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Apr 11 M2 (web_client.rules)
  • 2819784 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Apr 13 2016 (web_client.rules)
  • 2819810 - ETPRO PHISHING Adobe Shared Document Phishing Landing Apr 15 (phishing.rules)
  • 2819811 - ETPRO PHISHING Successful Adobe Shared Document Phish M1 Apr 15 (phishing.rules)
  • 2820027 - ETPRO MALWARE Unknown Checkin (malware.rules)
  • 2820036 - ETPRO PHISHING Generic Email Credential Phish Landing Page 2016-06-03 (phishing.rules)
  • 2820063 - ETPRO EXPLOIT_KIT Magnitude EK Payload May 04 2016 (exploit_kit.rules)
  • 2820248 - ETPRO PHISHING Adobe Document Base64 Phishing Landing May 16 (phishing.rules)
  • 2820333 - ETPRO PHISHING Tripod/Lycos Spanish Webmail Phishing Landing Page May 24 M2 (phishing.rules)
  • 2820352 - ETPRO PHISHING Excel Phishing Landing Page May 25 (phishing.rules)
  • 2820378 - ETPRO WEB_CLIENT Evil Redirector to EK May 27 2016 (web_client.rules)
  • 2820452 - ETPRO PHISHING Versobank Phishing Landing Jun 2 (phishing.rules)
  • 2820491 - ETPRO PHISHING Northwell Health Phishing Landing Jun 6 (phishing.rules)
  • 2820529 - ETPRO PHISHING Paypal Phishing Landing Redirect Jun 8 (phishing.rules)
  • 2820615 - ETPRO PHISHING Suspicious Domain - Possible Apple Phishing Jun 14 (phishing.rules)
  • 2820653 - ETPRO EXPLOIT PHP File Upload GLOBAL Variable Overwrite Vulnerability (exploit.rules)
  • 2820656 - ETPRO EXPLOIT ASN.1 Buffer Overflow Attempt (exploit.rules)
  • 2820733 - ETPRO PHISHING Dropbox Shared Document Phishing Landing Jun 17 (phishing.rules)
  • 2820755 - ETPRO EXPLOIT_KIT Sundown EK Payload June 20 2016 M1 (exploit_kit.rules)
  • 2820807 - ETPRO PHISHING H&M Revenue Phishing Landing Jun 22 (phishing.rules)
  • 2820808 - ETPRO PHISHING Successful H&M Revenue Phish Jun 22 M1 (phishing.rules)
  • 2820811 - ETPRO PHISHING Phishing Landing via my-free.website Jun 21 M1 (phishing.rules)
  • 2820812 - ETPRO PHISHING Phishing Landing via my-free.website Jun 21 M2 (phishing.rules)
  • 2820813 - ETPRO PHISHING Phishing Landing via my-free.website Jun 21 M3 (phishing.rules)
  • 2820814 - ETPRO PHISHING Phishing Landing via my-free.website Jun 21 M4 (phishing.rules)
  • 2820815 - ETPRO PHISHING Phishing Landing via my-free.website Jun 21 M5 (phishing.rules)
  • 2820816 - ETPRO PHISHING Data Submitted to my-free.website - Possible Phishing (phishing.rules)
  • 2820856 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M2 (phishing.rules)
  • 2820857 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M3 (phishing.rules)
  • 2820858 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M4 (phishing.rules)
  • 2820859 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M5 (phishing.rules)
  • 2820860 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M6 (phishing.rules)
  • 2820889 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Cloudatlas.a Checkin (mobile_malware.rules)
  • 2820923 - ETPRO PHISHING Phishing Landing via udo.photo Jun 28 M1 (phishing.rules)
  • 2820924 - ETPRO PHISHING Phishing Landing via udo.photo Jun 28 M2 (phishing.rules)
  • 2820926 - ETPRO PHISHING Phishing Landing via ulcraft.com Jun 28 M1 (phishing.rules)
  • 2820928 - ETPRO PHISHING Phishing Landing via biennale.info Jun 28 M1 (phishing.rules)
  • 2820929 - ETPRO PHISHING Phishing Landing via biennale.info Jun 28 M2 (phishing.rules)
  • 2820931 - ETPRO PHISHING Phishing Landing via topstyle.me Jun 28 M1 (phishing.rules)
  • 2820932 - ETPRO PHISHING Phishing Landing via topstyle.me Jun 28 M2 (phishing.rules)
  • 2820988 - ETPRO EXPLOIT_KIT Sundown/Xer EK Landing M2 Jul 06 2016 (exploit_kit.rules)

Disabled and modified rules:

  • 2050341 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (demonstratorleasheropw .site) (malware.rules)
  • 2050342 - ET MALWARE Observed Lumma Stealer Related Domain (demonstratorleasheropw .site in TLS SNI) (malware.rules)
  • 2050343 - ET INFO Observed DNS Over HTTPS Domain (adguard-home .server-on .net in TLS SNI) (info.rules)
  • 2050345 - ET INFO Observed DNS Over HTTPS Domain (dns .skrzypiec .pl in TLS SNI) (info.rules)
  • 2050347 - ET INFO Observed DNS Over HTTPS Domain (dns .retakecs .com in TLS SNI) (info.rules)
  • 2050349 - ET INFO Observed DNS Over HTTPS Domain (h .gjrick .tw in TLS SNI) (info.rules)
  • 2050351 - ET INFO Observed DNS Over HTTPS Domain (dns .korzhyk .pp .ua in TLS SNI) (info.rules)
  • 2050352 - ET INFO Observed DNS Over HTTPS Domain (adguardo .jimtay .uk in TLS SNI) (info.rules)
  • 2050354 - ET INFO Observed DNS Over HTTPS Domain (adguard .rennes .despagne .net in TLS SNI) (info.rules)
  • 2050355 - ET INFO Observed DNS Over HTTPS Domain (dns1 .klcd .eu in TLS SNI) (info.rules)
  • 2050357 - ET INFO Observed DNS Over HTTPS Domain (dns2 .klcd .eu in TLS SNI) (info.rules)
  • 2050376 - ET INFO Observed DNS Over HTTPS Domain (dns .milangeorge .com in TLS SNI) (info.rules)
  • 2050378 - ET INFO Observed DNS Over HTTPS Domain (dns .jhangy .us in TLS SNI) (info.rules)
  • 2050381 - ET INFO Observed DNS Over HTTPS Domain (dns .influa-dev .fr in TLS SNI) (info.rules)
  • 2050382 - ET INFO Observed DNS Over HTTPS Domain (dns .just-hosting .net in TLS SNI) (info.rules)
  • 2050384 - ET INFO Observed DNS Over HTTPS Domain (adg .siudzinski .net in TLS SNI) (info.rules)
  • 2050386 - ET INFO Observed DNS Over HTTPS Domain (dns .keskonet .com in TLS SNI) (info.rules)
  • 2050389 - ET INFO Observed DNS Over HTTPS Domain (adguard .kiboko .it in TLS SNI) (info.rules)
  • 2050390 - ET INFO Observed DNS Over HTTPS Domain (dns .rhscz .eu in TLS SNI) (info.rules)
  • 2050392 - ET INFO Observed DNS Over HTTPS Domain (dns .wryhf .net in TLS SNI) (info.rules)
  • 2050393 - ET INFO Observed DNS Over HTTPS Domain (www .pukanuragan .ru in TLS SNI) (info.rules)
  • 2050394 - ET INFO Observed DNS Over HTTPS Domain (dns .ithg .ru in TLS SNI) (info.rules)
  • 2050395 - ET INFO Observed DNS Over HTTPS Domain (dns .internal .hosmatic .com in TLS SNI) (info.rules)
  • 2050471 - ET INFO Observed DNS Over HTTPS Domain (cynntex .fun in TLS SNI) (info.rules)
  • 2050472 - ET INFO Observed DNS Over HTTPS Domain (dns .tb4 .me in TLS SNI) (info.rules)
  • 2050476 - ET INFO Observed DNS Over HTTPS Domain (admin .homedns .uk in TLS SNI) (info.rules)
  • 2050482 - ET INFO Observed DNS Over HTTPS Domain (ychen .gq in TLS SNI) (info.rules)
  • 2050483 - ET INFO Observed DNS Over HTTPS Domain (dns .sstomp .nl in TLS SNI) (info.rules)
  • 2050486 - ET INFO Observed DNS Over HTTPS Domain (sdns22 .gkonuralp .com in TLS SNI) (info.rules)
  • 2050487 - ET INFO Observed DNS Over HTTPS Domain (tokyodns .songnguyen .name .vn in TLS SNI) (info.rules)
  • 2050488 - ET INFO Observed DNS Over HTTPS Domain (dash .flylcc .cc in TLS SNI) (info.rules)
  • 2050489 - ET INFO Observed DNS Over HTTPS Domain (portal .iddqd .uk in TLS SNI) (info.rules)
  • 2050490 - ET INFO Observed DNS Over HTTPS Domain (doh .infracell .net in TLS SNI) (info.rules)