Ruleset Update Summary - 2024/02/29 - v10543

Summary:

289 new OPEN, 289 new PRO (289 + 0)

Thanks @mandiant, @Jane_0sint

To all Emerging Threats customers: Please be aware that Friday, March 1st, 2024 is a Proofpoint company holiday. As a result, there will be no new rule release that day. Rule releases will commence the next business day, Monday, March 4th, 2024.


Added rules:

Open:

  • 2051153 - ET MALWARE TA430/Andariel NukeSped Backdoor Variant Activity M1 (malware.rules)
  • 2051154 - ET MALWARE TA430/Andariel NukeSped Backdoor Variant Activity M2 (malware.rules)
  • 2051155 - ET MALWARE TA430/Andariel NukeSped Backdoor Variant Server Response M1 (malware.rules)
  • 2051156 - ET MALWARE TA430/Andariel NukeSped Backdoor Variant Server Response M2 (malware.rules)
  • 2051157 - ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (b36cname .site) (phishing.rules)
  • 2051158 - ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (getyourapi .site) (phishing.rules)
  • 2051159 - ET MALWARE DNS Query to TA455 Domain (xboxplayservice .com) (malware.rules)
  • 2051160 - ET MALWARE Observed TA455 Domain in TLS SNI (vsliveagent .com) (malware.rules)
  • 2051161 - ET MALWARE Observed TA455 Domain in TLS SNI (xboxplayservice .com) (malware.rules)
  • 2051162 - ET PHISHING DNS Query to TA455 Domain (teledyneflir.com .de) (phishing.rules)
  • 2051163 - ET PHISHING DNS Query to TA455 Domain (1stemployer .com) (phishing.rules)
  • 2051164 - ET MALWARE Observed TA455 Domain in TLS SNI (teledyneflir.com .de) (malware.rules)
  • 2051165 - ET MALWARE Observed TA455 Domain in TLS SNI (1stemployer .com) (malware.rules)
  • 2051166 - ET PHISHING DNS Query to TA455 Domain (vsliveagent .com) (phishing.rules)
  • 2051167 - ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionsapi .azurewebsites .net) (phishing.rules)
  • 2051168 - ET PHISHING DNS Query to UNC1549/TA455 Domain (vscodeupdater .azurewebsites .net) (phishing.rules)
  • 2051169 - ET PHISHING DNS Query to UNC1549/TA455 Domain (helicoptersahtests .azurewebsites .net) (phishing.rules)
  • 2051170 - ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionsapi .azurewebsites .net) (phishing.rules)
  • 2051171 - ET PHISHING DNS Query to UNC1549/TA455 Domain (regionuaequestions .azurewebsites .net) (phishing.rules)
  • 2051172 - ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapisjson .azurewebsites .net) (phishing.rules)
  • 2051173 - ET PHISHING DNS Query to UNC1549/TA455 Domain (blognewsalphaapijson .azurewebsites .net) (phishing.rules)
  • 2051174 - ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .cloudapp .azure .com) (phishing.rules)
  • 2051175 - ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextcheckings .azurewebsites .net) (phishing.rules)
  • 2051176 - ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquizapi .azurewebsites .net) (phishing.rules)
  • 2051177 - ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestionsapi .azurewebsites .net) (phishing.rules)
  • 2051178 - ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextchecking .azurewebsites .net) (phishing.rules)
  • 2051179 - ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestionsapicheck .azurewebsites .net) (phishing.rules)
  • 2051180 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationbackup .azurewebsites .net) (phishing.rules)
  • 2051181 - ET PHISHING DNS Query to UNC1549/TA455 Domain (arquestionsapi .azurewebsites .net) (phishing.rules)
  • 2051182 - ET PHISHING DNS Query to UNC1549/TA455 Domain (customercareservice .azurewebsites .net) (phishing.rules)
  • 2051183 - ET PHISHING DNS Query to UNC1549/TA455 Domain (uaeaircheckon .azurewebsites .net) (phishing.rules)
  • 2051184 - ET PHISHING DNS Query to UNC1549/TA455 Domain (blogvolleyballstatus .azurewebsites .net) (phishing.rules)
  • 2051185 - ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .centralus .cloudapp .azure .com) (phishing.rules)
  • 2051186 - ET PHISHING DNS Query to UNC1549/TA455 Domain (emiratescheckapi .azurewebsites .net) (phishing.rules)
  • 2051187 - ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktexts .azurewebsites .net) (phishing.rules)
  • 2051188 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsurveyapp .azurewebsites .net) (phishing.rules)
  • 2051189 - ET PHISHING DNS Query to UNC1549/TA455 Domain (quiztestapplication .azurewebsites .net) (phishing.rules)
  • 2051190 - ET PHISHING DNS Query to UNC1549/TA455 Domain (manpowerfeedapijson .azurewebsites .net) (phishing.rules)
  • 2051191 - ET PHISHING DNS Query to UNC1549/TA455 Domain (engineeringrssfeed .azurewebsites .net) (phishing.rules)
  • 2051192 - ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionapi .azurewebsites .net) (phishing.rules)
  • 2051193 - ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntime .azurewebsites .net) (phishing.rules)
  • 2051194 - ET PHISHING DNS Query to UNC1549/TA455 Domain (coffeeonlineshop .azurewebsites .net) (phishing.rules)
  • 2051195 - ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestions .azurewebsites .net) (phishing.rules)
  • 2051196 - ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimestestapi .azurewebsites .net) (phishing.rules)
  • 2051197 - ET PHISHING DNS Query to UNC1549/TA455 Domain (logupdatemanagementapijson .azurewebsites .net) (phishing.rules)
  • 2051198 - ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeedp .cloudapp .azure .com) (phishing.rules)
  • 2051199 - ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestions .azurewebsites .net) (phishing.rules)
  • 2051200 - ET PHISHING DNS Query to UNC1549/TA455 Domain (roadmapselector .azurewebsites .net) (phishing.rules)
  • 2051201 - ET PHISHING DNS Query to UNC1549/TA455 Domain (homefurniture .azurewebsites .net) (phishing.rules)
  • 2051202 - ET PHISHING DNS Query to UNC1549/TA455 Domain (engineeringssfeed .azurewebsites .net) (phishing.rules)
  • 2051203 - ET PHISHING DNS Query to UNC1549/TA455 Domain (blogvolleyballstatusapi .azurewebsites .net) (phishing.rules)
  • 2051204 - ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .com) (phishing.rules)
  • 2051205 - ET PHISHING DNS Query to UNC1549/TA455 Domain (technewsblogapi .azurewebsites .net) (phishing.rules)
  • 2051206 - ET PHISHING DNS Query to UNC1549/TA455 Domain (airgadgetsolutions .azurewebsites .net) (phishing.rules)
  • 2051207 - ET PHISHING DNS Query to UNC1549/TA455 Domain (emiratescheckapijson .azurewebsites .net) (phishing.rules)
  • 2051208 - ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionapi .azurewebsites .net) (phishing.rules)
  • 2051209 - ET PHISHING DNS Query to UNC1549/TA455 Domain (airgadgetsolution .azurewebsites .net) (phishing.rules)
  • 2051210 - ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .centrualus .cloudapp .azure .com) (phishing.rules)
  • 2051211 - ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyappquery .azurewebsites .net) (phishing.rules)
  • 2051212 - ET PHISHING DNS Query to UNC1549/TA455 Domain (boeisurveyapplications .azurewebsites .net) (phishing.rules)
  • 2051213 - ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollection .azurewebsites .net) (phishing.rules)
  • 2051214 - ET PHISHING DNS Query to UNC1549/TA455 Domain (helicopterahtest .azurewebsites .net) (phishing.rules)
  • 2051215 - ET PHISHING DNS Query to UNC1549/TA455 Domain (hrapplicationtest .azurewebsites .net) (phishing.rules)
  • 2051216 - ET PHISHING DNS Query to UNC1549/TA455 Domain (altnametestapi .azurewebsites .net) (phishing.rules)
  • 2051217 - ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckapplication .azurewebsites .net) (phishing.rules)
  • 2051218 - ET PHISHING DNS Query to UNC1549/TA455 Domain (ilengineeringrssfeed .azurewebsites .net) (phishing.rules)
  • 2051219 - ET PHISHING DNS Query to UNC1549/TA455 Domain (manpowerfeedapi .azurewebsites .net) (phishing.rules)
  • 2051220 - ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewfeed .azurewebsites .net) (phishing.rules)
  • 2051221 - ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestionsapi .azurewebsites .net) (phishing.rules)
  • 2051222 - ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimeversionchecking .azurewebsites .net) (phishing.rules)
  • 2051223 - ET PHISHING DNS Query to UNC1549/TA455 Domain (optionalapplication .azurewebsites .net) (phishing.rules)
  • 2051224 - ET PHISHING DNS Query to UNC1549/TA455 Domain (connectairapijson .azurewebsites .net) (phishing.rules)
  • 2051225 - ET PHISHING DNS Query to UNC1549/TA455 Domain (flighthelicopterahtest .azurewebsites .net) (phishing.rules)
  • 2051226 - ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .net) (phishing.rules)
  • 2051227 - ET PHISHING DNS Query to UNC1549/TA455 Domain (customercareserviceapi .azurewebsites .net) (phishing.rules)
  • 2051228 - ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextcheckings .com) (phishing.rules)
  • 2051229 - ET PHISHING DNS Query to UNC1549/TA455 Domain (exchtestcheckingapihealth .azurewebsites .net) (phishing.rules)
  • 2051230 - ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyonlinetest .azurewebsites .net) (phishing.rules)
  • 2051231 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsdatabases .azurewebsites .net) (phishing.rules)
  • 2051232 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationapijson .azurewebsites .net) (phishing.rules)
  • 2051233 - ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapijson .azurewebsites .net) (phishing.rules)
  • 2051234 - ET PHISHING DNS Query to UNC1549/TA455 Domain (openapplicationcheck .azurewebsites .net) (phishing.rules)
  • 2051235 - ET PHISHING DNS Query to UNC1549/TA455 Domain (logsapimanagement .azurewebsites .net) (phishing.rules)
  • 2051236 - ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestionsjson .azurewebsites .net) (phishing.rules)
  • 2051237 - ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckap .azurewebsites .net) (phishing.rules)
  • 2051238 - ET PHISHING DNS Query to UNC1549/TA455 Domain (checkapicountryquestionsjson .azurewebsites .net) (phishing.rules)
  • 2051239 - ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognews .azurewebsites .net) (phishing.rules)
  • 2051240 - ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestionstypeapi .azurewebsites .net) (phishing.rules)
  • 2051241 - ET PHISHING DNS Query to UNC1549/TA455 Domain (intengineeringrssfeed .azurewebsites .net) (phishing.rules)
  • 2051242 - ET PHISHING DNS Query to UNC1549/TA455 Domain (cashcloudservices .com) (phishing.rules)
  • 2051243 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsurveyappserver .azurewebsites .net) (phishing.rules)
  • 2051244 - ET PHISHING DNS Query to UNC1549/TA455 Domain (audiomanagerapi .azurewebsites .net) (phishing.rules)
  • 2051245 - ET PHISHING DNS Query to UNC1549/TA455 Domain (coffeeonlineshoping .azurewebsites .net) (phishing.rules)
  • 2051246 - ET PHISHING DNS Query to UNC1549/TA455 Domain (exchtestcheckingapi .azurewebsites .net) (phishing.rules)
  • 2051247 - ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyonlinetestapi .azurewebsites .net) (phishing.rules)
  • 2051248 - ET PHISHING DNS Query to UNC1549/TA455 Domain (personalizationsurvey .azurewebsites .net) (phishing.rules)
  • 2051249 - ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationapi .azurewebsites .net) (phishing.rules)
  • 2051250 - ET PHISHING DNS Query to UNC1549/TA455 Domain (turkairline .azurewebsites .net) (phishing.rules)
  • 2051251 - ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckingapplications .azurewebsites .net) (phishing.rules)
  • 2051252 - ET PHISHING DNS Query to UNC1549/TA455 Domain (testquestionapplicationapi .azurewebsites .net) (phishing.rules)
  • 2051253 - ET PHISHING DNS Query to UNC1549/TA455 Domain (tnlsowki .westus3 .cloudapp .azure .com) (phishing.rules)
  • 2051254 - ET PHISHING DNS Query to UNC1549/TA455 Domain (registerinsurance .azurewebsites .net) (phishing.rules)
  • 2051255 - ET PHISHING DNS Query to UNC1549/TA455 Domain (hiringarabicregion .azurewebsites .net) (phishing.rules)
  • 2051256 - ET PHISHING DNS Query to UNC1549/TA455 Domain (countrybasedquestions .azurewebsites .net) (phishing.rules)
  • 2051257 - ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquestion .azurewebsites .net) (phishing.rules)
  • 2051258 - ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimetestapi .azurewebsites .net) (phishing.rules)
  • 2051259 - ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckingapi .azurewebsites .net) (phishing.rules)
  • 2051260 - ET PHISHING DNS Query to UNC1549/TA455 Domain (logupdatemanagementapi .azurewebsites .net) (phishing.rules)
  • 2051261 - ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionsapijson .azurewebsites .net) (phishing.rules)
  • 2051262 - ET PHISHING DNS Query to UNC1549/TA455 Domain (sportblogs .azurewebsites .net) (phishing.rules)
  • 2051263 - ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestiontypesapi .azurewebsites .net) (phishing.rules)
  • 2051264 - ET PHISHING DNS Query to UNC1549/TA455 Domain (intergratedblognewsapi .azurewebsites .net) (phishing.rules)
  • 2051265 - ET PHISHING DNS Query to UNC1549/TA455 Domain (queryfindquestions .azurewebsites .net) (phishing.rules)
  • 2051266 - ET PHISHING DNS Query to UNC1549/TA455 Domain (queryquestions .azurewebsites .net) (phishing.rules)
  • 2051267 - ET PHISHING DNS Query to UNC1549/TA455 Domain (checkapicountryquestions .azurewebsites .net) (phishing.rules)
  • 2051268 - ET PHISHING DNS Query to UNC1549/TA455 Domain (audioservicetestapi .azurewebsites .net) (phishing.rules)
  • 2051269 - ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestions .azurewebsites .net) (phishing.rules)
  • 2051270 - ET PHISHING DNS Query to UNC1549/TA455 Domain (uaeairchecks .azurewebsites .net) (phishing.rules)
  • 2051271 - ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookscollection .azurewebsites .net) (phishing.rules)
  • 2051272 - ET PHISHING DNS Query to UNC1549/TA455 Domain (refaeldevrssfeed .centralus .cloudapp .azure .com) (phishing.rules)
  • 2051273 - ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquestions .azurewebsites .net) (phishing.rules)
  • 2051274 - ET PHISHING DNS Query to UNC1549/TA455 Domain (personalitytestquestionapi .azurewebsites .net) (phishing.rules)
  • 2051275 - ET PHISHING DNS Query to UNC1549/TA455 Domain (tnlsowkis .westus3 .cloudapp .azure .com) (phishing.rules)
  • 2051276 - ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapi .azurewebsites .net) (phishing.rules)
  • 2051277 - ET PHISHING DNS Query to UNC1549/TA455 Domain (checkservicecustomerapi .azurewebsites .net) (phishing.rules)
  • 2051278 - ET PHISHING DNS Query to UNC1549/TA455 Domain (testtesttes .azurewebsites .net) (phishing.rules)
  • 2051279 - ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapiquiz .azurewebsites .net) (phishing.rules)
  • 2051280 - ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollections .com) (phishing.rules)
  • 2051281 - ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollections .azurewebsites .net) (phishing.rules)
  • 2051282 - ET PHISHING DNS Query to UNC1549/TA455 Domain (helicopterahtests .azurewebsites .net) (phishing.rules)
  • 2051283 - ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestiontypes .azurewebsites .net) (phishing.rules)
  • 2051284 - ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapi1 .azurewebsites .net) (phishing.rules)
  • 2051285 - ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckjson .azurewebsites .net) (phishing.rules)
  • 2051286 - ET PHISHING DNS Query to UNC1549/TA455 Domain (answerssurveytest .azurewebsites .net) (phishing.rules)
  • 2051287 - ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionsapijson .azurewebsites .net) (phishing.rules)
  • 2051288 - ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestionstypejsonapi .azurewebsites .net) (phishing.rules)
  • 2051289 - ET PHISHING DNS Query to UNC1549/TA455 Domain (marineblogapi .azurewebsites .net) (phishing.rules)
  • 2051290 - ET PHISHING DNS Query to UNC1549/TA455 Domain (logsapimanagements .azurewebsites .net) (phishing.rules)
  • 2051291 - ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimeversioncheckingapi .azurewebsites .net) (phishing.rules)
  • 2051292 - ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckapplications .azurewebsites .net) (phishing.rules)
  • 2051293 - ET PHISHING DNS Query to UNC1549/TA455 Domain (connectionhandlerapi .azurewebsites .net) (phishing.rules)
  • 2051294 - ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapis .azurewebsites .net) (phishing.rules)
  • 2051295 - ET PHISHING DNS Query to UNC1549/TA455 Domain (tiappschecktest .azurewebsites .net) (phishing.rules)
  • 2051296 - ET PHISHING DNS Query to UNC1549/TA455 Domain (arquestions .azurewebsites .net) (phishing.rules)
  • 2051297 - ET PHISHING DNS Query to UNC1549/TA455 Domain (roadmapselectorapi .azurewebsites .net) (phishing.rules)
  • 2051298 - ET PHISHING DNS Query to UNC1549/TA455 Domain (birngthemhomenow .co .il) (phishing.rules)
  • 2051299 - ET MALWARE Observed UNC1549/TA455 Domain (qaquestionsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051300 - ET MALWARE Observed UNC1549/TA455 Domain (vscodeupdater .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051301 - ET MALWARE Observed UNC1549/TA455 Domain (helicoptersahtests .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051302 - ET MALWARE Observed UNC1549/TA455 Domain (airconnectionsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051303 - ET MALWARE Observed UNC1549/TA455 Domain (regionuaequestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051304 - ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapisjson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051305 - ET MALWARE Observed UNC1549/TA455 Domain (blognewsalphaapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051306 - ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051307 - ET MALWARE Observed UNC1549/TA455 Domain (notebooktextcheckings .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051308 - ET MALWARE Observed UNC1549/TA455 Domain (apphrquizapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051309 - ET MALWARE Observed UNC1549/TA455 Domain (onequestionsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051310 - ET MALWARE Observed UNC1549/TA455 Domain (notebooktextchecking .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051311 - ET MALWARE Observed UNC1549/TA455 Domain (onequestionsapicheck .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051312 - ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationbackup .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051313 - ET MALWARE Observed UNC1549/TA455 Domain (arquestionsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051314 - ET MALWARE Observed UNC1549/TA455 Domain (customercareservice .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051315 - ET MALWARE Observed UNC1549/TA455 Domain (uaeaircheckon .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051316 - ET MALWARE Observed UNC1549/TA455 Domain (blogvolleyballstatus .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051317 - ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .centralus .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051318 - ET MALWARE Observed UNC1549/TA455 Domain (emiratescheckapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051319 - ET MALWARE Observed UNC1549/TA455 Domain (notebooktexts .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051320 - ET MALWARE Observed UNC1549/TA455 Domain (questionsurveyapp .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051321 - ET MALWARE Observed UNC1549/TA455 Domain (quiztestapplication .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051322 - ET MALWARE Observed UNC1549/TA455 Domain (manpowerfeedapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051323 - ET MALWARE Observed UNC1549/TA455 Domain (engineeringrssfeed .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051324 - ET MALWARE Observed UNC1549/TA455 Domain (airconnectionapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051325 - ET MALWARE Observed UNC1549/TA455 Domain (javaruntime .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051326 - ET MALWARE Observed UNC1549/TA455 Domain (coffeeonlineshop .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051327 - ET MALWARE Observed UNC1549/TA455 Domain (onequestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051328 - ET MALWARE Observed UNC1549/TA455 Domain (javaruntimestestapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051329 - ET MALWARE Observed UNC1549/TA455 Domain (logupdatemanagementapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051330 - ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeedp .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051331 - ET MALWARE Observed UNC1549/TA455 Domain (qaquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051332 - ET MALWARE Observed UNC1549/TA455 Domain (roadmapselector .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051333 - ET MALWARE Observed UNC1549/TA455 Domain (homefurniture .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051334 - ET MALWARE Observed UNC1549/TA455 Domain (engineeringssfeed .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051335 - ET MALWARE Observed UNC1549/TA455 Domain (blogvolleyballstatusapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051336 - ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .com in TLS SNI) (malware.rules)
  • 2051337 - ET MALWARE Observed UNC1549/TA455 Domain (technewsblogapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051338 - ET MALWARE Observed UNC1549/TA455 Domain (airgadgetsolutions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051339 - ET MALWARE Observed UNC1549/TA455 Domain (emiratescheckapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051340 - ET MALWARE Observed UNC1549/TA455 Domain (qaquestionapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051341 - ET MALWARE Observed UNC1549/TA455 Domain (airgadgetsolution .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051342 - ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .centrualus .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051343 - ET MALWARE Observed UNC1549/TA455 Domain (surveyappquery .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051344 - ET MALWARE Observed UNC1549/TA455 Domain (boeisurveyapplications .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051345 - ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollection .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051346 - ET MALWARE Observed UNC1549/TA455 Domain (helicopterahtest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051347 - ET MALWARE Observed UNC1549/TA455 Domain (hrapplicationtest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051348 - ET MALWARE Observed UNC1549/TA455 Domain (altnametestapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051349 - ET MALWARE Observed UNC1549/TA455 Domain (identifycheckapplication .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051350 - ET MALWARE Observed UNC1549/TA455 Domain (ilengineeringrssfeed .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051351 - ET MALWARE Observed UNC1549/TA455 Domain (manpowerfeedapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051352 - ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewfeed .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051353 - ET MALWARE Observed UNC1549/TA455 Domain (workersquestionsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051354 - ET MALWARE Observed UNC1549/TA455 Domain (javaruntimeversionchecking .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051355 - ET MALWARE Observed UNC1549/TA455 Domain (optionalapplication .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051356 - ET MALWARE Observed UNC1549/TA455 Domain (connectairapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051357 - ET MALWARE Observed UNC1549/TA455 Domain (flighthelicopterahtest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051358 - ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051359 - ET MALWARE Observed UNC1549/TA455 Domain (customercareserviceapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051360 - ET MALWARE Observed UNC1549/TA455 Domain (notebooktextcheckings .com in TLS SNI) (malware.rules)
  • 2051361 - ET MALWARE Observed UNC1549/TA455 Domain (exchtestcheckingapihealth .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051362 - ET MALWARE Observed UNC1549/TA455 Domain (surveyonlinetest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051363 - ET MALWARE Observed UNC1549/TA455 Domain (questionsdatabases .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051364 - ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051365 - ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051366 - ET MALWARE Observed UNC1549/TA455 Domain (openapplicationcheck .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051367 - ET MALWARE Observed UNC1549/TA455 Domain (logsapimanagement .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051368 - ET MALWARE Observed UNC1549/TA455 Domain (workersquestionsjson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051369 - ET MALWARE Observed UNC1549/TA455 Domain (browsercheckap .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051370 - ET MALWARE Observed UNC1549/TA455 Domain (checkapicountryquestionsjson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051371 - ET MALWARE Observed UNC1549/TA455 Domain (integratedblognews .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051372 - ET MALWARE Observed UNC1549/TA455 Domain (changequestionstypeapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051373 - ET MALWARE Observed UNC1549/TA455 Domain (cashcloudservices .com in TLS SNI) (malware.rules)
  • 2051374 - ET MALWARE Observed UNC1549/TA455 Domain (questionsurveyappserver .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051375 - ET MALWARE Observed UNC1549/TA455 Domain (audiomanagerapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051376 - ET MALWARE Observed UNC1549/TA455 Domain (coffeeonlineshoping .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051377 - ET MALWARE Observed UNC1549/TA455 Domain (exchtestcheckingapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051378 - ET MALWARE Observed UNC1549/TA455 Domain (surveyonlinetestapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051379 - ET MALWARE Observed UNC1549/TA455 Domain (personalizationsurvey .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051380 - ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051381 - ET MALWARE Observed UNC1549/TA455 Domain (turkairline .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051382 - ET MALWARE Observed UNC1549/TA455 Domain (identifycheckingapplications .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051383 - ET MALWARE Observed UNC1549/TA455 Domain (testquestionapplicationapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051384 - ET MALWARE Observed UNC1549/TA455 Domain (tnlsowki .westus3 .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051385 - ET MALWARE Observed UNC1549/TA455 Domain (registerinsurance .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051386 - ET MALWARE Observed UNC1549/TA455 Domain (hiringarabicregion .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051387 - ET MALWARE Observed UNC1549/TA455 Domain (countrybasedquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051388 - ET MALWARE Observed UNC1549/TA455 Domain (apphrquestion .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051389 - ET MALWARE Observed UNC1549/TA455 Domain (javaruntimetestapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051390 - ET MALWARE Observed UNC1549/TA455 Domain (browsercheckingapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051391 - ET MALWARE Observed UNC1549/TA455 Domain (logupdatemanagementapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051392 - ET MALWARE Observed UNC1549/TA455 Domain (qaquestionsapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051393 - ET MALWARE Observed UNC1549/TA455 Domain (sportblogs .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051394 - ET MALWARE Observed UNC1549/TA455 Domain (changequestiontypesapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051395 - ET MALWARE Observed UNC1549/TA455 Domain (intergratedblognewsapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051396 - ET MALWARE Observed UNC1549/TA455 Domain (queryfindquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051397 - ET MALWARE Observed UNC1549/TA455 Domain (queryquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051398 - ET MALWARE Observed UNC1549/TA455 Domain (checkapicountryquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051399 - ET MALWARE Observed UNC1549/TA455 Domain (audioservicetestapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051400 - ET MALWARE Observed UNC1549/TA455 Domain (workersquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051401 - ET MALWARE Observed UNC1549/TA455 Domain (uaeairchecks .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051402 - ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookscollection .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051403 - ET MALWARE Observed UNC1549/TA455 Domain (refaeldevrssfeed .centralus .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051404 - ET MALWARE Observed UNC1549/TA455 Domain (apphrquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051405 - ET MALWARE Observed UNC1549/TA455 Domain (personalitytestquestionapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051406 - ET MALWARE Observed UNC1549/TA455 Domain (tnlsowkis .westus3 .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051407 - ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051408 - ET MALWARE Observed UNC1549/TA455 Domain (checkservicecustomerapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051409 - ET MALWARE Observed UNC1549/TA455 Domain (testtesttes .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051410 - ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapiquiz .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051411 - ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollections .com in TLS SNI) (malware.rules)
  • 2051412 - ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollections .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051413 - ET MALWARE Observed UNC1549/TA455 Domain (helicopterahtests .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051414 - ET MALWARE Observed UNC1549/TA455 Domain (changequestiontypes .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051415 - ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapi1 .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051416 - ET MALWARE Observed UNC1549/TA455 Domain (browsercheckjson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051417 - ET MALWARE Observed UNC1549/TA455 Domain (answerssurveytest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051418 - ET MALWARE Observed UNC1549/TA455 Domain (airconnectionsapijson .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051419 - ET MALWARE Observed UNC1549/TA455 Domain (changequestionstypejsonapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051420 - ET MALWARE Observed UNC1549/TA455 Domain (marineblogapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051421 - ET MALWARE Observed UNC1549/TA455 Domain (logsapimanagements .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051422 - ET MALWARE Observed UNC1549/TA455 Domain (javaruntimeversioncheckingapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051423 - ET MALWARE Observed UNC1549/TA455 Domain (identifycheckapplications .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051424 - ET MALWARE Observed UNC1549/TA455 Domain (connectionhandlerapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051425 - ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapis .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051426 - ET MALWARE Observed UNC1549/TA455 Domain (tiappschecktest .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051427 - ET MALWARE Observed UNC1549/TA455 Domain (arquestions .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051428 - ET MALWARE Observed UNC1549/TA455 Domain (roadmapselectorapi .azurewebsites .net in TLS SNI) (malware.rules)
  • 2051429 - ET MALWARE Observed UNC1549/TA455 Domain (birngthemhomenow .co .il in TLS SNI) (malware.rules)
  • 2051430 - ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) (info.rules)
  • 2051431 - ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI (info.rules)
  • 2051432 - ET INFO [ANY.RUN] Impacket Framework Default SMB Server GUID Detected (info.rules)
  • 2051433 - ET INFO Impacket Framework Default SMB NTLMSSP Challenge (info.rules)
  • 2051434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (africanbeatmaker .com) (exploit_kit.rules)
  • 2051435 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aiifolrida .com) (exploit_kit.rules)
  • 2051436 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amarod .com) (exploit_kit.rules)
  • 2051437 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (auburnartwalk .com) (exploit_kit.rules)
  • 2051438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (africanbeatmaker .com) (exploit_kit.rules)
  • 2051439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aiifolrida .com) (exploit_kit.rules)
  • 2051440 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amarod .com) (exploit_kit.rules)
  • 2051441 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (auburnartwalk .com) (exploit_kit.rules)
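Added example, not Proofpoint or Emerging Threats tooling: a parser for the entry format used throughout this summary (`• <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)`, grouped under the headings "Added rules" / "Open", "Modified inactive rules" and "Disabled and modified rules"). It pulls the defanged domains out of the new rules' messages and refangs them for blocklist or hunting use, and flags any rule that ET modified while keeping it disabled upstream but that you force-enable locally, since the body you originally reviewed is no longer the one that loads. The SAMPLE excerpt is constructed from lines of this page, and the set of locally enabled SIDs passed to `review_overrides` is an assumption for the demo.

```python
"""Parse an Emerging Threats ruleset update summary into structured entries.

Added example for this page, not Proofpoint/ET tooling. It assumes the layout
seen above: section headers ending in ':' ("Added rules", "Open", "Modified
inactive rules", ...) and entries shaped like
  • <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)
"""
import re
from collections import Counter
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?P<sid>\d+)\s+-\s+"
    r"(?P<msg>(?P<ruleset>ETPRO|ET)\s+(?P<category>[A-Z_]+)\s.*?)"
    r"\s+\((?P<file>[a-z_]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*$")
# A defanged domain in parentheses: "(xboxplayservice .com)" or
# "(uaeairchecks .azurewebsites .net in TLS SNI)".
DOMAIN_RE = re.compile(
    r"\(([a-z0-9][a-z0-9.-]*(?:\s\.[a-z0-9-]+)+)(?:\s+in TLS SNI)?\)"
)
TIERS = {"Open", "Pro"}  # sub-headings under "Added rules"
INACTIVE_SECTIONS = {"Modified inactive rules", "Disabled and modified rules"}


@dataclass(frozen=True)
class Entry:
    section: str     # "Added rules", "Disabled and modified rules", ...
    tier: str        # "Open" / "Pro" sub-heading, "" when none applies
    sid: int
    ruleset: str     # "ET" (open) or "ETPRO"
    category: str    # "MALWARE", "PHISHING", "INFO", ...
    msg: str         # full rule message as printed in the summary
    rules_file: str  # e.g. "malware.rules"


def parse_summary(text: str) -> list[Entry]:
    """Walk the summary line by line, tracking the current section heading."""
    section, tier, entries = "", "", []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, tier, int(m["sid"]), m["ruleset"],
                                 m["category"], m["msg"], m["file"]))
            continue
        h = SECTION_RE.match(line)
        if h:
            if h["name"] in TIERS:
                tier = h["name"]
            else:
                section, tier = h["name"], ""
    return entries


def refang(domain: str) -> str:
    """Turn the summary's defanged 'example .com' back into example.com."""
    return re.sub(r"\s+\.", ".", domain)


def indicator_domains(entries: list[Entry], section: str = "Added rules") -> dict[str, int]:
    """Domains named in new rules' messages, mapped to the first SID naming them."""
    found: dict[str, int] = {}
    for e in entries:
        if e.section == section and (m := DOMAIN_RE.search(e.msg)):
            found.setdefault(refang(m.group(1)), e.sid)
    return found


def review_overrides(entries: list[Entry], locally_enabled: set[int]) -> list[Entry]:
    """Rules ET changed while keeping them disabled upstream that you force-enable
    locally (e.g. suricata-update enable.conf): the body you reviewed is no longer
    the one that loads, so re-read the new rule before keeping the override."""
    return sorted((e for e in entries
                   if e.section in INACTIVE_SECTIONS and e.sid in locally_enabled),
                  key=lambda e: e.sid)


def count_by_section(entries: list[Entry]) -> dict[str, int]:
    return dict(Counter(e.section for e in entries))


# Constructed excerpt, built from lines of this summary, for a stand-alone run.
SAMPLE = """\
Added rules:

Open:

  • 2051159 - ET MALWARE DNS Query to TA455 Domain (xboxplayservice .com) (malware.rules)
  • 2051162 - ET PHISHING DNS Query to TA455 Domain (teledyneflir.com .de) (phishing.rules)
  • 2051403 - ET MALWARE Observed UNC1549/TA455 Domain (refaeldevrssfeed .centralus .cloudapp .azure .com in TLS SNI) (malware.rules)
  • 2051433 - ET INFO Impacket Framework Default SMB NTLMSSP Challenge (info.rules)

Modified inactive rules:

  • 2024277 - ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1 (web_specific_apps.rules)
  • 2804115 - ETPRO USER_AGENTS User-Agent (Mozilla/4.0 competible) (user_agents.rules)

Disabled and modified rules:

  • 2050582 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bombertublestylebanws .fun) (malware.rules)
  • 2050607 - ET INFO Observed DNS Over HTTPS Domain (filter .das .sch .id in TLS SNI) (info.rules)
"""

if __name__ == "__main__":
    ents = parse_summary(SAMPLE)
    print(count_by_section(ents))
    for domain, sid in indicator_domains(ents).items():
        print(f"{sid}\t{domain}")
    # Hypothetical local enable.conf contents, an assumption for the demo.
    for e in review_overrides(ents, {2024277, 2050607, 2051159}):
        print("re-review override:", e.sid, e.msg)
```

Feed the full summary text to `parse_summary` in place of SAMPLE to process a whole release; `indicator_domains` deliberately ignores entries whose parenthesised text is not a defanged domain (a CVE id, a User-Agent string), so the Impacket and WordPress entries contribute no indicator.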

Modified inactive rules:

  • 2001539 - ET ADWARE_PUP Spyspotter.com Access Likely Spyware (adware_pup.rules)
  • 2003341 - ET ADWARE_PUP Baidu.com Spyware Bar Pulling Content (adware_pup.rules)
  • 2003578 - ET ADWARE_PUP Baidu.com Spyware Bar Pulling Data (adware_pup.rules)
  • 2008500 - ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup) (adware_pup.rules)
  • 2011988 - ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI (exploit_kit.rules)
  • 2015019 - ET MALWARE W32/Icoo CnC Checkin (malware.rules)
  • 2015783 - ET EXPLOIT_KIT BegOp Exploit Kit Payload (exploit_kit.rules)
  • 2017125 - ET WEB_CLIENT Probable FlimKit Redirect July 10 2013 (web_client.rules)
  • 2019343 - ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set) (current_events.rules)
  • 2020984 - ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015 (exploit_kit.rules)
  • 2023352 - ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 (exploit_kit.rules)
  • 2023353 - ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2 (exploit_kit.rules)
  • 2023757 - ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24 (web_client.rules)
  • 2024059 - ET PHISHING Successful iCloud Phish Mar 15 2017 (phishing.rules)
  • 2024277 - ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1 (web_specific_apps.rules)
  • 2024428 - ET ADWARE_PUP InstallCore Variant CnC Checkin (adware_pup.rules)
  • 2024441 - ET MALWARE Tinba CnC Checkin (malware.rules)
  • 2024679 - ET MALWARE Win32/Unk.Bot CnC Checkin (malware.rules)
  • 2803734 - ETPRO MALWARE TrojanProxy.Ukstories.e User-Agent (mcsmss) (malware.rules)
  • 2803790 - ETPRO ADWARE_PUP Win32/Gabpath User-Agent (FPUpdater) (adware_pup.rules)
  • 2803805 - ETPRO MALWARE Win32/Hermes.B@mm User-Agent (Hermes) (malware.rules)
  • 2803809 - ETPRO ADWARE_PUP Win32/Adware.GabPath.BM User-Agent (Blammi) (adware_pup.rules)
  • 2803832 - ETPRO ADWARE_PUP Win32/Adware.GabPath.CB User-Agent (FPInstaller) (adware_pup.rules)
  • 2803839 - ETPRO ADWARE_PUP Adware.Win32/Gabpath User-Agent (BMRecover) (adware_pup.rules)
  • 2803872 - ETPRO ADWARE_PUP AdWare.Win32.Gabpath User-Agent (OCInstaller) (adware_pup.rules)
  • 2803873 - ETPRO ADWARE_PUP AdWare.Win32.Gabpath User-Agent (Oncues) (adware_pup.rules)
  • 2803885 - ETPRO MALWARE Win32/Calelk.C User-Agent (Informer) (malware.rules)
  • 2803900 - ETPRO MALWARE Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Googleusercontent Translate (malware.rules)
  • 2803931 - ETPRO ADWARE_PUP W32/Gabpath.A.gen!Eldorado User-Agent (OCRecover) (adware_pup.rules)
  • 2803934 - ETPRO MALWARE Backdoor.Win32.Sheldor.dt User-Agent (x3) (malware.rules)
  • 2803947 - ETPRO ADWARE_PUP Win32/Gabpath User-Agent (WhereSphere) (adware_pup.rules)
  • 2803949 - ETPRO ADWARE_PUP Win32/Jinzie User-Agent (PopRocks) (adware_pup.rules)
  • 2803954 - ETPRO MALWARE Win32.Malware.XGW@aSlsEHbG User-Agent (olesio) (malware.rules)
  • 2803995 - ETPRO MALWARE Win32/Kryptik.UNM User-Agent (bansol) (malware.rules)
  • 2804002 - ETPRO MALWARE Win32/Rimecud.A User-Agent (stalone) (malware.rules)
  • 2804009 - ETPRO MALWARE Backdoor.Win32/Hanove.A User-Agent (SIMPLE) (malware.rules)
  • 2804023 - ETPRO MALWARE Win32/Rimecud.A User-Agent (chuck) (malware.rules)
  • 2804025 - ETPRO MALWARE Win32/Kryptik.UNM User-Agent (wolf) (malware.rules)
  • 2804036 - ETPRO MALWARE Win32/Kryptik.UNM User-Agent (dieter) (malware.rules)
  • 2804037 - ETPRO MALWARE Generic.Malware.dld!!.9C8D00AA User-Agent (*!%) (malware.rules)
  • 2804038 - ETPRO MALWARE Generic.Malware.dld!!.9C8D00AA User-Agent (microsoft.com) (malware.rules)
  • 2804049 - ETPRO MALWARE Win32/Malushka.A User-Agent (netboom) (malware.rules)
  • 2804057 - ETPRO MALWARE Win32/Rimecud.A User-Agent (solders) (malware.rules)
  • 2804058 - ETPRO MALWARE W32/Rimecud.gen.cr User-Agent (goci) (malware.rules)
  • 2804060 - ETPRO MALWARE Win32/Rimecud.A User-Agent (cadara) (malware.rules)
  • 2804068 - ETPRO MALWARE Trojan.Win32.Agent2.lpa User-Agent (Ali) (malware.rules)
  • 2804069 - ETPRO MALWARE Trojan.Win32.Agent2.lpa User-Agent (Exp) (malware.rules)
  • 2804081 - ETPRO MALWARE Trojan-Dropper.Win32.Injector.uua User-Agent (google___) (malware.rules)
  • 2804104 - ETPRO ADWARE_PUP AdWare.Win32.EzSearch.g User-Agent (WindowEzSearch) - Likely Trojan (adware_pup.rules)
  • 2804114 - ETPRO USER_AGENTS User-Agent (Mozila Firefox) (user_agents.rules)
  • 2804115 - ETPRO USER_AGENTS User-Agent (Mozilla/4.0 competible) (user_agents.rules)
  • 2804168 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.ddns.mobi Domain (info.rules)
  • 2804216 - ETPRO ADWARE_PUP AdWare.Win32.SmartSearch!IK User-Agent (SmartSearch) (adware_pup.rules)
  • 2804218 - ETPRO ADWARE_PUP AdWare.Win32.Wizpop User-Agent (WizSearch) (adware_pup.rules)
  • 2804219 - ETPRO ADWARE_PUP Adware.SearchGuard User-Agent (searchguard) (adware_pup.rules)
  • 2804385 - ETPRO MALWARE Win32/SouGouDownloader.A User-Agent (SouGouDownloader) (malware.rules)
  • 2804403 - ETPRO MALWARE Trojan.Win32.Menti.kgbj User-Agent (malware.rules)
  • 2804410 - ETPRO MALWARE Win32/Banload.AGV User-Agent (BOTPA5BG8S) (malware.rules)
  • 2804411 - ETPRO MALWARE Trojan.Win32.Swisyn.mtz User-Agent (SALLAMAILZILLA) (malware.rules)
  • 2804526 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.aafb User-Agent (cibabam) (malware.rules)
  • 2804536 - ETPRO ADWARE_PUP Adware.EoRezo.T User-Agent (EoEngine) (adware_pup.rules)
  • 2804695 - ETPRO MALWARE Hutizu Rootkit Checkin User-Agent (malware.rules)
  • 2804734 - ETPRO USER_AGENTS User-Agent (GPRemove) (user_agents.rules)
  • 2804747 - ETPRO MALWARE Rogue.Win32/Onescan User-Agent (fileboan_install) (malware.rules)
  • 2804997 - ETPRO MALWARE Trojan/Swisyn.wvn User-Agent (Injection) (malware.rules)
  • 2805021 - ETPRO ADWARE_PUP Adware.CasinoClient User-Agent(caszx) (adware_pup.rules)
  • 2805036 - ETPRO MALWARE TrojanDownloader.Banload.brce Checkin (malware.rules)
  • 2805109 - ETPRO MALWARE Win32/Hupigon.DZ User-Agent (IEFILES.INS) (malware.rules)
  • 2805290 - ETPRO MALWARE Win32/VBInject.QW User-Agent (Sek8War) (malware.rules)
  • 2805401 - ETPRO MALWARE Variant.Barys.4238 User-Agent (malware.rules)
  • 2805569 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.FS User-Agent(inter) (adware_pup.rules)
  • 2812237 - ETPRO PHISHING Possible Successful Generic Phish July 28 (phishing.rules)
  • 2814349 - ETPRO WEB_CLIENT Possible Microsoft Edge XSS Filter Bypass (CVE-2015-6058) (web_client.rules)
  • 2815805 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing URI Struct Jan 14 M2 (exploit_kit.rules)
  • 2815806 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing URI Struct Jan 14 M3 (exploit_kit.rules)
  • 2815951 - ETPRO PHISHING Successful Suntrust Bank Phish M2 Jan 25 2016 (phishing.rules)
  • 2816085 - ETPRO ADWARE_PUP MSIL/Adload.AT Beacon (adware_pup.rules)
  • 2816905 - ETPRO PHISHING Bradesco Bank Phishing Landing Apr 5 2016 (phishing.rules)
  • 2819782 - ETPRO MALWARE CrimeScene Mailer Requesting Config (malware.rules)
  • 2819807 - ETPRO PHISHING Redirect to Adobe Shared Document Phishing M1 Apr 15 2016 (phishing.rules)
  • 2819808 - ETPRO PHISHING Redirect to Adobe Shared Document Phishing M2 Apr 15 2016 (phishing.rules)
  • 2820855 - ETPRO PHISHING Phishing Landing via yolasite.com Jun 24 M1 (phishing.rules)
  • 2822552 - ETPRO PHISHING Successful Gmail Phish Oct 10 2016 (phishing.rules)
  • 2822584 - ETPRO MALWARE Ursnif Variant CnC Beacon 6 (malware.rules)
  • 2822661 - ETPRO PHISHING Successful Alibaba Phish M1 Oct 17 2016 (phishing.rules)
  • 2823077 - ETPRO EXPLOIT_KIT GreenFlash SunDown EK Flash Exploit (exploit_kit.rules)
  • 2823079 - ETPRO MALWARE APT28 DealersChoice CnC Beacon M2 (malware.rules)
  • 2823333 - ETPRO EXPLOIT_KIT Possible Evil Redirect to EK or Other Nov 17 2016 (exploit_kit.rules)
  • 2823339 - ETPRO EXPLOIT_KIT Sundown/Xer EK Landing Page Nov 17 2016 (exploit_kit.rules)
  • 2823363 - ETPRO MALWARE Locky CnC Checkin Nov 18 2016 (malware.rules)
  • 2823516 - ETPRO PHISHING Successful Banco do Brasil Phish M3 Nov 29 2016 (phishing.rules)
  • 2823520 - ETPRO MALWARE MalDoc Request for Payload Nov 28 2016 (malware.rules)
  • 2823539 - ETPRO EXPLOIT_KIT Evil scriptjs Redirect to EK Nov 29 2016 (exploit_kit.rules)
  • 2823551 - ETPRO PHISHING Successful Paypal Phish Nov 30 2016 (phishing.rules)
  • 2823569 - ETPRO EXPLOIT_KIT Sednit EK Reporting System Info Dec 01 2016 (exploit_kit.rules)
  • 2823601 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Dec 02 2016 (phishing.rules)
  • 2823603 - ETPRO MALWARE MSIL.Unknown Checkin (malware.rules)
  • 2823860 - ETPRO PHISHING Drivesafe.org.uk Phishing Landing Dec 13 2016 (phishing.rules)
  • 2823948 - ETPRO MALWARE Unknown Checkin (malware.rules)
  • 2823975 - ETPRO PHISHING Successful International Card Services Phish M1 Dec 20 2016 (phishing.rules)
  • 2824284 - ETPRO PHISHING Phishing Landing Checking Browser/OS/Platform Phish Jan 09 2017 (phishing.rules)
  • 2824551 - ETPRO EXPLOIT_KIT SunDown EK Landing Jan 20 2016 M2 (exploit_kit.rules)
  • 2824749 - ETPRO PHISHING Successful Apple iCloud Phish M2 Feb 02 2017 (phishing.rules)
  • 2824776 - ETPRO EXPLOIT_KIT SunDown EK Flash Exploit Dec 13 2016 M2 (exploit_kit.rules)
  • 2824778 - ETPRO EXPLOIT_KIT Possible EITest SocEng Chrome Fonts DL Feb 06 M2 (exploit_kit.rules)
  • 2824910 - ETPRO EXPLOIT_KIT Possible Secondary SunDown EK Landing URI Struct Jan 05 2017 (exploit_kit.rules)
  • 2825010 - ETPRO PHISHING Successful Generic Personalized Email Phish Feb 16 2017 (phishing.rules)
  • 2825098 - ETPRO PHISHING Successful Google Drive Phish Feb 22 2017 (phishing.rules)
  • 2825235 - ETPRO MALWARE Win32/Unk.Downloader Retrieving Payload Mar 3 2017 (malware.rules)
  • 2825295 - ETPRO MALWARE MSIL/Neptune Reporting System Information (malware.rules)
  • 2825314 - ETPRO PHISHING Successful Office 365 Encrypted Mail Phish Mar 09 2017 (phishing.rules)
  • 2825960 - ETPRO PHISHING Successful Blockchain Phish Apr 13 2017 (phishing.rules)
  • 2826133 - ETPRO EXPLOIT_KIT Astrum EK Activity M1 Apr 26 2017 (exploit_kit.rules)
  • 2826134 - ETPRO EXPLOIT_KIT Astrum EK Activity M2 Apr 26 2017 (exploit_kit.rules)
  • 2826159 - ETPRO PHISHING Possible Successful Credential Phish via JS Form in PDF Apr 27 2017 (phishing.rules)
  • 2826472 - ETPRO PHISHING Successful Google Antispam Phish (RU) May 22 2017 (phishing.rules)
  • 2826817 - ETPRO MALWARE W97M.Downloader attempting to retrieve payload (malware.rules)
  • 2826892 - ETPRO PHISHING Successful Paypal Phish (DE) Jun 26 2017 (phishing.rules)
  • 2826923 - ETPRO PHISHING Successful Apple Phish Jun 28 2017 (phishing.rules)
  • 2827027 - ETPRO MALWARE Unknown CnC Beacon (malware.rules)
  • 2827259 - ETPRO MALWARE MalDoc Retrieving Payload July 20 2017 M1 (malware.rules)
  • 2827374 - ETPRO MALWARE Win32/CoinMiner.ALH CnC Checkin Attempt (malware.rules)
  • 2827775 - ETPRO MALWARE MSIL/CA MacroBot CnC Activity (malware.rules)
  • 2828108 - ETPRO MALWARE Win32/Agent.SUP CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2050582 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bombertublestylebanws .fun) (malware.rules)
  • 2050607 - ET INFO Observed DNS Over HTTPS Domain (filter .das .sch .id in TLS SNI) (info.rules)
  • 2050611 - ET INFO Observed DNS Over HTTPS Domain (dns-fr-psv1 .cloudsides .com in TLS SNI) (info.rules)
  • 2050612 - ET INFO Observed DNS Over HTTPS Domain (los .conana .info in TLS SNI) (info.rules)
  • 2050613 - ET INFO Observed DNS Over HTTPS Domain (block .coconut .id in TLS SNI) (info.rules)
  • 2050614 - ET INFO Observed DNS Over HTTPS Domain (fezgate .ovh in TLS SNI) (info.rules)
  • 2050616 - ET INFO Observed DNS Over HTTPS Domain (uradoori .org in TLS SNI) (info.rules)
  • 2050617 - ET INFO Observed DNS Over HTTPS Domain (jp .conana .info in TLS SNI) (info.rules)
  • 2050618 - ET INFO Observed DNS Over HTTPS Domain (adguard .gewete .cloud in TLS SNI) (info.rules)
  • 2050621 - ET INFO Observed DNS Over HTTPS Domain (dns .haboy .top in TLS SNI) (info.rules)
  • 2050623 - ET INFO Observed DNS Over HTTPS Domain (naganohara-yoimiya .momokko .moe in TLS SNI) (info.rules)
  • 2050624 - ET INFO Observed DNS Over HTTPS Domain (socolov .home .ro in TLS SNI) (info.rules)
  • 2050625 - ET INFO Observed DNS Over HTTPS Domain (shield1 .eranext .net in TLS SNI) (info.rules)