Ruleset Update Summary - 2024/03/05 - v10545

Summary:

29 new OPEN, 36 new PRO (29 + 7)

Thanks @RussianPanda9xx, @Jane0sint


Added rules:

Open:

  • 2051468 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (developmentalveiop .homes) (malware.rules)
  • 2051469 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unhappytidydryypwto .shop) (malware.rules)
  • 2051470 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fun) (malware.rules)
  • 2051471 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bleednumberrottern .homes) (malware.rules)
  • 2051472 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (princeaccessiblepo .shop) (malware.rules)
  • 2051473 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) (malware.rules)
  • 2051474 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hunterstrawmersp .homes) (malware.rules)
  • 2051475 - ET MALWARE Observed Lumma Stealer Related Domain (developmentalveiop .homes in TLS SNI) (malware.rules)
  • 2051476 - ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) (malware.rules)
  • 2051477 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fun in TLS SNI) (malware.rules)
  • 2051478 - ET MALWARE Observed Lumma Stealer Related Domain (bleednumberrottern .homes in TLS SNI) (malware.rules)
  • 2051479 - ET MALWARE Observed Lumma Stealer Related Domain (princeaccessiblepo .shop in TLS SNI) (malware.rules)
  • 2051480 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fun in TLS SNI) (malware.rules)
  • 2051481 - ET MALWARE Observed Lumma Stealer Related Domain (hunterstrawmersp .homes in TLS SNI) (malware.rules)
  • 2051482 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .funj) (malware.rules)
  • 2051483 - ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .funj in TLS SNI) (malware.rules)
  • 2051484 - ET INFO DNS Query to 2zie File Sharing Service (2zie .com) (info.rules)
  • 2051485 - ET INFO Observed File Sharing Domain (2zie .com in TLS SNI) (info.rules)
  • 2051486 - ET INFO DNS Query to Data Storage Service (s3 .tebi .io) (info.rules)
  • 2051487 - ET INFO Observed Data Storage Service Domain (s3 .tebi .io in TLS SNI) (info.rules)
  • 2051488 - ET INFO Marketing Agency Domain in DNS Lookup (pixelprohn .com) (info.rules)
  • 2051489 - ET INFO Observed Marketing Agency Domain (pixelprohn .com in TLS SNI) (info.rules)
  • 2051490 - ET MALWARE [ANY.RUN] PlanetStealer CnC Checkin (malware.rules)
  • 2051491 - ET MALWARE PlanetStealer CnC Checkin - Server Response (malware.rules)
  • 2051492 - ET MALWARE PlanetStealer Data Exfiltration Attempt (malware.rules)
  • 2051493 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (apicachebot .com) (exploit_kit.rules)
  • 2051494 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (apicachebot .com) (exploit_kit.rules)
  • 2051495 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributors .commdistinc .com) (malware.rules)
  • 2051496 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .distributors .commdistinc .com) (malware.rules)

Pro:

  • 2856442 - ETPRO MALWARE TA399 Related Domain in DNS Lookup (malware.rules)
  • 2856443 - ETPRO MALWARE Observed TA399 Related Domain in TLS SNI (malware.rules)
  • 2856456 - ETPRO MALWARE NetSupport RAT CnC Domain in DNS Lookup (malware.rules)
  • 2856457 - ETPRO MALWARE NetSupport RAT CnC Domain in DNS Lookup (malware.rules)
  • 2856458 - ETPRO MALWARE Observed NetSupport RAT CnC Domain in TLS SNI (malware.rules)
  • 2856459 - ETPRO MALWARE Observed NetSupport RAT CnC Domain in TLS SNI (malware.rules)
  • 2856460 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (ec9cc) (web_client.rules)

Modified active rules:

  • 2029829 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029830 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029831 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029832 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029833 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029835 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2029836 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)
  • 2030586 - ET USER_AGENTS Observed Suspicious UA (.NET Framework Client) (user_agents.rules)
  • 2031147 - ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882) (web_specific_apps.rules)
  • 2031259 - ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2 (exploit.rules)
  • 2031436 - ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request (malware.rules)
  • 2032746 - ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile) (malware.rules)
  • 2033658 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 (malware.rules)
  • 2034874 - ET HUNTING Possible cs2nginx Proxy Redirect (hunting.rules)
  • 2046918 - ET MALWARE NanoCore RAT CnC 28 (malware.rules)
  • 2047064 - ET INFO External IP Check Domain in DNS Lookup (api .ipapi .com) (info.rules)
  • 2047065 - ET INFO Observed External IP Check Domain (api .ipapi .com in TLS SNI) (info.rules)
  • 2047079 - ET INFO External IP Check Domain in DNS Lookup (ip .cn) (info.rules)
  • 2047080 - ET INFO Observed External IP Lookup Domain (ip .cn in TLS SNI) (info.rules)
  • 2047081 - ET INFO External IP Check Domain in DNS Lookup (ip .me) (info.rules)
  • 2047082 - ET INFO Observed External IP Lookup Domain (ip .me in TLS SNI) (info.rules)
  • 2049465 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupport .com) (malware.rules)
  • 2049466 - ET MALWARE Observed Suspected TA453 Related Domain (metasupport .com in TLS SNI) (malware.rules)
  • 2050659 - ET WEB_CLIENT Zimbra zauthtoken Exfil Domain in DNS Lookup (zimbrauser .me) (web_client.rules)
  • 2050660 - ET WEB_CLIENT Observed Zimbra zauthtoken Exfil Domain (zimbrauser .me in TLS SNI) (web_client.rules)
  • 2050661 - ET INFO URL Shortening Service Domain in DNS Lookup (ddsl .me) (info.rules)
  • 2050662 - ET INFO Observed URL Shortening Service Domain (ddsl .me in TLS SNI) (info.rules)
  • 2050663 - ET INFO URL Shortening/File Sharing Service Domain in DNS Lookup (d .pr) (info.rules)
  • 2050664 - ET INFO Observed URL Shortening/File Sharing Service Domain (d .pr in TLS SNI) (info.rules)
  • 2050671 - ET INFO Observed DNS Over HTTPS Domain (yunyun .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050672 - ET INFO Observed DNS Over HTTPS Domain (megumin .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050673 - ET INFO Observed DNS Over HTTPS Domain (aqua .is .my .waifu .cz in TLS SNI) (info.rules)
  • 2050675 - ET INFO Observed DNS Over HTTPS Domain (doh .dns-ga .de in TLS SNI) (info.rules)
  • 2050688 - ET INFO URL Shortening Service Domain in DNS Lookup (fancli .com) (info.rules)
  • 2050689 - ET INFO Observed URL Shortening Service Domain (fancli .com in TLS SNI) (info.rules)
  • 2050690 - ET INFO URL Shortening Service Domain in DNS Lookup (pimlm .com) (info.rules)
  • 2050691 - ET INFO Observed URL Shortening Service Domain (pimlm .com in TLS SNI) (info.rules)
  • 2840117 - ETPRO HUNTING Base64 Encoded EXE Content-Type Mismatch (audio/mpeg) (hunting.rules)
  • 2841878 - ETPRO MALWARE Observed Office Doc with Reversed Strings Inbound (malware.rules)
  • 2842058 - ETPRO MALWARE MalDoc Retrieving Payload 2020-04-16 M1 (malware.rules)
  • 2842152 - ETPRO MALWARE Win32/Vollgar RAT CnC Checkin (malware.rules)
  • 2842256 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin (malware.rules)
  • 2842539 - ETPRO HUNTING Suspicious Directory in URI String (wpcontent) (hunting.rules)
  • 2842563 - ETPRO HUNTING EXE Request to NOIP DynDNS Domain (hunting.rules)
  • 2843207 - ETPRO MALWARE ToxicEye Stealer Command via Telegram (starting autostealer) (malware.rules)
  • 2843208 - ETPRO MALWARE ToxicEye Stealer Command via Telegram (uploading file) (malware.rules)
  • 2843473 - ETPRO USER_AGENTS Observed Suspicious UA (Downloader500) (user_agents.rules)
  • 2843622 - ETPRO MALWARE Likely Evil Powershell Inbound (Invoke-Mimikatz) (malware.rules)
  • 2843799 - ETPRO MALWARE Observed Kerber0sB0t User-Agent (malware.rules)
  • 2843800 - ETPRO MALWARE Win32/Kerber0sB0t CnC Activity (malware.rules)
  • 2843856 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 (malware.rules)
  • 2844925 - ETPRO ADWARE_PUP Observed Suspicious UA (HaxRebornLoader) (adware_pup.rules)
  • 2845138 - ETPRO MALWARE Cobalt Strike Malleable C2 (Pingan Profile) (malware.rules)
  • 2845168 - ETPRO MALWARE Cobalt Strike Malleable C2 (JQuery Profile) M3 (malware.rules)
  • 2845291 - ETPRO POLICY HTTP Request for named PuTTY SCP Client exe (policy.rules)
  • 2845476 - ETPRO MALWARE Reversed Base64 Encoded EXE Inbound (malware.rules)
  • 2845511 - ETPRO MALWARE MuddyWater/SHARPSTATS System Info Exfil (malware.rules)
  • 2845963 - ETPRO MALWARE Cobalt Strike Malleable C2 (Custom Webex Profile) (malware.rules)
  • 2846163 - ETPRO HUNTING Long Strings of Asterisk - Possible Exfil in POST Body (hunting.rules)
  • 2846296 - ETPRO EXPLOIT Joomla CMS 1.7.0-3.9.22 ACL Write/Privilege Escalation (CVE-2020-35616) (exploit.rules)
  • 2847032 - ETPRO MALWARE Win32/Farfli.RSK!MTB CnC Keep-Alive (Outbound) (malware.rules)
  • 2847037 - ETPRO MALWARE ELF/Mirai Variant CnC Activity (malware.rules)
  • 2847277 - ETPRO MALWARE DownDelph CnC Activity (malware.rules)
  • 2847954 - ETPRO MALWARE Cobalt Strike Malleable C2 (Unknown Profile) (malware.rules)
  • 2851401 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM Checkin 2 (mobile_malware.rules)
  • 2855897 - ETPRO CURRENT_EVENTS Commonly Abused File Hosting Domain in DNS Lookup (current_events.rules)
  • 2855898 - ETPRO CURRENT_EVENTS Observed Commonly Abused File Hosting Domain in TLS SNI (current_events.rules)

Modified inactive rules:

  • 2003394 - ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan (user_agents.rules)
  • 2007692 - ET MALWARE Basine Trojan Checkin (malware.rules)
  • 2007803 - ET MALWARE Win32.Inject.ql Checkin Post (malware.rules)
  • 2007901 - ET MALWARE Banker.OPX HTTP Checkin (malware.rules)
  • 2008004 - ET MALWARE Win32.Agent.cyt (Or variant) HTTP POST Checkin (2) (malware.rules)
  • 2008353 - ET MALWARE CoreFlooder.Q C&C Checkin (malware.rules)
  • 2008431 - ET MALWARE PWS.Gamania Checkin (malware.rules)
  • 2008662 - ET MALWARE Generic PSW Agent server reply (malware.rules)
  • 2008760 - ET MALWARE Insidebar.co.kr Related Infection Checkin (malware.rules)
  • 2008891 - ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin (malware.rules)
  • 2009004 - ET POLICY Login Credentials Possibly Passed in POST Data (policy.rules)
  • 2009517 - ET MALWARE Qhosts Trojan Check-in (malware.rules)
  • 2009518 - ET MALWARE s4t4n1c Trojan Check-in (malware.rules)
  • 2009812 - ET MALWARE AVKiller with Backdoor checkin (malware.rules)
  • 2009830 - ET MALWARE Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (malware.rules)
  • 2010163 - ET MALWARE Glacial Dracon C&C Communication (malware.rules)
  • 2010908 - ET HUNTING Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake (hunting.rules)
  • 2011349 - ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java exploit (exploit_kit.rules)
  • 2011350 - ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java and PDF exploits (exploit_kit.rules)
  • 2011402 - ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound (malware.rules)
  • 2012103 - ET EXPLOIT D-Link bsc_wlan.php Security Bypass (exploit.rules)
  • 2012885 - ET POLICY Http Client Body contains password= in cleartext (policy.rules)
  • 2013166 - ET EXPLOIT 2Wire Password Reset Vulnerability via POST (exploit.rules)
  • 2013351 - ET MALWARE Connectivity Check of Unknown Origin 3 (malware.rules)
  • 2013511 - ET MALWARE Win32/CazinoSilver Checkin (malware.rules)
  • 2013783 - ET MALWARE W32.Duqu UA and Filename Requested (malware.rules)
  • 2013918 - ET EXPLOIT Possible BSNL Router DNS Change Attempt (exploit.rules)
  • 2014152 - ET MALWARE Gozi Checkin to CnC (malware.rules)
  • 2014466 - ET MALWARE Win32.Datamaikon Checkin (malware.rules)
  • 2014777 - ET MALWARE Kazy/Kryptic Checkin with Opera/9 User-Agent (malware.rules)
  • 2015528 - ET MALWARE Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater) (malware.rules)
  • 2016240 - ET EXPLOIT_KIT Impact Exploit Kit Class Download (exploit_kit.rules)
  • 2016721 - ET EXPLOIT_KIT Possible Sakura Jar Download (exploit_kit.rules)
  • 2017546 - ET MALWARE Possible FortDisco POP3 Site list download (malware.rules)
  • 2018300 - ET MALWARE Win32/Stoberox.B (malware.rules)
  • 2018545 - ET EXPLOIT_KIT CottonCastle EK Jar Download Method 2 (exploit_kit.rules)
  • 2020160 - ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015 (web_client.rules)
  • 2020302 - ET MALWARE Dridex Post Checkin Activity 2 (malware.rules)
  • 2020342 - ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 01 2015 M2 (exploit_kit.rules)
  • 2020352 - ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2 (exploit_kit.rules)
  • 2020354 - ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2 (exploit_kit.rules)
  • 2021038 - ET EXPLOIT_KIT CottonCastle/Niteris EK POST Beacon April 29 2015 (exploit_kit.rules)
  • 2021043 - ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015 (exploit_kit.rules)
  • 2021044 - ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015 (exploit_kit.rules)
  • 2021064 - ET EXPLOIT_KIT CottonCastle/Niteris EK Receiving Payload May 7 2015 (exploit_kit.rules)
  • 2021216 - ET INFO Executable Downloaded from Google Cloud Storage (info.rules)
  • 2021249 - ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 11 2015 (exploit_kit.rules)
  • 2021762 - ET EXPLOIT_KIT Spartan EK Secondary Flash Exploit DL (exploit_kit.rules)
  • 2022364 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1 (web_client.rules)
  • 2022365 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2 (web_client.rules)
  • 2022366 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3 (web_client.rules)
  • 2022409 - ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016 (web_client.rules)
  • 2022525 - ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1 (web_client.rules)
  • 2022526 - ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2 (web_client.rules)
  • 2022527 - ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3 (web_client.rules)
  • 2022573 - ET MALWARE Andromeda Download (malware.rules)
  • 2022853 - ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3 (web_client.rules)
  • 2022993 - ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3 (web_client.rules)
  • 2023051 - ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1 (web_client.rules)
  • 2023291 - ET MALWARE BleedingLife EK Payload Delivered (malware.rules)
  • 2023480 - ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1 (exploit_kit.rules)
  • 2023752 - ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017 (web_client.rules)
  • 2800811 - ETPRO MALWARE Trojan.Win32.Infostealer.Nimkey (load) (malware.rules)
  • 2800812 - ETPRO MALWARE Trojan.Win32.Infostealer.Nimkey (upload) (malware.rules)
  • 2800817 - ETPRO MALWARE Win32.Banker.QO Checkin (malware.rules)
  • 2800830 - ETPRO MALWARE Backdoor.Win32.Omexo.C Checkin (malware.rules)
  • 2800964 - ETPRO MALWARE Banker/Banbra.fxe Checkin (malware.rules)
  • 2801242 - ETPRO EXPLOIT CA ARCserve D2D Axis2 Default Credentials (exploit.rules)
  • 2801310 - ETPRO EXPLOIT Oracle GoldenGate Veridata Server XML SOAP Request Buffer Overflow (exploit.rules)
  • 2801368 - ETPRO MALWARE Backdoor.Win32.Talsab.B Reporting Information (malware.rules)
  • 2801426 - ETPRO MALWARE Trojan.Win32.KeyLogger.mww Checkin (malware.rules)
  • 2801428 - ETPRO MALWARE Trojan.Win32.Banker.U Checkin (malware.rules)
  • 2801437 - ETPRO MALWARE Chnsystems.com related trojan checkin (malware.rules)
  • 2801440 - ETPRO MALWARE Trojan.Win32.Tatanarg.A Checkin (malware.rules)
  • 2801635 - ETPRO MALWARE Win32/Rimecud.B Checkin (malware.rules)
  • 2801673 - ETPRO MALWARE Backdoor.Win32.Dtd.A Checkin (malware.rules)
  • 2801966 - ETPRO MALWARE Trojan.Win32.Agent.btm Checkin (malware.rules)
  • 2802919 - ETPRO MALWARE Win32.Banker.bkvg Checkin (malware.rules)
  • 2802996 - ETPRO MALWARE Trojan.Win32.Zboter.E Checkin (malware.rules)
  • 2803021 - ETPRO MALWARE Backdoor.Win32.Ferabsa.A Checkin 2 (malware.rules)
  • 2803097 - ETPRO MALWARE Win32.Cossta.ntv Checkin (malware.rules)
  • 2803123 - ETPRO EXPLOIT IBM Lotus Domino HPRAgentName Parameter Stack Buffer Overflow (exploit.rules)
  • 2803215 - ETPRO MALWARE Win32.Agent.cer Checkin (malware.rules)
  • 2803257 - ETPRO MALWARE Backdoor.Win32.RDPdoor.AE Checkin 2 (malware.rules)
  • 2803258 - ETPRO MALWARE Backdoor.Win32.RDPdoor.AE Checkin 3 (malware.rules)
  • 2803290 - ETPRO WEB_CLIENT Oracle Java Runtime Environment Insecure File Loading (hotspotrc) (web_client.rules)
  • 2803309 - ETPRO MALWARE Win32.Bancos.QSPN Checkin (malware.rules)
  • 2803347 - ETPRO EXPLOIT CA ARCserve D2D GWT RPC Request Credentials Disclosure attempt (exploit.rules)
  • 2803394 - ETPRO MALWARE Trojan.Win32.Banker.BXF Checkin (malware.rules)
  • 2803480 - ETPRO MALWARE Trojan.Win32.Agent.cve Checkin (malware.rules)
  • 2803541 - ETPRO MALWARE Virus.Downloader.Rozena Checkin (malware.rules)
  • 2803547 - ETPRO MALWARE Trojan.Win32.Fucobha.A Checkin 2 (malware.rules)
  • 2803595 - ETPRO WEB_SERVER Microsoft Report Viewer control Cross-Site Scripting 2 (web_server.rules)
  • 2803625 - ETPRO EXPLOIT HP SiteScope integrationViewer Default Credentials 1 (exploit.rules)
  • 2803712 - ETPRO MALWARE Backdoor.Win32.Qinubot.A Checkin 1 (malware.rules)
  • 2803713 - ETPRO MALWARE Backdoor.Win32.Qinubot.A Checkin 2 (malware.rules)
  • 2803755 - ETPRO MALWARE Trojan.Win32.Banker.slrj Checkin 2 (malware.rules)
  • 2803762 - ETPRO MALWARE Backdoor.Win32.Zapchast.qz Checkin 2 (malware.rules)
  • 2803958 - ETPRO EXPLOIT HP Power Manager formExportDataLogs Buffer Overflow (exploit.rules)
  • 2804056 - ETPRO MALWARE Win32/Banload.ADT Checkin (malware.rules)
  • 2804183 - ETPRO MALWARE Trojan-Downloader.Win32.AutoIt.sp Checkin (malware.rules)
  • 2804223 - ETPRO MALWARE Win32/Nuwar.gen!lds Checkin (malware.rules)
  • 2804228 - ETPRO MALWARE Trojan-Banker.Win32.Qhost.miq Checkin (malware.rules)
  • 2804260 - ETPRO MALWARE TrojanDownloader.Win32/Bredolab.AJ Checkin (malware.rules)
  • 2804279 - ETPRO MALWARE Backdoor.Win32/Smadow.gen!B Checkin (malware.rules)
  • 2804289 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.zpaf Checkin (malware.rules)
  • 2804303 - ETPRO MALWARE Win32/Klovbot.B Checkin (malware.rules)
  • 2804513 - ETPRO WEB_SERVER Microsoft SharePoint Server XSS attempt 2 (web_server.rules)
  • 2804605 - ETPRO MALWARE Trojan-Spy.Win32.Agent.byhm Checkin (malware.rules)
  • 2804610 - ETPRO MALWARE Trojan.Win32.Chifrax.dgn Checkin (malware.rules)
  • 2804674 - ETPRO MALWARE Trojan-Downloader.Win32.Delf.dpy Checkin (malware.rules)
  • 2804870 - ETPRO MALWARE Backdoor.Win32.Autocrat.b Checkin (malware.rules)
  • 2804904 - ETPRO MALWARE Trojan.Autoit-124 Checkin (malware.rules)
  • 2804924 - ETPRO MALWARE Trojan-Downloader.Win32.Banload.buij Checkin (malware.rules)
  • 2804974 - ETPRO MALWARE Trojan.Win32.Spy!IK Checkin (malware.rules)
  • 2805237 - ETPRO MALWARE HTTP Request to FinFisher Spy Kit Domain (ff-demo.blogdns.org) (malware.rules)
  • 2805623 - ETPRO MALWARE Win32/Banload.ALA CnC Response (malware.rules)
  • 2805666 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.zdmn Redirection (malware.rules)
  • 2805737 - ETPRO MALWARE Win32.Worm.Winko.I Checkin (malware.rules)
  • 2805824 - ETPRO MALWARE Mal/FakeSg-B Checkin (malware.rules)
  • 2809703 - ETPRO MALWARE INFOSTEALER.LIMITAIL Checkin (malware.rules)
  • 2810409 - ETPRO POLICY ge.tt file download (policy.rules)
  • 2811867 - ETPRO MALWARE Win32/Unknown Checkin (malware.rules)
  • 2811973 - ETPRO MALWARE Win32/Korplug.FO Checkin (malware.rules)
  • 2812068 - ETPRO MALWARE Win32/Ransomware Inbound PowerShell Payload (malware.rules)
  • 2812119 - ETPRO MALWARE Win32/Banload.BBN Checkin (malware.rules)
  • 2814131 - ETPRO MALWARE W32/Unknown.JP Checkin (malware.rules)
  • 2814766 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M3 (exploit_kit.rules)
  • 2814898 - ETPRO PHISHING Adobe Shared Document Base64 Phishing Landing Nov 12 (phishing.rules)
  • 2814947 - ETPRO PHISHING Obfuscated JS Xor Phishing Landing Nov 16 (phishing.rules)
  • 2815238 - ETPRO PHISHING Base64 Obfuscated Phishing Landing Dec 8 (phishing.rules)
  • 2815239 - ETPRO MALWARE TA402/Molerats GazaHacker Checkin (malware.rules)
  • 2815681 - ETPRO EXPLOIT_KIT Possible Sundown/Xer EK Payload DL Jan 10 2015 (exploit_kit.rules)
  • 2816291 - ETPRO PHISHING Igg.biz Phishing Redirector Feb 17 (phishing.rules)
  • 2816330 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload VarLen XOR (Nulls) M2 (exploit_kit.rules)
  • 2816455 - ETPRO PHISHING Successful Apple Phish Mar 1 M4 (phishing.rules)
  • 2816490 - ETPRO PHISHING Apple Phishing Landing Redirect M1 Mar 02 2016 (phishing.rules)
  • 2816640 - ETPRO MALWARE Win32/TrojanDownloader.Banload Downloading Module (malware.rules)
  • 2819882 - ETPRO EXPLOIT_KIT Possible Nuclear EK IE PostBack Response M1 Apr 20 2016 (exploit_kit.rules)
  • 2819900 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Apr 21 2016 (web_client.rules)
  • 2820332 - ETPRO PHISHING Tripod/Lycos Spanish Webmail Phishing Landing Page May 24 M1 (phishing.rules)
  • 2820355 - ETPRO PHISHING Phishing Fake Document Loading Messages May 25 (phishing.rules)
  • 2820463 - ETPRO PHISHING Email Login Phishing Landing Jun 2 (phishing.rules)
  • 2820564 - ETPRO WEB_CLIENT Evil Redirector Leading to EK EITest Jun 10 2016 (No Flash) (web_client.rules)
  • 2820756 - ETPRO EXPLOIT_KIT SunDown EK Payload June 20 2016 M2 (exploit_kit.rules)
  • 2820841 - ETPRO EXPLOIT_KIT SunDown EK Landing June 21 2016 M1 (exploit_kit.rules)
  • 2821014 - ETPRO HUNTING suspicious .CAB containing single executable file inbound (observed in maldoc campaign) (hunting.rules)
  • 2821941 - ETPRO PHISHING Successful FR Paypal Phish Aug 31 2016 (phishing.rules)
  • 2821966 - ETPRO PHISHING Successful Expedia Partner Central Phish Aug 31 2016 (phishing.rules)
  • 2822749 - ETPRO PHISHING Successful NatWest Bank Phish M1 Oct 19 2016 (phishing.rules)
  • 2822750 - ETPRO PHISHING Successful NatWest Bank Phish M2 Oct 19 2016 (phishing.rules)
  • 2822813 - ETPRO PHISHING Successful NAB Bank Phish Oct 21 2016 (phishing.rules)
  • 2822933 - ETPRO PHISHING Paypal Phishing Landing M1 Oct 26 2016 (phishing.rules)
  • 2823254 - ETPRO MALWARE ScanPOS Exfiltrating CC Data (malware.rules)
  • 2823352 - ETPRO PHISHING Successful Sparkasse Bank Phish Nov 18 2016 (phishing.rules)
  • 2823359 - ETPRO PHISHING Office 365 Phishing Landing Nov 18 2016 (phishing.rules)
  • 2823876 - ETPRO PHISHING HM Revenue Phishing Landing Dec 14 2016 (phishing.rules)
  • 2823912 - ETPRO PHISHING Google Drive Phishing Landing Redirect Dec 15 2016 (phishing.rules)
  • 2824404 - ETPRO PHISHING Successful Bank of America Phish Jan 12 2017 (phishing.rules)
  • 2824594 - ETPRO PHISHING Successful Paypal Phish Jan 24 M1 2016 (phishing.rules)
  • 2824946 - ETPRO PHISHING Microsoft Live External Link Phishing Landing Feb 14 2017 (phishing.rules)
  • 2825701 - ETPRO PHISHING Adobe Nested Data URI Phishing Landing Apr 3 2017 (phishing.rules)
  • 2825916 - ETPRO PHISHING Successful Santander Phish Apr 11 2017 (phishing.rules)
  • 2826936 - ETPRO PHISHING Successful Navy Federal Phish Jun 29 2017 (phishing.rules)
  • 2827048 - ETPRO PHISHING Successful Bank of America Phish M1 Jul 07 2017 (phishing.rules)

Disabled and modified rules:

  • 2029291 - ET MALWARE Observed Nemty Ransomware Payment Page (malware.rules)
  • 2029802 - ET MALWARE FTCode Stealer Init Activity (malware.rules)
  • 2033044 - ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19 (malware.rules)
  • 2036308 - ET MALWARE Win32/Blacktech Plead CnC Activity (GET) (malware.rules)
  • 2050628 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fantasticabnormally .shop) (malware.rules)
  • 2050629 - ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI) (malware.rules)
  • 2050665 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (knonkcdalfyhitt .shop) (malware.rules)
  • 2050666 - ET MALWARE Observed Lumma Stealer Related Domain (knonkcdalfyhitt .shop in TLS SNI) (malware.rules)
  • 2050667 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (birdvigorousedetertyw .shop) (malware.rules)
  • 2050668 - ET MALWARE Observed Lumma Stealer Related Domain (birdvigorousedetertyw .shop in TLS SNI) (malware.rules)
  • 2050669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telldruggcommitetter .shop) (malware.rules)
  • 2050670 - ET MALWARE Observed Lumma Stealer Related Domain (telldruggcommitetter .shop in TLS SNI) (malware.rules)
  • 2050685 - ET INFO Observed DNS Over HTTPS Domain (ad-dns .lista .my .id in TLS SNI) (info.rules)
  • 2050686 - ET INFO Observed DNS Over HTTPS Domain (uf-dns .lista .my .id in TLS SNI) (info.rules)
  • 2844365 - ETPRO MOBILE_MALWARE Android/KCPro Spyware CnC Activity (mobile_malware.rules)
  • 2845849 - ETPRO MALWARE Win32/Backport Backdoor Checkin via SMTP (malware.rules)
  • 2846265 - ETPRO MALWARE Redline - SendClientInfo Request (malware.rules)
  • 2846661 - ETPRO POLICY External IP Address Lookup (eryaz .net) (policy.rules)
  • 2847257 - ETPRO MALWARE Malicious Second Stage Payload Request 2021-02-23 (malware.rules)