Ruleset Update Summary - 2024/03/06 - v10546

rulesbot · March 6, 2024, 9:42pm

Summary:

19 new OPEN, 26 new PRO (19 + 7)

Thanks @rapid7, @TheDFIRReport, @ginkgo

Added rules:

Open:

2051497 - ET MALWARE Suspected Kimsuky APT Related ToddlerShark Activity (POST) (malware.rules)
2051498 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (executivebrakeji .shop) (malware.rules)
2051499 - ET MALWARE Observed Lumma Stealer Related Domain (executivebrakeji .shop in TLS SNI) (malware.rules)
2051500 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (oneclickyporkeiw .fun) (malware.rules)
2051501 - ET MALWARE Observed Lumma Stealer Related Domain (oneclickyporkeiw .fun in TLS SNI) (malware.rules)
2051502 - ET MALWARE TA421 Wineloader CnC Checkin M2 (malware.rules)
2051503 - ET MALWARE TA421 Wineloader CnC Checkin M3 (malware.rules)
2051504 - ET MALWARE TA421 Wineloader CnC Checkin M4 (malware.rules)
2051505 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check (web_specific_apps.rules)
2051506 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt (web_specific_apps.rules)
2051507 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt (web_specific_apps.rules)
2051508 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check (web_specific_apps.rules)
2051509 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1 (web_specific_apps.rules)
2051510 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2 (web_specific_apps.rules)
2051511 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3 (web_specific_apps.rules)
2051512 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4 (web_specific_apps.rules)
2051513 - ET MALWARE Bitter APT Related Activity (GET) (malware.rules)
2051514 - ET HUNTING Windows Scheduled Task XML Response from Server (hunting.rules)
2051515 - ET MALWARE Bitter APT Activity - Secondary Payload Retrieval Attempt (malware.rules)

Pro:

2856461 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856462 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856463 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856464 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
2856465 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
2856466 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
2856467 - ETPRO MALWARE Hello2Malware User-Agent Observed (malware.rules)

Disabled and modified rules:

2018385 - ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014 (malware.rules)
2018396 - ET INFO BrowseTor .onion Proxy Service SSL Cert (info.rules)
2018462 - ET MALWARE W32/Fsysna.Downloader CnC Beacon (malware.rules)
2018477 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply (malware.rules)
2018479 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable (malware.rules)
2048695 - ET MALWARE TA401 Domain in DNS Lookup (isabeljwade .icu) (malware.rules)
2048696 - ET MALWARE TA401 Domain in DNS Lookup (francescatmorrison .icu) (malware.rules)
2048697 - ET MALWARE TA401 Domain in DNS Lookup (jayyburrows .icu) (malware.rules)
2048698 - ET MALWARE TA401 Domain in DNS Lookup (jessicakphillips .icu) (malware.rules)
2048699 - ET MALWARE TA401 Domain in TLS SNI (isabeljwade .icu) (malware.rules)
2048700 - ET MALWARE TA401 Domain in TLS SNI (francescatmorrison .icu) (malware.rules)
2048701 - ET MALWARE TA401 Domain in TLS SNI (jayyburrows .icu) (malware.rules)
2048702 - ET MALWARE TA401 Domain in TLS SNI (jessicakphillips .icu) (malware.rules)
2048951 - ET MALWARE TA444 Domain in DNS Lookup (cisco-webex .online) (malware.rules)
2048952 - ET MALWARE TA444 Domain in DNS Lookup (video-meet .team) (malware.rules)
2048953 - ET MALWARE TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com) (malware.rules)
2048954 - ET MALWARE TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net) (malware.rules)
2048955 - ET MALWARE TA444 Domain in DNS Lookup (on-global .xyz) (malware.rules)
2048956 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net) (malware.rules)
2048957 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .ddns .net) (malware.rules)
2048958 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net) (malware.rules)
2048959 - ET MALWARE TA444 Domain in DNS Lookup (indaddy .xyz) (malware.rules)
2048960 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .tech .linkpc .net) (malware.rules)
2048961 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .presentations .life) (malware.rules)
2048962 - ET MALWARE TA444 Domain in DNS Lookup (doc .global-link .run .place) (malware.rules)
2048963 - ET MALWARE TA444 Domain in DNS Lookup (internalpdfviewer .ddns .net) (malware.rules)
2048964 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .zapto .org) (malware.rules)
2048965 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .serveirc .com) (malware.rules)
2048966 - ET MALWARE TA444 Domain in DNS Lookup (www .bitscrunch .co) (malware.rules)
2048967 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net) (malware.rules)
2048968 - ET MALWARE TA444 Domain in DNS Lookup (voldemort .myvnc .com) (malware.rules)
2048969 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunchtech .linkpc .net) (malware.rules)
2048970 - ET MALWARE TA444 Domain in DNS Lookup (nor-health .xyz) (malware.rules)
2048971 - ET MALWARE TA444 Domain in DNS Lookup (document .shared-link .line .pm) (malware.rules)
2048972 - ET MALWARE TA444 Domain in TLS SNI (cisco-webex .online) (malware.rules)
2048973 - ET MALWARE TA444 Domain in TLS SNI (video-meet .team) (malware.rules)
2048974 - ET MALWARE TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com) (malware.rules)
2048975 - ET MALWARE TA444 Domain in TLS SNI (docshared .col-link .linkpc .net) (malware.rules)
2048976 - ET MALWARE TA444 Domain in TLS SNI (on-global .xyz) (malware.rules)
2048977 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net) (malware.rules)
2048978 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .ddns .net) (malware.rules)
2048979 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net) (malware.rules)
2048980 - ET MALWARE TA444 Domain in TLS SNI (indaddy .xyz) (malware.rules)
2048981 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .tech .linkpc .net) (malware.rules)
2048982 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .presentations .life) (malware.rules)
2048983 - ET MALWARE TA444 Domain in TLS SNI (doc .global-link .run .place) (malware.rules)
2048984 - ET MALWARE TA444 Domain in TLS SNI (internalpdfviewer .ddns .net) (malware.rules)
2048985 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .zapto .org) (malware.rules)
2048986 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .serveirc .com) (malware.rules)
2048987 - ET MALWARE TA444 Domain in TLS SNI (www .bitscrunch .co) (malware.rules)
2048988 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net) (malware.rules)
2048989 - ET MALWARE TA444 Domain in TLS SNI (voldemort .myvnc .com) (malware.rules)
2048990 - ET MALWARE TA444 Domain in TLS SNI (bitscrunchtech .linkpc .net) (malware.rules)
2048991 - ET MALWARE TA444 Domain in TLS SNI (nor-health .xyz) (malware.rules)
2048992 - ET MALWARE TA444 Domain in TLS SNI (document .shared-link .line .pm) (malware.rules)
2049076 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-tracked .com) (exploit_kit.rules)
2049077 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-tracked .com) (exploit_kit.rules)
2049870 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ratingsentry .com) (exploit_kit.rules)
2049871 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ratingsentry .com) (exploit_kit.rules)
2049889 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jennifergalvin .com) (exploit_kit.rules)
2049890 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kineticwing .com) (exploit_kit.rules)
2049891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jesusanaya .com) (exploit_kit.rules)
2049892 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (plannedtomatoes .com) (exploit_kit.rules)
2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
2049894 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kineticwing .com) (exploit_kit.rules)
2049895 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jesusanaya .com) (exploit_kit.rules)
2049896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (plannedtomatoes .com) (exploit_kit.rules)
2050701 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (feturepoudbicchteo .shop) (malware.rules)
2050702 - ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI) (malware.rules)
2050703 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (pavementpreferencewjiao .site) (malware.rules)
2050704 - ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI) (malware.rules)
2050705 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (despairphtsograpgp .shop) (malware.rules)
2807925 - ETPRO POLICY Win32/WinVNC Activity - Outbound Connection Attempt (policy.rules)
2807955 - ETPRO MALWARE Win32/Injector.Autoit.ZZ (malware.rules)
2807967 - ETPRO MALWARE Backdoor.Win32.Destrukor.20 Checkin (malware.rules)
2808010 - ETPRO ADWARE_PUP Win32.Boaxxe.BL windowsupdate connectivity check (adware_pup.rules)
2808052 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin (mobile_malware.rules)
2808064 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.du Checkin (mobile_malware.rules)
2808074 - ETPRO ADWARE_PUP AdWare.Win32.MMag.d Checkin (adware_pup.rules)
2847740 - ETPRO MALWARE Trojan:Script/Phonzy.A!ml CnC Activity M2 (malware.rules)
2847832 - ETPRO MALWARE BazaLoader MalDoc Retrieving Payload (malware.rules)
2856377 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/05/03 - v10589 Ruleset Updates	269	May 3, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	714	March 5, 2024
Ruleset Update Summary - 2024/02/16 - v10534 Ruleset Updates	285	February 16, 2024
Ruleset Update Summary - 2024/08/22 - v10672 Ruleset Updates	68	August 22, 2024
Ruleset Update Summary - 2024/06/20 - v10622 Ruleset Updates	154	June 20, 2024

Ruleset Update Summary - 2024/03/06 - v10546

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics