Ruleset Update Summary - 2024/03/06 - v10546

Summary:

19 new OPEN, 26 new PRO (19 + 7)

Thanks @rapid7, @TheDFIRReport, @ginkgo
Added rules:

Open:

  • 2051497 - ET MALWARE Suspected Kimsuky APT Related ToddlerShark Activity (POST) (malware.rules)
  • 2051498 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (executivebrakeji .shop) (malware.rules)
  • 2051499 - ET MALWARE Observed Lumma Stealer Related Domain (executivebrakeji .shop in TLS SNI) (malware.rules)
  • 2051500 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (oneclickyporkeiw .fun) (malware.rules)
  • 2051501 - ET MALWARE Observed Lumma Stealer Related Domain (oneclickyporkeiw .fun in TLS SNI) (malware.rules)
  • 2051502 - ET MALWARE TA421 Wineloader CnC Checkin M2 (malware.rules)
  • 2051503 - ET MALWARE TA421 Wineloader CnC Checkin M3 (malware.rules)
  • 2051504 - ET MALWARE TA421 Wineloader CnC Checkin M4 (malware.rules)
  • 2051505 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check (web_specific_apps.rules)
  • 2051506 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt (web_specific_apps.rules)
  • 2051507 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt (web_specific_apps.rules)
  • 2051508 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check (web_specific_apps.rules)
  • 2051509 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1 (web_specific_apps.rules)
  • 2051510 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2 (web_specific_apps.rules)
  • 2051511 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3 (web_specific_apps.rules)
  • 2051512 - ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4 (web_specific_apps.rules)
  • 2051513 - ET MALWARE Bitter APT Related Activity (GET) (malware.rules)
  • 2051514 - ET HUNTING Windows Scheduled Task XML Response from Server (hunting.rules)
  • 2051515 - ET MALWARE Bitter APT Activity - Secondary Payload Retrieval Attempt (malware.rules)

Pro:

  • 2856461 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856462 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856463 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856464 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
  • 2856465 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
  • 2856466 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
  • 2856467 - ETPRO MALWARE Hello2Malware User-Agent Observed (malware.rules)

Disabled and modified rules:

  • 2018385 - ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014 (malware.rules)
  • 2018396 - ET INFO BrowseTor .onion Proxy Service SSL Cert (info.rules)
  • 2018462 - ET MALWARE W32/Fsysna.Downloader CnC Beacon (malware.rules)
  • 2018477 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply (malware.rules)
  • 2018479 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable (malware.rules)
  • 2048695 - ET MALWARE TA401 Domain in DNS Lookup (isabeljwade .icu) (malware.rules)
  • 2048696 - ET MALWARE TA401 Domain in DNS Lookup (francescatmorrison .icu) (malware.rules)
  • 2048697 - ET MALWARE TA401 Domain in DNS Lookup (jayyburrows .icu) (malware.rules)
  • 2048698 - ET MALWARE TA401 Domain in DNS Lookup (jessicakphillips .icu) (malware.rules)
  • 2048699 - ET MALWARE TA401 Domain in TLS SNI (isabeljwade .icu) (malware.rules)
  • 2048700 - ET MALWARE TA401 Domain in TLS SNI (francescatmorrison .icu) (malware.rules)
  • 2048701 - ET MALWARE TA401 Domain in TLS SNI (jayyburrows .icu) (malware.rules)
  • 2048702 - ET MALWARE TA401 Domain in TLS SNI (jessicakphillips .icu) (malware.rules)
  • 2048951 - ET MALWARE TA444 Domain in DNS Lookup (cisco-webex .online) (malware.rules)
  • 2048952 - ET MALWARE TA444 Domain in DNS Lookup (video-meet .team) (malware.rules)
  • 2048953 - ET MALWARE TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com) (malware.rules)
  • 2048954 - ET MALWARE TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net) (malware.rules)
  • 2048955 - ET MALWARE TA444 Domain in DNS Lookup (on-global .xyz) (malware.rules)
  • 2048956 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net) (malware.rules)
  • 2048957 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .ddns .net) (malware.rules)
  • 2048958 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net) (malware.rules)
  • 2048959 - ET MALWARE TA444 Domain in DNS Lookup (indaddy .xyz) (malware.rules)
  • 2048960 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .tech .linkpc .net) (malware.rules)
  • 2048961 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .presentations .life) (malware.rules)
  • 2048962 - ET MALWARE TA444 Domain in DNS Lookup (doc .global-link .run .place) (malware.rules)
  • 2048963 - ET MALWARE TA444 Domain in DNS Lookup (internalpdfviewer .ddns .net) (malware.rules)
  • 2048964 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .zapto .org) (malware.rules)
  • 2048965 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .serveirc .com) (malware.rules)
  • 2048966 - ET MALWARE TA444 Domain in DNS Lookup (www .bitscrunch .co) (malware.rules)
  • 2048967 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net) (malware.rules)
  • 2048968 - ET MALWARE TA444 Domain in DNS Lookup (voldemort .myvnc .com) (malware.rules)
  • 2048969 - ET MALWARE TA444 Domain in DNS Lookup (bitscrunchtech .linkpc .net) (malware.rules)
  • 2048970 - ET MALWARE TA444 Domain in DNS Lookup (nor-health .xyz) (malware.rules)
  • 2048971 - ET MALWARE TA444 Domain in DNS Lookup (document .shared-link .line .pm) (malware.rules)
  • 2048972 - ET MALWARE TA444 Domain in TLS SNI (cisco-webex .online) (malware.rules)
  • 2048973 - ET MALWARE TA444 Domain in TLS SNI (video-meet .team) (malware.rules)
  • 2048974 - ET MALWARE TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com) (malware.rules)
  • 2048975 - ET MALWARE TA444 Domain in TLS SNI (docshared .col-link .linkpc .net) (malware.rules)
  • 2048976 - ET MALWARE TA444 Domain in TLS SNI (on-global .xyz) (malware.rules)
  • 2048977 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net) (malware.rules)
  • 2048978 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .ddns .net) (malware.rules)
  • 2048979 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net) (malware.rules)
  • 2048980 - ET MALWARE TA444 Domain in TLS SNI (indaddy .xyz) (malware.rules)
  • 2048981 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .tech .linkpc .net) (malware.rules)
  • 2048982 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .presentations .life) (malware.rules)
  • 2048983 - ET MALWARE TA444 Domain in TLS SNI (doc .global-link .run .place) (malware.rules)
  • 2048984 - ET MALWARE TA444 Domain in TLS SNI (internalpdfviewer .ddns .net) (malware.rules)
  • 2048985 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .zapto .org) (malware.rules)
  • 2048986 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .serveirc .com) (malware.rules)
  • 2048987 - ET MALWARE TA444 Domain in TLS SNI (www .bitscrunch .co) (malware.rules)
  • 2048988 - ET MALWARE TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net) (malware.rules)
  • 2048989 - ET MALWARE TA444 Domain in TLS SNI (voldemort .myvnc .com) (malware.rules)
  • 2048990 - ET MALWARE TA444 Domain in TLS SNI (bitscrunchtech .linkpc .net) (malware.rules)
  • 2048991 - ET MALWARE TA444 Domain in TLS SNI (nor-health .xyz) (malware.rules)
  • 2048992 - ET MALWARE TA444 Domain in TLS SNI (document .shared-link .line .pm) (malware.rules)
  • 2049076 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-tracked .com) (exploit_kit.rules)
  • 2049077 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-tracked .com) (exploit_kit.rules)
  • 2049870 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ratingsentry .com) (exploit_kit.rules)
  • 2049871 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ratingsentry .com) (exploit_kit.rules)
  • 2049889 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jennifergalvin .com) (exploit_kit.rules)
  • 2049890 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kineticwing .com) (exploit_kit.rules)
  • 2049891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jesusanaya .com) (exploit_kit.rules)
  • 2049892 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (plannedtomatoes .com) (exploit_kit.rules)
  • 2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
  • 2049894 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kineticwing .com) (exploit_kit.rules)
  • 2049895 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jesusanaya .com) (exploit_kit.rules)
  • 2049896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (plannedtomatoes .com) (exploit_kit.rules)
  • 2050701 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (feturepoudbicchteo .shop) (malware.rules)
  • 2050702 - ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI) (malware.rules)
  • 2050703 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (pavementpreferencewjiao .site) (malware.rules)
  • 2050704 - ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI) (malware.rules)
  • 2050705 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (despairphtsograpgp .shop) (malware.rules)
  • 2807925 - ETPRO POLICY Win32/WinVNC Activity - Outbound Connection Attempt (policy.rules)
  • 2807955 - ETPRO MALWARE Win32/Injector.Autoit.ZZ (malware.rules)
  • 2807967 - ETPRO MALWARE Backdoor.Win32.Destrukor.20 Checkin (malware.rules)
  • 2808010 - ETPRO ADWARE_PUP Win32.Boaxxe.BL windowsupdate connectivity check (adware_pup.rules)
  • 2808052 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin (mobile_malware.rules)
  • 2808064 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.du Checkin (mobile_malware.rules)
  • 2808074 - ETPRO ADWARE_PUP AdWare.Win32.MMag.d Checkin (adware_pup.rules)
  • 2847740 - ETPRO MALWARE Trojan:Script/Phonzy.A!ml CnC Activity M2 (malware.rules)
  • 2847832 - ETPRO MALWARE BazaLoader MalDoc Retrieving Payload (malware.rules)
  • 2856377 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)