Summary:
27 new OPEN, 27 new PRO (27 + 0)
Thanks @KrollWire, @ESET, @XForce
Added rules:
Open:
- 2051516 - ET MALWARE Splinter Red Team Tool Activity (malware.rules)
- 2051517 - ET INFO DNS Related Tools Domain in DNS Lookup (viewdns .net) (info.rules)
- 2051518 - ET INFO Observed DNS Related Tools Domain (viewdns .net in TLS SNI) (info.rules)
- 2051519 - ET MALWARE EvasivePanda/Daggerfly APT CnC Domain in DNS Lookup (devicebug .com) (malware.rules)
- 2051520 - ET MALWARE Observed EvasivePanda/Daggerfly APT Domain (devicebug .com) in TLS SNI (malware.rules)
- 2051521 - ET MALWARE NGC2180/DFKRAT CnC Domain in DNS Lookup (windowscer .shop) (malware.rules)
- 2051522 - ET MALWARE Observed NGC2180/DFKRAT CnC Domain (windowscer .shop) in TLS SNI (malware.rules)
- 2051523 - ET MALWARE DFKRAT CnC Checkin M1 (malware.rules)
- 2051524 - ET MALWARE DFKRAT CnC Checkin M2 (malware.rules)
- 2051525 - ET MALWARE DFKRAT CnC Checkin M3 (malware.rules)
- 2051526 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .jsassets .sbs) (malware.rules)
- 2051527 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .elfaker .workers .dev) (malware.rules)
- 2051528 - ET MALWARE FakeExt CnC Domain in DNS Lookup (prod .jslibrary .sbs) (malware.rules)
- 2051529 - ET MALWARE FakeExt CnC Domain in DNS Lookup (browser .internalfiles .sbs) (malware.rules)
- 2051530 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .sbs) (malware.rules)
- 2051531 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .lll .yachts) (malware.rules)
- 2051532 - ET MALWARE FakeExt CnC Domain in DNS Lookup (jschecks .com) (malware.rules)
- 2051533 - ET MALWARE FakeExt CnC Domain in DNS Lookup (javascrip12 .com) (malware.rules)
- 2051534 - ET MALWARE Observed FakeExt Domain (cdn .jsassets .sbs) in TLS SNI (malware.rules)
- 2051535 - ET MALWARE Observed FakeExt Domain (fastify .elfaker .workers .dev) in TLS SNI (malware.rules)
- 2051536 - ET MALWARE Observed FakeExt Domain (prod .jslibrary .sbs) in TLS SNI (malware.rules)
- 2051537 - ET MALWARE Observed FakeExt Domain (fastify .sbs) in TLS SNI (malware.rules)
- 2051538 - ET MALWARE Observed FakeExt Domain (cdn .lll .yachts) in TLS SNI (malware.rules)
- 2051539 - ET MALWARE Observed FakeExt Domain (screen-security .com) in TLS SNI (malware.rules)
- 2051540 - ET MALWARE Observed FakeExt Domain (jschecks .com) in TLS SNI (malware.rules)
- 2051541 - ET MALWARE Observed FakeExt Domain (javascrip12 .com) in TLS SNI (malware.rules)
- 2051542 - ET MALWARE FakeEXT Data Exfiltration Attempt (malware.rules)
Modified inactive rules:
- 2001628 - ET ATTACK_RESPONSE Outbound PHP Connection (attack_response.rules)
- 2003215 - ET POLICY Pingdom.com Monitoring Node Active (policy.rules)
- 2010721 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound (hunting.rules)
- 2010722 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound (hunting.rules)
- 2011583 - ET EXPLOIT Neosploit Exploit Pack Activity Observed (exploit.rules)
- 2011748 - ET GAMES TrackMania Game Launch (games.rules)
- 2011750 - ET GAMES TrackMania Request GetConnectionAndGameParams (games.rules)
- 2011751 - ET GAMES TrackMania Request OpenSession (games.rules)
- 2011753 - ET GAMES TrackMania Request Disconnect (games.rules)
- 2011754 - ET GAMES TrackMania Request GetOnlineProfile (games.rules)
- 2011755 - ET GAMES TrackMania Request GetBuddies (games.rules)
- 2011756 - ET GAMES TrackMania Request SearchNew (games.rules)
- 2011757 - ET GAMES TrackMania Request LiveUpdate (games.rules)
- 2011758 - ET GAMES TrackMania Ad Report (games.rules)
- 2013723 - ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin (malware.rules)
- 2014107 - ET MALWARE Zeus POST Request to CnC - cookie variation (malware.rules)
- 2018901 - ET MALWARE BITTERBUG Checkin 2 (malware.rules)
- 2019875 - ET MALWARE Possible Dyre SSL Cert Dec 4 2014 (malware.rules)
- 2020351 - ET MALWARE Possible Dridex e-mail inbound (malware.rules)
- 2024260 - ET ADWARE_PUP Win32.LoadMoney User Agent (adware_pup.rules)
- 2801329 - ETPRO MALWARE Trojan.Win32.Delf.MW Checkin 1 (malware.rules)
- 2803463 - ETPRO MALWARE Common Downloader Header Pattern CtHAU (Mozilla 3.0 Indy Library) (malware.rules)
- 2803494 - ETPRO MALWARE Common Downloader POST Header Pattern POST ACtHUCo data= (malware.rules)
- 2804283 - ETPRO MALWARE Backdoor.Hupigon Checkin (malware.rules)
- 2804481 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QFP Checkin (malware.rules)
- 2804643 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.AX Checkin (adware_pup.rules)
- 2804686 - ETPRO MALWARE Win32/Masteseq.AC Checkin (malware.rules)
- 2805220 - ETPRO ADWARE_PUP Win-Adware/KorAd.138208 Checkin (adware_pup.rules)
- 2805234 - ETPRO MALWARE Win32/Banload.AMR Checkin (malware.rules)
- 2805475 - ETPRO ADWARE_PUP AdWare.Win32.DirectDown.A checkin (adware_pup.rules)
- 2805477 - ETPRO MALWARE Virus.Win32.Kate.a Checkin (malware.rules)
- 2814970 - ETPRO MALWARE Variant.Barys.5471 (B) Checkin (malware.rules)
- 2815052 - ETPRO MALWARE Unknown PWS C2 (malware.rules)
- 2815769 - ETPRO MALWARE W32.Blackmoon Uploading Stolen Certificates (malware.rules)
- 2820623 - ETPRO EXPLOIT IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow (CVE-2008-2499) (exploit.rules)
- 2823672 - ETPRO MALWARE LatentBot HTTP POST CnC (malware.rules)
Disabled and modified rules:
- 2018517 - ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234 (dns.rules)
- 2018534 - ET EXPLOIT_KIT CottonCastle EK URI Struct (exploit_kit.rules)
- 2018610 - ET MALWARE Likely CryptoWall .onion Proxy domain in SNI (malware.rules)
- 2018620 - ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2 (malware.rules)
- 2018635 - ET MALWARE Common Upatre Header Structure 2 (malware.rules)
- 2050726 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (samplepoisonbarryntj .shop) (malware.rules)
- 2050727 - ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI) (malware.rules)
- 2050728 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (decorousnumerousieo .shop) (malware.rules)
- 2050729 - ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI) (malware.rules)
- 2808175 - ETPRO MALWARE Backdoor.DarkMoon C2 Activity (malware.rules)
- 2808186 - ETPRO MALWARE suspicious User-Agent and Request on Unusual Port Win32/Jeefo.A (malware.rules)
- 2808188 - ETPRO MALWARE Win32/Kotan suspicious User-Agent .exe (malware.rules)
- 2808220 - ETPRO MALWARE W32/Redyms.AF Checkin 2 (malware.rules)