Ruleset Update Summary - 2024/03/07 - v10547

rulesbot · March 7, 2024, 10:07pm

Summary:

27 new OPEN, 27 new PRO (27 + 0)

Thanks @KrollWire, @ESET, @XForce

Added rules:

Open:

2051516 - ET MALWARE Splinter Red Team Tool Activity (malware.rules)
2051517 - ET INFO DNS Related Tools Domain in DNS Lookup (viewdns .net) (info.rules)
2051518 - ET INFO Observed DNS Related Tools Domain (viewdns .net in TLS SNI) (info.rules)
2051519 - ET MALWARE EvasivePanda/Daggerfly APT CnC Domain in DNS Lookup (devicebug .com) (malware.rules)
2051520 - ET MALWARE Observed EvasivePanda/Daggerfly APT Domain (devicebug .com) in TLS SNI (malware.rules)
2051521 - ET MALWARE NGC2180/DFKRAT CnC Domain in DNS Lookup (windowscer .shop) (malware.rules)
2051522 - ET MALWARE Observed NGC2180/DFKRAT CnC Domain (windowscer .shop) in TLS SNI (malware.rules)
2051523 - ET MALWARE DFKRAT CnC Checkin M1 (malware.rules)
2051524 - ET MALWARE DFKRAT CnC Checkin M2 (malware.rules)
2051525 - ET MALWARE DFKRAT CnC Checkin M3 (malware.rules)
2051526 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .jsassets .sbs) (malware.rules)
2051527 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .elfaker .workers .dev) (malware.rules)
2051528 - ET MALWARE FakeExt CnC Domain in DNS Lookup (prod .jslibrary .sbs) (malware.rules)
2051529 - ET MALWARE FakeExt CnC Domain in DNS Lookup (browser .internalfiles .sbs) (malware.rules)
2051530 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .sbs) (malware.rules)
2051531 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .lll .yachts) (malware.rules)
2051532 - ET MALWARE FakeExt CnC Domain in DNS Lookup (jschecks .com) (malware.rules)
2051533 - ET MALWARE FakeExt CnC Domain in DNS Lookup (javascrip12 .com) (malware.rules)
2051534 - ET MALWARE Observed FakeExt Domain (cdn .jsassets .sbs) in TLS SNI (malware.rules)
2051535 - ET MALWARE Observed FakeExt Domain (fastify .elfaker .workers .dev) in TLS SNI (malware.rules)
2051536 - ET MALWARE Observed FakeExt Domain (prod .jslibrary .sbs) in TLS SNI (malware.rules)
2051537 - ET MALWARE Observed FakeExt Domain (fastify .sbs) in TLS SNI (malware.rules)
2051538 - ET MALWARE Observed FakeExt Domain (cdn .lll .yachts) in TLS SNI (malware.rules)
2051539 - ET MALWARE Observed FakeExt Domain (screen-security .com) in TLS SNI (malware.rules)
2051540 - ET MALWARE Observed FakeExt Domain (jschecks .com) in TLS SNI (malware.rules)
2051541 - ET MALWARE Observed FakeExt Domain (javascrip12 .com) in TLS SNI (malware.rules)
2051542 - ET MALWARE FakeEXT Data Exfiltration Attempt (malware.rules)

Modified inactive rules:

2001628 - ET ATTACK_RESPONSE Outbound PHP Connection (attack_response.rules)
2003215 - ET POLICY Pingdom.com Monitoring Node Active (policy.rules)
2010721 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound (hunting.rules)
2010722 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound (hunting.rules)
2011583 - ET EXPLOIT Neosploit Exploit Pack Activity Observed (exploit.rules)
2011748 - ET GAMES TrackMania Game Launch (games.rules)
2011750 - ET GAMES TrackMania Request GetConnectionAndGameParams (games.rules)
2011751 - ET GAMES TrackMania Request OpenSession (games.rules)
2011753 - ET GAMES TrackMania Request Disconnect (games.rules)
2011754 - ET GAMES TrackMania Request GetOnlineProfile (games.rules)
2011755 - ET GAMES TrackMania Request GetBuddies (games.rules)
2011756 - ET GAMES TrackMania Request SearchNew (games.rules)
2011757 - ET GAMES TrackMania Request LiveUpdate (games.rules)
2011758 - ET GAMES TrackMania Ad Report (games.rules)
2013723 - ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin (malware.rules)
2014107 - ET MALWARE Zeus POST Request to CnC - cookie variation (malware.rules)
2018901 - ET MALWARE BITTERBUG Checkin 2 (malware.rules)
2019875 - ET MALWARE Possible Dyre SSL Cert Dec 4 2014 (malware.rules)
2020351 - ET MALWARE Possible Dridex e-mail inbound (malware.rules)
2024260 - ET ADWARE_PUP Win32.LoadMoney User Agent (adware_pup.rules)
2801329 - ETPRO MALWARE Trojan.Win32.Delf.MW Checkin 1 (malware.rules)
2803463 - ETPRO MALWARE Common Downloader Header Pattern CtHAU (Mozilla 3.0 Indy Library) (malware.rules)
2803494 - ETPRO MALWARE Common Downloader POST Header Pattern POST ACtHUCo data= (malware.rules)
2804283 - ETPRO MALWARE Backdoor.Hupigon Checkin (malware.rules)
2804481 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QFP Checkin (malware.rules)
2804643 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.AX Checkin (adware_pup.rules)
2804686 - ETPRO MALWARE Win32/Masteseq.AC Checkin (malware.rules)
2805220 - ETPRO ADWARE_PUP Win-Adware/KorAd.138208 Checkin (adware_pup.rules)
2805234 - ETPRO MALWARE Win32/Banload.AMR Checkin (malware.rules)
2805475 - ETPRO ADWARE_PUP AdWare.Win32.DirectDown.A checkin (adware_pup.rules)
2805477 - ETPRO MALWARE Virus.Win32.Kate.a Checkin (malware.rules)
2814970 - ETPRO MALWARE Variant.Barys.5471 (B) Checkin (malware.rules)
2815052 - ETPRO MALWARE Unknown PWS C2 (malware.rules)
2815769 - ETPRO MALWARE W32.Blackmoon Uploading Stolen Certificates (malware.rules)
2820623 - ETPRO EXPLOIT IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow (CVE-2008-2499) (exploit.rules)
2823672 - ETPRO MALWARE LatentBot HTTP POST CnC (malware.rules)

Disabled and modified rules:

2018517 - ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234 (dns.rules)
2018534 - ET EXPLOIT_KIT CottonCastle EK URI Struct (exploit_kit.rules)
2018610 - ET MALWARE Likely CryptoWall .onion Proxy domain in SNI (malware.rules)
2018620 - ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2 (malware.rules)
2018635 - ET MALWARE Common Upatre Header Structure 2 (malware.rules)
2050726 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (samplepoisonbarryntj .shop) (malware.rules)
2050727 - ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI) (malware.rules)
2050728 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (decorousnumerousieo .shop) (malware.rules)
2050729 - ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI) (malware.rules)
2808175 - ETPRO MALWARE Backdoor.DarkMoon C2 Activity (malware.rules)
2808186 - ETPRO MALWARE suspicious User-Agent and Request on Unusual Port Win32/Jeefo.A (malware.rules)
2808188 - ETPRO MALWARE Win32/Kotan suspicious User-Agent .exe (malware.rules)
2808220 - ETPRO MALWARE W32/Redyms.AF Checkin 2 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/09/05 - v10410 Ruleset Updates	289	September 5, 2023
Ruleset Update Summary - 2024/07/16 - v10646 Ruleset Updates	79	July 16, 2024
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	351	November 22, 2023
Ruleset Update Summary - 2023/05/19 - v10327 Ruleset Updates	224	May 19, 2023
Ruleset Update Summary - 2023/04/27 - v10309 Ruleset Updates	292	April 27, 2023

Ruleset Update Summary - 2024/03/07 - v10547

Summary:

Added rules:

Open:

Modified inactive rules:

Disabled and modified rules:

Related topics