Ruleset Update Summary - 2024/04/10 - v10572

Summary:

20 new OPEN, 21 new PRO (20 + 1)

Thanks @trendmicro
Added rules:

Open:

  • 2051967 - ET INFO Anonymous File Sharing Service Domain in DNS Lookup (file-drop .cc) (info.rules)
  • 2051968 - ET INFO Observed Anonymous File Sharing Service Domain (file-drop .cc in TLS SNI) (info.rules)
  • 2051969 - ET INFO Observed DNS Over HTTPS Domain (doh .kel .pe in TLS SNI) (info.rules)
  • 2051970 - ET INFO Observed DNS Over HTTPS Domain (dns .caksono .com in TLS SNI) (info.rules)
  • 2051971 - ET INFO Observed DNS Over HTTPS Domain (dns .gamban .com in TLS SNI) (info.rules)
  • 2051972 - ET INFO Observed DNS Over HTTPS Domain (dns .thegoodsource .net in TLS SNI) (info.rules)
  • 2051973 - ET INFO Observed DNS Over HTTPS Domain (dns .sheggi .ch in TLS SNI) (info.rules)
  • 2051974 - ET INFO Observed DNS Over HTTPS Domain (dns .oryxlabs .com in TLS SNI) (info.rules)
  • 2051975 - ET INFO Observed DNS Over HTTPS Domain (dns .koala .us .to in TLS SNI) (info.rules)
  • 2051976 - ET INFO Observed DNS Over HTTPS Domain (doh .kooman .org in TLS SNI) (info.rules)
  • 2051977 - ET INFO Observed DNS Over HTTPS Domain (dns .ezyss .id in TLS SNI) (info.rules)
  • 2051978 - ET INFO Observed DNS Over HTTPS Domain (doh .maskab .com in TLS SNI) (info.rules)
  • 2051979 - ET INFO Observed DNS Over HTTPS Domain (dns .dev-umbrellagov .com in TLS SNI) (info.rules)
  • 2051980 - ET INFO Observed DNS Over HTTPS Domain (dns .levonet .sk in TLS SNI) (info.rules)
  • 2051981 - ET MALWARE Win32/Powershell Loader Related Activity (GET) (malware.rules)
  • 2051982 - ET MALWARE Suspected Trojan-Proxy Web Socket Connection Activity (malware.rules)
  • 2051983 - ET MALWARE 3proxy Backdoor CnC Domain in DNS Lookup (catalog .micrisoftdrivers .com) (malware.rules)
  • 2051984 - ET MALWARE 3proxy Backdoor Domain (catalog .micrisoftdrivers .com) in TLS SNI (malware.rules)
  • 2051985 - ET INFO Phishing Training Domain in DNS Lookup (notifierservice .com) (info.rules)
  • 2051986 - ET INFO Phishing Training Domain (notifierservice .com) in TLS SNI (info.rules)

Pro:

  • 2856593 - ETPRO INFO Red Team Related Tracking Image (info.rules)

Modified inactive rules:

  • 2008521 - ET MALWARE Keylogger Infection Report via POST (malware.rules)
  • 2009388 - ET MALWARE Bredolab Downloader Response Binaries from Controller (malware.rules)
  • 2019720 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019786 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019787 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019810 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019812 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019818 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019819 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2021175 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC) (malware.rules)
  • 2021354 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021397 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC) (malware.rules)
  • 2021417 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2022057 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger) (malware.rules)
  • 2022066 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger) (malware.rules)
  • 2022067 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger) (malware.rules)
  • 2022077 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu) (malware.rules)
  • 2022133 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC) (malware.rules)
  • 2820895 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820933 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2821878 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2822879 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823301 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823537 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823717 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823901 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824231 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824681 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824703 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825041 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2010514 - ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source) (hunting.rules)
  • 2010519 - ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source) (web_server.rules)
  • 2010520 - ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source) (web_client.rules)
  • 2010521 - ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source) (web_server.rules)
  • 2010522 - ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source) (web_client.rules)
  • 2010524 - ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source) (web_server.rules)
  • 2010525 - ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) (web_client.rules)
  • 2010526 - ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source) (web_server.rules)
  • 2010527 - ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source) (web_client.rules)
  • 2010799 - ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt (web_client.rules)
  • 2010883 - ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile (policy.rules)
  • 2010968 - ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt (web_client.rules)
  • 2018008 - ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org (malware.rules)
  • 2019788 - ET MALWARE DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain (malware.rules)
  • 2019790 - ET MALWARE DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain (malware.rules)
  • 2021938 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2050710 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mysticselect .com) (exploit_kit.rules)
  • 2050711 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (oemmasters .com) (exploit_kit.rules)
  • 2050712 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mysticselect .com) (exploit_kit.rules)
  • 2050713 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (oemmasters .com) (exploit_kit.rules)
  • 2050715 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (share .clickstat360 .com) (exploit_kit.rules)
  • 2050717 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (share .clickstat360 .com) (exploit_kit.rules)
  • 2050724 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .our .openarmscv .org) (malware.rules)
  • 2050725 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .our .openarmscv .org) (malware.rules)
  • 2051578 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fund) (malware.rules)
  • 2051579 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwf) (malware.rules)
  • 2051580 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fund) (malware.rules)
  • 2051581 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fund in TLS SNI) (malware.rules)
  • 2051582 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwf in TLS SNI) (malware.rules)
  • 2051583 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fund in TLS SNI) (malware.rules)
  • 2051585 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fung) (malware.rules)
  • 2051589 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fung in TLS SNI) (malware.rules)
  • 2051590 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwq in TLS SNI) (malware.rules)
  • 2051593 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwq) (malware.rules)
  • 2051594 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (scrapedirtyieoqk .shop) (malware.rules)
  • 2051595 - ET MALWARE Observed Lumma Stealer Related Domain (scrapedirtyieoqk .shop in TLS SNI) (malware.rules)
  • 2812512 - ETPRO MALWARE Spammer Win32/Hedsen CnC Beacon (malware.rules)
  • 2812813 - ETPRO MALWARE Backdoor.Telnneru Possible HTTP CnC Beacon 2 (malware.rules)
  • 2814262 - ETPRO MALWARE MSIL/Crimson CnC Client Command (update) (malware.rules)
  • 2814367 - ETPRO MALWARE Win32/Bozok RAT 1.5 Checkin (malware.rules)
  • 2814429 - ETPRO MALWARE Bergard CnC Beacon (malware.rules)
  • 2814440 - ETPRO MALWARE Win32/Bagoox.A Checkin (malware.rules)
  • 2814540 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (DG response - exception) (malware.rules)
  • 2814541 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (LGN response) (malware.rules)
  • 2814880 - ETPRO MALWARE W32.Unknown RAT/Keylogger/CoinMiner Checkin (malware.rules)
  • 2835979 - ETPRO MALWARE Unk.CoinMiner Requesting Inf (malware.rules)
  • 2856552 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856553 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)