Ruleset Update Summary - 2024/04/11 - v10573

rulesbot · April 11, 2024, 8:53pm

Summary:

37 new OPEN, 41 new PRO (37 + 4)

Thanks @MsftSecIntel

Added rules:

Open:

2051987 - ET INFO Observed DNS Over HTTPS Domain (dns .keke125 .com in TLS SNI) (info.rules)
2051988 - ET INFO Observed DNS Over HTTPS Domain (dns .lobbygod .com in TLS SNI) (info.rules)
2051989 - ET INFO Observed DNS Over HTTPS Domain (dns .mihanentalpo .me in TLS SNI) (info.rules)
2051990 - ET INFO Observed DNS Over HTTPS Domain (dns .p3k .sk in TLS SNI) (info.rules)
2051991 - ET INFO Observed DNS Over HTTPS Domain (adguard .sealyserver .com in TLS SNI) (info.rules)
2051992 - ET INFO Observed DNS Over HTTPS Domain (dns-cybersec .nordthreatprotection .com in TLS SNI) (info.rules)
2051993 - ET INFO Observed DNS Over HTTPS Domain (dns .neilzone .co .uk in TLS SNI) (info.rules)
2051994 - ET INFO Observed DNS Over HTTPS Domain (dns-malwaresec .nordthreatprotection .com in TLS SNI) (info.rules)
2051995 - ET PHISHING Privnote Landing Page 2024-04-11 (phishing.rules)
2051996 - ET PHISHING Fake Privnote Domain in DNS Lookup (privatemessage .net) (phishing.rules)
2051997 - ET PHISHING Fake Privnote Domain in DNS Lookup (pirvnota .com) (phishing.rules)
2051998 - ET PHISHING Observed Fake Privnote Domain (privatemessage .net in TLS SNI) (phishing.rules)
2051999 - ET PHISHING Observed Fake Privnote Domain (pirvnota .com in TLS SNI) (phishing.rules)
2052000 - ET INFO Free Website Builder/Hosting Domain in DNS Lookup (eventcreate .com) (info.rules)
2052001 - ET INFO Observed Free Website Builder/Hosting Domain (eventcreate .com) in TLS SNI (info.rules)
2052002 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn33 .space) (malware.rules)
2052003 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn32 .space) (malware.rules)
2052004 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn36 .space) (malware.rules)
2052005 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn38 .space) (malware.rules)
2052006 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn37 .space) (malware.rules)
2052007 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn34 .space) (malware.rules)
2052008 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn35 .space) (malware.rules)
2052009 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn31 .space) (malware.rules)
2052010 - ET MALWARE Suspected Fin7 Related Domain (cdn33 .space) in TLS SNI (malware.rules)
2052011 - ET MALWARE Suspected Fin7 Related Domain (cdn32 .space) in TLS SNI (malware.rules)
2052012 - ET MALWARE Suspected Fin7 Related Domain (cdn36 .space) in TLS SNI (malware.rules)
2052013 - ET MALWARE Suspected Fin7 Related Domain (cdn38 .space) in TLS SNI (malware.rules)
2052014 - ET MALWARE Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI (malware.rules)
2052015 - ET MALWARE Suspected Fin7 Related Domain (cdn34 .space) in TLS SNI (malware.rules)
2052016 - ET MALWARE Suspected Fin7 Related Domain (cdn35 .space) in TLS SNI (malware.rules)
2052017 - ET MALWARE Suspected Fin7 Related Domain (cdn31 .space) in TLS SNI (malware.rules)
2052018 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) (exploit_kit.rules)
2052019 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) (exploit_kit.rules)
2052020 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (infineitsolutions .com) (exploit_kit.rules)
2052021 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gitkonus .com) (exploit_kit.rules)
2052022 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (infineitsolutions .com) (exploit_kit.rules)
2052023 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gitkonus .com) (exploit_kit.rules)

Pro:

2856594 - ETPRO PHISHING Suspected Generic Credential Phish 2024-04-11 (phishing.rules)
2856595 - ETPRO MALWARE Win32/Katastrof Loader Related Activity (GET) (malware.rules)
2856596 - ETPRO MALWARE Win32/Katastrof Loader Related Domain in DNS Lookup (malware.rules)
2856597 - ETPRO MALWARE Observed Win32/Katastrof Loader Related Domain in TLS SNI (malware.rules)

Modified inactive rules:

2019107 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2019206 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2019316 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2019906 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC) (malware.rules)
2020216 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC) (malware.rules)
2020582 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC) (malware.rules)
2020689 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2020735 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2020802 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2020932 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
2021016 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2021063 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2021155 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC) (malware.rules)
2021175 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC) (malware.rules)
2021193 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
2021354 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2021397 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC) (malware.rules)
2021417 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2021426 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
2021427 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
2021446 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2021828 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
2021842 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
2022133 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC) (malware.rules)
2023347 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
2810108 - ETPRO MALWARE Win32/Spy.Shiz SSL Cert (malware.rules)
2810109 - ETPRO MALWARE Win32/Spy.Shiz SSL Cert (malware.rules)
2810110 - ETPRO MALWARE Win32/Spy.Shiz SSL Cert (malware.rules)
2810987 - ETPRO MALWARE Win32/Spy.Shiz SSL Cert (malware.rules)

Disabled and modified rules:

2006380 - ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (policy.rules)
2006402 - ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted (policy.rules)
2007650 - ET MALWARE Mac Trojan HTTP Checkin (accept-language violation) (malware.rules)
2022534 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC) (malware.rules)
2022684 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC) (malware.rules)
2022935 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3 (exploit.rules)
2022936 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4 (exploit.rules)
2022937 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3 (exploit.rules)
2022938 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4 (exploit.rules)
2051618 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (herdbescuitinjurywu .shop) (malware.rules)
2814533 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (LGN - name/group/version) (malware.rules)
2814534 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (CM - run command) (malware.rules)
2814535 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (DN - download) (malware.rules)
2814536 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (FM - manage file) (malware.rules)
2814537 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (LN.T - close connection) (malware.rules)
2814538 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (LN.RST - reset connection) (malware.rules)
2814539 - ETPRO MALWARE JAVA_XPLAT.A RAT CnC (STS - NOP) (malware.rules)
2816329 - ETPRO EXPLOIT_KIT Possible Magnitude EK Flash Exploit URI Struct Feb 19 2016 (exploit_kit.rules)
2816656 - ETPRO MALWARE MSIL/StealerReborn PWS Exfil via FTP (malware.rules)
2816664 - ETPRO MALWARE MSIL/Bladabindi Variant Backdoor CnC Checkin (malware.rules)
2816738 - ETPRO MALWARE Bladabindi/njRat Variant CnC Checkin (malware.rules)
2821087 - ETPRO WEB_CLIENT MS Edge OOB Read Vulnerability (CVE-2016-3277) (web_client.rules)
2821199 - ETPRO MALWARE MSIL/Bladabindi/njRAT Variant Keepalive Ping (Maadawy) (malware.rules)
2821694 - ETPRO MALWARE Bladabindi/njRAT Variant CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/12/04 - v10478 Ruleset Updates	411	December 4, 2023
Ruleset Update Summary - 2024/01/24 - v10513 Ruleset Updates	217	January 24, 2024
Ruleset Update Summary - 2024/02/08 - v10527 Ruleset Updates	290	February 8, 2024
Ruleset Update Summary - 2023/10/10 - v10436 Ruleset Updates	311	October 10, 2023
Ruleset Update Summary - 2024/01/31 - v10520 Ruleset Updates	254	January 31, 2024

Ruleset Update Summary - 2024/04/11 - v10573

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics