Ruleset Update Summary - 2024/04/22 - v10580

Summary:

35 new OPEN, 60 new PRO (35 + 25)

Added rules:

Open:

  • 2052200 - ET INFO DYNAMIC_DNS Query to a *.kalbas .com .vn Domain (info.rules)
  • 2052201 - ET INFO DYNAMIC_DNS HTTP Request to a *.kalbas .com .vn Domain (info.rules)
  • 2052202 - ET INFO DYNAMIC_DNS Query to a *.mysaol .com Domain (info.rules)
  • 2052203 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysaol .com Domain (info.rules)
  • 2052204 - ET INFO DYNAMIC_DNS Query to a *.allisons .org Domain (info.rules)
  • 2052205 - ET INFO DYNAMIC_DNS HTTP Request to a *.allisons .org Domain (info.rules)
  • 2052206 - ET INFO DYNAMIC_DNS Query to a *.dearabba .org Domain (info.rules)
  • 2052207 - ET INFO DYNAMIC_DNS HTTP Request to a *.dearabba .org Domain (info.rules)
  • 2052208 - ET INFO DYNAMIC_DNS Query to a *.privateimport .jp Domain (info.rules)
  • 2052209 - ET INFO DYNAMIC_DNS HTTP Request to a *.privateimport .jp Domain (info.rules)
  • 2052210 - ET INFO DYNAMIC_DNS Query to a *.teakwondo .one .pl Domain (info.rules)
  • 2052211 - ET INFO DYNAMIC_DNS HTTP Request to a *.teakwondo .one .pl Domain (info.rules)
  • 2052212 - ET INFO Observed DNS Over HTTPS Domain (adguard .twotigers .xyz in TLS SNI) (info.rules)
  • 2052213 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) (malware.rules)
  • 2052214 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shortsvelventysjo .shop) (malware.rules)
  • 2052215 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (alcojoldwograpciw .shop) (malware.rules)
  • 2052216 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (incredibleextedwj .shop) (malware.rules)
  • 2052217 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) (malware.rules)
  • 2052218 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (demonstationfukewko .shop) (malware.rules)
  • 2052219 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tolerateilusidjukl .shop) (malware.rules)
  • 2052220 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (liabilitynighstjsko .shop) (malware.rules)
  • 2052221 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (productivelookewr .shop) (malware.rules)
  • 2052222 - ET MALWARE Observed Lumma Stealer Related Domain (alcojoldwograpciw .shop in TLS SNI) (malware.rules)
  • 2052223 - ET MALWARE Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) (malware.rules)
  • 2052224 - ET MALWARE Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) (malware.rules)
  • 2052225 - ET MALWARE Observed Lumma Stealer Related Domain (demonstationfukewko .shop in TLS SNI) (malware.rules)
  • 2052226 - ET MALWARE Observed Lumma Stealer Related Domain (shortsvelventysjo .shop in TLS SNI) (malware.rules)
  • 2052227 - ET MALWARE Observed Lumma Stealer Related Domain (liabilitynighstjsko .shop in TLS SNI) (malware.rules)
  • 2052228 - ET MALWARE Observed Lumma Stealer Related Domain (productivelookewr .shop in TLS SNI) (malware.rules)
  • 2052229 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop) (malware.rules)
  • 2052230 - ET MALWARE Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) (malware.rules)
  • 2052231 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stripmarrystresew .shop) (malware.rules)
  • 2052232 - ET MALWARE Observed Lumma Stealer Related Domain (stripmarrystresew .shop in TLS SNI) (malware.rules)
  • 2052233 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gnoticiasimparciais .com) (exploit_kit.rules)
  • 2052234 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gnoticiasimparciais .com) (exploit_kit.rules)

Pro:

  • 2856744 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2856745 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2856746 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2856747 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2856748 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2856749 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2856750 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2856751 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2856752 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2856753 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2856754 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2856755 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2856756 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2856757 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856758 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856759 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856760 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856761 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856762 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856763 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856764 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856765 - ETPRO MALWARE Suspected Malicious Remote Screen Session Tunnel Activity (malware.rules)
  • 2856766 - ETPRO MALWARE Malicious Remote Screen Session Tunnel Activity Domain in DNS Lookup (malware.rules)
  • 2856771 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856772 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Modified inactive rules:

  • 2018876 - ET POLICY DNS Query to .onion proxy Domain (onion.cab) (policy.rules)
  • 2022235 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022250 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022251 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022476 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022571 - ET MALWARE Malicious SSL certificate detected (Geodo MITM) (malware.rules)
  • 2022613 - ET MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2022733 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022795 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC) (malware.rules)
  • 2022799 - ET MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2022879 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023006 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023007 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023008 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023010 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023031 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023342 - ET MALWARE Malicious SSL certificate detected (Powershell Trojan) (malware.rules)
  • 2023536 - ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2023543 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023550 - ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2023591 - ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected (malware.rules)
  • 2023639 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023689 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2024246 - ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware) (malware.rules)
  • 2024433 - ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC) (malware.rules)
  • 2024512 - ET MALWARE Observed Malicious Domain SSL Cert in SNI (JS_POWMET) (malware.rules)
  • 2024757 - ET MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2024902 - ET MALWARE Observed Malicious SSL Cert (Snatch CnC) (malware.rules)
  • 2024903 - ET MALWARE Observed Malicious SSL Cert (Snatch CnC) (malware.rules)
  • 2035863 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035872 - ET MALWARE Vidar Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2036338 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036339 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036340 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036341 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036342 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036343 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036344 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036345 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036346 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2037247 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037248 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2812377 - ETPRO MALWARE Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2814750 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2814751 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815043 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2815185 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815186 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815187 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815278 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815291 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2815972 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2816035 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2816405 - ETPRO MALWARE Win32/Tepoyx Malicious SSL Certificate Detected (malware.rules)
  • 2816407 - ETPRO MALWARE Win32/Pawxnic.A Malicious SSL Certificate Detected (malware.rules)
  • 2816671 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2820327 - ETPRO MALWARE Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820482 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820511 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2820593 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820594 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820738 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820739 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820751 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820752 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820789 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820790 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit Injects) (malware.rules)
  • 2820817 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820981 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2821053 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2821141 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit Injects) (malware.rules)
  • 2821180 - ETPRO MALWARE Malicious SSL Certificate Detected (Zloader CnC) (malware.rules)
  • 2821472 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2821525 - ETPRO MALWARE Malicious SSL certificate detected (Zeus Injects) (malware.rules)
  • 2821567 - ETPRO MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2821613 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Banker) (malware.rules)
  • 2821624 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Injects) (malware.rules)
  • 2821625 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Injects) (malware.rules)
  • 2821724 - ETPRO WEB_CLIENT Evil Redirector to EK - Observed Malicious SSL Cert (web_client.rules)
  • 2821808 - ETPRO MALWARE Malicious SSL certificate detected (Dreambot/Gozi CnC) (malware.rules)
  • 2821857 - ETPRO MALWARE Observed Malicious Domain SSL Cert in SNI (Zeus Panda) (malware.rules)
  • 2822222 - ETPRO WEB_CLIENT Evil Redirector to EK - Observed Malicious SSL Cert (web_client.rules)
  • 2822249 - ETPRO WEB_CLIENT Evil Redirector to EK - Observed Malicious SSL Cert (web_client.rules)
  • 2822521 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) (malware.rules)
  • 2822660 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2822694 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda) (malware.rules)
  • 2823202 - ETPRO MALWARE Observed Malicious Domain SSL Cert in SNI (Remoto BR CnC) (malware.rules)
  • 2823244 - ETPRO MALWARE Observed Malicious Ransomware Domain SSL Cert in SNI (Hidden-Tear Variant) (malware.rules)
  • 2823245 - ETPRO MALWARE Observed Malicious Ransomware Domain SSL Cert in SNI (Hidden-Tear Variant) (malware.rules)
  • 2823327 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit CnC) (malware.rules)
  • 2823397 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2823480 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823556 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2823623 - ETPRO MALWARE Observed Malicious SSL Cert (Vawtrak CnC) (malware.rules)
  • 2823657 - ETPRO MALWARE Observed Malicious SSL Cert (JS/Ostap Downloader) (malware.rules)
  • 2823673 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2823703 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2823704 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2823705 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2823775 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824357 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2824448 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit) (malware.rules)
  • 2824478 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824544 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2824546 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit) (malware.rules)
  • 2824548 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824633 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824649 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824690 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2824694 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824913 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824918 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2825032 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825040 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2825386 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Variant) (malware.rules)
  • 2825558 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2826145 - ETPRO MALWARE Malicious SSL Certificate Detected (CobaltStrike Dropper) (malware.rules)
  • 2826437 - ETPRO MALWARE Observed Malicious SSL Cert (Orcus RAT) (malware.rules)
  • 2827131 - ETPRO MALWARE AgentTesla Downloader Malicious Domain in SNI Observed (malware.rules)
  • 2827173 - ETPRO MALWARE Zyklon Malicious Domain in SNI Observed (malware.rules)
  • 2827244 - ETPRO MALWARE Observed Malicious SSL Cert (URLZone CnC) (malware.rules)
  • 2827262 - ETPRO MALWARE Observed Malicious SSL Cert (Evil CoinMiner) (malware.rules)
  • 2827395 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827464 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827743 - ETPRO MALWARE Zloader Domain in SNI (storewideonline) (malware.rules)
  • 2827746 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827764 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827796 - ETPRO MALWARE NetSupport RAT Malicious Domain in SNI Observed (malware.rules)
  • 2827821 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827822 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827823 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827986 - ETPRO MALWARE Observed CoinMiner Downloader in SNI via SSL (malware.rules)
  • 2827991 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828125 - ETPRO MALWARE Observed Ovidiy/Reborn Stealer in SNI via SSL (malware.rules)
  • 2828191 - ETPRO MALWARE Observed Malicious SSL Cert (Fake O356 Installer) (malware.rules)
  • 2828332 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828428 - ETPRO MALWARE Malicious SSL certificate detected (TrickBot C2) (malware.rules)
  • 2828514 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 2 (mobile_malware.rules)
  • 2828515 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 3 (mobile_malware.rules)
  • 2828516 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 4 (mobile_malware.rules)
  • 2828517 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 5 (mobile_malware.rules)
  • 2828518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 6 (mobile_malware.rules)
  • 2828519 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 7 (mobile_malware.rules)
  • 2828520 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 8 (mobile_malware.rules)
  • 2828551 - ETPRO MALWARE Observed Malicious SSL Cert (Spymaster Keylogger Domain) (malware.rules)
  • 2828584 - ETPRO MALWARE Observed Malicious Zeus Panda Domain in SNI (henfobuthis .com) (malware.rules)
  • 2828640 - ETPRO MALWARE Observed Malicious Reypston Ransomware Onion Domain in SNI (7wqzov2j5hkklbw6) (malware.rules)
  • 2828665 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc HTA Download) (malware.rules)
  • 2828666 - ETPRO MALWARE Observed Malicious MalDoc HTA DL Domain In SNI (fbcom .review) (malware.rules)
  • 2829252 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
  • 2829758 - ETPRO MALWARE Shifr/Shurl0cker Ransomware Onion Domain in SNI (u4hp32ms2u6s4x7q) (malware.rules)

Disabled and modified rules:

  • 2016742 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (malware.rules)
  • 2023715 - ET INFO Adobe FDF in HTTP Flowbit Set (info.rules)
  • 2050167 - ET INFO Observed DNS Over HTTPS Domain (fwgw .orangepipc .mywire .org in TLS SNI) (info.rules)
  • 2050168 - ET INFO Observed DNS Over HTTPS Domain (dns .ours .luxe in TLS SNI) (info.rules)
  • 2050169 - ET INFO Observed DNS Over HTTPS Domain (dns .mestdag .fr in TLS SNI) (info.rules)
  • 2050173 - ET INFO Observed DNS Over HTTPS Domain (inde .ragnvindr .org in TLS SNI) (info.rules)
  • 2050254 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benddiscoleideasbridrew .site) (malware.rules)
  • 2050255 - ET MALWARE Observed Lumma Stealer Related Domain (benddiscoleideasbridrew .site in TLS SNI) (malware.rules)
  • 2050256 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lastbishopmultiplyeow .site) (malware.rules)
  • 2050257 - ET MALWARE Observed Lumma Stealer Related Domain (lastbishopmultiplyeow .site in TLS SNI) (malware.rules)
  • 2050258 - ET INFO Observed DNS Over HTTPS Domain (agh-yz .russel053 .com in TLS SNI) (info.rules)
  • 2050259 - ET INFO Observed DNS Over HTTPS Domain (dns .lgprk .com in TLS SNI) (info.rules)
  • 2050261 - ET INFO Observed DNS Over HTTPS Domain (dns .mikrotikrumahan .my .id in TLS SNI) (info.rules)
  • 2050262 - ET INFO Observed DNS Over HTTPS Domain (5g .o0o .re in TLS SNI) (info.rules)
  • 2050265 - ET INFO Observed DNS Over HTTPS Domain (dns .lvolland .fr in TLS SNI) (info.rules)
  • 2050266 - ET INFO Observed DNS Over HTTPS Domain (ns .ral9005 .org in TLS SNI) (info.rules)
  • 2050271 - ET INFO Observed DNS Over HTTPS Domain (adguard .marto .si in TLS SNI) (info.rules)
  • 2050275 - ET INFO Observed DNS Over HTTPS Domain (adguard .mattiafenzi .uk in TLS SNI) (info.rules)
  • 2050277 - ET INFO Observed DNS Over HTTPS Domain (emby .rasp .tv in TLS SNI) (info.rules)
  • 2051762 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (brickbrothjorkyooe .shop) (malware.rules)
  • 2051763 - ET MALWARE Observed Lumma Stealer Related Domain (brickbrothjorkyooe .shop in TLS SNI) (malware.rules)
  • 2806594 - ETPRO WEB_SPECIFIC_APPS Possible Atlassian Crowd Remote File Read Attempt (web_specific_apps.rules)
  • 2806799 - ETPRO INFO SecurityXploded Version Check (info.rules)
  • 2824313 - ETPRO WEB_CLIENT Possible Adobe Reader (CVE-2017-2947) (web_client.rules)
  • 2824720 - ETPRO MALWARE Ursnif JS Downloader Payload Request - Set (malware.rules)
  • 2835860 - ETPRO MALWARE Win32/Clouds.DDoS CnC Checkin (malware.rules)
  • 2836500 - ETPRO MALWARE ELF/Paranoia Bot CnC Checkin (malware.rules)
  • 2836614 - ETPRO MALWARE Win32/Unk.CNBD CnC Checkin (malware.rules)
  • 2836914 - ETPRO MALWARE ELF/Various IoT Botnet CnC Checkin (malware.rules)
  • 2837142 - ETPRO MALWARE APT34 Unk.Implant CnC Beacon (malware.rules)
  • 2849303 - ETPRO POLICY [MS-SRVS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2856508 - ETPRO MALWARE Qbot Related Domain in DNS Lookup (malware.rules)
  • 2856509 - ETPRO MALWARE Observed Qbot Related Domain in TLS SNI (malware.rules)