Ruleset Update Summary - 2024/04/24 - v10582

Summary:

17 new OPEN, 20 new PRO (17 + 3)

Thanks @crep1x
Added rules:

Open:

  • 2052248 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) (malware.rules)
  • 2052249 - ET CURRENT_EVENTS Various Malware Related Domain in DNS Lookup (adobeacrobatreaderupdate .net) (current_events.rules)
  • 2052250 - ET CURRENT_EVENTS Observed Various Malware Related Domain (adobeacrobatreaderupdate .net in TLS SNI) (current_events.rules)
  • 2052251 - ET MALWARE WaveStealer Related CnC Domain in DNS Lookup (wavebysudryez .fr) (malware.rules)
  • 2052252 - ET MALWARE Observed WaveStealer Related Domain (wavebysudryez .fr in TLS SNI) (malware.rules)
  • 2052253 - ET MALWARE WaveStealer Related CnC Domain in DNS Lookup (wave-assistant .com) (malware.rules)
  • 2052254 - ET MALWARE Observed WaveStealer Related Domain (wave-assistant .com in TLS SNI) (malware.rules)
  • 2052255 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (blockbeerman .fun) (malware.rules)
  • 2052256 - ET MALWARE Observed Lumma Stealer Related Domain (blockbeerman .fun in TLS SNI) (malware.rules)
  • 2052257 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns2 .lonet .org in TLS SNI) (info.rules)
  • 2052258 - ET INFO Observed DNS Over HTTPS Domain (b-ii .com in TLS SNI) (info.rules)
  • 2052259 - ET INFO Observed DNS Over HTTPS Domain (bl .eq .md in TLS SNI) (info.rules)
  • 2052260 - ET INFO Observed DNS Over HTTPS Domain (dns .enzonix .com in TLS SNI) (info.rules)
  • 2052261 - ET MALWARE Win32/ProcessKiller Payload Retrieval Attempt (malware.rules)
  • 2052262 - ET MALWARE Win32/ProcessKiller CnC Initialization (malware.rules)
  • 2052263 - ET MALWARE Win32/ProcessKiller CnC - Client Side (malware.rules)
  • 2052264 - ET MALWARE Win32/ProcessKiller CnC - Server Side (malware.rules)

Pro:

  • 2856775 - ETPRO PHISHING Shein Merchant Related Phish Domain in DNS Lookup (phishing.rules)
  • 2856776 - ETPRO PHISHING Observed Shein Merchant Related Phish Domain in TLS SNI (phishing.rules)
  • 2856777 - ETPRO MALWARE NetSupport RAT Related Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2016795 - ET MALWARE TROJ_NAIKON.A SSL Cert (malware.rules)
  • 2018005 - ET MALWARE Possible Upatre Downloader SSL certificate (fake org) (malware.rules)
  • 2018767 - ET MALWARE Malicious SSL Cert (KINS C2) (malware.rules)
  • 2018852 - ET MALWARE Malicious SSL Cert (KINS C2) (malware.rules)
  • 2018896 - ET MALWARE BitcoinMiner C2 SSL Cert (malware.rules)
  • 2019086 - ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014 (malware.rules)
  • 2019503 - ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host (current_events.rules)
  • 2019505 - ET MALWARE BlackEnergy SSL Cert (malware.rules)
  • 2019635 - ET MALWARE ROM/BackOff C2 SSL Cert (malware.rules)
  • 2019646 - ET MALWARE Bedep SSL Cert (malware.rules)
  • 2020033 - ET MALWARE Possible Trojan.Nurjax SSL Cert (malware.rules)
  • 2020243 - ET MALWARE Scieron Possible SSL Cert (malware.rules)
  • 2020492 - ET MALWARE SuperFish Possible SSL Cert CnC Traffic (malware.rules)
  • 2020712 - ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert (adware_pup.rules)
  • 2020736 - ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains (current_events.rules)
  • 2020866 - ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com (malware.rules)
  • 2021015 - ET MALWARE Win32/Ruckguv.A SSL Cert (malware.rules)
  • 2021061 - ET MALWARE Ursnif SSL Cert (malware.rules)
  • 2021097 - ET MALWARE Win32/Ruckguv.A SSL Cert (malware.rules)
  • 2021134 - ET MALWARE JavaScriptBackdoor SSL Cert (malware.rules)
  • 2021145 - ET MALWARE Likely Dridex SSL Cert (malware.rules)
  • 2021279 - ET MALWARE Backdoor.Elise SSL Cert (malware.rules)
  • 2021370 - ET MALWARE Dridex SSL Cert 30 June 2015 (malware.rules)
  • 2021372 - ET MALWARE Dridex SSL Cert 1 July 2015 (malware.rules)
  • 2021388 - ET MALWARE Likely Dridex SSL Cert (malware.rules)
  • 2021518 - ET MALWARE Likely Dridex SSL Cert (malware.rules)
  • 2021615 - ET MALWARE Dridex Downloader SSL Certificate (malware.rules)
  • 2022327 - ET MALWARE BlackEnergy SSL Cert (malware.rules)
  • 2022888 - ET MALWARE Malicious SSL Certificate Detected (Bancos C2) (malware.rules)
  • 2023536 - ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2024613 - ET MALWARE OSX.Pwnet.A Certificate Observed (malware.rules)
  • 2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
  • 2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)
  • 2026774 - ET INFO DNS Over TLS Request Outbound (info.rules)
  • 2805942 - ETPRO INFO SSL server Hello certificate Internet Widgits Pty Ltd State or Province name Some-State (info.rules)
  • 2808509 - ETPRO ADWARE_PUP PUP Win32/Soft32Downloader.D SSL Cert Observed (adware_pup.rules)
  • 2809294 - ETPRO MALWARE Possible Win32/ProxyChanger.EO SSL Cert (malware.rules)
  • 2809899 - ETPRO MALWARE Trojan-Ransom.Win32.Foreign.lrov SSL Certificate (malware.rules)
  • 2811050 - ETPRO MALWARE Likely Dridex Generic SSL Cert (malware.rules)
  • 2811654 - ETPRO ADWARE_PUP AdWare.Win32.Majuwe.A SSL Cert (adware_pup.rules)
  • 2812098 - ETPRO MALWARE Java/Adwind SSL Cert (malware.rules)
  • 2812549 - ETPRO MALWARE Possible Backdoor.Telnneru SSL Cert (malware.rules)
  • 2814059 - ETPRO MALWARE Pupy RAT SSL Cert (malware.rules)
  • 2815315 - ETPRO MALWARE Gootkit Malicious SSL Cert Dec 10 (malware.rules)
  • 2815320 - ETPRO MALWARE Evil SSL Cert Used By Unknown Trojan Dec 10 2015 (malware.rules)
  • 2815333 - ETPRO MALWARE Gootkit Injects SSL Cert (malware.rules)
  • 2815334 - ETPRO MALWARE Gootkit CnC SSL Cert (malware.rules)
  • 2815406 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815622 - ETPRO MALWARE Sacto SSL Cert (malware.rules)
  • 2815771 - ETPRO MALWARE Ixeshe SSL Cert (malware.rules)
  • 2815945 - ETPRO MALWARE Observed Malvertising Domain SSL Cert (malware.rules)
  • 2815986 - ETPRO MALWARE Dridex Fakes/Redirects SSL Cert (malware.rules)
  • 2816002 - ETPRO MALWARE Observed Malvertising Domain SSL Cert (malware.rules)
  • 2816003 - ETPRO MALWARE Observed Malvertising Domain SSL Cert (malware.rules)
  • 2816004 - ETPRO MALWARE Observed Malvertising Domain SSL Cert (malware.rules)
  • 2816036 - ETPRO MALWARE Dridex Fakes SSL Cert (malware.rules)
  • 2816046 - ETPRO MALWARE Dridex Fakes/Redirects SSL Cert (malware.rules)
  • 2816048 - ETPRO MALWARE Gootkit CnC SSL Cert (malware.rules)
  • 2816079 - ETPRO MALWARE Dridex Downloader SSL Cert (malware.rules)
  • 2816232 - ETPRO WEB_CLIENT SSL Redirector Leading to EK Feb 13 2016 (web_client.rules)
  • 2816333 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2816708 - ETPRO MALWARE Observed Malvertizing Domain SSL Cert (malware.rules)
  • 2816750 - ETPRO MALWARE Observed Malvertising Domain SSL Cert in Client Hello (malware.rules)
  • 2816758 - ETPRO MALWARE Ursnif Injects Domain in SSL Client Hello (malware.rules)
  • 2816761 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2816762 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2816786 - ETPRO MALWARE Ransom MSIL/Ryzerlo.A SSL Cert Observed (malware.rules)
  • 2816798 - ETPRO MALWARE Observerd Malvertising Domain SSL Cert (malware.rules)
  • 2816834 - ETPRO MALWARE Observed Malvertizing Domain SSL Cert (malware.rules)
  • 2816835 - ETPRO MALWARE Observed Malvertizing Domain SSL Cert (malware.rules)
  • 2816894 - ETPRO MALWARE Observed Malvertising Domain SSL Cert in Client Hello (malware.rules)
  • 2819914 - ETPRO MALWARE Jupiter Banker Injects Domain in SSL Client Hello (malware.rules)
  • 2820589 - ETPRO PHISHING Mailbox Update HTTPS Phishing Domain Jun 13 (phishing.rules)
  • 2820953 - ETPRO MALWARE SBDH Toolkit SSL Cert (malware.rules)
  • 2822576 - ETPRO MALWARE StrongPity SSL Cert 2 (malware.rules)
  • 2824636 - ETPRO MALWARE Possible Malicious SSL - Default Values and Serial 0 (Ursnif CnC) (malware.rules)
  • 2825680 - ETPRO MALWARE Observed Malicious JS Downloader SSL Cert (malware.rules)
  • 2825681 - ETPRO MALWARE Observed Malicious JS Downloader SSL Cert (malware.rules)
  • 2826279 - ETPRO MALWARE ZLoader Malicious SSL Cert Observed (malware.rules)
  • 2826407 - ETPRO MALWARE Hidden-Tear Ransomware Variant Malicious SSL Cert Observed (malware.rules)
  • 2826927 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Jun 28 2017 (SSL Cert) (web_client.rules)
  • 2827125 - ETPRO MALWARE LockPOS SSL Cert Jul 13 2017 (malware.rules)
  • 2827126 - ETPRO MALWARE LockPOS SSL Cert Jul 13 2017 (malware.rules)
  • 2827261 - ETPRO MALWARE PoshC2 SSL Cert Observed (malware.rules)
  • 2828078 - ETPRO MOBILE_MALWARE Android-Trojan/Marcher.5ad46 SSL CnC Cert (mobile_malware.rules)
  • 2828320 - ETPRO MALWARE Ursnif SSL Certificate (malware.rules)
  • 2828352 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert 14 (mobile_malware.rules)

Disabled and modified rules:

  • 2014500 - ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain (info.rules)
  • 2022055 - ET INFO PK/Compressed doc/JAR header (info.rules)
  • 2023713 - ET INFO MP4 in HTTP Flowbit Set (info.rules)
  • 2023900 - ET INFO MP4 in HTTP Flowbit Set M3 (info.rules)
  • 2024690 - ET WEB_CLIENT Download of .MOV Content flowbit set (web_client.rules)
  • 2029745 - ET POLICY File Downloaded via ge.tt Filesharing Service (policy.rules)
  • 2051772 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (prematuresolvehumoew .shop) (malware.rules)
  • 2051773 - ET MALWARE Observed Lumma Stealer Related Domain (prematuresolvehumoew .shop in TLS SNI) (malware.rules)
  • 2051774 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (spokespersonunjuriwo .shop) (malware.rules)
  • 2051775 - ET MALWARE Observed Lumma Stealer Related Domain (spokespersonunjuriwo .shop in TLS SNI) (malware.rules)
  • 2051777 - ET INFO Observed DNS Over HTTPS Domain (agent .frankutils .xyz in TLS SNI) (info.rules)
  • 2051778 - ET INFO Observed DNS Over HTTPS Domain (dns .ipty .de in TLS SNI) (info.rules)
  • 2051779 - ET INFO Observed DNS Over HTTPS Domain (dns .r9x .cc in TLS SNI) (info.rules)
  • 2051780 - ET INFO Observed DNS Over HTTPS Domain (adguard .jakinet .id in TLS SNI) (info.rules)
  • 2051781 - ET INFO Observed DNS Over HTTPS Domain (dns1 .saferbfc .org in TLS SNI) (info.rules)
  • 2052213 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) (malware.rules)
  • 2800868 - ETPRO EXPLOIT Powerpoint Download (exploit.rules)
  • 2800869 - ETPRO EXPLOIT Microsoft Office PowerPoint Download Verification (exploit.rules)
  • 2804809 - ETPRO INFO DYNAMIC_DNS Query to *.gicp.net Domain (info.rules)
  • 2810411 - ETPRO MALWARE ge.tt file malicious extension download (malware.rules)
  • 2810412 - ETPRO MALWARE ge.tt PE EXE or DLL Windows file download (malware.rules)
  • 2814823 - ETPRO WEB_CLIENT Microsoft Excel RCE (CVE-2015-6038) 1 (web_client.rules)
  • 2814824 - ETPRO WEB_CLIENT Microsoft Excel RCE (CVE-2015-6038 2) (web_client.rules)
  • 2814825 - ETPRO WEB_CLIENT Microsoft Excel RCE (CVE-2015-6038) (web_client.rules)
  • 2815092 - ETPRO MALWARE Likely Malicious SWF Beacon Requesting Exploit (malware.rules)
  • 2824302 - ETPRO WEB_CLIENT Possible Adobe Flash mp4 parsing OOB Memory Access (CVE-2017-2926) (web_client.rules)
  • 2824935 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M3 (CVE-2017-2984) (web_client.rules)
  • 2824937 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2990) (web_client.rules)
  • 2824940 - ETPRO EXPLOIT Flash Player Memory Corruption (CVE-2017-2991) (exploit.rules)
  • 2827898 - ETPRO EXPLOIT MP4 Atom Parser Vulnerability Inbound M2 (CVE-2017-11281) (exploit.rules)
  • 2849335 - ETPRO POLICY [MS-RPRN/SPOOLSS] DCERPC Bind_ack (flowbit set) (policy.rules)