Ruleset Update Summary - 2024/04/25 - v10583

rulesbot · April 25, 2024, 9:01pm

Summary:

11 new OPEN, 12 new PRO (11 + 1)

Added rules:

Open:

2052265 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) (malware.rules)
2052266 - ET INFO Suspected Pentesting Related Activity (info.rules)
2052267 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) (malware.rules)
2052268 - ET INFO File Sharing Domain (fastupload .io) in DNS Lookup (info.rules)
2052269 - ET INFO Observed File Sharing Domain (fastupload .io) in TLS SNI (info.rules)
2052270 - ET MALWARE Possible LINE RUNNER Backdoor Connection Attempt (malware.rules)
2052271 - ET MALWARE Possible LINE DANCER Backdoor Connection Attempt (malware.rules)
2052272 - ET MALWARE SocGholish Domain in DNS Lookup (muse .krazzykriss .com) (malware.rules)
2052273 - ET MALWARE SocGholish Domain in TLS SNI (muse .krazzykriss .com) (malware.rules)
2052274 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (ipscanadvsf .com) (exploit_kit.rules)
2052275 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (ipscanadvsf .com) (exploit_kit.rules)

Pro:

2856816 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to Fake Update (2832f) (exploit_kit.rules)

Enabled and modified rules:

2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)

Modified inactive rules:

2014209 - ET MALWARE Sykipot SSL Certificate serial number detected (malware.rules)
2014210 - ET MALWARE Sykipot SSL Certificate subject emailAddress detected (malware.rules)
2023509 - ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert (mobile_malware.rules)
2023708 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2808330 - ETPRO MALWARE Win32/SpamTool.Tedroo.BC Self-Signed Cert Serial Number (malware.rules)
2811904 - ETPRO MALWARE Win32/Rozena.NM SSL Cert (malware.rules)
2815458 - ETPRO MOBILE_MALWARE Android/Spy.Agent.RN SSL CnC Cert (mobile_malware.rules)
2815622 - ETPRO MALWARE Sacto SSL Cert (malware.rules)
2815911 - ETPRO MOBILE_MALWARE Android/Xippa.A SSL CnC Cert (mobile_malware.rules)
2816679 - ETPRO MALWARE Unknown Payload SSL Cert (malware.rules)
2819943 - ETPRO MALWARE Gootkit CnC SSL Cert (malware.rules)
2821843 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l SSL CnC Cert 4 (mobile_malware.rules)
2822191 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l SSL CnC Cert 5 (mobile_malware.rules)
2822723 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2822724 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823187 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823203 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823204 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823500 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823659 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2823896 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2824189 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
2825589 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
2825590 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
2837122 - ETPRO MALWARE SNEAKYFISH SSL Client Hello (malware.rules)

Disabled and modified rules:

2023197 - ET USER_AGENTS Microsoft Edge on Windows 10 SET (user_agents.rules)
2023892 - ET INFO MP4 in HTTP Flowbit Set M2 (info.rules)
2025082 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1 (web_client.rules)
2025083 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2 (web_client.rules)
2025084 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3 (web_client.rules)
2025411 - ET INFO Secondary Flash Request Seen (no alert) (info.rules)
2048566 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (climedballon .org) (exploit_kit.rules)
2048567 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (climedballon .org) (exploit_kit.rules)
2048750 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (zxcdota2huysasi .com) (exploit_kit.rules)
2048753 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (zxcdota2huysasi .com) (exploit_kit.rules)
2048950 - ET MALWARE Possible Konni RAT Domain in DNS Lookup (documentoffice .club) (malware.rules)
2049694 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (onewayskateboard .com) (exploit_kit.rules)
2049696 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (onewayskateboard .com) (exploit_kit.rules)
2049714 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (catsndogz .org) (exploit_kit.rules)
2049715 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (catsndogz .org) (exploit_kit.rules)
2049720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (circuspride .org) (exploit_kit.rules)
2049721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (circuspride .org) (exploit_kit.rules)
2049822 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (biggerfun .org) (exploit_kit.rules)
2049825 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (biggerfun .org) (exploit_kit.rules)
2050793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .day .50adayplan .com) (malware.rules)
2050794 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .day .50adayplan .com) (malware.rules)
2050795 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grantallardserver .com) (exploit_kit.rules)
2050796 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (casinovipclubs .com) (exploit_kit.rules)
2050797 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grantallardserver .com) (exploit_kit.rules)
2050798 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (casinovipclubs .com) (exploit_kit.rules)
2050814 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vfxfilmschool .com) (exploit_kit.rules)
2050815 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vfxfilmschool .com) (exploit_kit.rules)
2050946 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jimissupercool .com) (exploit_kit.rules)
2050947 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (myclubpicks .com) (exploit_kit.rules)
2050948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jimissupercool .com) (exploit_kit.rules)
2050949 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (myclubpicks .com) (exploit_kit.rules)
2050950 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .members .openarmscv .com) (malware.rules)
2050951 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .members .openarmscv .com) (malware.rules)
2050980 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s14-nextjs .net) (exploit_kit.rules)
2050981 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (donnows .com) (exploit_kit.rules)
2050982 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s14-nextjs .net) (exploit_kit.rules)
2050983 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (donnows .com) (exploit_kit.rules)
2050984 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (posiit .com) (exploit_kit.rules)
2050985 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (posiit .com) (exploit_kit.rules)
2050986 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (freegeneratorai .com) (exploit_kit.rules)
2050987 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (freegeneratorai .com) (exploit_kit.rules)
2051025 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ads-quantum .com) (exploit_kit.rules)
2051026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ads-quantum .com) (exploit_kit.rules)
2051074 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (machineryideas .com) (exploit_kit.rules)
2051075 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (machineryideas .com) (exploit_kit.rules)
2804799 - ETPRO WEB_CLIENT Microsoft Rich Text File download with vulnerable ListView ActiveX control (web_client.rules)
2804800 - ETPRO WEB_CLIENT Microsoft Rich Text File download with vulnerable TreeView ActiveX control 2 (web_client.rules)
2822100 - ETPRO WEB_CLIENT Possible Microsoft Edge OOB Vulnerablity CVE-2016-3325 (web_client.rules)
2824934 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2984) (web_client.rules)
2824938 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2990) (web_client.rules)
2829953 - ETPRO EXPLOIT_KIT GreenFlash SunDown EK SecondaryFlash Call 2018-03-09 (exploit_kit.rules)
2856564 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
2856565 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856566 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
2856578 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856591 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856775 - ETPRO PHISHING Shein Merchant Related Phish Domain in DNS Lookup (phishing.rules)
2856776 - ETPRO PHISHING Observed Shein Merchant Related Phish Domain in TLS SNI (phishing.rules)

Removed rules:

2850454 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/17 - v10508 Ruleset Updates	519	January 17, 2024
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	302	May 3, 2023
Ruleset Update Summary - 2024/01/11 - v10505 Ruleset Updates	516	January 11, 2024
Ruleset Update Summary - 2024/04/08 - v10570 Ruleset Updates	195	April 8, 2024
Ruleset Update Summary - 2023/05/25 - v10332 Ruleset Updates	277	May 25, 2023

Ruleset Update Summary - 2024/04/25 - v10583

Summary:

Added rules:

Open:

Pro:

Enabled and modified rules:

Modified inactive rules:

Disabled and modified rules:

Removed rules:

Related Topics