Ruleset Update Summary - 2024/04/25 - v10583

Summary:

11 new OPEN, 12 new PRO (11 + 1)
Added rules:

Open:

  • 2052265 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) (malware.rules)
  • 2052266 - ET INFO Suspected Pentesting Related Activity (info.rules)
  • 2052267 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) (malware.rules)
  • 2052268 - ET INFO File Sharing Domain (fastupload .io) in DNS Lookup (info.rules)
  • 2052269 - ET INFO Observed File Sharing Domain (fastupload .io) in TLS SNI (info.rules)
  • 2052270 - ET MALWARE Possible LINE RUNNER Backdoor Connection Attempt (malware.rules)
  • 2052271 - ET MALWARE Possible LINE DANCER Backdoor Connection Attempt (malware.rules)
  • 2052272 - ET MALWARE SocGholish Domain in DNS Lookup (muse .krazzykriss .com) (malware.rules)
  • 2052273 - ET MALWARE SocGholish Domain in TLS SNI (muse .krazzykriss .com) (malware.rules)
  • 2052274 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (ipscanadvsf .com) (exploit_kit.rules)
  • 2052275 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (ipscanadvsf .com) (exploit_kit.rules)

Pro:

  • 2856816 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to Fake Update (2832f) (exploit_kit.rules)

Enabled and modified rules:

  • 2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)

Modified inactive rules:

  • 2014209 - ET MALWARE Sykipot SSL Certificate serial number detected (malware.rules)
  • 2014210 - ET MALWARE Sykipot SSL Certificate subject emailAddress detected (malware.rules)
  • 2023509 - ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert (mobile_malware.rules)
  • 2023708 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2808330 - ETPRO MALWARE Win32/SpamTool.Tedroo.BC Self-Signed Cert Serial Number (malware.rules)
  • 2811904 - ETPRO MALWARE Win32/Rozena.NM SSL Cert (malware.rules)
  • 2815458 - ETPRO MOBILE_MALWARE Android/Spy.Agent.RN SSL CnC Cert (mobile_malware.rules)
  • 2815622 - ETPRO MALWARE Sacto SSL Cert (malware.rules)
  • 2815911 - ETPRO MOBILE_MALWARE Android/Xippa.A SSL CnC Cert (mobile_malware.rules)
  • 2816679 - ETPRO MALWARE Unknown Payload SSL Cert (malware.rules)
  • 2819943 - ETPRO MALWARE Gootkit CnC SSL Cert (malware.rules)
  • 2821843 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l SSL CnC Cert 4 (mobile_malware.rules)
  • 2822191 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l SSL CnC Cert 5 (mobile_malware.rules)
  • 2822723 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2822724 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823187 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823203 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823204 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823500 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823659 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2823896 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2824189 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert (mobile_malware.rules)
  • 2825589 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2825590 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2837122 - ETPRO MALWARE SNEAKYFISH SSL Client Hello (malware.rules)

Disabled and modified rules:

  • 2023197 - ET USER_AGENTS Microsoft Edge on Windows 10 SET (user_agents.rules)
  • 2023892 - ET INFO MP4 in HTTP Flowbit Set M2 (info.rules)
  • 2025082 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1 (web_client.rules)
  • 2025083 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2 (web_client.rules)
  • 2025084 - ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3 (web_client.rules)
  • 2025411 - ET INFO Secondary Flash Request Seen (no alert) (info.rules)
  • 2048566 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (climedballon .org) (exploit_kit.rules)
  • 2048567 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (climedballon .org) (exploit_kit.rules)
  • 2048750 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (zxcdota2huysasi .com) (exploit_kit.rules)
  • 2048753 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (zxcdota2huysasi .com) (exploit_kit.rules)
  • 2048950 - ET MALWARE Possible Konni RAT Domain in DNS Lookup (documentoffice .club) (malware.rules)
  • 2049694 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (onewayskateboard .com) (exploit_kit.rules)
  • 2049696 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (onewayskateboard .com) (exploit_kit.rules)
  • 2049714 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (catsndogz .org) (exploit_kit.rules)
  • 2049715 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (catsndogz .org) (exploit_kit.rules)
  • 2049720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (circuspride .org) (exploit_kit.rules)
  • 2049721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (circuspride .org) (exploit_kit.rules)
  • 2049822 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (biggerfun .org) (exploit_kit.rules)
  • 2049825 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (biggerfun .org) (exploit_kit.rules)
  • 2050793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .day .50adayplan .com) (malware.rules)
  • 2050794 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .day .50adayplan .com) (malware.rules)
  • 2050795 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grantallardserver .com) (exploit_kit.rules)
  • 2050796 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (casinovipclubs .com) (exploit_kit.rules)
  • 2050797 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grantallardserver .com) (exploit_kit.rules)
  • 2050798 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (casinovipclubs .com) (exploit_kit.rules)
  • 2050814 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vfxfilmschool .com) (exploit_kit.rules)
  • 2050815 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vfxfilmschool .com) (exploit_kit.rules)
  • 2050946 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jimissupercool .com) (exploit_kit.rules)
  • 2050947 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (myclubpicks .com) (exploit_kit.rules)
  • 2050948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jimissupercool .com) (exploit_kit.rules)
  • 2050949 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (myclubpicks .com) (exploit_kit.rules)
  • 2050950 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .members .openarmscv .com) (malware.rules)
  • 2050951 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .members .openarmscv .com) (malware.rules)
  • 2050980 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s14-nextjs .net) (exploit_kit.rules)
  • 2050981 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (donnows .com) (exploit_kit.rules)
  • 2050982 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s14-nextjs .net) (exploit_kit.rules)
  • 2050983 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (donnows .com) (exploit_kit.rules)
  • 2050984 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (posiit .com) (exploit_kit.rules)
  • 2050985 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (posiit .com) (exploit_kit.rules)
  • 2050986 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (freegeneratorai .com) (exploit_kit.rules)
  • 2050987 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (freegeneratorai .com) (exploit_kit.rules)
  • 2051025 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ads-quantum .com) (exploit_kit.rules)
  • 2051026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ads-quantum .com) (exploit_kit.rules)
  • 2051074 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (machineryideas .com) (exploit_kit.rules)
  • 2051075 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (machineryideas .com) (exploit_kit.rules)
  • 2804799 - ETPRO WEB_CLIENT Microsoft Rich Text File download with vulnerable ListView ActiveX control (web_client.rules)
  • 2804800 - ETPRO WEB_CLIENT Microsoft Rich Text File download with vulnerable TreeView ActiveX control 2 (web_client.rules)
  • 2822100 - ETPRO WEB_CLIENT Possible Microsoft Edge OOB Vulnerablity CVE-2016-3325 (web_client.rules)
  • 2824934 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2984) (web_client.rules)
  • 2824938 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2990) (web_client.rules)
  • 2829953 - ETPRO EXPLOIT_KIT GreenFlash SunDown EK SecondaryFlash Call 2018-03-09 (exploit_kit.rules)
  • 2856564 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
  • 2856565 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856566 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
  • 2856578 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856591 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856775 - ETPRO PHISHING Shein Merchant Related Phish Domain in DNS Lookup (phishing.rules)
  • 2856776 - ETPRO PHISHING Observed Shein Merchant Related Phish Domain in TLS SNI (phishing.rules)

Removed rules:

  • 2850454 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)