Ruleset Update Summary - 2024/04/29 - v10585

rulesbot · April 29, 2024, 9:20pm

Summary:

17 new OPEN, 19 new PRO (17 + 2)

Thanks @Jane0sint, @ViriBack

Added rules:

Open:

2052279 - ET POLICY Vulnerable Java Version 22.0.x Detected (policy.rules)
2052280 - ET MALWARE Win32/Neshta Variant Related Activity (POST) (malware.rules)
2052281 - ET INFO File Sharing Service Domain in DNS Lookup (onedriveemail .atlassian .net) (info.rules)
2052282 - ET INFO Observed File Sharing Service Domain (onedriveemail .atlassian .net in TLS SNI) (info.rules)
2052283 - ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577) (malware.rules)
2052284 - ET MALWARE Win32/MarioLoader Login Panel (malware.rules)
2052285 - ET MALWARE Possible Royal Road Payload Retrieval Attempt (malware.rules)
2052286 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nanoderecho .com) (exploit_kit.rules)
2052287 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pixelread .com) (exploit_kit.rules)
2052288 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nanoderecho .com) (exploit_kit.rules)
2052289 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pixelread .com) (exploit_kit.rules)
2052290 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apidevst .com) (exploit_kit.rules)
2052291 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apidevst .com) (exploit_kit.rules)
2052292 - ET MALWARE SocGholish Domain in DNS Lookup (premium .davidabostic .com) (malware.rules)
2052293 - ET MALWARE SocGholish Domain in TLS SNI (premium .davidabostic .com) (malware.rules)
2052294 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .demo .betterbuiltdogs .com) (malware.rules)
2052295 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .demo .betterbuiltdogs .com) (malware.rules)

Pro:

2856817 - ETPRO CURRENT_EVENTS Various Malware Related Domain in DNS Lookup (current_events.rules)
2856818 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2019155 - ET MALWARE Possible Zeus GameOver Connectivity Check 2 (malware.rules)
2022716 - ET ADWARE_PUP OSX/Adware.Pirrit CnC Checkin (adware_pup.rules)
2024373 - ET MALWARE Win32/Spectre Ransomware CnC Checkin (malware.rules)
2024417 - ET MALWARE Fake Windows Scam ScreenLocker (malware.rules)
2025089 - ET MALWARE Vawtrak/NeverQuest CnC Beacon (malware.rules)
2048257 - ET MALWARE Ducktail Malware Related Domain in DNS Lookup (ductai .xyz) (malware.rules)
2048258 - ET MALWARE Observed Ducktail Malware Related Domain in TLS SNI (ductai .xyz) (malware.rules)
2050344 - ET INFO Observed DNS Over HTTPS Domain (dns .jundev .org in TLS SNI) (info.rules)
2050346 - ET INFO Observed DNS Over HTTPS Domain (dns .schlagheck .berlin in TLS SNI) (info.rules)
2050348 - ET INFO Observed DNS Over HTTPS Domain (privatnas .servebeer .com in TLS SNI) (info.rules)
2050350 - ET INFO Observed DNS Over HTTPS Domain (dns2 .saferbfc .org in TLS SNI) (info.rules)
2050353 - ET INFO Observed DNS Over HTTPS Domain (dns .scarx .net in TLS SNI) (info.rules)
2050377 - ET INFO Observed DNS Over HTTPS Domain (adguard .sparshbajaj .me in TLS SNI) (info.rules)
2050379 - ET INFO Observed DNS Over HTTPS Domain (dns .scuola .org in TLS SNI) (info.rules)
2050383 - ET INFO Observed DNS Over HTTPS Domain (www .inpssh .online in TLS SNI) (info.rules)
2050399 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vesselspeedcrosswakew .site) (malware.rules)
2050400 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationinchoicer .site) (malware.rules)
2050401 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carvewomanflavourwop .site) (malware.rules)
2050402 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (retainfactorypunishjkw .site) (malware.rules)
2050403 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willpoweragreebokkskiew .site) (malware.rules)
2050408 - ET MALWARE Observed Lumma Stealer Related Domain (brickabsorptiondullyi .site in TLS SNI) (malware.rules)
2050409 - ET MALWARE Observed Lumma Stealer Related Domain (retainfactorypunishjkw .site in TLS SNI) (malware.rules)
2050410 - ET MALWARE Observed Lumma Stealer Related Domain (communicationinchoicer .site in TLS SNI) (malware.rules)
2050411 - ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI) (malware.rules)
2050412 - ET MALWARE Observed Lumma Stealer Related Domain (carvewomanflavourwop .site in TLS SNI) (malware.rules)
2050417 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gearboomchocolateowfs .site) (malware.rules)
2050418 - ET MALWARE Observed Lumma Stealer Related Domain (gearboomchocolateowfs .site in TLS SNI) (malware.rules)
2050467 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (crisisestimatehealtwh .site) (malware.rules)
2050468 - ET MALWARE Observed Lumma Stealer Related Domain (crisisestimatehealtwh .site in TLS SNI) (malware.rules)
2050473 - ET INFO Observed DNS Over HTTPS Domain (dns .f97 .xyz in TLS SNI) (info.rules)
2050475 - ET INFO Observed DNS Over HTTPS Domain (dns .unx .io in TLS SNI) (info.rules)
2050477 - ET INFO Observed DNS Over HTTPS Domain (dns .thebuckners .org in TLS SNI) (info.rules)
2050478 - ET INFO Observed DNS Over HTTPS Domain (dns .hujiayucc .cn in TLS SNI) (info.rules)
2050484 - ET INFO Observed DNS Over HTTPS Domain (ads .hunga1k47 .com in TLS SNI) (info.rules)
2050485 - ET INFO Observed DNS Over HTTPS Domain (dns .huseynov .work in TLS SNI) (info.rules)
2050520 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tonguehypnothesislan .shop) (malware.rules)
2050521 - ET MALWARE Observed Lumma Stealer Related Domain (tonguehypnothesislan .shop in TLS SNI) (malware.rules)
2050530 - ET INFO Observed DNS Over HTTPS Domain (dns .furrydns .de in TLS SNI) (info.rules)
2050531 - ET INFO Observed DNS Over HTTPS Domain (ag .hostme .co .il in TLS SNI) (info.rules)
2050532 - ET INFO Observed DNS Over HTTPS Domain (dns .hugo0 .moe in TLS SNI) (info.rules)
2050533 - ET INFO Observed DNS Over HTTPS Domain (urology .wiki in TLS SNI) (info.rules)
2050535 - ET INFO Observed DNS Over HTTPS Domain (qual .cuprum .ru in TLS SNI) (info.rules)
2050538 - ET INFO Observed DNS Over HTTPS Domain (adguard .lista .my .id in TLS SNI) (info.rules)
2050540 - ET INFO Observed DNS Over HTTPS Domain (dns .lista .my .id in TLS SNI) (info.rules)
2050541 - ET INFO Observed DNS Over HTTPS Domain (home .enjoymylife .net in TLS SNI) (info.rules)
2807878 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.dfmz Checkin (malware.rules)
2809432 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt Request (exploit.rules)
2809433 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt Response (exploit.rules)
2814061 - ETPRO ADWARE_PUP Adware.Cntads Variant Activity (adware_pup.rules)
2815325 - ETPRO MALWARE Andromeda CnC Beacon Fake UA 2 (malware.rules)
2815432 - ETPRO MALWARE Emissary CnC Beacon M2 (malware.rules)
2823915 - ETPRO MALWARE Carbanak VBS/GGLDR CnC Beacon (malware.rules)

Removed rules:

2011296 - ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment (malware.rules)
2023048 - ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016 (phishing.rules)
2026440 - ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent (malware.rules)
2800287 - ETPRO EXPLOIT Microsoft Active Directory LDAP Query Handling Denial of Service (exploit.rules)
2800726 - ETPRO DOS Microsoft Windows MSDTC Denial of Service Vulnerability (dos.rules)
2800727 - ETPRO DOS Microsoft Windows MSDTC Denial of Service Vulnerability (dos.rules)
2835832 - ETPRO MALWARE Evil JavaScript retrieved Apr 12 2019 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/05/29 - v10605 Ruleset Updates	240	May 29, 2024
Ruleset Update Summary - 2024/01/17 - v10508 Ruleset Updates	651	January 17, 2024
Ruleset Update Summary - 2024/01/11 - v10505 Ruleset Updates	651	January 11, 2024
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	368	May 3, 2023
Ruleset Update Summary - 2024/06/03 - v10608 Ruleset Updates	223	June 3, 2024

Ruleset Update Summary - 2024/04/29 - v10585

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics