Ruleset Update Summary - 2024/05/08 - v10592

rulesbot · May 8, 2024, 8:27pm

Summary:

19 new OPEN, 21 new PRO (19 + 2)

Thanks @travisbgreen

Added rules:

Open:

2052504 - ET WEB_CLIENT Suspected BeEF Related JS Activity (evercookie) (web_client.rules)
2052505 - ET WEB_CLIENT Suspected BeEF Related JS Activity (css history) (web_client.rules)
2052506 - ET WEB_CLIENT Suspected BeEF Related JS Activity M1 (web_client.rules)
2052507 - ET WEB_CLIENT Suspected BeEF Related JS Activity M2 (web_client.rules)
2052508 - ET WEB_CLIENT BeEF Related JS Activity M3 (web_client.rules)
2052509 - ET WEB_CLIENT BeEF Related JS Activity M4 (web_client.rules)
2052510 - ET INFO Acunetix Web Vulnerability Scanning Serice Domain in DNS Lookup (testphp .vulnweb .com) (info.rules)
2052511 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (currentsilverprice .com) (exploit_kit.rules)
2052512 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (debtavailable .com) (exploit_kit.rules)
2052513 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (listwisconsin .com) (exploit_kit.rules)
2052514 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (teachabletutorials .com) (exploit_kit.rules)
2052515 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (voicelesson .org) (exploit_kit.rules)
2052516 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (waytowealth .org) (exploit_kit.rules)
2052517 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (currentsilverprice .com) (exploit_kit.rules)
2052518 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (debtavailable .com) (exploit_kit.rules)
2052519 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (listwisconsin .com) (exploit_kit.rules)
2052520 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (teachabletutorials .com) (exploit_kit.rules)
2052521 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (voicelesson .org) (exploit_kit.rules)
2052522 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (waytowealth .org) (exploit_kit.rules)

Pro:

2856923 - ETPRO MALWARE UNK_SweetScepter SugarGh0st CnC Domain in DNS Lookup (malware.rules)
2856924 - ETPRO MALWARE UNK_SweetScepter SugarGh0st CnC Domain in TLS SNI (malware.rules)

Disabled and modified rules:

2038700 - ET ADWARE_PUP Win32/ReImageRepair.T CnC Cookie Pattern (adware_pup.rules)
2045070 - ET MALWARE Observed DNSQuery to TA444 Domain (256ventures .us) (malware.rules)
2045851 - ET MALWARE DNS Query to IcedID Domain (kicknocisd .com) (malware.rules)
2045852 - ET MALWARE DNS Query to IcedID Domain (guaracheza .pics) (malware.rules)
2045853 - ET MALWARE DNS Query to IcedID Domain (curabiebarristie .com) (malware.rules)
2045854 - ET MALWARE DNS Query to IcedID Domain (simipimi .com) (malware.rules)
2045855 - ET MALWARE DNS Query to IcedID Domain (belliecow .wiki) (malware.rules)
2045856 - ET MALWARE DNS Query to IcedID Domain (stayersa .art) (malware.rules)
2046791 - ET MALWARE DNS Query to UNK_BisonBooster Domain (booster724 .online) (malware.rules)
2046792 - ET MALWARE DNS Query to UNK_BisonBooster Domain (forsports .xyz) (malware.rules)
2046793 - ET MALWARE DNS Query to UNK_BisonBooster Domain (speedup-pc .online) (malware.rules)
2046922 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (launchruse .com) (malware.rules)
2046923 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (datadog-graph .com) (malware.rules)
2046924 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (alwaysckain .com) (malware.rules)
2046925 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (centos-pkg .org) (malware.rules)
2046926 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (canolagroove .com) (malware.rules)
2046927 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (reggedrobin .com) (malware.rules)
2046928 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (nomadpkgs .com) (malware.rules)
2046929 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (primerosauxiliosperu .com) (malware.rules)
2046930 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (toyourownbeat .com) (malware.rules)
2046931 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (datadog-cloud .com) (malware.rules)
2046932 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (centos-repos .org) (malware.rules)
2046933 - ET MALWARE TraderTraitor CnC Domain in DNS Lookup (nomadpkg .com) (malware.rules)
2046934 - ET MALWARE Observed TraderTraitor Domain (launchruse .com in TLS SNI) (malware.rules)
2046935 - ET MALWARE Observed TraderTraitor Domain (datadog-graph .com in TLS SNI) (malware.rules)
2046936 - ET MALWARE Observed TraderTraitor Domain (alwaysckain .com in TLS SNI) (malware.rules)
2046937 - ET MALWARE Observed TraderTraitor Domain (centos-pkg .org in TLS SNI) (malware.rules)
2046938 - ET MALWARE Observed TraderTraitor Domain (canolagroove .com in TLS SNI) (malware.rules)
2046939 - ET MALWARE Observed TraderTraitor Domain (reggedrobin .com in TLS SNI) (malware.rules)
2046940 - ET MALWARE Observed TraderTraitor Domain (nomadpkgs .com in TLS SNI) (malware.rules)
2046941 - ET MALWARE Observed TraderTraitor Domain (primerosauxiliosperu .com in TLS SNI) (malware.rules)
2046942 - ET MALWARE Observed TraderTraitor Domain (toyourownbeat .com in TLS SNI) (malware.rules)
2046943 - ET MALWARE Observed TraderTraitor Domain (datadog-cloud .com in TLS SNI) (malware.rules)
2046944 - ET MALWARE Observed TraderTraitor Domain (centos-repos .org in TLS SNI) (malware.rules)
2046945 - ET MALWARE Observed TraderTraitor Domain (nomadpkg .com in TLS SNI) (malware.rules)
2051954 - ET INFO Observed DNS Over HTTPS Domain (voyage-s01 .cloudku .technology in TLS SNI) (info.rules)
2827062 - ETPRO WEB_CLIENT Tech Support Scam Landing Jul 07 2017 (web_client.rules)
2828027 - ETPRO EXPLOIT_KIT GrandSoft EK Exploit Usage Sep 22 2017 (exploit_kit.rules)
2828029 - ETPRO EXPLOIT_KIT GrandSoft EK Possible CVE-2016-0198 Exploit Usage Sep 22 2017 (exploit_kit.rules)
2828030 - ETPRO EXPLOIT_KIT GrandSoft EK Exploit Usage M2 Sep 22 2017 (exploit_kit.rules)
2829923 - ETPRO MALWARE Observed MSIL/XRoS CnC Domain in TLS SNI (malware.rules)
2829951 - ETPRO MALWARE Observed Malicious Domain SSL Cert in SNI (Zyklon HTTP CnC) (malware.rules)
2830502 - ETPRO EXPLOIT_KIT Grandsoft EK Exploit Request 2018-04-20 (exploit_kit.rules)
2833902 - ETPRO MALWARE Async RAT CnC Keep-Alive (malware.rules)
2834170 - ETPRO MALWARE MSIL/Crimson CnC Server Command (cscreen) (malware.rules)
2834412 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound Leading to EK (9d5e3) (exploit_kit.rules)
2835592 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound Leading to EK (3f78a) (exploit_kit.rules)
2844562 - ETPRO USER_AGENTS Observed Malicious User-Agent (HttpRat) (user_agents.rules)
2845197 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (3980a) (web_client.rules)
2851114 - ETPRO MALWARE Win32/OnlyLogger Connectivity Check M2 (malware.rules)
2851740 - ETPRO MALWARE Powershell Pak-Loader Download (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/06/10 - v10613 Ruleset Updates	152	June 10, 2024
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	268	August 29, 2023
Ruleset Update Summary - 2024/06/21 - v10624 Ruleset Updates	107	June 21, 2024
Ruleset Update Summary - 2024/07/11 - v10643 Ruleset Updates	73	July 11, 2024
Ruleset Update Summary - 2024/07/12 - v10644 Ruleset Updates	84	July 12, 2024

Ruleset Update Summary - 2024/05/08 - v10592

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics