Ruleset Update Summary - 2024/05/16 - v10597

Summary:

86 new OPEN, 88 new PRO (86 + 2)

Thanks @pollo290987
Added rules:

Open:

  • 2052634 - ET INFO DNS Query to Abused File Sharing/CRM Domain (flg .to) (info.rules)
  • 2052635 - ET INFO DNS Query to Abused File Sharing/CRM Domain (getflg .com) (info.rules)
  • 2052636 - ET INFO Observed Abused File Sharing/CRM Platform (flg .to in TLS SNI) (info.rules)
  • 2052637 - ET INFO Observed Abused File Sharing/CRM Platform (getflg .com in TLS SNI) (info.rules)
  • 2052638 - ET MALWARE Horabot CnC Host Details Exfil (malware.rules)
  • 2052639 - ET MALWARE DNS Query to Darkgate Domain (savoystocks .com) (malware.rules)
  • 2052640 - ET MALWARE DNS Query to Darkgate Domain (savoystocks .com) (malware.rules)
  • 2052641 - ET MALWARE DNS Query to Darkgate Domain (rockcreekdds .com) (malware.rules)
  • 2052642 - ET MALWARE Horabot Payload Inbound (malware.rules)
  • 2052643 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (filmbondadminoswo .shop) (malware.rules)
  • 2052644 - ET MALWARE Observed Lumma Stealer Related CnC Domain (filmbondadminoswo .shop in TLS SNI) (malware.rules)
  • 2052645 - ET MALWARE TA417 Related Domain in DNS Lookup (operatida .com) (malware.rules)
  • 2052646 - ET MALWARE TA417 Related Domain in DNS Lookup (gelatosg .com) (malware.rules)
  • 2052647 - ET MALWARE TA417 Related Domain in DNS Lookup (lucashnancy .com) (malware.rules)
  • 2052648 - ET MALWARE TA417 Related Domain in DNS Lookup (randaln .com) (malware.rules)
  • 2052649 - ET MALWARE TA417 Related Domain in DNS Lookup (rchitecture .org) (malware.rules)
  • 2052650 - ET MALWARE TA417 Related Domain in DNS Lookup (bakhell .com) (malware.rules)
  • 2052651 - ET MALWARE TA417 Related Domain in DNS Lookup (nestnewhome .com) (malware.rules)
  • 2052652 - ET MALWARE TA417 Related Domain in DNS Lookup (gayionsd .com) (malware.rules)
  • 2052653 - ET MALWARE TA417 Related Domain in DNS Lookup (quadrantbd .com) (malware.rules)
  • 2052654 - ET MALWARE TA417 Related Domain in DNS Lookup (dailteeau .com) (malware.rules)
  • 2052655 - ET MALWARE TA417 Related Domain in DNS Lookup (availitond .com) (malware.rules)
  • 2052656 - ET MALWARE TA417 Related Domain in DNS Lookup (centralizebd .com) (malware.rules)
  • 2052657 - ET MALWARE TA417 Related Domain in DNS Lookup (ccarden .com) (malware.rules)
  • 2052658 - ET MALWARE TA417 Related Domain in DNS Lookup (taishanlaw .com) (malware.rules)
  • 2052659 - ET MALWARE Observed TA417 Domain (operatida .com) in TLS SNI (malware.rules)
  • 2052660 - ET MALWARE Observed TA417 Domain (gelatosg .com) in TLS SNI (malware.rules)
  • 2052661 - ET MALWARE Observed TA417 Domain (lucashnancy .com) in TLS SNI (malware.rules)
  • 2052662 - ET MALWARE Observed TA417 Domain (randaln .com) in TLS SNI (malware.rules)
  • 2052663 - ET MALWARE Observed TA417 Domain (rchitecture .org) in TLS SNI (malware.rules)
  • 2052664 - ET MALWARE Observed TA417 Domain (bakhell .com) in TLS SNI (malware.rules)
  • 2052665 - ET MALWARE Observed TA417 Domain (nestnewhome .com) in TLS SNI (malware.rules)
  • 2052666 - ET MALWARE Observed TA417 Domain (gayionsd .com) in TLS SNI (malware.rules)
  • 2052667 - ET MALWARE Observed TA417 Domain (quadrantbd .com) in TLS SNI (malware.rules)
  • 2052668 - ET MALWARE Observed TA417 Domain (dailteeau .com) in TLS SNI (malware.rules)
  • 2052669 - ET MALWARE Observed TA417 Domain (availitond .com) in TLS SNI (malware.rules)
  • 2052670 - ET MALWARE Observed TA417 Domain (centralizebd .com) in TLS SNI (malware.rules)
  • 2052671 - ET MALWARE Observed TA417 Domain (ccarden .com) in TLS SNI (malware.rules)
  • 2052672 - ET MALWARE Observed TA417 Domain (taishanlaw .com) in TLS SNI (malware.rules)
  • 2052673 - ET INFO Observed DNS over HTTPS Domain (dns4me .net) in TLS SNI (info.rules)
  • 2052674 - ET MALWARE ACR Stealer CnC Checkin Attempt (malware.rules)
  • 2052675 - ET MALWARE ACR Stealer Data Exfiltration Attempt M1 (malware.rules)
  • 2052676 - ET MALWARE ACR Stealer Data Exfiltration Attempt M2 (malware.rules)
  • 2052677 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052678 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052679 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052680 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052681 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052682 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052683 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052684 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052685 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052686 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052687 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052688 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052689 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2052690 - ET MALWARE Observed ACR Stealer Domain (iicc .fun) in TLS SNI (malware.rules)
  • 2052691 - ET MALWARE Observed ACR Stealer Domain (dervinko .biz) in TLS SNI (malware.rules)
  • 2052692 - ET MALWARE Observed ACR Stealer Domain (veronicabal .com) in TLS SNI (malware.rules)
  • 2052693 - ET MALWARE Observed ACR Stealer Domain (frdk .xyz) in TLS SNI (malware.rules)
  • 2052694 - ET MALWARE Observed ACR Stealer Domain (trxu .xyz) in TLS SNI (malware.rules)
  • 2052695 - ET MALWARE Observed ACR Stealer Domain (trxq .xyz) in TLS SNI (malware.rules)
  • 2052696 - ET MALWARE Observed ACR Stealer Domain (frjk .xyz) in TLS SNI (malware.rules)
  • 2052697 - ET MALWARE Observed ACR Stealer Domain (frfk .xyz) in TLS SNI (malware.rules)
  • 2052698 - ET MALWARE Observed ACR Stealer Domain (trxh .xyz) in TLS SNI (malware.rules)
  • 2052699 - ET MALWARE Observed ACR Stealer Domain (frck .xyz) in TLS SNI (malware.rules)
  • 2052700 - ET MALWARE Observed ACR Stealer Domain (frsk .xyz) in TLS SNI (malware.rules)
  • 2052701 - ET MALWARE Observed ACR Stealer Domain (frpk .xyz) in TLS SNI (malware.rules)
  • 2052702 - ET MALWARE Observed ACR Stealer Domain (frgk .xyz) in TLS SNI (malware.rules)
  • 2052703 - ET INFO DNS Query to Abused File Sharing/CRM Domain (pipedrive .com) (info.rules)
  • 2052704 - ET INFO Observed Abused File Sharing/CRM Domain (pipedrive .com) in TLS SNI (info.rules)
  • 2052705 - ET INFO Abused File Sharing/CRM Platform in DNS Lookup (pipedrive-files--pipedrive .com .s3 . .amazonaws .com) (info.rules)
  • 2052706 - ET INFO Observed Abused File Sharing/CRM Platform (pipedrive-files--pipedrive .com .s3 . .amazonaws .com) in TLS SNI (info.rules)
  • 2052707 - ET INFO Request to AI Image Generation Service (info.rules)
  • 2052708 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (modularfunctiondev .com) (exploit_kit.rules)
  • 2052709 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (modularfunctiondev .com) (exploit_kit.rules)
  • 2052710 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (d1x9q8w2e4 .xyz) (exploit_kit.rules)
  • 2052711 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (d1x9q8w2e4 .xyz) (exploit_kit.rules)
  • 2052712 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (redsquardhack .com) (exploit_kit.rules)
  • 2052713 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (penisowners .com) (exploit_kit.rules)
  • 2052714 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (sarkaribook .com) (exploit_kit.rules)
  • 2052715 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (optifitme .com) (exploit_kit.rules)
  • 2052716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (redsquardhack .com) (exploit_kit.rules)
  • 2052717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (penisowners .com) (exploit_kit.rules)
  • 2052718 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (sarkaribook .com) (exploit_kit.rules)
  • 2052719 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (optifitme .com) (exploit_kit.rules)

Pro:

  • 2856960 - ETPRO PHISHING Observed DNS Query to Microsoft Credential Phishing Domain (phishing.rules)
  • 2856961 - ETPRO PHISHING Observed Microsoft Credential Phishing Domain in TLS SNI (phishing.rules)