Ruleset Update Summary - 2024/05/21 - v10600

Summary:

26 new OPEN, 29 new PRO (26 + 3)

Thanks @travisbgreen, @naumovax, @Redcanary


Added rules:

Open:

  • 2052794 - ET WEB_SERVER SQLi - SELECT and sysobject M2 (web_server.rules)
  • 2052795 - ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns M2 (web_server.rules)
  • 2052796 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer M2 (web_server.rules)
  • 2052797 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer M3 (web_server.rules)
  • 2052798 - ET INFO DNS Query to Commonly Actor Abused Online Service (passproviders .com) (info.rules)
  • 2052799 - ET INFO DNS Query to Commonly Actor Abused Online Service (arkinfo .in) (info.rules)
  • 2052800 - ET INFO Commonly Actor Abused Online Service Domain (passproviders .com in TLS SNI) (info.rules)
  • 2052801 - ET INFO Commonly Actor Abused Online Service Domain (arkinfo .in in TLS SNI) (info.rules)
  • 2052802 - ET MALWARE DNS Query to Winnti Domain (linuxrelease .org) (malware.rules)
  • 2052803 - ET MALWARE Observed Winnti Domain (linuxrelease .org in TLS SNI) (malware.rules)
  • 2052804 - ET MALWARE Winnti CnC Activity (Outbound) (malware.rules)
  • 2052805 - ET MALWARE Winnti CnC Activity (Inbound) (malware.rules)
  • 2052806 - ET HUNTING Possible Fake Nintendo User-Agent Observed (hunting.rules)
  • 2052807 - ET MALWARE DNS Query to Malicious Domain (storagedsolutions .azurefd .net) (malware.rules)
  • 2052808 - ET MALWARE Observed Malicious Domain (storagedsolutions .azurefd .net in TLS SNI) (malware.rules)
  • 2052809 - ET MALWARE Observed Malicious Domain (storagedsolutions .azurefd .net in TLS SNI) (malware.rules)
  • 2052810 - ET MALWARE x64/AWAVATVWSH Malware CnC Activity (POST) (malware.rules)
  • 2052811 - ET MALWARE x64/AWAVATVWSH Malware CnC Response (malware.rules)
  • 2052812 - ET MALWARE AnonymousRAT Payload Retrieval Attempt (malware.rules)
  • 2052813 - ET INFO Dropbox paper Document Request Observed (info.rules)
  • 2052814 - ET INFO Observed Dropbox paper Domain (paper-attachments .dropboxusercontent .com) in DNS Query (info.rules)
  • 2052815 - ET INFO Observed Dropbox paper Domain (paper-attachments .dropboxusercontent .com) in TLS SNI (info.rules)
  • 2052816 - ET INFO Observed Dropbox paper Domain (paper .dropbox .com) in DNS Lookup (info.rules)
  • 2052817 - ET INFO Observed Dropbox paper Domain (paper .dropbox .com) in TLS SNI (info.rules)
  • 2052818 - ET INFO Observed Dropbox paper Domain (paperusercontent .com) in DNS Lookup (info.rules)
  • 2052819 - ET INFO Observed Dropbox paper Domain (paperusercontent .com) in TLS SNI (info.rules)

Pro:

  • 2857001 - ETPRO MALWARE DNS Query to UNK APT Domain (malware.rules)
  • 2857002 - ETPRO MALWARE Observed UNK APT Domain in TLS SNI (malware.rules)
  • 2857003 - ETPRO MALWARE Possible UNK APT Group URI Pattern (malware.rules)

Disabled and modified rules:

  • 2845266 - ETPRO PHISHING Successful PrimaBanka Phish 2020-11-02 (phishing.rules)