Summary:
5 new OPEN, 7 new PRO (5 + 2)
There will be no rule release on Monday, May 27th, 2024 on account of it being both a US and UK holiday.
Added rules:
Open:
- 2052881 - ET MALWARE Win32/Unknown Loader Related Activity M1 (POST) (malware.rules)
- 2052882 - ET MALWARE Win32/Unknown Loader Related Activity M2 (POST) (malware.rules)
- 2052883 - ET MALWARE Amadey CnC Domain in DNS Lookup (theclientisalwaysright .com) (malware.rules)
- 2052884 - ET MALWARE Observed Amadey Domain (theclientisalwaysright .com in TLS SNI) (malware.rules)
- 2052885 - ET EXPLOIT D-LINK Router DIR-645 / DIR-815 RCE (CVE-2014-100005) (exploit.rules)
Pro:
- 2857030 - ETPRO MALWARE APT36/Transparent Tribe Related Domain in DNS Lookup (malware.rules)
- 2857031 - ETPRO MALWARE Observed APT36/Transparent Tribe Domain in TLS SNI (malware.rules)
Disabled and modified rules:
- 2049142 - ET MALWARE SocGholish Domain in DNS Lookup (sermon .pastorbriantubbs .com) (malware.rules)
- 2049144 - ET MALWARE SocGholish Domain in TLS SNI (sermon .pastorbriantubbs .com) (malware.rules)
- 2049941 - ET MALWARE SocGholish Domain in DNS Lookup (retraining .allstardriving .org) (malware.rules)
- 2049942 - ET MALWARE SocGholish Domain in TLS SNI (retraining .allstardriving .org) (malware.rules)
- 2050071 - ET MALWARE SocGholish Domain in DNS Lookup (surprise .refillpantrysd .com) (malware.rules)
- 2050072 - ET MALWARE SocGholish Domain in TLS SNI (surprise .refillpantrysd .com) (malware.rules)
- 2051092 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
- 2051094 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
- 2051788 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .catching .fishingrealinvestments .com) (malware.rules)
- 2051789 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .catching .fishingrealinvestments .com) (malware.rules)
- 2051792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jsluna .com) (exploit_kit.rules)
- 2051793 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jsluna .com) (exploit_kit.rules)