Ruleset Update Summary - 2024/05/29 - v10605

rulesbot · May 29, 2024, 8:28pm

Summary:

81 new OPEN, 81 new PRO (81 + 0)

Thanks @malware_traffic

Added rules:

Open:

2052949 - ET MALWARE Suspected Smokeloader Payload Related Activity (POST) (malware.rules)
2052950 - ET MALWARE Async RAT CnC Activity (GET) (malware.rules)
2052951 - ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webservice Endpoints (CVE-2023-23752) (web_specific_apps.rules)
2052952 - ET INFO File Sharing Domain (d .kuku .lu) in DNS Lookup (info.rules)
2052953 - ET INFO Observed File Sharing Domain (d .kuku .lu) in TLS SNI (info.rules)
2052954 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (abcdefghijkzz123 .servicedesks .net) (malware.rules)
2052955 - ET MALWARE Observed Cobalt Strike Domain (abcdefghijkzz123 .servicedesks .net) in TLS SNI (malware.rules)
2052956 - ET INFO Pastebin-like Service in DNS Lookup (anotepad .com) (info.rules)
2052957 - ET INFO Observed Pastebin-like Service Domain (anotepad .com) in TLS SNI (info.rules)
2052958 - ET MALWARE Unknown Microsoft Office Document Malware Domain in DNS Lookup (sealingshop .click) (malware.rules)
2052959 - ET MALWARE Observed Office Document Malware Domain (sealingshop .click) in TLS SNI (malware.rules)
2052960 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (hcbanking .com) (info.rules)
2052961 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (gmail-online .net) (info.rules)
2052962 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (adobeconnections .com) (info.rules)
2052963 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (sirumuv .com) (info.rules)
2052964 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (isthmiboutique .com) (info.rules)
2052965 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (wrightparkerobrien .biz) (info.rules)
2052966 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (fimotoclub .com) (info.rules)
2052967 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (microsoft-files .link) (info.rules)
2052968 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (office65 .info) (info.rules)
2052969 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (ms365 .group) (info.rules)
2052970 - ET INFO Observed Honeytrace .io Honeytoken Domain (hcbanking .com) in TLS SNI (info.rules)
2052971 - ET INFO Observed Honeytrace .io Honeytoken Domain (gmail-online .net) in TLS SNI (info.rules)
2052972 - ET INFO Observed Honeytrace .io Honeytoken Domain (adobeconnections .com) in TLS SNI (info.rules)
2052973 - ET INFO Observed Honeytrace .io Honeytoken Domain (sirumuv .com) in TLS SNI (info.rules)
2052974 - ET INFO Observed Honeytrace .io Honeytoken Domain (isthmiboutique .com) in TLS SNI (info.rules)
2052975 - ET INFO Observed Honeytrace .io Honeytoken Domain (wrightparkerobrien .biz) in TLS SNI (info.rules)
2052976 - ET INFO Observed Honeytrace .io Honeytoken Domain (fimotoclub .com) in TLS SNI (info.rules)
2052977 - ET INFO Observed Honeytrace .io Honeytoken Domain (microsoft-files .link) in TLS SNI (info.rules)
2052978 - ET INFO Observed Honeytrace .io Honeytoken Domain (office65 .info) in TLS SNI (info.rules)
2052979 - ET INFO Observed Honeytrace .io Honeytoken Domain (ms365 .group) in TLS SNI (info.rules)
2052980 - ET INFO Thinkst Honeytoken Domain in DNS Lookup (o3n .io) (info.rules)
2052981 - ET INFO Observed Thinkst Honeytoken Domain (o3n .io) in TLS SNI (info.rules)
2052982 - ET INFO Observed DNS Over HTTPS Domain (dns .comss .one) in TLS SNI (info.rules)
2052983 - ET INFO Observed DNS Over HTTPS Domain (pdns .krctechnologies .net) in TLS SNI (info.rules)
2052984 - ET INFO Observed DNS Over HTTPS Domain (your-dns .run) in TLS SNI (info.rules)
2052985 - ET INFO Observed DNS Over HTTPS Domain (doh1 .b-cdn .netdoh2 .b-cdn .net) in TLS SNI (info.rules)
2052986 - ET INFO Observed DNS Over HTTPS Domain (resolv1 .trash .net) in TLS SNI (info.rules)
2052987 - ET INFO Observed DNS Over HTTPS Domain (dns .mnet-online .de) in TLS SNI (info.rules)
2052988 - ET INFO Observed DNS Over HTTPS Domain (doh .totoro .pub) in TLS SNI (info.rules)
2052989 - ET INFO Observed DNS Over HTTPS Domain (senpai .pp .ua) in TLS SNI (info.rules)
2052990 - ET INFO Observed DNS Over HTTPS Domain (doh .manish .ltd) in TLS SNI (info.rules)
2052991 - ET INFO Observed DNS Over HTTPS Domain (dns .powerbs .net) in TLS SNI (info.rules)
2052992 - ET INFO Observed DNS Over HTTPS Domain (doh1 .infotek .net .id) in TLS SNI (info.rules)
2052993 - ET INFO Observed DNS Over HTTPS Domain (tirapan .top) in TLS SNI (info.rules)
2052994 - ET INFO Observed DNS Over HTTPS Domain (dns1 .pl .newpangea .de) in TLS SNI (info.rules)
2052995 - ET INFO Observed DNS Over HTTPS Domain (dns .kawa .tf) in TLS SNI (info.rules)
2052996 - ET INFO Observed DNS Over HTTPS Domain (ca .loii .in) in TLS SNI (info.rules)
2052997 - ET INFO Observed DNS Over HTTPS Domain (ns .trcnet .fi) in TLS SNI (info.rules)
2052998 - ET INFO Observed DNS Over HTTPS Domain (dns .wixxm .asia) in TLS SNI (info.rules)
2052999 - ET INFO Observed DNS Over HTTPS Domain (dot .modsh .top) in TLS SNI (info.rules)
2053000 - ET INFO Observed DNS Over HTTPS Domain (nightlymoon .us .kg) in TLS SNI (info.rules)
2053001 - ET INFO Observed DNS Over HTTPS Domain (dns .warpnine .de) in TLS SNI (info.rules)
2053002 - ET INFO Observed DNS Over HTTPS Domain (dns8 .orgn0 .euns3 .comns3 .cxns3 .link) in TLS SNI (info.rules)
2053003 - ET INFO Observed DNS Over HTTPS Domain (vpsus3 .pzhg .me) in TLS SNI (info.rules)
2053004 - ET INFO Observed DNS Over HTTPS Domain (dns .l6 .ee) in TLS SNI (info.rules)
2053005 - ET INFO Observed DNS Over HTTPS Domain (dns .velyn .my .id) in TLS SNI (info.rules)
2053006 - ET INFO Observed DNS Over HTTPS Domain (dns .dyn1 .de) in TLS SNI (info.rules)
2053007 - ET INFO Observed DNS Over HTTPS Domain (dns .diarbagus .id) in TLS SNI (info.rules)
2053008 - ET INFO Observed DNS Over HTTPS Domain (dns .engineer .web .id) in TLS SNI (info.rules)
2053009 - ET INFO Observed DNS Over HTTPS Domain (noad .kipp .cool) in TLS SNI (info.rules)
2053010 - ET INFO Observed DNS Over HTTPS Domain (resolv3 .trash .net) in TLS SNI (info.rules)
2053011 - ET INFO Observed DNS Over HTTPS Domain (testaghome .meshkov .info) in TLS SNI (info.rules)
2053012 - ET INFO Observed DNS Over HTTPS Domain (dns .repinger .my .id) in TLS SNI (info.rules)
2053013 - ET INFO Observed DNS Over HTTPS Domain (resolv2 .trash .net) in TLS SNI (info.rules)
2053014 - ET INFO Observed DNS Over HTTPS Domain (tor .vasi .li) in TLS SNI (info.rules)
2053015 - ET INFO Observed DNS Over HTTPS Domain (dns .nydau .fr) in TLS SNI (info.rules)
2053016 - ET INFO Observed DNS Over HTTPS Domain (dns .saneaki .com) in TLS SNI (info.rules)
2053017 - ET INFO Observed DNS Over HTTPS Domain (signsservers .ru) in TLS SNI (info.rules)
2053018 - ET MALWARE SocGholish Domain in DNS Lookup (scada .paradizeconstruction .com) (malware.rules)
2053019 - ET MALWARE SocGholish Domain in TLS SNI (scada .paradizeconstruction .com) (malware.rules)
2053020 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdnjscloudnetwork .co) (exploit_kit.rules)
2053021 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdnjscloudnetwork .co) (exploit_kit.rules)
2053022 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (burdurpastane .com) (exploit_kit.rules)
2053023 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (079zain .com) (exploit_kit.rules)
2053024 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (1kt8j .com) (exploit_kit.rules)
2053025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (burdurpastane .com) (exploit_kit.rules)
2053026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (079zain .com) (exploit_kit.rules)
2053027 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (1kt8j .com) (exploit_kit.rules)
2053028 - ET MALWARE ZPHP CnC Domain in DNS Lookup (lilygovert91 .top) (malware.rules)
2053029 - ET MALWARE ZPHP CnC Domain in TLS SNI (lilygovert91 .top) (malware.rules)

Enabled and modified rules:

2809850 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (malware.rules)
2809851 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (tcp) (malware.rules)

Modified inactive rules:

2010721 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound (hunting.rules)
2011414 - ET MALWARE Win32/Small.gen!AQ Communication with Controller (malware.rules)
2015818 - ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page (exploit_kit.rules)
2015819 - ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page (exploit_kit.rules)
2016748 - ET MALWARE RansomCrypt Intial Check-in (malware.rules)
2018177 - ET EXPLOIT_KIT OnClick Anti-BOT TDS POST Feb 25 2014 (exploit_kit.rules)
2018793 - ET MALWARE EUPUDS.A Requests for Boleto replacement (malware.rules)
2019100 - ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014 (exploit_kit.rules)
2024008 - ET PHISHING Possible Phishing Redirect Feb 24 2017 (phishing.rules)
2024767 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1 (current_events.rules)
2024768 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2 (current_events.rules)
2026462 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4 (current_events.rules)
2804876 - ETPRO MALWARE Win32/Coswid.A Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/04/29 - v10585 Ruleset Updates	236	April 29, 2024
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	345	November 22, 2023
Ruleset Update Summary - 2024/06/03 - v10608 Ruleset Updates	208	June 3, 2024
Ruleset Update Summary - 2024/04/25 - v10583 Ruleset Updates	564	April 25, 2024
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	353	May 3, 2023

Ruleset Update Summary - 2024/05/29 - v10605

Summary:

Added rules:

Open:

Enabled and modified rules:

Modified inactive rules:

Related Topics