Ruleset Update Summary - 2024/05/29 - v10605

Summary:

81 new OPEN, 81 new PRO (81 + 0)

Thanks @malware_traffic


Added rules:

Open:

  • 2052949 - ET MALWARE Suspected Smokeloader Payload Related Activity (POST) (malware.rules)
  • 2052950 - ET MALWARE Async RAT CnC Activity (GET) (malware.rules)
  • 2052951 - ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webservice Endpoints (CVE-2023-23752) (web_specific_apps.rules)
  • 2052952 - ET INFO File Sharing Domain (d .kuku .lu) in DNS Lookup (info.rules)
  • 2052953 - ET INFO Observed File Sharing Domain (d .kuku .lu) in TLS SNI (info.rules)
  • 2052954 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (abcdefghijkzz123 .servicedesks .net) (malware.rules)
  • 2052955 - ET MALWARE Observed Cobalt Strike Domain (abcdefghijkzz123 .servicedesks .net) in TLS SNI (malware.rules)
  • 2052956 - ET INFO Pastebin-like Service in DNS Lookup (anotepad .com) (info.rules)
  • 2052957 - ET INFO Observed Pastebin-like Service Domain (anotepad .com) in TLS SNI (info.rules)
  • 2052958 - ET MALWARE Unknown Microsoft Office Document Malware Domain in DNS Lookup (sealingshop .click) (malware.rules)
  • 2052959 - ET MALWARE Observed Office Document Malware Domain (sealingshop .click) in TLS SNI (malware.rules)
  • 2052960 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (hcbanking .com) (info.rules)
  • 2052961 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (gmail-online .net) (info.rules)
  • 2052962 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (adobeconnections .com) (info.rules)
  • 2052963 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (sirumuv .com) (info.rules)
  • 2052964 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (isthmiboutique .com) (info.rules)
  • 2052965 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (wrightparkerobrien .biz) (info.rules)
  • 2052966 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (fimotoclub .com) (info.rules)
  • 2052967 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (microsoft-files .link) (info.rules)
  • 2052968 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (office65 .info) (info.rules)
  • 2052969 - ET INFO Honeytrace .io Honeytoken Domain in DNS Lookup (ms365 .group) (info.rules)
  • 2052970 - ET INFO Observed Honeytrace .io Honeytoken Domain (hcbanking .com) in TLS SNI (info.rules)
  • 2052971 - ET INFO Observed Honeytrace .io Honeytoken Domain (gmail-online .net) in TLS SNI (info.rules)
  • 2052972 - ET INFO Observed Honeytrace .io Honeytoken Domain (adobeconnections .com) in TLS SNI (info.rules)
  • 2052973 - ET INFO Observed Honeytrace .io Honeytoken Domain (sirumuv .com) in TLS SNI (info.rules)
  • 2052974 - ET INFO Observed Honeytrace .io Honeytoken Domain (isthmiboutique .com) in TLS SNI (info.rules)
  • 2052975 - ET INFO Observed Honeytrace .io Honeytoken Domain (wrightparkerobrien .biz) in TLS SNI (info.rules)
  • 2052976 - ET INFO Observed Honeytrace .io Honeytoken Domain (fimotoclub .com) in TLS SNI (info.rules)
  • 2052977 - ET INFO Observed Honeytrace .io Honeytoken Domain (microsoft-files .link) in TLS SNI (info.rules)
  • 2052978 - ET INFO Observed Honeytrace .io Honeytoken Domain (office65 .info) in TLS SNI (info.rules)
  • 2052979 - ET INFO Observed Honeytrace .io Honeytoken Domain (ms365 .group) in TLS SNI (info.rules)
  • 2052980 - ET INFO Thinkst Honeytoken Domain in DNS Lookup (o3n .io) (info.rules)
  • 2052981 - ET INFO Observed Thinkst Honeytoken Domain (o3n .io) in TLS SNI (info.rules)
  • 2052982 - ET INFO Observed DNS Over HTTPS Domain (dns .comss .one) in TLS SNI (info.rules)
  • 2052983 - ET INFO Observed DNS Over HTTPS Domain (pdns .krctechnologies .net) in TLS SNI (info.rules)
  • 2052984 - ET INFO Observed DNS Over HTTPS Domain (your-dns .run) in TLS SNI (info.rules)
  • 2052985 - ET INFO Observed DNS Over HTTPS Domain (doh1 .b-cdn .netdoh2 .b-cdn .net) in TLS SNI (info.rules)
  • 2052986 - ET INFO Observed DNS Over HTTPS Domain (resolv1 .trash .net) in TLS SNI (info.rules)
  • 2052987 - ET INFO Observed DNS Over HTTPS Domain (dns .mnet-online .de) in TLS SNI (info.rules)
  • 2052988 - ET INFO Observed DNS Over HTTPS Domain (doh .totoro .pub) in TLS SNI (info.rules)
  • 2052989 - ET INFO Observed DNS Over HTTPS Domain (senpai .pp .ua) in TLS SNI (info.rules)
  • 2052990 - ET INFO Observed DNS Over HTTPS Domain (doh .manish .ltd) in TLS SNI (info.rules)
  • 2052991 - ET INFO Observed DNS Over HTTPS Domain (dns .powerbs .net) in TLS SNI (info.rules)
  • 2052992 - ET INFO Observed DNS Over HTTPS Domain (doh1 .infotek .net .id) in TLS SNI (info.rules)
  • 2052993 - ET INFO Observed DNS Over HTTPS Domain (tirapan .top) in TLS SNI (info.rules)
  • 2052994 - ET INFO Observed DNS Over HTTPS Domain (dns1 .pl .newpangea .de) in TLS SNI (info.rules)
  • 2052995 - ET INFO Observed DNS Over HTTPS Domain (dns .kawa .tf) in TLS SNI (info.rules)
  • 2052996 - ET INFO Observed DNS Over HTTPS Domain (ca .loii .in) in TLS SNI (info.rules)
  • 2052997 - ET INFO Observed DNS Over HTTPS Domain (ns .trcnet .fi) in TLS SNI (info.rules)
  • 2052998 - ET INFO Observed DNS Over HTTPS Domain (dns .wixxm .asia) in TLS SNI (info.rules)
  • 2052999 - ET INFO Observed DNS Over HTTPS Domain (dot .modsh .top) in TLS SNI (info.rules)
  • 2053000 - ET INFO Observed DNS Over HTTPS Domain (nightlymoon .us .kg) in TLS SNI (info.rules)
  • 2053001 - ET INFO Observed DNS Over HTTPS Domain (dns .warpnine .de) in TLS SNI (info.rules)
  • 2053002 - ET INFO Observed DNS Over HTTPS Domain (dns8 .orgn0 .euns3 .comns3 .cxns3 .link) in TLS SNI (info.rules)
  • 2053003 - ET INFO Observed DNS Over HTTPS Domain (vpsus3 .pzhg .me) in TLS SNI (info.rules)
  • 2053004 - ET INFO Observed DNS Over HTTPS Domain (dns .l6 .ee) in TLS SNI (info.rules)
  • 2053005 - ET INFO Observed DNS Over HTTPS Domain (dns .velyn .my .id) in TLS SNI (info.rules)
  • 2053006 - ET INFO Observed DNS Over HTTPS Domain (dns .dyn1 .de) in TLS SNI (info.rules)
  • 2053007 - ET INFO Observed DNS Over HTTPS Domain (dns .diarbagus .id) in TLS SNI (info.rules)
  • 2053008 - ET INFO Observed DNS Over HTTPS Domain (dns .engineer .web .id) in TLS SNI (info.rules)
  • 2053009 - ET INFO Observed DNS Over HTTPS Domain (noad .kipp .cool) in TLS SNI (info.rules)
  • 2053010 - ET INFO Observed DNS Over HTTPS Domain (resolv3 .trash .net) in TLS SNI (info.rules)
  • 2053011 - ET INFO Observed DNS Over HTTPS Domain (testaghome .meshkov .info) in TLS SNI (info.rules)
  • 2053012 - ET INFO Observed DNS Over HTTPS Domain (dns .repinger .my .id) in TLS SNI (info.rules)
  • 2053013 - ET INFO Observed DNS Over HTTPS Domain (resolv2 .trash .net) in TLS SNI (info.rules)
  • 2053014 - ET INFO Observed DNS Over HTTPS Domain (tor .vasi .li) in TLS SNI (info.rules)
  • 2053015 - ET INFO Observed DNS Over HTTPS Domain (dns .nydau .fr) in TLS SNI (info.rules)
  • 2053016 - ET INFO Observed DNS Over HTTPS Domain (dns .saneaki .com) in TLS SNI (info.rules)
  • 2053017 - ET INFO Observed DNS Over HTTPS Domain (signsservers .ru) in TLS SNI (info.rules)
  • 2053018 - ET MALWARE SocGholish Domain in DNS Lookup (scada .paradizeconstruction .com) (malware.rules)
  • 2053019 - ET MALWARE SocGholish Domain in TLS SNI (scada .paradizeconstruction .com) (malware.rules)
  • 2053020 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdnjscloudnetwork .co) (exploit_kit.rules)
  • 2053021 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdnjscloudnetwork .co) (exploit_kit.rules)
  • 2053022 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (burdurpastane .com) (exploit_kit.rules)
  • 2053023 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (079zain .com) (exploit_kit.rules)
  • 2053024 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (1kt8j .com) (exploit_kit.rules)
  • 2053025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (burdurpastane .com) (exploit_kit.rules)
  • 2053026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (079zain .com) (exploit_kit.rules)
  • 2053027 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (1kt8j .com) (exploit_kit.rules)
  • 2053028 - ET MALWARE ZPHP CnC Domain in DNS Lookup (lilygovert91 .top) (malware.rules)
  • 2053029 - ET MALWARE ZPHP CnC Domain in TLS SNI (lilygovert91 .top) (malware.rules)

Enabled and modified rules:

  • 2809850 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (malware.rules)
  • 2809851 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (tcp) (malware.rules)

Modified inactive rules:

  • 2010721 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound (hunting.rules)
  • 2011414 - ET MALWARE Win32/Small.gen!AQ Communication with Controller (malware.rules)
  • 2015818 - ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page (exploit_kit.rules)
  • 2015819 - ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page (exploit_kit.rules)
  • 2016748 - ET MALWARE RansomCrypt Intial Check-in (malware.rules)
  • 2018177 - ET EXPLOIT_KIT OnClick Anti-BOT TDS POST Feb 25 2014 (exploit_kit.rules)
  • 2018793 - ET MALWARE EUPUDS.A Requests for Boleto replacement (malware.rules)
  • 2019100 - ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014 (exploit_kit.rules)
  • 2024008 - ET PHISHING Possible Phishing Redirect Feb 24 2017 (phishing.rules)
  • 2024767 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1 (current_events.rules)
  • 2024768 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2 (current_events.rules)
  • 2026462 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4 (current_events.rules)
  • 2804876 - ETPRO MALWARE Win32/Coswid.A Checkin (malware.rules)