Ruleset Update Summary - 2024/06/07 - v10612

Ruleset Updates
1

Summary:

25 new OPEN, 25 new PRO (25 + 0)

Thanks @0x6rss, @Sophos

Added rules:

Open:

  • 2053320 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (moderncssframeworks .com) (exploit_kit.rules)
  • 2053321 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (moderncssframeworks .com) (exploit_kit.rules)
  • 2053322 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (jsincloud .com) (exploit_kit.rules)
  • 2053323 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (jsincloud .com) (exploit_kit.rules)
  • 2053324 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (elvesofiax .com) (exploit_kit.rules)
  • 2053325 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (coffeecrumbs .com) (exploit_kit.rules)
  • 2053326 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elvesofiax .com) (exploit_kit.rules)
  • 2053327 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (coffeecrumbs .com) (exploit_kit.rules)
  • 2053328 - ET HUNTING Generic POST with Commmon Control/Escape Character in Filename Parameter - Possible Command Injection Attempt (hunting.rules)
  • 2053329 - ET EXPLOIT HikVision iSecure Center RCE Attempt Inbound (exploit.rules)
  • 2053330 - ET MALWARE DNS Query to Merlin C2 Domain (cloud .keepasses .com) (malware.rules)
  • 2053331 - ET MOBILE_MALWARE Android Botnet CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2053332 - ET MALWARE DNS Query to Merlin C2 Domain (scancenter .trendrealtime .com) (malware.rules)
  • 2053333 - ET MALWARE Observed Merlin C2 Domain (scancenter .trendrealtime .com in TLS SNI) (malware.rules)
  • 2053334 - ET MALWARE Observed Merlin C2 Domain (cloud .keepasses .com in TLS SNI) (malware.rules)
  • 2053335 - ET MALWARE DNS Query to PhantomNet C2 Domain (associate .freeonlinelearning .com) (malware.rules)
  • 2053336 - ET MALWARE Observed PhantomNet C2 Domain (associate .freeonlinelearningtech .com in TLS SNI) (malware.rules)
  • 2053337 - ET MALWARE Observed PhantomNet C2 Domain (associate .freeonlinelearning .com in TLS SNI) (malware.rules)
  • 2053338 - ET MALWARE DNS Query to PhantomNet C2 Domain (associate .freeonlinelearningtech .com) (malware.rules)
  • 2053339 - ET MALWARE DNS Query to CCoreDoor Domain (message .ooguy .com) (malware.rules)
  • 2053340 - ET MALWARE Observed CCoreDoor C2 Domain (message .ooguy .com in TLS SNI) (malware.rules)
  • 2053341 - ET MALWARE DNS Query to PocoProxy C2 Domain (googlespeedtest33 .com) (malware.rules)
  • 2053342 - ET MALWARE Observed PocoProxy C2 Domain (googlespeedtest33 .com in TLS SNI) (malware.rules)
  • 2053343 - ET MALWARE DNS Query to Cobalt Strike Domain (dnsspeedtest2022 .com) (malware.rules)
  • 2053344 - ET MALWARE Observed Cobalt Strike Domain (dnsspeedtest2022 .com in TLS SNI) (malware.rules)