Ruleset Update Summary - 2024/06/10 - v10613

rulesbot · June 10, 2024, 8:49pm

Summary:

92 new OPEN, 96 new PRO (92 + 4)

Thanks @Horizon3ai

Added rules:

Open:

2053345 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (b9y3b7ner2 .xyz) (exploit_kit.rules)
2053346 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (b9y3b7ner2 .xyz) (exploit_kit.rules)
2053347 - ET MALWARE Observed Glupteba CnC Domain (theupdatetime .org in TLS SNI) (malware.rules)
2053348 - ET INFO DYNAMIC_DNS Query to a *.tharkad .com Domain (info.rules)
2053349 - ET INFO DYNAMIC_DNS HTTP Request to a *.tharkad .com Domain (info.rules)
2053350 - ET INFO DYNAMIC_DNS Query to a *.muguro .com Domain (info.rules)
2053351 - ET INFO DYNAMIC_DNS HTTP Request to a *.muguro .com Domain (info.rules)
2053352 - ET INFO DYNAMIC_DNS Query to a *.it4e .co Domain (info.rules)
2053353 - ET INFO DYNAMIC_DNS HTTP Request to a *.it4e .co Domain (info.rules)
2053354 - ET INFO DYNAMIC_DNS Query to a *.neighborhoodcloud .com Domain (info.rules)
2053355 - ET INFO DYNAMIC_DNS HTTP Request to a *.neighborhoodcloud .com Domain (info.rules)
2053356 - ET INFO DYNAMIC_DNS Query to a *.voorl .com Domain (info.rules)
2053357 - ET INFO DYNAMIC_DNS HTTP Request to a *.voorl .com Domain (info.rules)
2053358 - ET INFO DYNAMIC_DNS Query to a *.hatumena .com Domain (info.rules)
2053359 - ET INFO DYNAMIC_DNS HTTP Request to a *.hatumena .com Domain (info.rules)
2053360 - ET INFO DYNAMIC_DNS Query to a *.lugaro .info Domain (info.rules)
2053361 - ET INFO DYNAMIC_DNS HTTP Request to a *.lugaro .info Domain (info.rules)
2053362 - ET INFO DYNAMIC_DNS Query to a *.neattogo .com Domain (info.rules)
2053363 - ET INFO DYNAMIC_DNS HTTP Request to a *.neattogo .com Domain (info.rules)
2053364 - ET INFO DYNAMIC_DNS Query to a *.freengers .com Domain (info.rules)
2053365 - ET INFO DYNAMIC_DNS HTTP Request to a *.freengers .com Domain (info.rules)
2053366 - ET INFO DYNAMIC_DNS Query to a *.lnbphotography .net Domain (info.rules)
2053367 - ET INFO DYNAMIC_DNS HTTP Request to a *.lnbphotography .net Domain (info.rules)
2053368 - ET INFO DYNAMIC_DNS Query to a [Redacted Vulgar] Domain (info.rules)
2053369 - ET INFO DYNAMIC_DNS HTTP Request to a [Redacted Vulgar] Domain (info.rules)
2053370 - ET INFO DYNAMIC_DNS Query to a *.kingshing .com Domain (info.rules)
2053371 - ET INFO DYNAMIC_DNS HTTP Request to a *.kingshing .com Domain (info.rules)
2053372 - ET INFO DYNAMIC_DNS Query to a *.anteroblue .com Domain (info.rules)
2053373 - ET INFO DYNAMIC_DNS HTTP Request to a *.anteroblue .com Domain (info.rules)
2053374 - ET INFO DYNAMIC_DNS Query to a *.wikilegia .com Domain (info.rules)
2053375 - ET INFO DYNAMIC_DNS HTTP Request to a *.wikilegia .com Domain (info.rules)
2053376 - ET INFO DYNAMIC_DNS Query to a *.nimali .net Domain (info.rules)
2053377 - ET INFO DYNAMIC_DNS HTTP Request to a *.nimali .net Domain (info.rules)
2053378 - ET INFO DYNAMIC_DNS Query to a *.telebazar .pl Domain (info.rules)
2053379 - ET INFO DYNAMIC_DNS HTTP Request to a *.telebazar .pl Domain (info.rules)
2053380 - ET INFO DYNAMIC_DNS Query to a *.25u .com Domain (info.rules)
2053381 - ET INFO DYNAMIC_DNS HTTP Request to a *.25u .com Domain (info.rules)
2053382 - ET INFO DYNAMIC_DNS Query to a *.30x .ru Domain (info.rules)
2053383 - ET INFO DYNAMIC_DNS HTTP Request to a *.30x .ru Domain (info.rules)
2053384 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willingyhollowsk .shop) (malware.rules)
2053385 - ET MALWARE Observed Lumma Stealer Related Domain (willingyhollowsk .shop in TLS SNI) (malware.rules)
2053386 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (muggylasergaijynwjk .shop) (malware.rules)
2053387 - ET MALWARE Observed Lumma Stealer Related Domain (muggylasergaijynwjk .shop in TLS SNI) (malware.rules)
2053388 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (barebrilliancedkoso .shop) (malware.rules)
2053389 - ET MALWARE Observed Lumma Stealer Related Domain (barebrilliancedkoso .shop in TLS SNI) (malware.rules)
2053390 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (flourhishdiscovrw .shop) (malware.rules)
2053391 - ET MALWARE Observed Lumma Stealer Related Domain (flourhishdiscovrw .shop in TLS SNI) (malware.rules)
2053392 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (conferencefreckewl .shop) (malware.rules)
2053393 - ET MALWARE Observed Lumma Stealer Related Domain (conferencefreckewl .shop in TLS SNI) (malware.rules)
2053394 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ohfantasyproclaiwlo .shop) (malware.rules)
2053395 - ET MALWARE Observed Lumma Stealer Related Domain (ohfantasyproclaiwlo .shop in TLS SNI) (malware.rules)
2053396 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (landdumpycolorwskfw .shop) (malware.rules)
2053397 - ET MALWARE Observed Lumma Stealer Related Domain (landdumpycolorwskfw .shop in TLS SNI) (malware.rules)
2053398 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (notoriousdcellkw .shop) (malware.rules)
2053399 - ET MALWARE Observed Lumma Stealer Related Domain (notoriousdcellkw .shop in TLS SNI) (malware.rules)
2053400 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (liabiliytshareodlkv .shop) (malware.rules)
2053401 - ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound (exploit.rules)
2053402 - ET MALWARE Observed Lumma Stealer Related Domain (liabiliytshareodlkv .shop in TLS SNI) (malware.rules)
2053403 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (parallelmercywksoffw .shop) (malware.rules)
2053404 - ET MALWARE Observed Lumma Stealer Related Domain (parallelmercywksoffw .shop in TLS SNI) (malware.rules)
2053405 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vivaciousdqugilew .shop) (malware.rules)
2053406 - ET MALWARE Observed Lumma Stealer Related Domain (vivaciousdqugilew .shop in TLS SNI) (malware.rules)
2053407 - ET MALWARE SocGholish CnC Domain in DNS (* .team .jessicabarrett .com) (malware.rules)
2053408 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .team .jessicabarrett .com) (malware.rules)
2053409 - ET EXPLOIT Hongjing eHR Showmedia.jsp SQL Injection Inbound (exploit.rules)
2053410 - ET EXPLOIT NextGen Mirth Connect <4.4.1 RCE Attempt (CVE-2023-43208) (exploit.rules)
2053411 - ET MALWARE ZPHP CnC Domain in DNS Lookup (psk777 .casa) (malware.rules)
2053412 - ET MALWARE DNS Query to ClearFlake Domain (businessresources .ltd) (malware.rules)
2053413 - ET MALWARE Observed ClearFlake Domain (businessresources .ltd in TLS SNI) (malware.rules)
2053414 - ET MALWARE ZPHP CnC Domain in TLS SNI (psk777 .casa) (malware.rules)
2053415 - ET MALWARE ClearFlake CnC Activity Outbound (source_id) (malware.rules)
2053416 - ET MALWARE ClearFlake CnC Checkin (POST) (malware.rules)
2053417 - ET MALWARE ClearFlake User-Agent Observed (malware.rules)
2053418 - ET MALWARE DNS Query to Lumma Stealer Domain (conferencefreckewl .shop) (malware.rules)
2053419 - ET MALWARE DNS Query to Lumma Stealer Domain (landdumpycolorwskfw .shop) (malware.rules)
2053420 - ET MALWARE DNS Query to Lumma Stealer Domain (liabiliytshareodlkv .shop) (malware.rules)
2053421 - ET MALWARE DNS Query to Lumma Stealer Domain (secretiveonnicuw .shop) (malware.rules)
2053422 - ET MALWARE DNS Query to Lumma Stealer Domain (parallelmercywksoffw .shop) (malware.rules)
2053423 - ET MALWARE DNS Query to Lumma Stealer Domain (flourhishdiscovrw .shop) (malware.rules)
2053424 - ET MALWARE DNS Query to Lumma Stealer Domain (ohfantasyproclaiwlo .shop) (malware.rules)
2053425 - ET MALWARE DNS Query to Lumma Stealer Domain (barebrilliancedkoso .shop) (malware.rules)
2053426 - ET MALWARE DNS Query to Lumma Stealer Domain (notoriousdcellkw .shop) (malware.rules)
2053427 - ET MALWARE Observed Lumma Stealer Domain (conferencefreckewl .shop in TLS SNI) (malware.rules)
2053428 - ET MALWARE Observed Lumma Stealer Domain (landdumpycolorwskfw .shop in TLS SNI) (malware.rules)
2053429 - ET MALWARE Observed Lumma Stealer Domain (liabiliytshareodlkv .shop in TLS SNI) (malware.rules)
2053430 - ET MALWARE Observed Lumma Stealer Domain (secretiveonnicuw .shop in TLS SNI) (malware.rules)
2053431 - ET MALWARE Observed Lumma Stealer Domain (parallelmercywksoffw .shop in TLS SNI) (malware.rules)
2053432 - ET MALWARE Observed Lumma Stealer Domain (flourhishdiscovrw .shop in TLS SNI) (malware.rules)
2053433 - ET MALWARE Observed Lumma Stealer Domain (ohfantasyproclaiwlo .shop in TLS SNI) (malware.rules)
2053434 - ET MALWARE Observed Lumma Stealer Domain (barebrilliancedkoso .shop in TLS SNI) (malware.rules)
2053435 - ET MALWARE Observed Lumma Stealer Domain (notoriousdcellkw .shop in TLS SNI) (malware.rules)
2053436 - ET HUNTING Suspicious Header Name In HTTP Request (U) (hunting.rules)

Pro:

2857158 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857159 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857160 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857161 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)

Disabled and modified rules:

2856998 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/12 - v10644 Ruleset Updates	78	July 12, 2024
Ruleset Update Summary - 2023/08/29 - v10405 Ruleset Updates	268	August 29, 2023
Ruleset Update Summary - 2024/07/11 - v10643 Ruleset Updates	66	July 11, 2024
Ruleset Update Summary - 2024/06/21 - v10624 Ruleset Updates	103	June 21, 2024
Ruleset Update Summary - 2024/01/26 - v10515 Ruleset Updates	204	January 26, 2024

Ruleset Update Summary - 2024/06/10 - v10613

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics