Summary:
41 new OPEN, 96 new PRO (41 + 55)
Thanks @greenplan_it, @AvastThreatLabs, @twinwavesec
Added rules:
Open:
- 2053704 - ET EXPLOIT HikVision Arbitrary Directory Traversal Attempt (exploit.rules)
- 2053705 - ET EXPLOIT [TW] Possible MSXMLHTTP Request (exploit.rules)
- 2053706 - ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution (exploit.rules)
- 2053707 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
- 2053708 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
- 2053709 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (upstatesunflowerfestival .com) (exploit_kit.rules)
- 2053710 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (upstatesunflowerfestival .com) (exploit_kit.rules)
- 2053711 - ET INFO DYNAMIC_DNS Query to .giswebservice .com Domain (info.rules)
- 2053712 - ET INFO DYNAMIC_DNS Query to .afshin .ir Domain (info.rules)
- 2053713 - ET INFO Observed Dynamic DNS Domain ( .giswebservice .com) in TLS SNI (info.rules)
- 2053714 - ET INFO Observed Dynamic DNS Domain ( .afshin .ir) in TLS SNI (info.rules)
- 2053715 - ET INFO DYNAMIC_DNS Query to a *.ivc .org .ar Domain (info.rules)
- 2053716 - ET INFO DYNAMIC_DNS HTTP Request to a *.ivc .org .ar Domain (info.rules)
- 2053717 - ET INFO DYNAMIC_DNS Query to a *.doorsnknobs .net Domain (info.rules)
- 2053718 - ET INFO DYNAMIC_DNS HTTP Request to a *.doorsnknobs .net Domain (info.rules)
- 2053719 - ET INFO DYNAMIC_DNS Query to a *.sabaenergy .com Domain (info.rules)
- 2053720 - ET INFO DYNAMIC_DNS HTTP Request to a *.sabaenergy .com Domain (info.rules)
- 2053721 - ET INFO DYNAMIC_DNS Query to a *.ittqc .com Domain (info.rules)
- 2053722 - ET INFO DYNAMIC_DNS HTTP Request to a *.ittqc .com Domain (info.rules)
- 2053723 - ET INFO DYNAMIC_DNS Query to a *.dyndns-at-home .com Domain (info.rules)
- 2053724 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-at-home .com Domain (info.rules)
- 2053725 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (snaillymarriaggew .shop) (malware.rules)
- 2053726 - ET MALWARE Observed Lumma Stealer Related Domain (snaillymarriaggew .shop in TLS SNI) (malware.rules)
- 2053727 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (thidrsorebahsufll .shop) (malware.rules)
- 2053728 - ET MALWARE Observed Lumma Stealer Related Domain (thidrsorebahsufll .shop in TLS SNI) (malware.rules)
- 2053729 - ET INFO Commonly Actor Abused Online Service Domain (cdn .ethers .io) (info.rules)
- 2053730 - ET INFO Observed Commonly Actor Abused Online Service Domain (cdn .ethers .io in TLS SNI) (info.rules)
- 2053731 - ET MALWARE DNS Query to ClickFix Domain (oazevents .com) (malware.rules)
- 2053732 - ET MALWARE DNS Query to ClickFix Domain (test-1627838 .shop) (malware.rules)
- 2053733 - ET MALWARE Observed ClickFix Domain (oazevents .com in TLS SNI) (malware.rules)
- 2053734 - ET MALWARE Observed ClickFix Domain (test-1627838 .shop in TLS SNI) (malware.rules)
- 2053735 - ET MALWARE DNS Query to ClearFake Domain (zerosoftware .tech) (malware.rules)
- 2053736 - ET MALWARE DNS Query to ClearFake Domain (pchelpsrwizardpro .com) (malware.rules)
- 2053737 - ET MALWARE DNS Query to ClearFake Domain (pchelprwizzards .com) (malware.rules)
- 2053738 - ET MALWARE DNS Query to ClearFake Domain (pchelprowizard .com) (malware.rules)
- 2053739 - ET MALWARE Observed ClearFake Domain (zerosoftware .tech in TLS SNI) (malware.rules)
- 2053740 - ET MALWARE Observed ClearFake Domain (pchelpsrwizardpro .com in TLS SNI) (malware.rules)
- 2053741 - ET MALWARE Observed ClearFake Domain (pchelprwizzards .com in TLS SNI) (malware.rules)
- 2053742 - ET MALWARE Observed ClearFake Domain (pchelprowizard .com in TLS SNI) (malware.rules)
- 2053743 - ET MALWARE DNS Query to ClearFake Domain (ghufal .answermedia .site) (malware.rules)
- 2053744 - ET MALWARE Observed ClearFake Domain (ghufal .answermedia .site in TLS SNI) (malware.rules)
Pro:
- 2857227 - ETPRO MALWARE Win32/ScarletStealer CnC Notify Exfil (malware.rules)
- 2857228 - ETPRO MALWARE Win32/ScarletStealer Exfiltrating Files to CnC (malware.rules)
- 2857229 - ETPRO MALWARE Win32/ScarletStealer Loader Domain in DNS Lookup (malware.rules)
- 2857230 - ETPRO MALWARE Win32/ScarletStealer Loader Domain in TLS SNI (malware.rules)
- 2857235 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857236 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857237 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857239 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857240 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857241 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857242 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857243 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857244 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857245 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857246 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857247 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857248 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857249 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857250 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857251 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857252 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857253 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857254 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857255 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857256 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857257 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857258 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857259 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857260 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857261 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857262 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857263 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857264 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857265 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857266 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857267 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857268 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857269 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857270 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857271 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857272 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857274 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857275 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2857276 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2857277 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2857278 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857279 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2857280 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2857281 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2857282 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857283 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2857284 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2857285 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
Modified inactive rules:
- 2851774 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (malware.rules)
- 2851775 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2039103 - ET MALWARE Suspected Smokeloader Activity (POST) (malware.rules)
- 2051878 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (discovus .com) (exploit_kit.rules)
- 2051879 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mtlaikins .com) (exploit_kit.rules)
- 2051880 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (arquivisticalocal .com) (exploit_kit.rules)
- 2051881 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (discovus .com) (exploit_kit.rules)
- 2051882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mtlaikins .com) (exploit_kit.rules)
- 2051883 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (arquivisticalocal .com) (exploit_kit.rules)
- 2051886 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .schedule .golfballnutz .com) (malware.rules)
- 2051887 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .schedule .golfballnutz .com) (malware.rules)
- 2051900 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ahryssa .com) (exploit_kit.rules)
- 2051901 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (elmworldacademy .com) (exploit_kit.rules)
- 2051902 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (foradopicadeiro .com) (exploit_kit.rules)
- 2051903 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (techyureka .com) (exploit_kit.rules)
- 2051904 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ahryssa .com) (exploit_kit.rules)
- 2051905 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elmworldacademy .com) (exploit_kit.rules)
- 2051906 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (foradopicadeiro .com) (exploit_kit.rules)
- 2051907 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (techyureka .com) (exploit_kit.rules)
- 2051911 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yappiexpress .com) (exploit_kit.rules)
- 2051912 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (emonteiroadm .com) (exploit_kit.rules)
- 2051913 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yappiexpress .com) (exploit_kit.rules)
- 2051914 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (emonteiroadm .com) (exploit_kit.rules)
- 2051939 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edelmiramejiaterapeutacosmica .com) (exploit_kit.rules)
- 2051940 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (replacegarbagedisposal .com) (exploit_kit.rules)
- 2051941 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (edelmiramejiaterapeutacosmica .com) (exploit_kit.rules)
- 2051942 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (replacegarbagedisposal .com) (exploit_kit.rules)
- 2051957 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fairfurryfriends .com) (exploit_kit.rules)
- 2051958 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fairfurryfriends .com) (exploit_kit.rules)
- 2051959 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .pool .hjdeboer .com) (malware.rules)
- 2051965 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .loans .fishingreelinvestments .com) (malware.rules)
- 2051966 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .loans .fishingreelinvestments .com) (malware.rules)
- 2052020 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (infineitsolutions .com) (exploit_kit.rules)
- 2052021 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gitkonus .com) (exploit_kit.rules)
- 2052022 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (infineitsolutions .com) (exploit_kit.rules)
- 2052023 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gitkonus .com) (exploit_kit.rules)
- 2052086 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (akademipraktik .com) (exploit_kit.rules)
- 2052087 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (akademipraktik .com) (exploit_kit.rules)
- 2052088 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .register .arpsychotherapy .com) (malware.rules)
- 2052089 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .register .arpsychotherapy .com) (malware.rules)
- 2052090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jhansgansowen .com) (exploit_kit.rules)
- 2052091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (hlktradecenter .com) (exploit_kit.rules)
- 2052092 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bid2cart .com) (exploit_kit.rules)
- 2052093 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (carlaweishale .com) (exploit_kit.rules)
- 2052094 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jhansgansowen .com) (exploit_kit.rules)
- 2052095 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (hlktradecenter .com) (exploit_kit.rules)
- 2052096 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bid2cart .com) (exploit_kit.rules)
- 2052097 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (carlaweishale .com) (exploit_kit.rules)
- 2052124 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (barhell .com) (exploit_kit.rules)
- 2052125 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betvanced .com) (exploit_kit.rules)
- 2052126 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (barhell .com) (exploit_kit.rules)
- 2052127 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betvanced .com) (exploit_kit.rules)
- 2052130 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kingofdolomites .com) (exploit_kit.rules)
- 2052131 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mmasports786 .com) (exploit_kit.rules)
- 2052132 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onesmartiptv .com) (exploit_kit.rules)
- 2052133 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (beautyservicenearme .com) (exploit_kit.rules)
- 2052134 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (architecture-interior .com) (exploit_kit.rules)
- 2052135 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kingofdolomites .com) (exploit_kit.rules)
- 2052136 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mmasports786 .com) (exploit_kit.rules)
- 2052137 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onesmartiptv .com) (exploit_kit.rules)
- 2052138 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (beautyservicenearme .com) (exploit_kit.rules)
- 2052139 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (architecture-interior .com) (exploit_kit.rules)
- 2052170 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .anesthetics .biomedzglobal .com) (malware.rules)
- 2052171 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .anesthetics .biomedzglobal .com) (malware.rules)
- 2052194 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cuponerachilanga .com) (exploit_kit.rules)
- 2052195 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (svif-venezuela .com) (exploit_kit.rules)
- 2052196 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (go8et .lol) (exploit_kit.rules)
- 2052197 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cuponerachilanga .com) (exploit_kit.rules)
- 2052198 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (svif-venezuela .com) (exploit_kit.rules)
- 2052199 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (go8et .lol) (exploit_kit.rules)
- 2809882 - ETPRO MALWARE Dridex Post Checkin Activity 3 (malware.rules)
- 2857046 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857099 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857130 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)