Ruleset Update Summary - 2024/06/20 - v10622

Ruleset Updates
1

Summary:

35 new OPEN, 40 new PRO (35 + 5)

Thanks @Fortinet

Added rules:

Open:

  • 2053749 - ET MALWARE Win32/ProcessKiller CnC Initialization M2 (malware.rules)
  • 2053750 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (doughtdrillyksow .shop) (malware.rules)
  • 2053751 - ET MALWARE Observed Lumma Stealer Related Domain (doughtdrillyksow .shop in TLS SNI) (malware.rules)
  • 2053752 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (publicitycharetew .shop) (malware.rules)
  • 2053753 - ET MALWARE Observed Lumma Stealer Related Domain (publicitycharetew .shop in TLS SNI) (malware.rules)
  • 2053754 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (facilitycoursedw .shop) (malware.rules)
  • 2053755 - ET MALWARE Observed Lumma Stealer Related Domain (facilitycoursedw .shop in TLS SNI) (malware.rules)
  • 2053756 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bargainnygroandjwk .shop) (malware.rules)
  • 2053757 - ET MALWARE Observed Lumma Stealer Related Domain (bargainnygroandjwk .shop in TLS SNI) (malware.rules)
  • 2053758 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (injurypiggyoewirog .shop) (malware.rules)
  • 2053759 - ET MALWARE Observed Lumma Stealer Related Domain (injurypiggyoewirog .shop in TLS SNI) (malware.rules)
  • 2053760 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (leafcalfconflcitw .shop) (malware.rules)
  • 2053761 - ET MALWARE Observed Lumma Stealer Related Domain (leafcalfconflcitw .shop in TLS SNI) (malware.rules)
  • 2053762 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (computerexcudesp .shop) (malware.rules)
  • 2053763 - ET MALWARE Observed Lumma Stealer Related Domain (computerexcudesp .shop in TLS SNI) (malware.rules)
  • 2053764 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (disappointcredisotw .shop) (malware.rules)
  • 2053765 - ET MALWARE Observed Lumma Stealer Related Domain (disappointcredisotw .shop in TLS SNI) (malware.rules)
  • 2053766 - ET INFO DYNAMIC_DNS Query to a *.nyphp .com Domain (info.rules)
  • 2053767 - ET INFO DYNAMIC_DNS HTTP Request to a *.nyphp .com Domain (info.rules)
  • 2053768 - ET MALWARE DNS Query to ClickFix Related Domain (x8f7a89 .pics) (malware.rules)
  • 2053769 - ET MALWARE DNS Query to ClickFix Related Domain (ndas8m92 .lol) (malware.rules)
  • 2053770 - ET MALWARE DNS Query to ClickFix Related Domain (flynews .us) (malware.rules)
  • 2053771 - ET MALWARE Observed ClickFix Domain (x8f7a89 .pics in TLS SNI) (malware.rules)
  • 2053772 - ET MALWARE Observed ClickFix Domain (ndas8m92 .lol in TLS SNI) (malware.rules)
  • 2053773 - ET MALWARE Observed ClickFix Domain (flynews .us in TLS SNI) (malware.rules)
  • 2053774 - ET MALWARE ClickFix CnC Activity (POST) (malware.rules)
  • 2053775 - ET MALWARE ClickFix Obfuscated Payload Inbound (malware.rules)
  • 2053776 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onecapitalresidences .com) (exploit_kit.rules)
  • 2053777 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onecapitalresidences .com) (exploit_kit.rules)
  • 2053778 - ET MALWARE ZPHP CnC Domain in DNS Lookup (daveiz .top) (malware.rules)
  • 2053779 - ET MALWARE Fickle Stealer C2 Server Tasking (malware.rules)
  • 2053780 - ET MALWARE ZPHP CnC Domain in TLS SNI (daveiz .top) (malware.rules)
  • 2053781 - ET MALWARE Suspected Powershell Empire Activity M1 (malware.rules)
  • 2053782 - ET MALWARE Suspected Powershell Empire Activity M2 (malware.rules)
  • 2053783 - ET MALWARE Suspected Powershell Empire Activity M3 (malware.rules)

Pro:

  • 2857292 - ETPRO EXPLOIT Form Tools 3.1.1 Server Side Template Injection Attempt Inbound (CVE-2024-22722) (exploit.rules)
  • 2857293 - ETPRO MALWARE Malicious Host Domain in DNS Lookup (malware.rules)
  • 2857295 - ETPRO MALWARE Observed Malicious Host Domain in TLS SNI (malware.rules)
  • 2857297 - ETPRO MALWARE TA450 Loader Initial CnC Check-in (malware.rules)
  • 2857298 - ETPRO MALWARE TA450 Loader Successful CnC Response (malware.rules)

Disabled and modified rules:

  • 2053723 - ET INFO DYNAMIC_DNS Query to a *.dyndns-at-home .com Domain (info.rules)
  • 2053724 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-at-home .com Domain (info.rules)