Ruleset Update Summary - 2024/06/25 - v10627

rulesbot · June 25, 2024, 9:25pm

Summary:

34 new OPEN, 42 new PRO (34 + 8)

Added rules:

Open:

2053849 - ET USER_AGENTS websocket-sharp User-Agent Observed (user_agents.rules)
2053850 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (divyjai2 .xyz) (exploit_kit.rules)
2053851 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (divyjai2 .xyz) (exploit_kit.rules)
2053852 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aetherial .store) (exploit_kit.rules)
2053853 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bochka-keitaro .space) (exploit_kit.rules)
2053854 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chemsentinel .com) (exploit_kit.rules)
2053855 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (buatywear .store) (exploit_kit.rules)
2053856 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eyesstore .store) (exploit_kit.rules)
2053857 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jonmesserartwork .com) (exploit_kit.rules)
2053858 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (trollsburninginhell .com) (exploit_kit.rules)
2053859 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aetherial .store) (exploit_kit.rules)
2053860 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bochka-keitaro .space) (exploit_kit.rules)
2053861 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chemsentinel .com) (exploit_kit.rules)
2053862 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (buatywear .store) (exploit_kit.rules)
2053863 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eyesstore .store) (exploit_kit.rules)
2053864 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jonmesserartwork .com) (exploit_kit.rules)
2053865 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (trollsburninginhell .com) (exploit_kit.rules)
2053866 - ET INFO DYNAMIC_DNS Query to a *.utdnews .com Domain (info.rules)
2053867 - ET INFO DYNAMIC_DNS HTTP Request to a *.utdnews .com Domain (info.rules)
2053868 - ET INFO DYNAMIC_DNS Query to a *.eduarmor .com Domain (info.rules)
2053869 - ET INFO DYNAMIC_DNS HTTP Request to a *.eduarmor .com Domain (info.rules)
2053870 - ET MALWARE Wordpress Social Warfare Plugin Attempted Admin User Creation (malware.rules)
2053871 - ET MALWARE Wordpress Social Warfare Plugin Exploit C2 Connect Request (POST) (malware.rules)
2053872 - ET MALWARE DNS Query to Wordpress Social Warfare Plugin Supply Chain Attack Related Domain (hostpdf .co) (malware.rules)
2053873 - ET MALWARE Observed Wordpress Social Warfare Plugin Supply Chain Attack Related Domain (hostpdf .co in TLS SNI) (malware.rules)
2053874 - ET ADWARE_PUP DNS Query to CoinMiner Proxy Domain (xmrminingproxy .com) (adware_pup.rules)
2053875 - ET MALWARE Observed CoinMiner Proxy Domain (xmrminingproxy .com in TLS SNI) (malware.rules)
2053876 - ET MALWARE Wordpress Social Warfare Plugin Exploit Payload URI in GET Request (malware.rules)
2053877 - ET WEB_SPECIFIC_APPS ShowDoc File Upload Vulnerability (web_specific_apps.rules)
2053878 - ET WEB_SPECIFIC_APPS Fanwei eMobile File Upload Vulnerability (web_specific_apps.rules)
2053879 - ET MALWARE Wordpress Social Warfare Plugin Exploit Payload Impression Request (malware.rules)
2053880 - ET MALWARE Wordpress Social Warfare Plugin Exploit CMS Users Exfil M1 (malware.rules)
2053881 - ET MALWARE Wordpress Social Warfare Plugin Exploit CMS Users Exfil M2 (malware.rules)
2053882 - ET MALWARE Wordpress Social Warfare Plugin Exploit CMS Users Exfil M3 (malware.rules)

Pro:

2857339 - ETPRO HUNTING HTTP POST Request with Directory Traversal in Generic Parameter M1 (hunting.rules)
2857340 - ETPRO HUNTING HTTP POST Request with Directory Traversal in Generic Parameter M2 (hunting.rules)
2857345 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857346 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857347 - ETPRO MALWARE Win32/SpiceRAT C2 Check-in (malware.rules)
2857348 - ETPRO MALWARE Win32/SpiceRAT C2 Response (malware.rules)
2857349 - ETPRO MALWARE Win32/SpiceRAT Bot Reporting Successful Encrypted Implant Installation to C2 (malware.rules)
2857350 - ETPRO MALWARE Win32/SpiceRAT C2 Reporting Successful Encrypted Implant Installation (malware.rules)

Disabled and modified rules:

2053804 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onecapitalresidences .com) (exploit_kit.rules)
2053807 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onecapitalresidences .com) (exploit_kit.rules)

Removed rules:

2851038 - ETPRO USER_AGENTS Websocket-Sharp User-Agent (websocket-sharp) (user_agents.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/11 - v10643 Ruleset Updates	87	July 11, 2024
Ruleset Update Summary - 2024/08/05 - v10659 Ruleset Updates	137	August 5, 2024
Ruleset Update Summary - 2024/02/19 - v10535 Ruleset Updates	475	February 19, 2024
Ruleset Update Summary - 2024/04/17 - v10577 Ruleset Updates	159	April 17, 2024
Ruleset Update Summary - 2024/11/22 - v10748 Ruleset Updates	39	November 22, 2024

Ruleset Update Summary - 2024/06/25 - v10627

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics