Ruleset Update Summary - 2024/06/27 - v10630

Summary:

31 new OPEN, 33 new PRO (31 + 2)

Added rules:

Open:

  • 2054074 - ET EXPLOIT Kingdee Cloud Star Deserialization Vulnerability (exploit.rules)
  • 2054075 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jaipurstylo .com) (exploit_kit.rules)
  • 2054076 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (sarahkatherinelewis .com) (exploit_kit.rules)
  • 2054077 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jaipurstylo .com) (exploit_kit.rules)
  • 2054078 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (sarahkatherinelewis .com) (exploit_kit.rules)
  • 2054079 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (constructgeneratisa .xyz) (malware.rules)
  • 2054080 - ET MALWARE Observed Lumma Stealer Related Domain (constructgeneratisa .xyz in TLS SNI) (malware.rules)
  • 2054081 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (exertcreatedadnndjw .xyz) (malware.rules)
  • 2054082 - ET MALWARE Observed Lumma Stealer Related Domain (exertcreatedadnndjw .xyz in TLS SNI) (malware.rules)
  • 2054083 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (panameradovkews .xyz) (malware.rules)
  • 2054084 - ET MALWARE Observed Lumma Stealer Related Domain (panameradovkews .xyz in TLS SNI) (malware.rules)
  • 2054085 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (manufactiredowreachhd .xyz) (malware.rules)
  • 2054086 - ET MALWARE Observed Lumma Stealer Related Domain (manufactiredowreachhd .xyz in TLS SNI) (malware.rules)
  • 2054087 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gloomopiniosnforuw .xyz) (malware.rules)
  • 2054088 - ET MALWARE Observed Lumma Stealer Related Domain (gloomopiniosnforuw .xyz in TLS SNI) (malware.rules)
  • 2054089 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (slammyslideplanntywks .xyz) (malware.rules)
  • 2054090 - ET MALWARE Observed Lumma Stealer Related Domain (slammyslideplanntywks .xyz in TLS SNI) (malware.rules)
  • 2054091 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (compilecoppydkewsw .xyz) (malware.rules)
  • 2054092 - ET MALWARE Observed Lumma Stealer Related Domain (compilecoppydkewsw .xyz in TLS SNI) (malware.rules)
  • 2054093 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (depositybounceddwk .xyz) (malware.rules)
  • 2054094 - ET MALWARE Observed Lumma Stealer Related Domain (depositybounceddwk .xyz in TLS SNI) (malware.rules)
  • 2054095 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (aplointexhausdh .xyz) (malware.rules)
  • 2054096 - ET MALWARE Observed Lumma Stealer Related Domain (aplointexhausdh .xyz in TLS SNI) (malware.rules)
  • 2054097 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (proffyrobharborye .xyz) (malware.rules)
  • 2054098 - ET MALWARE Observed Lumma Stealer Related Domain (proffyrobharborye .xyz in TLS SNI) (malware.rules)
  • 2054099 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (landownerryparaxodwo .xyz) (malware.rules)
  • 2054100 - ET MALWARE Observed Lumma Stealer Related Domain (landownerryparaxodwo .xyz in TLS SNI) (malware.rules)
  • 2054101 - ET INFO URL Shortener Service Domain in DNS Lookup (iplog .co) (info.rules)
  • 2054102 - ET INFO Observed URL Shortener Service Domain (iplog .co in TLS SNI) (info.rules)
  • 2054103 - ET MALWARE Koadic RC4 Encrypted Payload Inbound M1 (malware.rules)
  • 2054104 - ET MALWARE Koadic RC4 Encrypted Payload Inbound M2 (malware.rules)

Pro:

  • 2857356 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857357 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2012573 - ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2013285 - ET MALWARE DarkComet-RAT Client Keepalive (malware.rules)
  • 2013516 - ET MALWARE TR/Spy.Gen checkin via dns ANY query (malware.rules)
  • 2018904 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) (info.rules)
  • 2018905 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) (info.rules)
  • 2018906 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false) (info.rules)
  • 2018907 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true) (info.rules)
  • 2018908 - ET INFO Session Traversal Utilities for NAT (STUN Binding Response) (info.rules)
  • 2033690 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033691 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033692 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033693 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033694 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033695 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033774 - ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI) (malware.rules)
  • 2033870 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033871 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033873 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033875 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2034200 - ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound (CVE-2020-28188) (exploit.rules)
  • 2041680 - ET PHISHING Observed Phish Domain in DNS Lookup (administrator-enoc .com) 2022-12-05 (phishing.rules)
  • 2041682 - ET PHISHING Observed Phish Domain in DNS Lookup (kilimondoilgas-dubai .com) 2022-12-05 (phishing.rules)
  • 2041683 - ET PHISHING Observed Phish Domain in DNS Lookup (horsespeedtravel .com) 2022-12-05 (phishing.rules)
  • 2041684 - ET PHISHING Observed Phish Domain in DNS Lookup (snocprojectae .com) 2022-12-05 (phishing.rules)
  • 2041685 - ET PHISHING Observed Phish Domain in DNS Lookup (snoc-projectae .com) 2022-12-05 (phishing.rules)
  • 2041687 - ET PHISHING Observed Phish Domain in DNS Lookup (nowmcopetroleum .com) 2022-12-05 (phishing.rules)
  • 2041689 - ET PHISHING Observed Phish Domain in DNS Lookup (proposal-enoc .com) 2022-12-05 (phishing.rules)
  • 2041690 - ET PHISHING Observed Phish Domain in DNS Lookup (llhhospitals .com) 2022-12-05 (phishing.rules)
  • 2041691 - ET PHISHING Observed Phish Domain in DNS Lookup (alzarafatravellsae .com) 2022-12-05 (phishing.rules)
  • 2041692 - ET PHISHING Observed Phish Domain in DNS Lookup (specgulfae .com) 2022-12-05 (phishing.rules)
  • 2041693 - ET PHISHING Observed Phish Domain in DNS Lookup (eaglestravels-ae .com) 2022-12-05 (phishing.rules)
  • 2041694 - ET PHISHING Observed Phish Domain in DNS Lookup (stalinschoolintlacademy .com) 2022-12-05 (phishing.rules)
  • 2041695 - ET PHISHING Observed Phish Domain in DNS Lookup (consultant-enoc .com) 2022-12-05 (phishing.rules)
  • 2041696 - ET PHISHING Observed Phish Domain in DNS Lookup (vendor-enocbid .com) 2022-12-05 (phishing.rules)
  • 2041697 - ET PHISHING Observed Phish Domain in DNS Lookup (proposal-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041698 - ET PHISHING Observed Phish Domain in DNS Lookup (zbavitae .com) 2022-12-05 (phishing.rules)
  • 2041699 - ET PHISHING Observed Phish Domain in DNS Lookup (bid-taqa .com) 2022-12-05 (phishing.rules)
  • 2041700 - ET PHISHING Observed Phish Domain in DNS Lookup (safetravel-services .com) 2022-12-05 (phishing.rules)
  • 2041701 - ET PHISHING Observed Phish Domain in DNS Lookup (gulfcoastoilngas-ae .com) 2022-12-05 (phishing.rules)
  • 2041702 - ET PHISHING Observed Phish Domain in DNS Lookup (camschooluae .com) 2022-12-05 (phishing.rules)
  • 2041703 - ET PHISHING Observed Phish Domain in DNS Lookup (alhmodzinoilfildservices .com) 2022-12-05 (phishing.rules)
  • 2041704 - ET PHISHING Observed Phish Domain in DNS Lookup (nipmse .com) 2022-12-05 (phishing.rules)
  • 2041705 - ET PHISHING Observed Phish Domain in DNS Lookup (globalhospae .com) 2022-12-05 (phishing.rules)
  • 2041706 - ET PHISHING Observed Phish Domain in DNS Lookup (gulfins-ae .com) 2022-12-05 (phishing.rules)
  • 2041707 - ET PHISHING Observed Phish Domain in DNS Lookup (zirvaenergy .com) 2022-12-05 (phishing.rules)
  • 2041708 - ET PHISHING Observed Phish Domain in DNS Lookup (tenders-adio .com) 2022-12-05 (phishing.rules)
  • 2041709 - ET PHISHING Observed Phish Domain in DNS Lookup (uae-snocproject .com) 2022-12-05 (phishing.rules)
  • 2041710 - ET PHISHING Observed Phish Domain in DNS Lookup (alfayhaatravels .com) 2022-12-05 (phishing.rules)
  • 2041711 - ET PHISHING Observed Phish Domain in DNS Lookup (contract-snoc .com) 2022-12-05 (phishing.rules)
  • 2041712 - ET PHISHING Observed Phish Domain in DNS Lookup (biding-enoc .com) 2022-12-05 (phishing.rules)
  • 2041713 - ET PHISHING Observed Phish Domain in DNS Lookup (dibfinancialservice-uae .com) 2022-12-05 (phishing.rules)
  • 2041714 - ET PHISHING Observed Phish Domain in DNS Lookup (registrations-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041715 - ET PHISHING Observed Phish Domain in DNS Lookup (enocbids .com) 2022-12-05 (phishing.rules)
  • 2041716 - ET PHISHING Observed Phish Domain in DNS Lookup (snocprojectuae .com) 2022-12-05 (phishing.rules)
  • 2041717 - ET PHISHING Observed Phish Domain in DNS Lookup (adio-gov .com) 2022-12-05 (phishing.rules)
  • 2041718 - ET PHISHING Observed Phish Domain in DNS Lookup (gulfmarineoilservices .com) 2022-12-05 (phishing.rules)
  • 2041719 - ET PHISHING Observed Phish Domain in DNS Lookup (fenczyflyemiratetravels .com) 2022-12-05 (phishing.rules)
  • 2041720 - ET PHISHING Observed Phish Domain in DNS Lookup (abienceinvestments-fze .com) 2022-12-05 (phishing.rules)
  • 2041721 - ET PHISHING Observed Phish Domain in DNS Lookup (flywaytravelandtourism .com) 2022-12-05 (phishing.rules)
  • 2041722 - ET PHISHING Observed Phish Domain in DNS Lookup (aiischools .com) 2022-12-05 (phishing.rules)
  • 2041723 - ET PHISHING Observed Phish Domain in DNS Lookup (emspgenerahospae .com) 2022-12-05 (phishing.rules)
  • 2041724 - ET PHISHING Observed Phish Domain in DNS Lookup (investinadio .com) 2022-12-05 (phishing.rules)
  • 2041725 - ET PHISHING Observed Phish Domain in DNS Lookup (mohregov-ae .com) 2022-12-05 (phishing.rules)
  • 2041726 - ET PHISHING Observed Phish Domain in DNS Lookup (enacopetroleum .com) 2022-12-05 (phishing.rules)
  • 2041727 - ET PHISHING Observed Phish Domain in DNS Lookup (emsclikoil .com) 2022-12-05 (phishing.rules)
  • 2041728 - ET PHISHING Observed Phish Domain in DNS Lookup (westernmedicalspecialisthosp .com) 2022-12-05 (phishing.rules)
  • 2041729 - ET PHISHING Observed Phish Domain in DNS Lookup (contact-adnocae .com) 2022-12-05 (phishing.rules)
  • 2041730 - ET PHISHING Observed Phish Domain in DNS Lookup (quickcitytravel .com) 2022-12-05 (phishing.rules)
  • 2041731 - ET PHISHING Observed Phish Domain in DNS Lookup (snoc-projectuae .com) 2022-12-05 (phishing.rules)
  • 2041732 - ET PHISHING Observed Phish Domain in DNS Lookup (consultant-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041733 - ET PHISHING Observed Phish Domain in DNS Lookup (salacomimmigration .com) 2022-12-05 (phishing.rules)
  • 2041734 - ET PHISHING Observed Phish Domain in DNS Lookup (dubaiferryae .com) 2022-12-05 (phishing.rules)
  • 2041735 - ET PHISHING Observed Phish Domain in DNS Lookup (bid-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041736 - ET PHISHING Observed Phish Domain in DNS Lookup (adbntogo .com) 2022-12-05 (phishing.rules)
  • 2041737 - ET PHISHING Observed Phish Domain in DNS Lookup (iconiqueimmigration .com) 2022-12-05 (phishing.rules)
  • 2041738 - ET PHISHING Observed Phish Domain in DNS Lookup (alfujairah-ae .com) 2022-12-05 (phishing.rules)
  • 2041739 - ET PHISHING Observed Phish Domain in DNS Lookup (contractors-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041740 - ET PHISHING Observed Phish Domain in DNS Lookup (stabluk .com) 2022-12-05 (phishing.rules)
  • 2041741 - ET PHISHING Observed Phish Domain in DNS Lookup (bid-enoc .com) 2022-12-05 (phishing.rules)
  • 2041742 - ET PHISHING Observed Phish Domain in DNS Lookup (siemenoilandgas .com) 2022-12-05 (phishing.rules)
  • 2041743 - ET PHISHING Observed Phish Domain in DNS Lookup (proposals-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041744 - ET PHISHING Observed Phish Domain in DNS Lookup (hamraoilgroup .com) 2022-12-05 (phishing.rules)
  • 2041745 - ET PHISHING Observed Phish Domain in DNS Lookup (flylinkimmigration .com) 2022-12-05 (phishing.rules)
  • 2041747 - ET PHISHING Observed Phish Domain in DNS Lookup (ae-snoctenders .com) 2022-12-05 (phishing.rules)
  • 2041748 - ET PHISHING Observed Phish Domain in DNS Lookup (contracts-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041749 - ET PHISHING Observed Phish Domain in DNS Lookup (registrations-enoc .com) 2022-12-05 (phishing.rules)
  • 2041750 - ET PHISHING Observed Phish Domain in DNS Lookup (uae-snoctenders .com) 2022-12-05 (phishing.rules)
  • 2041751 - ET PHISHING Observed Phish Domain in DNS Lookup (oceanicflyimmigration .com) 2022-12-05 (phishing.rules)
  • 2041752 - ET PHISHING Observed Phish Domain in DNS Lookup (rfq-taziz .com) 2022-12-05 (phishing.rules)
  • 2041753 - ET PHISHING Observed Phish Domain in DNS Lookup (consultants-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041754 - ET PHISHING Observed Phish Domain in DNS Lookup (abbrossgeneralhospital .com) 2022-12-05 (phishing.rules)
  • 2041755 - ET PHISHING Observed Phish Domain in DNS Lookup (snocproject-ae .com) 2022-12-05 (phishing.rules)
  • 2041756 - ET PHISHING Observed Phish Domain in DNS Lookup (dahilalcapitalinvest .com) 2022-12-05 (phishing.rules)
  • 2041757 - ET PHISHING Observed Phish Domain in DNS Lookup (duramtravelagency .com) 2022-12-05 (phishing.rules)
  • 2041758 - ET PHISHING Observed Phish Domain in DNS Lookup (biddings-enoc .com) 2022-12-05 (phishing.rules)
  • 2041759 - ET PHISHING Observed Phish Domain in DNS Lookup (hpschooluae .com) 2022-12-05 (phishing.rules)
  • 2041760 - ET PHISHING Observed Phish Domain in DNS Lookup (rakpetrolae .com) 2022-12-05 (phishing.rules)
  • 2041761 - ET PHISHING Observed Phish Domain in DNS Lookup (arabianmigration .com) 2022-12-05 (phishing.rules)
  • 2041762 - ET PHISHING Observed Phish Domain in DNS Lookup (snocuae .com) 2022-12-05 (phishing.rules)
  • 2041763 - ET PHISHING Observed Phish Domain in DNS Lookup (atenaeps .com) 2022-12-05 (phishing.rules)
  • 2041764 - ET PHISHING Observed Phish Domain in DNS Lookup (ae-snocproject .com) 2022-12-05 (phishing.rules)
  • 2041765 - ET PHISHING Observed Phish Domain in DNS Lookup (harvesttravelagency .com) 2022-12-05 (phishing.rules)
  • 2041766 - ET PHISHING Observed Phish Domain in DNS Lookup (registration-ae-enoc .com) 2022-12-05 (phishing.rules)
  • 2041767 - ET PHISHING Observed Phish Domain in DNS Lookup (toursolutions4u .com) 2022-12-05 (phishing.rules)
  • 2041768 - ET PHISHING Observed Phish Domain in DNS Lookup (easternbaytravels .com) 2022-12-05 (phishing.rules)
  • 2041769 - ET PHISHING Observed Phish Domain in DNS Lookup (contractor-enoc .com) 2022-12-05 (phishing.rules)
  • 2041770 - ET PHISHING Observed Phish Domain in DNS Lookup (ahaliahospitalae .com) 2022-12-05 (phishing.rules)
  • 2041771 - ET PHISHING Observed Phish Domain in DNS Lookup (tenders-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041772 - ET PHISHING Observed Phish Domain in DNS Lookup (emarataljabrisolicitors .com) 2022-12-05 (phishing.rules)
  • 2041773 - ET PHISHING Observed Phish Domain in DNS Lookup (abdul-sattar-abdul-tr .com) 2022-12-05 (phishing.rules)
  • 2041774 - ET PHISHING Observed Phish Domain in DNS Lookup (tenders-aisschools .com) 2022-12-05 (phishing.rules)
  • 2041775 - ET PHISHING Observed Phish Domain in DNS Lookup (builds-emaar .com) 2022-12-05 (phishing.rules)
  • 2041776 - ET PHISHING Observed Phish Domain in DNS Lookup (tender-adnoc .com) 2022-12-05 (phishing.rules)
  • 2041777 - ET PHISHING Observed Phish Domain in DNS Lookup (sheikhmouradoil .com) 2022-12-05 (phishing.rules)
  • 2041778 - ET PHISHING Observed Phish Domain in DNS Lookup (diligencefinconsultants .com) 2022-12-05 (phishing.rules)
  • 2050083 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M1 (malware.rules)
  • 2050094 - ET MALWARE BackConnect CnC Activity (Bot Reconnect) M2 (malware.rules)
  • 2054045 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (dateyourlove .live in TLS SNI) (malware.rules)
  • 2054046 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (matchingsingles .net in TLS SNI) (malware.rules)
  • 2054048 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (face-your-dreams .com in TLS SNI) (malware.rules)
  • 2054051 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (silver-dates .com in TLS SNI) (malware.rules)
  • 2809851 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (tcp) (malware.rules)