Summary:
46 new OPEN, 49 new PRO (46 + 3)
Added rules:
Open:
- 2027267 - ET INFO Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105) (info.rules)
- 2054173 - ET MALWARE Poseidon Stealer Data Exfiltration Attempt (malware.rules)
- 2054174 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (swellfrrgwwos .xyz) (malware.rules)
- 2054175 - ET MALWARE Observed Lumma Stealer Related Domain (swellfrrgwwos .xyz in TLS SNI) (malware.rules)
- 2054176 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pedestriankodwu .xyz) (malware.rules)
- 2054177 - ET MALWARE Observed Lumma Stealer Related Domain (pedestriankodwu .xyz in TLS SNI) (malware.rules)
- 2054178 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (towerxxuytwi .xyz) (malware.rules)
- 2054179 - ET MALWARE Observed Lumma Stealer Related Domain (towerxxuytwi .xyz in TLS SNI) (malware.rules)
- 2054180 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (contintnetksows .shop) (malware.rules)
- 2054181 - ET MALWARE Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) (malware.rules)
- 2054182 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potterryisiw .shop) (malware.rules)
- 2054183 - ET MALWARE Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) (malware.rules)
- 2054184 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (foodypannyjsud .shop) (malware.rules)
- 2054185 - ET MALWARE Observed Lumma Stealer Related Domain (foodypannyjsud .shop in TLS SNI) (malware.rules)
- 2054186 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ellaboratepwsz .xyz) (malware.rules)
- 2054187 - ET MALWARE Observed Lumma Stealer Related Domain (ellaboratepwsz .xyz in TLS SNI) (malware.rules)
- 2054188 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (penetratedpoopp .xyz) (malware.rules)
- 2054189 - ET MALWARE Observed Lumma Stealer Related Domain (penetratedpoopp .xyz in TLS SNI) (malware.rules)
- 2054190 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (flockkydwos .shop) (malware.rules)
- 2054191 - ET MALWARE Observed Lumma Stealer Related Domain (flockkydwos .shop in TLS SNI) (malware.rules)
- 2054192 - ET INFO DYNAMIC_DNS Query to a *.7s .com .tr Domain (info.rules)
- 2054193 - ET INFO DYNAMIC_DNS HTTP Request to a *.7s .com .tr Domain (info.rules)
- 2054194 - ET MALWARE SocGholish CnC Domain in DNS (* .fans .smalladventureguide .com) (malware.rules)
- 2054195 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .fans .smalladventureguide .com in TLS SNI) (malware.rules)
- 2054196 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (frontendcodingtips .com) (exploit_kit.rules)
- 2054197 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (frontendcodingtips .com) (exploit_kit.rules)
- 2054198 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (beetrootculture .com) (exploit_kit.rules)
- 2054199 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (propertyclosings .com) (exploit_kit.rules)
- 2054200 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (beetrootculture .com) (exploit_kit.rules)
- 2054201 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (propertyclosings .com) (exploit_kit.rules)
- 2054202 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-ch .net) (malware.rules)
- 2054203 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-ch .com) (malware.rules)
- 2054204 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (poseidon .cool) (malware.rules)
- 2054205 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agovaccess-ch .com) (malware.rules)
- 2054206 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-access .com) (malware.rules)
- 2054207 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (agov-access .net) (malware.rules)
- 2054208 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (register-agov .com) (malware.rules)
- 2054209 - ET MALWARE Poseidon Stealer Related Domain in DNS Lookup (register-agov .net) (malware.rules)
- 2054210 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-ch .net) in TLS SNI (malware.rules)
- 2054211 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-ch .com) in TLS SNI (malware.rules)
- 2054212 - ET MALWARE Observed Poseidon Stealer Related Domain (poseidon .cool) in TLS SNI (malware.rules)
- 2054213 - ET MALWARE Observed Poseidon Stealer Related Domain (agovaccess-ch .com) in TLS SNI (malware.rules)
- 2054214 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-access .com) in TLS SNI (malware.rules)
- 2054215 - ET MALWARE Observed Poseidon Stealer Related Domain (agov-access .net) in TLS SNI (malware.rules)
- 2054216 - ET MALWARE Observed Poseidon Stealer Related Domain (register-agov .com) in TLS SNI (malware.rules)
- 2054217 - ET MALWARE Observed Poseidon Stealer Related Domain (register-agov .net) in TLS SNI (malware.rules)
Pro:
- 2857458 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2857459 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857460 - ETPRO MALWARE SocGholish CnC Initial Request M7 (malware.rules)
Removed rules:
- 2027267 - ET ATTACK_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105) (attack_response.rules)