Ruleset Update Summary - 2024/07/03 - v10636

Summary:

10 new OPEN, 44 new PRO (10 + 34)

Added rules:

Open:

• 2054242 - ET INFO Outbound HTTP Request from Microsoft Office for .html (info.rules)
• 2054243 - ET INFO Server Responding to Microsoft Office HTTP Request for .html with JavaScript (info.rules)
• 2054244 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (adobefallshomes .com) (exploit_kit.rules)
• 2054245 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (adobefallshomes .com) (exploit_kit.rules)
• 2054246 - ET ATTACK_RESPONSE Eval Hex Obfuscated JS Inbound (attack_response.rules)
• 2054247 - ET MALWARE SilentCryptoMiner Agent Config Inbound (malware.rules)
• 2054248 - ET INFO DYNAMIC_DNS Query to a *.ninehells .com Domain (info.rules)
• 2054249 - ET INFO DYNAMIC_DNS HTTP Request to a *.ninehells .com Domain (info.rules)
• 2054250 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (periodicroytewrsn .shop) (malware.rules)
• 2054251 - ET MALWARE Observed Lumma Stealer Related Domain (periodicroytewrsn .shop in TLS SNI) (malware.rules)

Pro:

• 2856594 - ETPRO INFO Anti-DDoS Lua Script Challenge (info.rules)
• 2857469 - ETPRO PHISHING Suspected Successful Generic Credential Phish Landing Page 2024-07-02 (phishing.rules)
• 2857470 - ETPRO EXPLOIT_KIT Possible LandUpdate808 Compromise - Failed to Serve JS Inject (exploit_kit.rules)
• 2857471 - ETPRO INFO Server Responding to Microsoft Office HTTP Request for .html - Possible Windows MSHTML Platform Security Feature Bypass (CVE-2024-30040) (info.rules)
• 2857472 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
• 2857473 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
• 2857474 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
• 2857475 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
• 2857480 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2857481 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2857482 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2857483 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2857484 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2857485 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2857486 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2857487 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2857488 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2857489 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2857490 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2857491 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2857492 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2857493 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2857494 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2857495 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2857496 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2857497 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2857498 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2857499 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2857500 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2857501 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2857502 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2857503 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2857504 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2857505 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

• 2023611 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107 (malware.rules)

Disabled and modified rules:

• 2801078 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
• 2855498 - ETPRO MALWARE Possible DarkGate AutoIT Script Download (malware.rules)
• 2857463 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to Balada (exploit_kit.rules)

Removed rules:

• 2856594 - ETPRO PHISHING Anti-DDoS Lua Script Challenge (phishing.rules)