Ruleset Update Summary - 2024/07/22 - v10650

Summary:

25 new OPEN, 27 new PRO (25 + 2)
Added rules:

Open:

  • 2054619 - ET MALWARE Covenant .NET Framework SSL/TLS Certificate Observed (malware.rules)
  • 2054620 - ET MALWARE Win32/Kryptik_AGen.DOP C2 Checkin (malware.rules)
  • 2054621 - ET INFO DYNAMIC_DNS Query to a * .w6rob .com Domain (info.rules)
  • 2054622 - ET INFO DYNAMIC_DNS HTTP Request to a * .w6rob .com Domain (info.rules)
  • 2054623 - ET INFO DYNAMIC_DNS Query to a * .bamapos .com Domain (info.rules)
  • 2054624 - ET INFO DYNAMIC_DNS HTTP Request to a * .bamapos .com Domain (info.rules)
  • 2054625 - ET INFO DYNAMIC_DNS Query to a * .i-taiwan .tv Domain (info.rules)
  • 2054626 - ET INFO DYNAMIC_DNS HTTP Request to a * .i-taiwan .tv Domain (info.rules)
  • 2054627 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (freezetdopzx .shop) (malware.rules)
  • 2054628 - ET MALWARE Observed Lumma Stealer Related Domain (freezetdopzx .shop in TLS SNI) (malware.rules)
  • 2054629 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hookybeamngwskow .xyz) (malware.rules)
  • 2054630 - ET MALWARE Observed Lumma Stealer Related Domain (hookybeamngwskow .xyz in TLS SNI) (malware.rules)
  • 2054631 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (nobledpcowep .shop) (malware.rules)
  • 2054632 - ET MALWARE Observed Lumma Stealer Related Domain (nobledpcowep .shop in TLS SNI) (malware.rules)
  • 2054633 - ET MALWARE SocGholish CnC Domain in DNS (* .loyalty .hienphucuanhanloai .org) (malware.rules)
  • 2054634 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .loyalty.hienphucuanhanloai .org) (malware.rules)
  • 2054635 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (berrebyre .com) (exploit_kit.rules)
  • 2054636 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gametuners .com) (exploit_kit.rules)
  • 2054637 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (berrebyre .com) (exploit_kit.rules)
  • 2054638 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gametuners .com) (exploit_kit.rules)
  • 2054639 - ET INFO Commonly Actor Abused Online Service Domain (storjshare .io) (info.rules)
  • 2054640 - ET INFO Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI) (info.rules)
  • 2054641 - ET MALWARE UNK_HamsaHatef Related URI (malware.rules)
  • 2054642 - ET MALWARE APT Related URI in HTTP Request (malware.rules)
  • 2054643 - ET MALWARE Mythic Framework SSL/TLS Certificate Observed (malware.rules)

Pro:

  • 2857637 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857638 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Enabled and modified rules:

  • 2050454 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (storage .webfiledata .com) (exploit_kit.rules)
  • 2050463 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (storage .webfiledata .com) (exploit_kit.rules)

Modified inactive rules:

  • 2852953 - ETPRO MALWARE Qbot Style Payload Request (malware.rules)

Removed rules:

  • 2054619 - ET ATTACK_RESPONSE Covenant .NET Framework SSL/TLS Certificate Observed (attack_response.rules)