Ruleset Update Summary - 2024/07/30 - v10656

Ruleset Updates
1

Summary:

33 new OPEN, 73 new PRO (33 + 40)

Thanks @suyog41

ET/ETPRO Customers: Please be aware that Friday, August 2nd, is a Proofpoint Company holiday, and there will not be a daily rule release that day. Daily rule releases will continue the following Monday, August 5th.

Added rules:

Open:

  • 2054751 - ET INFO DYNAMIC_DNS Query to a * .bal-tazaar .be Domain (info.rules)
  • 2054752 - ET INFO DYNAMIC_DNS HTTP Request to a * .bal-tazaar .be Domain (info.rules)
  • 2054753 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (saratu .com) (exploit_kit.rules)
  • 2054754 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (velellablue .com) (exploit_kit.rules)
  • 2054755 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (saratu .com) (exploit_kit.rules)
  • 2054756 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (velellablue .com) (exploit_kit.rules)
  • 2054757 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (dividenntyss .shop) (malware.rules)
  • 2054758 - ET MALWARE Observed Lumma Stealer Related Domain (dividenntyss .shop in TLS SNI) (malware.rules)
  • 2054759 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (paradexjdoa .shop) (malware.rules)
  • 2054760 - ET MALWARE Observed Lumma Stealer Related Domain (paradexjdoa .shop in TLS SNI) (malware.rules)
  • 2054761 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ammycanedpors .shop) (malware.rules)
  • 2054762 - ET MALWARE Observed Lumma Stealer Related Domain (ammycanedpors .shop in TLS SNI) (malware.rules)
  • 2054763 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (egorepetiiiosn .shop) (malware.rules)
  • 2054764 - ET MALWARE Observed Lumma Stealer Related Domain (egorepetiiiosn .shop in TLS SNI) (malware.rules)
  • 2054765 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (faceddullinhs .shop) (malware.rules)
  • 2054766 - ET MALWARE Observed Lumma Stealer Related Domain (faceddullinhs .shop in TLS SNI) (malware.rules)
  • 2054767 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shootydowtqosm .shop) (malware.rules)
  • 2054768 - ET MALWARE Observed Lumma Stealer Related Domain (shootydowtqosm .shop in TLS SNI) (malware.rules)
  • 2054769 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (triallyforwhgh .shop) (malware.rules)
  • 2054770 - ET MALWARE Observed Lumma Stealer Related Domain (triallyforwhgh .shop in TLS SNI) (malware.rules)
  • 2054771 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (illnesmunxkza .shop) (malware.rules)
  • 2054772 - ET MALWARE Observed Lumma Stealer Related Domain (illnesmunxkza .shop in TLS SNI) (malware.rules)
  • 2054773 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (chequedxmznp .shop) (malware.rules)
  • 2054774 - ET MALWARE Observed Lumma Stealer Related Domain (chequedxmznp .shop in TLS SNI) (malware.rules)
  • 2054775 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shelterryujxo .shop) (malware.rules)
  • 2054776 - ET MALWARE Observed Lumma Stealer Related Domain (shelterryujxo .shop in TLS SNI) (malware.rules)
  • 2054777 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (supportyattraos .shop) (malware.rules)
  • 2054778 - ET MALWARE Observed Lumma Stealer Related Domain (supportyattraos .shop in TLS SNI) (malware.rules)
  • 2054779 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (megabahis664 .com) (exploit_kit.rules)
  • 2054780 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (megabahis664 .com) (exploit_kit.rules)
  • 2054781 - ET MALWARE Specula Framework CnC Activity (POST) (malware.rules)
  • 2054782 - ET MALWARE Specula Framework CnC Activity (GET) (malware.rules)
  • 2054783 - ET MALWARE CHM Stealer CnC Host Profile Exfil (POST) (malware.rules)

Pro:

  • 2857688 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857689 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857690 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857691 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857692 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857693 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857694 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857695 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857696 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857697 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857698 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857701 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857702 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857703 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857704 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857705 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857707 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857708 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857709 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857710 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857711 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857712 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857713 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857714 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857715 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857716 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857717 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857718 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857719 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857720 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857721 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857722 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857723 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857724 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857725 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857726 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857727 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2052574 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (firstaischool .com) (exploit_kit.rules)
  • 2052575 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (veniam-veritatis .site) (exploit_kit.rules)
  • 2052576 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firstaischool .com) (exploit_kit.rules)
  • 2052577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (veniam-veritatis .site) (exploit_kit.rules)
  • 2052578 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .location .oysterfloats .us) (malware.rules)
  • 2052579 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .location .oysterfloats .us) (malware.rules)
  • 2052630 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (forgreatestgoal .site) (exploit_kit.rules)
  • 2052631 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (polikarbonad .xyz) (exploit_kit.rules)
  • 2052632 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (forgreatestgoal .site) (exploit_kit.rules)
  • 2052633 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (polikarbonad .xyz) (exploit_kit.rules)
  • 2052710 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (d1x9q8w2e4 .xyz) (exploit_kit.rules)
  • 2052711 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (d1x9q8w2e4 .xyz) (exploit_kit.rules)
  • 2052712 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (redsquardhack .com) (exploit_kit.rules)
  • 2052713 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (penisowners .com) (exploit_kit.rules)
  • 2052714 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (sarkaribook .com) (exploit_kit.rules)
  • 2052715 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (optifitme .com) (exploit_kit.rules)
  • 2052716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (redsquardhack .com) (exploit_kit.rules)
  • 2052717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (penisowners .com) (exploit_kit.rules)
  • 2052718 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (sarkaribook .com) (exploit_kit.rules)
  • 2052719 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (optifitme .com) (exploit_kit.rules)
  • 2052755 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chezfur .com) (exploit_kit.rules)
  • 2052756 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (osiria-agency .com) (exploit_kit.rules)
  • 2052757 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chezfur .com) (exploit_kit.rules)
  • 2052758 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (osiria-agency .com) (exploit_kit.rules)
  • 2052790 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .glue .oystergardening .net) (malware.rules)
  • 2052791 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .glue .oystergardening .net) (malware.rules)
  • 2052792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gamestockxchange .com) (exploit_kit.rules)
  • 2052793 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gamestockxchange .com) (exploit_kit.rules)
  • 2052836 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (awakentoyoga .com) (exploit_kit.rules)
  • 2052837 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucabet68 .online) (exploit_kit.rules)
  • 2052838 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (awakentoyoga .com) (exploit_kit.rules)
  • 2052839 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucabet68 .online) (exploit_kit.rules)
  • 2052840 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jurassicworldtheexhibition .com) (exploit_kit.rules)
  • 2052841 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (womendonotdothat .com) (exploit_kit.rules)
  • 2052842 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jurassicworldtheexhibition .com) (exploit_kit.rules)
  • 2052843 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (womendonotdothat .com) (exploit_kit.rules)
  • 2052877 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (georgiaprivateinvestigations .com) (exploit_kit.rules)
  • 2052878 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (georgiaprivateinvestigations .com) (exploit_kit.rules)
  • 2052937 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sticky .oystergardening .name) (malware.rules)
  • 2052938 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sticky .oystergardening .name) (malware.rules)
  • 2052939 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (10xshares .com) (exploit_kit.rules)
  • 2052940 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (elbied .com) (exploit_kit.rules)
  • 2052941 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bookmycooks .com) (exploit_kit.rules)
  • 2052942 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ycva887 .top) (exploit_kit.rules)
  • 2052944 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (10xshares .com) (exploit_kit.rules)
  • 2052945 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elbied .com) (exploit_kit.rules)
  • 2052946 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bookmycooks .com) (exploit_kit.rules)
  • 2052947 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ycva887 .top) (exploit_kit.rules)
  • 2053022 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (burdurpastane .com) (exploit_kit.rules)
  • 2053023 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (079zain .com) (exploit_kit.rules)
  • 2053024 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (1kt8j .com) (exploit_kit.rules)
  • 2053025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (burdurpastane .com) (exploit_kit.rules)
  • 2053026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (079zain .com) (exploit_kit.rules)
  • 2053027 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (1kt8j .com) (exploit_kit.rules)
  • 2053043 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (bestcdnforfree .site) (exploit_kit.rules)
  • 2053044 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (gotthebestoffer .site) (exploit_kit.rules)
  • 2053045 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (p4wq3e5r6t .xyz) (exploit_kit.rules)
  • 2053046 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (bestcdnforfree .site) (exploit_kit.rules)
  • 2053047 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (gotthebestoffer .site) (exploit_kit.rules)
  • 2053048 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (p4wq3e5r6t .xyz) (exploit_kit.rules)
  • 2053050 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (24f1989 .com) (exploit_kit.rules)
  • 2053051 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ranconimports .com) (exploit_kit.rules)
  • 2053052 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (24f1989 .com) (exploit_kit.rules)
  • 2053053 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ranconimports .com) (exploit_kit.rules)
  • 2053054 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (s9l0w7n3y5 .xyz) (exploit_kit.rules)
  • 2053055 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (s9l0w7n3y5 .xyz) (exploit_kit.rules)
  • 2857356 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857459 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857521 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857522 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857626 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857627 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857628 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857629 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857630 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)