Ruleset Update Summary - 2024/07/31 - v10657

Summary:

29 new OPEN, 30 new PRO (29 + 1)

Thanks @fe_tsoc, @naumovax

ETOPEN/ETPRO Customers: Please be aware that Friday, August 2nd, is a Proofpoint company holiday. There will be no daily rule release that day. Daily rule releases will continue the following Monday, August 5th.

Added rules:

Open:

  • 2054784 - ET INFO DYNAMIC_DNS Query to a * .itzzm .com Domain (info.rules)
  • 2054785 - ET INFO DYNAMIC_DNS HTTP Request to a * .itzzm .com Domain (info.rules)
  • 2054786 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (celosiapatroen .shop) (malware.rules)
  • 2054787 - ET MALWARE Observed Lumma Stealer Related Domain (celosiapatroen .shop in TLS SNI) (malware.rules)
  • 2054788 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (flyyedreplacodp .shop) (malware.rules)
  • 2054789 - ET MALWARE Observed Lumma Stealer Related Domain (flyyedreplacodp .shop in TLS SNI) (malware.rules)
  • 2054790 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weaknessmznxo .shop) (malware.rules)
  • 2054791 - ET MALWARE Observed Lumma Stealer Related Domain (weaknessmznxo .shop in TLS SNI) (malware.rules)
  • 2054792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (myanswerpronto .com) (exploit_kit.rules)
  • 2054793 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (myanswerpronto .com) (exploit_kit.rules)
  • 2054794 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (recordsbluemountain .com) (exploit_kit.rules)
  • 2054795 - ET EXPLOIT_KIT Balada Domain in TLS SNI (recordsbluemountain .com) (exploit_kit.rules)
  • 2054796 - ET MALWARE DNS Query to Casbaneiro Domain (geradcontsad .pro) (malware.rules)
  • 2054797 - ET MALWARE Observed Casbaneiro Domain (geradcontsad .pro in TLS SNI) (malware.rules)
  • 2054798 - ET INFO DNS Query to Abused File Sharing Domain (discreetshare .com) (info.rules)
  • 2054799 - ET MALWARE TA426/Zebrocy Related Domain in DNS Lookup (trust-certificate .net) (malware.rules)
  • 2054800 - ET INFO Observed Abused File Sharing Domain (discreetshare .com in TLS SNI) (info.rules)
  • 2054801 - ET MALWARE TA426/Zebrocy Related Domain in DNS Lookup (enrollmentdm .com) (malware.rules)
  • 2054802 - ET MALWARE Observed TA426/Zebrocy Domain (trust-certificate .net) in TLS SNI (malware.rules)
  • 2054803 - ET MALWARE Observed TA426/Zebrocy Domain (enrollmentdm .com) in TLS SNI (malware.rules)
  • 2054804 - ET INFO Commonly Actor Abused Online Service Domain (farmerswife .com) (info.rules)
  • 2054805 - ET INFO Observed Commonly Actor Abused Online Service Domain (farmerswife .com in TLS SNI) (info.rules)
  • 2054806 - ET MALWARE Crimson RAT CnC Activity (Inbound) M1 (malware.rules)
  • 2054807 - ET MALWARE Transparent Tribe CnC Domain in DNS Lookup (mus09 .duckdns .org) (malware.rules)
  • 2054808 - ET MALWARE Observed Transparent Tribe CnC Domain (mus09 .duckdns .org in TLS SNI) (malware.rules)
  • 2054809 - ET MALWARE Crimson RAT CnC Activity (Inbound) M2 (malware.rules)
  • 2054810 - ET INFO Observed DNS Over HTTPS Domain (get-resolution-ok-cdn .dahi .icu) in TLS SNI (info.rules)
  • 2054811 - ET INFO Observed DNS Over HTTPS Domain (dns .guard .io) in TLS SNI (info.rules)
  • 2054812 - ET MALWARE Crimson RAT CnC Victim Details Exfil (malware.rules)

Pro:

  • 2857736 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to Balada (962ab) (exploit_kit.rules)