Summary:
34 new OPEN, 80 new PRO (34 + 46)
Added rules:
Open:
- 2054935 - ET INFO PDQ Remote Management HTTP Header Observed (x-pdq-key-ids) (info.rules)
- 2054936 - ET INFO PDQ Remote Management User-Agent Observed (PDQ rover) (info.rules)
- 2054937 - ET INFO PDQ Remote Management Agent HTTP Activity (info.rules)
- 2054938 - ET INFO PDQ Remote Management Agent Checkin (info.rules)
- 2054939 - ET MALWARE MOONSTONE SLEET APT Payload Delivery Attempt (malware.rules)
- 2054940 - ET INFO DYNAMIC_DNS Query to a * .avtosnoj .si Domain (info.rules)
- 2054941 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (clouddycuiomsnz .shop) (malware.rules)
- 2054942 - ET MALWARE Observed Lumma Stealer Related Domain (clouddycuiomsnz .shop in TLS SNI) (malware.rules)
- 2054943 - ET INFO DYNAMIC_DNS Query to a * .ventapel .com Domain (info.rules)
- 2054944 - ET INFO DYNAMIC_DNS HTTP Request to a * .ventapel .com Domain (info.rules)
- 2054945 - ET MALWARE Panther Stealer CnC Domain in DNS Lookup (api-lofy .xyz) (malware.rules)
- 2054946 - ET MALWARE Observed Panther Stealer Domain (api-lofy .xyz in TLS SNI) (malware.rules)
- 2054947 - ET WEB_SPECIFIC_APPS Apache OFBiz Pre-Auth Remote Code Execution Attempt (CVE-2024-38856) (web_specific_apps.rules)
- 2054948 - ET EXPLOIT_KIT ClickFIx Domain in DNS Lookup (peskpdfgif .shop) (exploit_kit.rules)
- 2054949 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (peskpdfgif .shop) (exploit_kit.rules)
- 2054950 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (quialitsuzoxm .shop) (malware.rules)
- 2054951 - ET MALWARE Observed Lumma Stealer Related Domain (quialitsuzoxm .shop in TLS SNI) (malware.rules)
- 2054952 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (complaintsipzzx .shop) (malware.rules)
- 2054953 - ET MALWARE Observed Lumma Stealer Related Domain (complaintsipzzx .shop in TLS SNI) (malware.rules)
- 2054954 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (languagedscie .shop) (malware.rules)
- 2054955 - ET MALWARE Observed Lumma Stealer Related Domain (languagedscie .shop in TLS SNI) (malware.rules)
- 2054956 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mennyudosirso .shop) (malware.rules)
- 2054957 - ET MALWARE Observed Lumma Stealer Related Domain (mennyudosirso .shop in TLS SNI) (malware.rules)
- 2054958 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bassizcellskz .shop) (malware.rules)
- 2054959 - ET MALWARE Observed Lumma Stealer Related Domain (bassizcellskz .shop in TLS SNI) (malware.rules)
- 2054960 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deallerospfosu .shop) (malware.rules)
- 2054961 - ET MALWARE Observed Lumma Stealer Related Domain (deallerospfosu .shop in TLS SNI) (malware.rules)
- 2054962 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (writerospzm .shop) (malware.rules)
- 2054963 - ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI) (malware.rules)
- 2054964 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (celebratioopz .shop) (malware.rules)
- 2054965 - ET MALWARE Observed Lumma Stealer Related Domain (celebratioopz .shop in TLS SNI) (malware.rules)
- 2054966 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pieddfreedinsu .shop) (malware.rules)
- 2054967 - ET MALWARE Observed Lumma Stealer Related Domain (pieddfreedinsu .shop in TLS SNI) (malware.rules)
- 2054968 - ET HUNTING Possible Machine GUID Observed in HTTP POST (hunting.rules)
Pro:
- 2857810 - ETPRO PHISHING UK Gov Tax Rebate Form Credential Phish Landing Page 2024-08-05 M1 (phishing.rules)
- 2857811 - ETPRO PHISHING UK Gov Tax Rebate Form Credential Phish Landing Page 2024-08-05 M2 (phishing.rules)
- 2857812 - ETPRO PHISHING Successful UK Gov Tax Rebate Form Credential Phish 2024-08-05 M1 (phishing.rules)
- 2857813 - ETPRO PHISHING Successful UK Gov Tax Rebate Form Credential Phish 2024-08-05 M2 (phishing.rules)
- 2857814 - ETPRO PHISHING Successful UK Gov Tax Rebate Form Credential Phish 2024-08-05 M3 (phishing.rules)
- 2857815 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857816 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857817 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857818 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857819 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857820 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857821 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857822 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857823 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857824 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857825 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857826 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857827 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857828 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857829 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857830 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857831 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857832 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857833 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857834 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857835 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857836 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857837 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857838 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857839 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857840 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857841 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2857842 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857843 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2857844 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2857845 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857846 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857847 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857848 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857849 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857850 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857851 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857852 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857853 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2857854 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2857859 - ETPRO PHISHING Possible RAKBANK Phishing Landing Page (phishing.rules)
Disabled and modified rules:
- 2857765 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857769 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857774 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857779 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857781 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
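The Open list above carries several defanged indicator domains (the Lumma, Panther Stealer and ClickFix "DNS Lookup" entries and the two wildcard DYNAMIC_DNS entries). The following Python is an added example, not part of this changelog and not Emerging Threats' own tooling: it parses a constructed excerpt of the list, refangs the " ." spacing back into hostnames, and checks constructed DNS query log lines against them. It assumes that these DNS-lookup signatures match the indicator at the end of the queried name (so subdomains also trigger, but a longer label that merely ends in the same characters does not); the log format, client addresses and query names are all made up here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the Open list above; domains are defanged with " ." exactly as printed.
CHANGELOG = """\
- 2054940 - ET INFO DYNAMIC_DNS Query to a * .avtosnoj .si Domain (info.rules)
- 2054941 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (clouddycuiomsnz .shop) (malware.rules)
- 2054943 - ET INFO DYNAMIC_DNS Query to a * .ventapel .com Domain (info.rules)
- 2054945 - ET MALWARE Panther Stealer CnC Domain in DNS Lookup (api-lofy .xyz) (malware.rules)
- 2054947 - ET WEB_SPECIFIC_APPS Apache OFBiz Pre-Auth Remote Code Execution Attempt (CVE-2024-38856) (web_specific_apps.rules)
- 2054948 - ET EXPLOIT_KIT ClickFIx Domain in DNS Lookup (peskpdfgif .shop) (exploit_kit.rules)
"""

ENTRY_RE = re.compile(r"^- (\d+) - (.+?) \(([a-z_]+\.rules)\)$")
DNS_LOOKUP_RE = re.compile(r"in DNS Lookup \(([^)]+)\)")
DYN_DNS_RE = re.compile(r"Query to a \* ((?:\s*\.[A-Za-z0-9-]+)+) Domain")


def refang(defanged: str) -> str:
    """Turn 'clouddycuiomsnz .shop' or ' .avtosnoj .si' back into a real hostname."""
    return re.sub(r"\s*\.", ".", defanged.strip()).lstrip(".").lower()


def extract_domain_iocs(changelog: str) -> Dict[str, int]:
    """Map refanged domain -> sid for every DNS-oriented rule in the changelog text."""
    iocs: Dict[str, int] = {}
    for line in changelog.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sid, msg = int(m.group(1)), m.group(2)
        for rx in (DNS_LOOKUP_RE, DYN_DNS_RE):
            hit = rx.search(msg)
            if hit:
                iocs[refang(hit.group(1))] = sid
    return iocs


def matching_sid(qname: str, iocs: Dict[str, int]) -> Optional[int]:
    """Return the sid whose domain the queried name equals or is a subdomain of.

    Assumption (not stated on the page): the DNS-lookup signatures anchor the
    indicator at the end of the queried name, so extra labels on the left still
    match, while a longer label such as notpeskpdfgif.shop must not.
    """
    name = qname.rstrip(".").lower()
    for domain, sid in iocs.items():
        if name == domain or name.endswith("." + domain):
            return sid
    return None


# Constructed DNS query log lines: "<timestamp> <client> <qname>".
DNS_LOG = """\
2024-08-05T10:01:02Z 10.0.0.5 www.example.com
2024-08-05T10:01:09Z 10.0.0.5 clouddycuiomsnz.shop.
2024-08-05T10:02:44Z 10.0.0.7 cdn.Api-Lofy.xyz
2024-08-05T10:03:15Z 10.0.0.9 host42.avtosnoj.si
2024-08-05T10:03:40Z 10.0.0.9 notpeskpdfgif.shop
"""


def scan_dns_log(log: str, iocs: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Return (client, normalised qname, sid) for every log line that hits an indicator."""
    hits: List[Tuple[str, str, int]] = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        sid = matching_sid(qname, iocs)
        if sid is not None:
            hits.append((client, qname.rstrip(".").lower(), sid))
    return hits


if __name__ == "__main__":
    indicators = extract_domain_iocs(CHANGELOG)
    for client, qname, sid in scan_dns_log(DNS_LOG, indicators):
        print(f"{client} queried {qname} -> sid {sid}")
```

The entry for CVE-2024-38856 is parsed but yields no domain, the wildcard DYNAMIC_DNS entries become apex domains that match any subdomain, and the trailing-dot and mixed-case query names are normalised before comparison. Replace the CHANGELOG string with the full Open list when reusing this against real resolver logs.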