Ruleset Update Summary - 2024/08/08 - v10662

Ruleset Updates
1

Summary:

155 new OPEN, 159 new PRO (155 + 4)

Thanks @StrikeReadyLabs

Added rules:

Open:

  • 2055042 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055043 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055044 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055045 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055046 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055047 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055048 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055049 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055050 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055051 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055052 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055053 - ET PHISHING Kimsuky Domain in DNS Lookup (phishing.rules)
  • 2055054 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055055 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055056 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055057 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055058 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055059 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055060 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055061 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055062 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055063 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055064 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055065 - ET PHISHING Kimsuky Domain in TLS SNI (phishing.rules)
  • 2055066 - ET INFO DYNAMIC_DNS Query to a * .benabood .com Domain (info.rules)
  • 2055067 - ET INFO DYNAMIC_DNS HTTP Request to a * .benabood .com Domain (info.rules)
  • 2055068 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stomachoverwis .shop) (malware.rules)
  • 2055069 - ET MALWARE Observed Lumma Stealer Related Domain (stomachoverwis .shop in TLS SNI) (malware.rules)
  • 2055070 - ET MALWARE DNS Query to TA399 SideWinder Domain (mofa-gov-pk .dowmload .info) (malware.rules)
  • 2055071 - ET MALWARE Observed TA399/SideWinder Domain (mofa-gov-pk .dowmload .info in TLS SNI) (malware.rules)
  • 2055072 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (barelytherejewels .com) (exploit_kit.rules)
  • 2055073 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (barelytherejewels .com) (exploit_kit.rules)
  • 2055074 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (majordatabases .lat) (exploit_kit.rules)
  • 2055075 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (majordatabases .lat) (exploit_kit.rules)
  • 2055076 - ET INFO DeskTime Desktop Productivity Software Checkin (info.rules)
  • 2055077 - ET INFO Desktop Productivity Software Domain in DNS Lookup (desktime .com) (info.rules)
  • 2055078 - ET INFO Observed Desktop Productivity Software Domain (desktime .com) in TLS SNI (info.rules)
  • 2055079 - ET MALWARE TA399/Sidewinder APT CnC Server Response (malware.rules)
  • 2055080 - ET MALWARE Microsoft Word HTTP Request for .rtf Payload (malware.rules)
  • 2055081 - ET MALWARE Microsoft Outlook Requesting .rtf (malware.rules)
  • 2055082 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (suezcanal .portdedjibouti .live) (malware.rules)
  • 2055083 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (notice .portdedjibouti .live) (malware.rules)
  • 2055084 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mofa-gov-sa .direct888 .net) (malware.rules)
  • 2055085 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (cabinet-division-pk .fia-gov .com) (malware.rules)
  • 2055086 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (sarabanmithnavy .tni-mil .com) (malware.rules)
  • 2055087 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (moitt-gov-pk .fia-gov .net) (malware.rules)
  • 2055088 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (moitt .paknavy-govpk .info) (malware.rules)
  • 2055089 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (training .detru .info) (malware.rules)
  • 2055090 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (www-army-mil-bd .dirctt88 .co) (malware.rules)
  • 2055091 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mofa-gov-pk .donwloaded .com) (malware.rules)
  • 2055092 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mailarmylk .mods .email) (malware.rules)
  • 2055093 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (reports .dgps-govtpk .com) (malware.rules)
  • 2055094 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (navy-lk .direct888 .net) (malware.rules)
  • 2055095 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mofa-gov-pk .directt888 .com) (malware.rules)
  • 2055096 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (moemaldives .pmd-office .com) (malware.rules)
  • 2055097 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mod-gov-bd .dowmload .co) (malware.rules)
  • 2055098 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mora .pdfadobe .com) (malware.rules)
  • 2055099 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (efes-mindef-gov-pk .dowmload .org) (malware.rules)
  • 2055100 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (opmcm-gov-np .fia-gov .net) (malware.rules)
  • 2055101 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (www-moha-gov-lk .direct888 .net) (malware.rules)
  • 2055102 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (commerce-gov-pk .directt888 .com) (malware.rules)
  • 2055103 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (salary-cutting .session-out .com) (malware.rules)
  • 2055104 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (mailmofagovmm .mofa .email) (malware.rules)
  • 2055105 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (investigation04 .session-out .com) (malware.rules)
  • 2055106 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net) (malware.rules)
  • 2055107 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (paknavy .defpak .org) (malware.rules)
  • 2055108 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (msacn .ntcpk .net) (malware.rules)
  • 2055109 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (invitation-letter .govpk .info) (malware.rules)
  • 2055110 - ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (heatwave .paknavy .store) (malware.rules)
  • 2055111 - ET MALWARE Observed TA399/Sidewinder APT Domain (suezcanal .portdedjibouti .live in TLS SNI) (malware.rules)
  • 2055112 - ET MALWARE Observed TA399/Sidewinder APT Domain (notice .portdedjibouti .live in TLS SNI) (malware.rules)
  • 2055113 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofa-gov-sa .direct888 .net in TLS SNI) (malware.rules)
  • 2055114 - ET MALWARE Observed TA399/Sidewinder APT Domain (cabinet-division-pk .fia-gov .com in TLS SNI) (malware.rules)
  • 2055115 - ET MALWARE Observed TA399/Sidewinder APT Domain (sarabanmithnavy .tni-mil .com in TLS SNI) (malware.rules)
  • 2055116 - ET MALWARE Observed TA399/Sidewinder APT Domain (moitt-gov-pk .fia-gov .net in TLS SNI) (malware.rules)
  • 2055117 - ET MALWARE Observed TA399/Sidewinder APT Domain (moitt .paknavy-govpk .info in TLS SNI) (malware.rules)
  • 2055118 - ET MALWARE Observed TA399/Sidewinder APT Domain (training .detru .info in TLS SNI) (malware.rules)
  • 2055119 - ET MALWARE Observed TA399/Sidewinder APT Domain (www-army-mil-bd .dirctt88 .co in TLS SNI) (malware.rules)
  • 2055120 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofa-gov-pk .donwloaded .com in TLS SNI) (malware.rules)
  • 2055121 - ET MALWARE Observed TA399/Sidewinder APT Domain (mailarmylk .mods .email in TLS SNI) (malware.rules)
  • 2055122 - ET MALWARE Observed TA399/Sidewinder APT Domain (reports .dgps-govtpk .com in TLS SNI) (malware.rules)
  • 2055123 - ET MALWARE Observed TA399/Sidewinder APT Domain (navy-lk .direct888 .net in TLS SNI) (malware.rules)
  • 2055124 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofa-gov-pk .directt888 .com in TLS SNI) (malware.rules)
  • 2055125 - ET MALWARE Observed TA399/Sidewinder APT Domain (moemaldives .pmd-office .com in TLS SNI) (malware.rules)
  • 2055126 - ET MALWARE Observed TA399/Sidewinder APT Domain (mod-gov-bd .dowmload .co in TLS SNI) (malware.rules)
  • 2055127 - ET MALWARE Observed TA399/Sidewinder APT Domain (mora .pdfadobe .com in TLS SNI) (malware.rules)
  • 2055128 - ET MALWARE Observed TA399/Sidewinder APT Domain (efes-mindef-gov-pk .dowmload .org in TLS SNI) (malware.rules)
  • 2055129 - ET MALWARE Possible TA399/SideWinder Related Empty .rtf Inbound (malware.rules)
  • 2055130 - ET MALWARE Observed TA399/Sidewinder APT Domain (opmcm-gov-np .fia-gov .net in TLS SNI) (malware.rules)
  • 2055131 - ET MALWARE Observed TA399/Sidewinder APT Domain (www-moha-gov-lk .direct888 .net in TLS SNI) (malware.rules)
  • 2055132 - ET MALWARE Observed TA399/Sidewinder APT Domain (commerce-gov-pk .directt888 .com in TLS SNI) (malware.rules)
  • 2055133 - ET MALWARE Observed TA399/Sidewinder APT Domain (salary-cutting .session-out .com in TLS SNI) (malware.rules)
  • 2055134 - ET MALWARE Observed TA399/Sidewinder APT Domain (mailmofagovmm .mofa .email in TLS SNI) (malware.rules)
  • 2055135 - ET MALWARE Observed TA399/Sidewinder APT Domain (investigation04 .session-out .com in TLS SNI) (malware.rules)
  • 2055136 - ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI) (malware.rules)
  • 2055137 - ET MALWARE Observed TA399/Sidewinder APT Domain (paknavy .defpak .org in TLS SNI) (malware.rules)
  • 2055138 - ET MALWARE Observed TA399/Sidewinder APT Domain (msacn .ntcpk .net in TLS SNI) (malware.rules)
  • 2055139 - ET MALWARE Observed TA399/Sidewinder APT Domain (invitation-letter .govpk .info in TLS SNI) (malware.rules)
  • 2055140 - ET MALWARE Observed TA399/Sidewinder APT Domain (heatwave .paknavy .store in TLS SNI) (malware.rules)
  • 2055141 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mailnavybd .govpk .net) (malware.rules)
  • 2055142 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (ministryofforeignaffairs-mofa-gov-pk .dytt88 .org) (malware.rules)
  • 2055143 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (moma .comsats-net .com) (malware.rules)
  • 2055144 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (bdmil .alit .live) (malware.rules)
  • 2055145 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofabn .ksewpk .com) (malware.rules)
  • 2055146 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mohgovsg .bahariafoundation .live) (malware.rules)
  • 2055147 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mtss .bol-south .org) (malware.rules)
  • 2055148 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (forecast .comsats-net .com) (malware.rules)
  • 2055149 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (promotionlist .comsats-net .com) (malware.rules)
  • 2055150 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (dgms .paknavy-gov .com) (malware.rules)
  • 2055151 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (cstc-spares-vip-163 .dowmload .net) (malware.rules)
  • 2055152 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (paknavy .jmicc .xyz) (malware.rules)
  • 2055153 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (dgpr .paknvay-pk .net) (malware.rules)
  • 2055154 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (careitservices .paknvay-pk .net) (malware.rules)
  • 2055155 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (dgmp-paknavy .mod-pk .com) (malware.rules)
  • 2055156 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (paknavy .paknavy .live) (malware.rules)
  • 2055157 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (cabinet-gov-pk .ministry-pk .net) (malware.rules)
  • 2055158 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (defencelk .cvix .live) (malware.rules)
  • 2055159 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofa-gov .interior-pk .org) (malware.rules)
  • 2055160 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (srilanka-navy .lforvk .com) (malware.rules)
  • 2055161 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (sppc .moma-pk .org) (malware.rules)
  • 2055162 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mofadividion .ptcl-gov .com) (malware.rules)
  • 2055163 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (paknavy-gov-pk .downld .net) (malware.rules)
  • 2055164 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (sl-navy .office-drive .live) (malware.rules)
  • 2055165 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (pnwc .bol-north .com) (malware.rules)
  • 2055166 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mailrta .mfagov .org) (malware.rules)
  • 2055167 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (mailaplf .cvix .live) (malware.rules)
  • 2055168 - ET MALWARE TA399/Sidewinder APT CnC Domain in DNS Lookup (srilankanavy .ksew .org) (malware.rules)
  • 2055169 - ET MALWARE Observed TA399/Sidewinder APT Domain (mailnavybd .govpk .net in TLS SNI) (malware.rules)
  • 2055170 - ET MALWARE Observed TA399/Sidewinder APT Domain (ministryofforeignaffairs-mofa-gov-pk .dytt88 .org in TLS SNI) (malware.rules)
  • 2055171 - ET MALWARE Observed TA399/Sidewinder APT Domain (moma .comsats-net .com in TLS SNI) (malware.rules)
  • 2055172 - ET MALWARE Observed TA399/Sidewinder APT Domain (bdmil .alit .live in TLS SNI) (malware.rules)
  • 2055173 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofabn .ksewpk .com in TLS SNI) (malware.rules)
  • 2055174 - ET MALWARE Observed TA399/Sidewinder APT Domain (mohgovsg .bahariafoundation .live in TLS SNI) (malware.rules)
  • 2055175 - ET MALWARE Observed TA399/Sidewinder APT Domain (mtss .bol-south .org in TLS SNI) (malware.rules)
  • 2055176 - ET MALWARE Observed TA399/Sidewinder APT Domain (forecast .comsats-net .com in TLS SNI) (malware.rules)
  • 2055177 - ET MALWARE Observed TA399/Sidewinder APT Domain (promotionlist .comsats-net .com in TLS SNI) (malware.rules)
  • 2055178 - ET MALWARE Observed TA399/Sidewinder APT Domain (dgms .paknavy-gov .com in TLS SNI) (malware.rules)
  • 2055179 - ET MALWARE Observed TA399/Sidewinder APT Domain (cstc-spares-vip-163 .dowmload .net in TLS SNI) (malware.rules)
  • 2055180 - ET MALWARE Observed TA399/Sidewinder APT Domain (paknavy .jmicc .xyz in TLS SNI) (malware.rules)
  • 2055181 - ET MALWARE Observed TA399/Sidewinder APT Domain (dgpr .paknvay-pk .net in TLS SNI) (malware.rules)
  • 2055182 - ET MALWARE Observed TA399/Sidewinder APT Domain (careitservices .paknvay-pk .net in TLS SNI) (malware.rules)
  • 2055183 - ET MALWARE Observed TA399/Sidewinder APT Domain (dgmp-paknavy .mod-pk .com in TLS SNI) (malware.rules)
  • 2055184 - ET MALWARE Observed TA399/Sidewinder APT Domain (paknavy .paknavy .live in TLS SNI) (malware.rules)
  • 2055185 - ET MALWARE Observed TA399/Sidewinder APT Domain (cabinet-gov-pk .ministry-pk .net in TLS SNI) (malware.rules)
  • 2055186 - ET MALWARE Observed TA399/Sidewinder APT Domain (defencelk .cvix .live in TLS SNI) (malware.rules)
  • 2055187 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofa-gov .interior-pk .org in TLS SNI) (malware.rules)
  • 2055188 - ET MALWARE Observed TA399/Sidewinder APT Domain (srilanka-navy .lforvk .com in TLS SNI) (malware.rules)
  • 2055189 - ET MALWARE Observed TA399/Sidewinder APT Domain (sppc .moma-pk .org in TLS SNI) (malware.rules)
  • 2055190 - ET MALWARE Observed TA399/Sidewinder APT Domain (mofadividion .ptcl-gov .com in TLS SNI) (malware.rules)
  • 2055191 - ET MALWARE Observed TA399/Sidewinder APT Domain (paknavy-gov-pk .downld .net in TLS SNI) (malware.rules)
  • 2055192 - ET MALWARE Observed TA399/Sidewinder APT Domain (sl-navy .office-drive .live in TLS SNI) (malware.rules)
  • 2055193 - ET MALWARE Observed TA399/Sidewinder APT Domain (pnwc .bol-north .com in TLS SNI) (malware.rules)
  • 2055194 - ET MALWARE Observed TA399/Sidewinder APT Domain (mailrta .mfagov .org in TLS SNI) (malware.rules)
  • 2055195 - ET MALWARE Observed TA399/Sidewinder APT Domain (mailaplf .cvix .live in TLS SNI) (malware.rules)
  • 2055196 - ET MALWARE Observed TA399/Sidewinder APT Domain (srilankanavy .ksew .org in TLS SNI) (malware.rules)

Pro:

  • 2857860 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857861 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
  • 2857862 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857863 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)

Disabled and modified rules:

  • 2054940 - ET INFO DYNAMIC_DNS Query to a * .avtosnoj .si Domain (info.rules)