Ruleset Update Summary - 2024/09/05 - v10682

Summary:

25 new OPEN, 27 new PRO (25 + 2)

Thanks @MichalKoczwara


Added rules:

Open:

  • 2055080 - ET INFO Microsoft Word HTTP Request for .rtf Payload (info.rules)
  • 2055081 - ET INFO Microsoft Outlook Requesting .rtf (info.rules)
  • 2055738 - ET MALWARE SocGholish CnC Domain in DNS (* .podcast .lisameyerson .com) (malware.rules)
  • 2055739 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .podcast .lisameyerson .com) (malware.rules)
  • 2055740 - ET INFO DYNAMIC_DNS Query to a * .grantmaskell .com Domain (info.rules)
  • 2055741 - ET INFO DYNAMIC_DNS HTTP Request to a * .grantmaskell .com Domain (info.rules)
  • 2055742 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bassicnuadnwi .shop) (malware.rules)
  • 2055743 - ET MALWARE Observed Lumma Stealer Related Domain (bassicnuadnwi .shop in TLS SNI) (malware.rules)
  • 2055744 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (extorteauhhwigw .shop) (malware.rules)
  • 2055745 - ET MALWARE Observed Lumma Stealer Related Domain (extorteauhhwigw .shop in TLS SNI) (malware.rules)
  • 2055746 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (femininedspzmhu .shop) (malware.rules)
  • 2055747 - ET MALWARE Observed Lumma Stealer Related Domain (femininedspzmhu .shop in TLS SNI) (malware.rules)
  • 2055748 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (limitadmitiwo .shop) (malware.rules)
  • 2055749 - ET MALWARE Observed Lumma Stealer Related Domain (limitadmitiwo .shop in TLS SNI) (malware.rules)
  • 2055750 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tiggerstrhekk .shop) (malware.rules)
  • 2055751 - ET MALWARE Observed Lumma Stealer Related Domain (tiggerstrhekk .shop in TLS SNI) (malware.rules)
  • 2055752 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unawaredfostwp .shop) (malware.rules)
  • 2055753 - ET MALWARE Observed Lumma Stealer Related Domain (unawaredfostwp .shop in TLS SNI) (malware.rules)
  • 2055754 - ET MALWARE VenomRAT CnC Server Keepalive (malware.rules)
  • 2055755 - ET MALWARE Malicious CobaltStrike SSL/TLS Certificate Observed (malware.rules)
  • 2055756 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (analytisweb .com) (exploit_kit.rules)
  • 2055757 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (analytisweb .com) (exploit_kit.rules)
  • 2055758 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (theapplefix .com) (exploit_kit.rules)
  • 2055759 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (theapplefix .com) (exploit_kit.rules)
  • 2055760 - ET MALWARE VBS/Clipboard Stealer Related Activity (GET) (malware.rules)

Pro:

  • 2858295 - ETPRO HUNTING Reverse Base64 Encoded EXE Content-Type Mismatch (text/plain) (hunting.rules)
  • 2858296 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2045213 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M3 (malware.rules)
  • 2858252 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)

Removed rules:

  • 2055080 - ET MALWARE Microsoft Word HTTP Request for .rtf Payload (malware.rules)
  • 2055081 - ET MALWARE Microsoft Outlook Requesting .rtf (malware.rules)