Summary:
25 new OPEN, 27 new PRO (25 + 2)
Thanks @MichalKoczwara
Added rules:
Open:
- 2055080 - ET INFO Microsoft Word HTTP Request for .rtf Payload (info.rules)
- 2055081 - ET INFO Microsoft Outlook Requesting .rtf (info.rules)
- 2055738 - ET MALWARE SocGholish CnC Domain in DNS (* .podcast .lisameyerson .com) (malware.rules)
- 2055739 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .podcast .lisameyerson .com) (malware.rules)
- 2055740 - ET INFO DYNAMIC_DNS Query to a * .grantmaskell .com Domain (info.rules)
- 2055741 - ET INFO DYNAMIC_DNS HTTP Request to a * .grantmaskell .com Domain (info.rules)
- 2055742 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bassicnuadnwi .shop) (malware.rules)
- 2055743 - ET MALWARE Observed Lumma Stealer Related Domain (bassicnuadnwi .shop in TLS SNI) (malware.rules)
- 2055744 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (extorteauhhwigw .shop) (malware.rules)
- 2055745 - ET MALWARE Observed Lumma Stealer Related Domain (extorteauhhwigw .shop in TLS SNI) (malware.rules)
- 2055746 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (femininedspzmhu .shop) (malware.rules)
- 2055747 - ET MALWARE Observed Lumma Stealer Related Domain (femininedspzmhu .shop in TLS SNI) (malware.rules)
- 2055748 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (limitadmitiwo .shop) (malware.rules)
- 2055749 - ET MALWARE Observed Lumma Stealer Related Domain (limitadmitiwo .shop in TLS SNI) (malware.rules)
- 2055750 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tiggerstrhekk .shop) (malware.rules)
- 2055751 - ET MALWARE Observed Lumma Stealer Related Domain (tiggerstrhekk .shop in TLS SNI) (malware.rules)
- 2055752 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unawaredfostwp .shop) (malware.rules)
- 2055753 - ET MALWARE Observed Lumma Stealer Related Domain (unawaredfostwp .shop in TLS SNI) (malware.rules)
- 2055754 - ET MALWARE VenomRAT CnC Server Keepalive (malware.rules)
- 2055755 - ET MALWARE Malicious CobaltStrike SSL/TLS Certificate Observed (malware.rules)
- 2055756 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (analytisweb .com) (exploit_kit.rules)
- 2055757 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (analytisweb .com) (exploit_kit.rules)
- 2055758 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (theapplefix .com) (exploit_kit.rules)
- 2055759 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (theapplefix .com) (exploit_kit.rules)
- 2055760 - ET MALWARE VBS/Clipboard Stealer Related Activity (GET) (malware.rules)
Pro:
- 2858295 - ETPRO HUNTING Reverse Base64 Encoded EXE Content-Type Mismatch (text/plain) (hunting.rules)
- 2858296 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2045213 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M3 (malware.rules)
- 2858252 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
Removed rules:
- 2055080 - ET MALWARE Microsoft Word HTTP Request for .rtf Payload (malware.rules)
- 2055081 - ET MALWARE Microsoft Outlook Requesting .rtf (malware.rules)