Ruleset Update Summary - 2024/09/19 - v10698

Ruleset Updates
1

Summary:

22 new OPEN, 24 new PRO (22 + 2)

Added rules:

Open:

  • 2039184 - ET RETIRED MSSQL maggie backdoor ls Query Observed (retired.rules)
  • 2039415 - ET RETIRED MSSQL maggie backdoor Query Observed (other functions) (retired.rules)
  • 2039440 - ET RETIRED WinGo/YT Stealer CnC Domain in DNS Lookup (retired.rules)
  • 2039441 - ET RETIRED WinGo/YT Stealer CnC Checkin (retired.rules)
  • 2039478 - ET RETIRED Suspected Polonium CnC Initial Checkin M1 (retired.rules)
  • 2039479 - ET RETIRED Suspected Polonium CnC Initial Checkin M2 (retired.rules)
  • 2039480 - ET RETIRED Suspected Polonium CnC Checkin (get_cmd) (retired.rules)
  • 2039481 - ET RETIRED Suspected Polonium CnC Checkin (result.php - process list) M1 (retired.rules)
  • 2039482 - ET RETIRED Suspected Polonium CnC Checkin (result.php - process list) M2 (retired.rules)
  • 2055977 - ET WEB_SPECIFIC_APPS Hoverfly Arbitrary File Read via Traversal Attempt Inbound (CVE-2024-45388) (web_specific_apps.rules)
  • 2055978 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chefspavilion .com) (exploit_kit.rules)
  • 2055979 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chefspavilion .com) (exploit_kit.rules)
  • 2055980 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (trendpronet .com) (exploit_kit.rules)
  • 2055981 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (trendpronet .com) (exploit_kit.rules)
  • 2055982 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670) (web_specific_apps.rules)
  • 2055983 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670) (web_specific_apps.rules)
  • 2055984 - ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190) (web_specific_apps.rules)
  • 2055985 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liversymbwqp .shop) (malware.rules)
  • 2055986 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (liversymbwqp .shop in TLS SNI) (malware.rules)
  • 2055987 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (polishuwqiwom .shop) (malware.rules)
  • 2055988 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (polishuwqiwom .shop in TLS SNI) (malware.rules)
  • 2055989 - ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120) (web_specific_apps.rules)

Pro:

  • 2858414 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858415 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2054045 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (dateyourlove .live in TLS SNI) (malware.rules)
  • 2054046 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (matchingsingles .net in TLS SNI) (malware.rules)
  • 2054048 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (face-your-dreams .com in TLS SNI) (malware.rules)
  • 2054051 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (silver-dates .com in TLS SNI) (malware.rules)

Disabled and modified rules:

  • 2039425 - ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup (malware.rules)
  • 2039426 - ET MALWARE Win32/Lumma Stealer CnC Domain (safe-car .ru) in DNS Lookup (malware.rules)
  • 2039476 - ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup (malware.rules)
  • 2039477 - ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup (malware.rules)
  • 2039527 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online) (malware.rules)
  • 2039528 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ellechina .online) (malware.rules)
  • 2039529 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (gov .mil .ua .aspx .io) (malware.rules)
  • 2039530 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (notfiled .com) (malware.rules)
  • 2039534 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (www .get .adobe .com .aspx .io) (malware.rules)
  • 2039593 - ET MOBILE_MALWARE Android/Drinik CnC Domain (gia .3utilities .com) in DNS Lookup (mobile_malware.rules)
  • 2039606 - ET MALWARE Malicious Doc CnC Domain (e-demarches .kodeo .ch) in DNS Lookup (malware.rules)
  • 2039721 - ET MALWARE Win32\Cryptbot CnC Domain (okwnyw02 .top) in DNS Lookup (malware.rules)
  • 2039722 - ET MALWARE Win32\Cryptbot CnC Domain (okwydg05 .top) in DNS Lookup (malware.rules)
  • 2039729 - ET MALWARE Win32\Cryptbot CnC Domain (suqpvu08 .top) in DNS Lookup (malware.rules)
  • 2039730 - ET MALWARE Win32\Cryptbot CnC Domain (towhfs22 .top) in DNS Lookup (malware.rules)
  • 2050435 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M2 (CVE-2024-0204) (web_specific_apps.rules)
  • 2050437 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M2 (CVE-2024-0204) (web_specific_apps.rules)
  • 2852769 - ETPRO PHISHING Microsoft OneDrive Phishing Domain (mycourier .email) in DNS Lookup (phishing.rules)
  • 2852770 - ETPRO PHISHING Observed Microsoft OneDrive Phishing Domain (mycourier .email) in TLS SNI (phishing.rules)

Removed rules:

  • 2039184 - ET MALWARE MSSQL maggie backdoor ls Query Observed (malware.rules)
  • 2039415 - ET MALWARE MSSQL maggie backdoor Query Observed (other functions) (malware.rules)
  • 2039440 - ET MALWARE WinGo/YT Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2039441 - ET MALWARE WinGo/YT Stealer CnC Checkin (malware.rules)
  • 2039478 - ET MALWARE Suspected Polonium CnC Initial Checkin M1 (malware.rules)
  • 2039479 - ET MALWARE Suspected Polonium CnC Initial Checkin M2 (malware.rules)
  • 2039480 - ET MALWARE Suspected Polonium CnC Checkin (get_cmd) (malware.rules)
  • 2039481 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M1 (malware.rules)
  • 2039482 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M2 (malware.rules)