Summary:
22 new OPEN, 24 new PRO (22 + 2)
Added rules:
Open:
- 2039184 - ET RETIRED MSSQL maggie backdoor ls Query Observed (retired.rules)
- 2039415 - ET RETIRED MSSQL maggie backdoor Query Observed (other functions) (retired.rules)
- 2039440 - ET RETIRED WinGo/YT Stealer CnC Domain in DNS Lookup (retired.rules)
- 2039441 - ET RETIRED WinGo/YT Stealer CnC Checkin (retired.rules)
- 2039478 - ET RETIRED Suspected Polonium CnC Initial Checkin M1 (retired.rules)
- 2039479 - ET RETIRED Suspected Polonium CnC Initial Checkin M2 (retired.rules)
- 2039480 - ET RETIRED Suspected Polonium CnC Checkin (get_cmd) (retired.rules)
- 2039481 - ET RETIRED Suspected Polonium CnC Checkin (result.php - process list) M1 (retired.rules)
- 2039482 - ET RETIRED Suspected Polonium CnC Checkin (result.php - process list) M2 (retired.rules)
- 2055977 - ET WEB_SPECIFIC_APPS Hoverfly Arbitrary File Read via Traversal Attempt Inbound (CVE-2024-45388) (web_specific_apps.rules)
- 2055978 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chefspavilion .com) (exploit_kit.rules)
- 2055979 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chefspavilion .com) (exploit_kit.rules)
- 2055980 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (trendpronet .com) (exploit_kit.rules)
- 2055981 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (trendpronet .com) (exploit_kit.rules)
- 2055982 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670) (web_specific_apps.rules)
- 2055983 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670) (web_specific_apps.rules)
- 2055984 - ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190) (web_specific_apps.rules)
- 2055985 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liversymbwqp .shop) (malware.rules)
- 2055986 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (liversymbwqp .shop in TLS SNI) (malware.rules)
- 2055987 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (polishuwqiwom .shop) (malware.rules)
- 2055988 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (polishuwqiwom .shop in TLS SNI) (malware.rules)
- 2055989 - ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120) (web_specific_apps.rules)
Pro:
- 2858414 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2858415 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Modified inactive rules:
- 2054045 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (dateyourlove .live in TLS SNI) (malware.rules)
- 2054046 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (matchingsingles .net in TLS SNI) (malware.rules)
- 2054048 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (face-your-dreams .com in TLS SNI) (malware.rules)
- 2054051 - ET MALWARE Observed Wordpress Social Warfare Plugin Exploit Related Domain (silver-dates .com in TLS SNI) (malware.rules)
Disabled and modified rules:
- 2039425 - ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup (malware.rules)
- 2039426 - ET MALWARE Win32/Lumma Stealer CnC Domain (safe-car .ru) in DNS Lookup (malware.rules)
- 2039476 - ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup (malware.rules)
- 2039477 - ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup (malware.rules)
- 2039527 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online) (malware.rules)
- 2039528 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ellechina .online) (malware.rules)
- 2039529 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (gov .mil .ua .aspx .io) (malware.rules)
- 2039530 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (notfiled .com) (malware.rules)
- 2039534 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (www .get .adobe .com .aspx .io) (malware.rules)
- 2039593 - ET MOBILE_MALWARE Android/Drinik CnC Domain (gia .3utilities .com) in DNS Lookup (mobile_malware.rules)
- 2039606 - ET MALWARE Malicious Doc CnC Domain (e-demarches .kodeo .ch) in DNS Lookup (malware.rules)
- 2039721 - ET MALWARE Win32\Cryptbot CnC Domain (okwnyw02 .top) in DNS Lookup (malware.rules)
- 2039722 - ET MALWARE Win32\Cryptbot CnC Domain (okwydg05 .top) in DNS Lookup (malware.rules)
- 2039729 - ET MALWARE Win32\Cryptbot CnC Domain (suqpvu08 .top) in DNS Lookup (malware.rules)
- 2039730 - ET MALWARE Win32\Cryptbot CnC Domain (towhfs22 .top) in DNS Lookup (malware.rules)
- 2050435 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - GET Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2050437 - ET WEB_SPECIFIC_APPS GoAnywhere MFT Authentication Bypass Attempt - POST Request M2 (CVE-2024-0204) (web_specific_apps.rules)
- 2852769 - ETPRO PHISHING Microsoft OneDrive Phishing Domain (mycourier .email) in DNS Lookup (phishing.rules)
- 2852770 - ETPRO PHISHING Observed Microsoft OneDrive Phishing Domain (mycourier .email) in TLS SNI (phishing.rules)
Removed rules:
- 2039184 - ET MALWARE MSSQL maggie backdoor ls Query Observed (malware.rules)
- 2039415 - ET MALWARE MSSQL maggie backdoor Query Observed (other functions) (malware.rules)
- 2039440 - ET MALWARE WinGo/YT Stealer CnC Domain in DNS Lookup (malware.rules)
- 2039441 - ET MALWARE WinGo/YT Stealer CnC Checkin (malware.rules)
- 2039478 - ET MALWARE Suspected Polonium CnC Initial Checkin M1 (malware.rules)
- 2039479 - ET MALWARE Suspected Polonium CnC Initial Checkin M2 (malware.rules)
- 2039480 - ET MALWARE Suspected Polonium CnC Checkin (get_cmd) (malware.rules)
- 2039481 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M1 (malware.rules)
- 2039482 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M2 (malware.rules)