Ruleset Update Summary - 2024/09/20 - v10700

Summary:

44 new OPEN, 46 new PRO (44 + 2)

Thanks @Unit42_Intel, @sekoia_io
Added rules:

Open:

  • 2044143 - ET WEB_SPECIFIC_APPS Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M1 (web_specific_apps.rules)
  • 2044144 - ET WEB_SPECIFIC_APPS Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M2 (web_specific_apps.rules)
  • 2055990 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request (malware.rules)
  • 2055991 - ET HUNTING Discord WebHook Activity M1 (Contains Key, content) (hunting.rules)
  • 2055992 - ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds) (hunting.rules)
  • 2055993 - ET HUNTING Discord WebHook Activity M3 (Contains Key, components) (hunting.rules)
  • 2055994 - ET HUNTING Discord WebHook Activity M4 (Contains Key, file) (hunting.rules)
  • 2055995 - ET HUNTING Discord WebHook Activity M5 (Contains Key, poll) (hunting.rules)
  • 2055996 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (javadevssdk .com) (exploit_kit.rules)
  • 2055997 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (javadevssdk .com) (exploit_kit.rules)
  • 2055998 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mtpolice2030 .com) (exploit_kit.rules)
  • 2055999 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mtpolice2030 .com) (exploit_kit.rules)
  • 2056000 - ET INFO DYNAMIC_DNS Query to a * .meridiano .com .br Domain (info.rules)
  • 2056001 - ET INFO DYNAMIC_DNS HTTP Request to a * .meridiano .com .br Domain (info.rules)
  • 2056002 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (bytesbazar .com) (exploit_kit.rules)
  • 2056003 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (bytesbazar .com) (exploit_kit.rules)
  • 2056004 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (achievenmtynwjq .shop) (malware.rules)
  • 2056005 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (achievenmtynwjq .shop in TLS SNI) (malware.rules)
  • 2056006 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carrtychaintnyw .shop) (malware.rules)
  • 2056007 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carrtychaintnyw .shop in TLS SNI) (malware.rules)
  • 2056008 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chickerkuso .shop) (malware.rules)
  • 2056009 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (chickerkuso .shop in TLS SNI) (malware.rules)
  • 2056010 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (contractowno .shop) (malware.rules)
  • 2056011 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (contractowno .shop in TLS SNI) (malware.rules)
  • 2056012 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dumpliportiwo .shop) (malware.rules)
  • 2056013 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dumpliportiwo .shop in TLS SNI) (malware.rules)
  • 2056014 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (metallygaricwo .shop) (malware.rules)
  • 2056015 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (metallygaricwo .shop in TLS SNI) (malware.rules)
  • 2056016 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (milldymarskwom .shop) (malware.rules)
  • 2056017 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (milldymarskwom .shop in TLS SNI) (malware.rules)
  • 2056018 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opponnentduei .shop) (malware.rules)
  • 2056019 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (opponnentduei .shop in TLS SNI) (malware.rules)
  • 2056020 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (puredoffustow .shop) (malware.rules)
  • 2056021 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (puredoffustow .shop in TLS SNI) (malware.rules)
  • 2056022 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (questionmwq .shop) (malware.rules)
  • 2056023 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (questionmwq .shop in TLS SNI) (malware.rules)
  • 2056024 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quotamkdsdqo .shop) (malware.rules)
  • 2056025 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quotamkdsdqo .shop in TLS SNI) (malware.rules)
  • 2056026 - ET MALWARE Unknown Info Stealer URI Structure (malware.rules)
  • 2056027 - ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000) (web_specific_apps.rules)
  • 2056028 - ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440) (web_specific_apps.rules)
  • 2056029 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (mozilaupgrade .com) (exploit_kit.rules)
  • 2056030 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (mozilaupgrade .com) (exploit_kit.rules)
  • 2056031 - ET PHISHING Suspected Generic Credential Phish Landing Page (2024-09-20) (phishing.rules)

Pro:

  • 2858416 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (exploit_kit.rules)
  • 2858417 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2054635 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (berrebyre .com) (exploit_kit.rules)
  • 2054636 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gametuners .com) (exploit_kit.rules)
  • 2054637 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (berrebyre .com) (exploit_kit.rules)
  • 2054638 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gametuners .com) (exploit_kit.rules)
  • 2858296 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2044143 - ET EXPLOIT Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M1 (exploit.rules)
  • 2044144 - ET EXPLOIT Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M2 (exploit.rules)
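One check a practitioner usually wants on a summary like this is whether the "N new OPEN, M new PRO (a + b)" line agrees with the lists below it, and which SIDs are both removed and re-added under a new category (here 2044143/2044144 move from exploit.rules to web_specific_apps.rules while keeping their SIDs, so SID-keyed suppressions, thresholds and disable lists in local tooling keep applying to the moved rules). The following parser is an added example, not Emerging Threats' or Proofpoint's code; the embedded `SAMPLE` is a constructed excerpt of the summary above with its count line adjusted to match the excerpt, and the function names are ours.

```python
import re
from collections import defaultdict

# Constructed excerpt of the update summary (count line adjusted to match the
# excerpt) so that the example runs offline; it is not the full changelog.
SAMPLE = """Ruleset Update Summary - 2024/09/20 - v10700

Summary:

2 new OPEN, 3 new PRO (2 + 1)

Added rules:

Open:

  • 2044143 - ET WEB_SPECIFIC_APPS Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M1 (web_specific_apps.rules)
  • 2055990 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request (malware.rules)

Pro:

  • 2858416 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (exploit_kit.rules)

Disabled and modified rules:

  • 2054635 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (berrebyre .com) (exploit_kit.rules)

Removed rules:

  • 2044143 - ET EXPLOIT Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M1 (exploit.rules)
"""

# One bullet: "  • <sid> - <msg> (<file>.rules)"; the trailing "(x.rules)" is the
# rule file, earlier parenthesised text such as "(CVE-2023-0669)" stays in msg.
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.+?)\s+\((\S+\.rules)\)\s*$")
COUNT_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
SECTION_HEADERS = {
    "Added rules:": "added",
    "Disabled and modified rules:": "modified",
    "Removed rules:": "removed",
}


def parse_summary(text):
    """Return {section: [(sid, msg, rulefile), ...]}; 'added' is split into
    'added_open' and 'added_pro' using the Open:/Pro: sub-headers."""
    sections = defaultdict(list)
    section = sub = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section, sub = SECTION_HEADERS[stripped], None
            continue
        if section == "added" and stripped in ("Open:", "Pro:"):
            sub = stripped[:-1].lower()
            continue
        m = RULE_RE.match(line)
        if m and section:
            sid, msg, rulefile = int(m.group(1)), m.group(2), m.group(3)
            key = f"{section}_{sub}" if section == "added" else section
            sections[key].append((sid, msg, rulefile))
    return dict(sections)


def check_counts(text, parsed):
    """Compare the 'N new OPEN, M new PRO (a + b)' line with the listed rules.
    The PRO total is the OPEN count plus the PRO-only rules."""
    m = COUNT_RE.search(text)
    if not m:
        return {"summary_line_found": False}
    open_claim, pro_claim, a, b = map(int, m.groups())
    n_open = len(parsed.get("added_open", []))
    n_pro = len(parsed.get("added_pro", []))
    return {
        "summary_line_found": True,
        "open_ok": open_claim == n_open == a,
        "pro_ok": pro_claim == n_open + n_pro and b == n_pro,
        "open_listed": n_open,
        "pro_only_listed": n_pro,
    }


def category_migrations(parsed):
    """SIDs present in both 'Removed rules' and 'Added rules': the rule kept
    its SID but moved to another category/file, so SID-keyed local tuning
    (threshold.conf, disable lists) still applies to the re-added rule."""
    added = {sid: rulefile
             for key, rules in parsed.items() if key.startswith("added")
             for sid, _msg, rulefile in rules}
    removed = {sid: rulefile for sid, _msg, rulefile in parsed.get("removed", [])}
    return {sid: (removed[sid], added[sid]) for sid in removed if sid in added}


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(check_counts(SAMPLE, parsed))
    for sid, (old, new) in category_migrations(parsed).items():
        print(f"SID {sid} moved from {old} to {new}")
```

Running it against the full summary text instead of `SAMPLE` reports the 44/46 split and flags 2044143 and 2044144 as exploit.rules to web_specific_apps.rules migrations.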