Ruleset Update Summary - 2024/09/26 - v10704

Summary:

28 new OPEN, 33 new PRO (28 + 5)
Added rules:

Open:

  • 2033858 - ET MALWARE TA399/Sidewinder Activity Payload Request M2, Microsoft Office UA Request for .rtf (malware.rules)
  • 2055080 - ET MALWARE TA399/Sidewinder Activity Payload Request M3, Microsoft Word UA Request for .rtf (malware.rules)
  • 2055081 - ET MALWARE TA399/Sidewinder Activity Payload Request M1, Microsoft Outlook UA Request for .rtf (malware.rules)
  • 2056185 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liedshorqwi .shop) (malware.rules)
  • 2056186 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (liedshorqwi .shop in TLS SNI) (malware.rules)
  • 2056187 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moduledfahhhiov .shop) (malware.rules)
  • 2056188 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moduledfahhhiov .shop in TLS SNI) (malware.rules)
  • 2056189 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (punisshepuredo .shop) (malware.rules)
  • 2056190 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (punisshepuredo .shop in TLS SNI) (malware.rules)
  • 2056191 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (teenylogicod .shop) (malware.rules)
  • 2056192 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (teenylogicod .shop in TLS SNI) (malware.rules)
  • 2056193 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tenseddrywsqio .shop) (malware.rules)
  • 2056194 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tenseddrywsqio .shop in TLS SNI) (malware.rules)
  • 2056195 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (videobenefdii .shop) (malware.rules)
  • 2056196 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (videobenefdii .shop in TLS SNI) (malware.rules)
  • 2056197 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (md928zs .shop) (exploit_kit.rules)
  • 2056198 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (md928zs .shop) (exploit_kit.rules)
  • 2056199 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdngetmyname .biz) (exploit_kit.rules)
  • 2056200 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdngetmyname .biz) (exploit_kit.rules)
  • 2056201 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (restbycalm .com) (exploit_kit.rules)
  • 2056202 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (restbycalm .com) (exploit_kit.rules)
  • 2056203 - ET MALWARE Magnet Goblin Linux Nerbian RAT Trigger Sequence from CnC Server (malware.rules)
  • 2056204 - ET EXPLOIT .NET Remoting SoapServerFormatterSink ObjRef Leak (CVE-2024-29059) (exploit.rules)
  • 2056205 - ET EXPLOIT .NET Remoting BinaryServerFormatterSink ObjRef Leak (CVE-2024-29059) (exploit.rules)
  • 2056206 - ET WEB_SPECIFIC_APPS Apache Spark OS Command Injection (CVE-2023-32007) (web_specific_apps.rules)
  • 2056207 - ET WEB_SPECIFIC_APPS Adobe Commerce / Magento Pre-Authentication XML Entity Injection (CVE-2024-34102) (web_specific_apps.rules)
  • 2056208 - ET WEB_SPECIFIC_APPS Geoserver JT-Jiffle Extension Code Injection (CVE-2022-24816) (web_specific_apps.rules)
  • 2056209 - ET EXPLOIT Veeam Backup & Replication Cloud Connect RCE Attempt Inbound (CVE-2023-27532) (exploit.rules)

Pro:

  • 2858451 - ETPRO WEB_SPECIFIC_APPS HTTP URI Contains Common RCE String (web_specific_apps.rules)
  • 2858452 - ETPRO WEB_SPECIFIC_APPS HTTP Header Contains Common RCE String (web_specific_apps.rules)
  • 2858453 - ETPRO EXPLOIT SMTP Header Contains Common RCE String (exploit.rules)
  • 2858504 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858506 - ETPRO MALWARE .rtf containing Office Equation Editor Exploit (CVE-2018-0798) (malware.rules)

Removed rules:

  • 2033858 - ET INFO Office Retrieving .rtf (GET) (info.rules)
  • 2055080 - ET INFO Microsoft Word HTTP Request for .rtf Payload (info.rules)
  • 2055081 - ET INFO Microsoft Outlook Requesting .rtf (info.rules)