Ruleset Update Summary - 2024/09/30 - v10709

Ruleset Updates
1

Summary:

84 new OPEN, 89 new PRO (84 + 5)

Added rules:

Open:

  • 2037236 - ET RETIRED Win32/Wacatac.B!ml Data Exfiltration (retired.rules)
  • 2043362 - ET RETIRED Playful Taurus Malicious SSL Certificate Observed (retired.rules)
  • 2043364 - ET RETIRED Playful Taurus Observe malicious SSL Cert (self-signed www .netgate .com) (retired.rules)
  • 2044003 - ET RETIRED Malvirt/KoiVM Downloader Variant Payload Retrieval Request (retired.rules)
  • 2044031 - ET RETIRED GCleaner CnC Checkin M1 (retired.rules)
  • 2044032 - ET RETIRED GCleaner Payload Retrieval Attempt (retired.rules)
  • 2044033 - ET RETIRED GCleaner CnC Checkin M2 (retired.rules)
  • 2044034 - ET RETIRED Potential GCleaner CnC Checkin (retired.rules)
  • 2044035 - ET RETIRED Win32/VoipRaider Data Collection Attempt (retired.rules)
  • 2044047 - ET RETIRED Observed URL Shortener Service Domain (fanlink .to) in TLS SNI (retired.rules)
  • 2044111 - ET RETIRED Patchwork APT BADNEWS Variant CnC Checkin M1 (retired.rules)
  • 2044112 - ET RETIRED Patchwork APT BADNEWS Variant CnC Checkin M2 (retired.rules)
  • 2044133 - ET RETIRED Win32/RecordBreaker - Observed UA M6 (01785252112) (retired.rules)
  • 2044134 - ET RETIRED Win32/RecordBreaker - Observed UA M7 (1235125521512) (retired.rules)
  • 2044135 - ET RETIRED Win32/RecordBreaker - Observed UA M8 (125122112551) (retired.rules)
  • 2044236 - ET RETIRED APT37 M2RAT CnC Server Command - OKR (retired.rules)
  • 2044237 - ET RETIRED APT37 M2RAT CnC Server Command - URL (retired.rules)
  • 2044238 - ET RETIRED APT37 M2RAT CnC Server Command - UPD (retired.rules)
  • 2044239 - ET RETIRED APT37 M2RAT CnC Server Command - RES (retired.rules)
  • 2044240 - ET RETIRED APT37 M2RAT CnC Server Command - UNI (retired.rules)
  • 2044241 - ET RETIRED APT37 M2RAT CnC Server Command - CMD (retired.rules)
  • 2044358 - ET RETIRED Win32/S1deload Stealer CnC Domain (neukoo .top) in DNS Lookup (retired.rules)
  • 2044359 - ET RETIRED Win32/S1deload Stealer CnC Checkin (retired.rules)
  • 2044360 - ET RETIRED Win32/S1deload Stealer CnC Checkin - Get Tasking (retired.rules)
  • 2044431 - ET RETIRED MSIL/PSW.Agent.STP Data Exfiltration Attempt (retired.rules)
  • 2044449 - ET RETIRED Parallax CnC Activity M18 (set) (retired.rules)
  • 2044450 - ET RETIRED Parallax CnC Response Activity M18 (retired.rules)
  • 2044503 - ET RETIRED Hiatus RAT CnC Checkin (retired.rules)
  • 2044564 - ET RETIRED Sharp Panda Soul Framework CnC Checkin (retired.rules)
  • 2044583 - ET RETIRED Win32/Root Finder Stealer Sending System Information via Telegram (GET) (retired.rules)
  • 2044584 - ET RETIRED Win32/AMGO Keylogger - Keylogger Started Message via Telegram (POST) (retired.rules)
  • 2044740 - ET RETIRED Win32/HookSpoofer Stealer Sending System Information via Telegram (GET) (retired.rules)
  • 2044744 - ET RETIRED SOMNIRECORD Backdoor PROBE Command in DNS Query (retired.rules)
  • 2044745 - ET RETIRED SOMNIRECORD Backdoor CMD Command in DNS Query (retired.rules)
  • 2044746 - ET RETIRED SOMNIRECORD Backdoor DATA Command in DNS Query (retired.rules)
  • 2044763 - ET RETIRED LogStih Stealer CnC Checkin (retired.rules)
  • 2044764 - ET RETIRED LogStih Stealer Data Exfiltration Attempt (retired.rules)
  • 2044788 - ET RETIRED Vidar Stealer CnC Checkin (retired.rules)
  • 2044796 - ET RETIRED Win32/PSWStealer Data Exfiltration Attempt (retired.rules)
  • 2044853 - ET RETIRED Crashedtech Loader CnC Checkin (retired.rules)
  • 2045056 - ET RETIRED Win32/Fabookie.ek CnC Domain in DNS Lookup (retired.rules)
  • 2045057 - ET RETIRED Win32/Fabookie.ek CnC Request M4 (GET) (retired.rules)
  • 2045058 - ET RETIRED Win32/Fabookie.ek CnC Activity M2 (retired.rules)
  • 2056318 - ET PHISHING Generic Credential Phish Landing Page M1 2024-09-27 (phishing.rules)
  • 2056319 - ET PHISHING Generic Credential Phish Landing Page M2 2024-09-27 (phishing.rules)
  • 2056320 - ET WEB_SPECIFIC_APPS Apache CloudStack SAML Authentication Bypass (CVE-2024-41107) (web_specific_apps.rules)
  • 2056321 - ET MALWARE SocGholish CnC Domain in DNS (* .shades .whatisaweekend .com) (malware.rules)
  • 2056322 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .shades .whatisaweekend .com) (malware.rules)
  • 2056323 - ET WEB_SPECIFIC_APPS Apache HugeGraph Gremlin SecurityManager Reflection Filter Bypass (CVE-2024-27348) (web_specific_apps.rules)
  • 2056324 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site) (malware.rules)
  • 2056325 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agentyanlark .site in TLS SNI) (malware.rules)
  • 2056326 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annthostiledm .shop) (malware.rules)
  • 2056327 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (annthostiledm .shop in TLS SNI) (malware.rules)
  • 2056328 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site) (malware.rules)
  • 2056329 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bellykmrebk .site in TLS SNI) (malware.rules)
  • 2056330 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bundledborne .shop) (malware.rules)
  • 2056331 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bundledborne .shop in TLS SNI) (malware.rules)
  • 2056332 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (candleduseiwo .shop) (malware.rules)
  • 2056333 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (candleduseiwo .shop in TLS SNI) (malware.rules)
  • 2056334 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site) (malware.rules)
  • 2056335 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (commandejorsk .site in TLS SNI) (malware.rules)
  • 2056336 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site) (malware.rules)
  • 2056337 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (delaylacedmn .site in TLS SNI) (malware.rules)
  • 2056338 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site) (malware.rules)
  • 2056339 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (famikyjdiag .site in TLS SNI) (malware.rules)
  • 2056340 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site) (malware.rules)
  • 2056341 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (possiwreeste .site in TLS SNI) (malware.rules)
  • 2056342 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (termyfencdw .site) (malware.rules)
  • 2056343 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (termyfencdw .site in TLS SNI) (malware.rules)
  • 2056344 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site) (malware.rules)
  • 2056345 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (underlinemdsj .site in TLS SNI) (malware.rules)
  • 2056346 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site) (malware.rules)
  • 2056347 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (writekdmsnu .site in TLS SNI) (malware.rules)
  • 2056348 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (innerglowjourney .com) (exploit_kit.rules)
  • 2056349 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (reputationb .com) (exploit_kit.rules)
  • 2056350 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paperbearsweets .com) (exploit_kit.rules)
  • 2056351 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (innerglowjourney .com) (exploit_kit.rules)
  • 2056352 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (reputationb .com) (exploit_kit.rules)
  • 2056353 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paperbearsweets .com) (exploit_kit.rules)
  • 2056354 - ET WEB_SPECIFIC_APPS PRTG Network Monitor Information Disclosure Attempt (CVE-2020-11547) (web_specific_apps.rules)
  • 2056355 - ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798) (web_specific_apps.rules)
  • 2056356 - ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519) (exploit.rules)
  • 2056357 - ET INFO URL Shortener Service Domain in DNS Lookup (2ly .link) (info.rules)
  • 2056358 - ET INFO Observed URL Shortener Service Domain (2ly .link in TLS SNI) (info.rules)

Pro:

  • 2854246 - ETPRO RETIRED Gatef Loader Payload Retrieval Attempt (retired.rules)
  • 2858508 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858509 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858510 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858511 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2043299 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043300 - ET MALWARE Cobalt Strike Domain in DNS Lookup (fepopeguc .com) (malware.rules)
  • 2043301 - ET MALWARE Cobalt Strike Domain (fepopeguc .com) in TLS SNI (malware.rules)
  • 2043365 - ET MALWARE Playful Taurus CnC Domain (scm .oracleapps .org) in DNS Lookup (malware.rules)
  • 2043366 - ET MALWARE Playful Taurus CnC Domain (update .adboeonline .net) in DNS Lookup (malware.rules)
  • 2043367 - ET MALWARE Playful Taurus CnC Domain (mail .indiarailways .net) in DNS Lookup (malware.rules)
  • 2043368 - ET MALWARE Playful Taurus CnC Domain (update .delldrivers .in) in DNS Lookup (malware.rules)
  • 2043370 - ET MALWARE Kimsuky CnC Domain (lifehelper .kr) in DNS Lookup (malware.rules)
  • 2043439 - ET MOBILE_MALWARE Android/Gigabud CnC Domain (lionaiothai .com) in DNS Lookup (mobile_malware.rules)
  • 2043440 - ET MOBILE_MALWARE Android/Gigabud CnC Domain (cmnb9 .cc) in DNS Lookup (mobile_malware.rules)
  • 2043441 - ET MOBILE_MALWARE Android/Gigabud CnC Domain (bweri6 .cc) in DNS Lookup (mobile_malware.rules)
  • 2043988 - ET MALWARE Cobalt Strike CnC Domain (020 .57thandnormal .com) in DNS Lookup (malware.rules)
  • 2043989 - ET MALWARE Cobalt Strike CnC Domain (r2 .57thandnormal .com) in DNS Lookup (malware.rules)
  • 2043990 - ET MALWARE Cobalt Strike CnC Domain (r1 .57thandnormal .com) in DNS Lookup (malware.rules)
  • 2044025 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win02 .xyz) in DNS Lookup (malware.rules)
  • 2044026 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win03 .xyz) in DNS Lookup (malware.rules)
  • 2044027 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win04 .xyz) in DNS Lookup (malware.rules)
  • 2044028 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win01 .xyz) in DNS Lookup (malware.rules)
  • 2044183 - ET MALWARE Backdoored Xpopup Domain (xpopup .pe .kr) in DNS Lookup (malware.rules)
  • 2044203 - ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .tourseasons .xyz) (malware.rules)
  • 2044312 - ET MALWARE Cobalt Strike CnC Domain (taoche .cn .wswebpic .com) in DNS Lookup (malware.rules)
  • 2044852 - ET MALWARE Crashedtech Loader Domain (crashedff .xyz) in DNS Lookup (malware.rules)
  • 2045113 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (setnewcreds .ukr .net .frge .io) (malware.rules)
  • 2045114 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (robot-876 .frge .io) (malware.rules)
  • 2045115 - ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (ukrprivatesite .frge .io) (malware.rules)
  • 2045116 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-ua .site) (malware.rules)
  • 2045117 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (meta-l .space) (malware.rules)
  • 2045118 - ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-log .online) (malware.rules)
  • 2045119 - ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (masterofdigital .org) (malware.rules)
  • 2045120 - ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (chatgpt4beta .com) (malware.rules)
  • 2045131 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com) (attack_response.rules)
  • 2045132 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com) (attack_response.rules)
  • 2045133 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com) (attack_response.rules)
  • 2045134 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com) (attack_response.rules)
  • 2045135 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com) (attack_response.rules)
  • 2045136 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com) (attack_response.rules)
  • 2045137 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com) (attack_response.rules)
  • 2045138 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com) (attack_response.rules)
  • 2045139 - ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com) (attack_response.rules)
  • 2853780 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853782 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)

Removed rules:

  • 2037236 - ET MALWARE Win32/Wacatac.B!ml Data Exfiltration (malware.rules)
  • 2043362 - ET MALWARE Playful Taurus Malicious SSL Certificate Observed (malware.rules)
  • 2043364 - ET MALWARE Playful Taurus Observe malicious SSL Cert (self-signed www .netgate .com) (malware.rules)
  • 2044003 - ET MALWARE Malvirt/KoiVM Downloader Variant Payload Retrieval Request (malware.rules)
  • 2044031 - ET MALWARE GCleaner CnC Checkin M1 (malware.rules)
  • 2044032 - ET MALWARE GCleaner Payload Retrieval Attempt (malware.rules)
  • 2044033 - ET MALWARE GCleaner CnC Checkin M2 (malware.rules)
  • 2044034 - ET MALWARE Potential GCleaner CnC Checkin (malware.rules)
  • 2044035 - ET ADWARE_PUP Win32/VoipRaider Data Collection Attempt (adware_pup.rules)
  • 2044047 - ET INFO Observed URL Shortener Service Domain (fanlink .to) in TLS SNI (info.rules)
  • 2044111 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M1 (malware.rules)
  • 2044112 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M2 (malware.rules)
  • 2044133 - ET MALWARE Win32/RecordBreaker - Observed UA M6 (01785252112) (malware.rules)
  • 2044134 - ET MALWARE Win32/RecordBreaker - Observed UA M7 (1235125521512) (malware.rules)
  • 2044135 - ET MALWARE Win32/RecordBreaker - Observed UA M8 (125122112551) (malware.rules)
  • 2044236 - ET MALWARE APT37 M2RAT CnC Server Command - OKR (malware.rules)
  • 2044237 - ET MALWARE APT37 M2RAT CnC Server Command - URL (malware.rules)
  • 2044238 - ET MALWARE APT37 M2RAT CnC Server Command - UPD (malware.rules)
  • 2044239 - ET MALWARE APT37 M2RAT CnC Server Command - RES (malware.rules)
  • 2044240 - ET MALWARE APT37 M2RAT CnC Server Command - UNI (malware.rules)
  • 2044241 - ET MALWARE APT37 M2RAT CnC Server Command - CMD (malware.rules)
  • 2044358 - ET MALWARE Win32/S1deload Stealer CnC Domain (neukoo .top) in DNS Lookup (malware.rules)
  • 2044359 - ET MALWARE Win32/S1deload Stealer CnC Checkin (malware.rules)
  • 2044360 - ET MALWARE Win32/S1deload Stealer CnC Checkin - Get Tasking (malware.rules)
  • 2044431 - ET MALWARE MSIL/PSW.Agent.STP Data Exfiltration Attempt (malware.rules)
  • 2044449 - ET MALWARE Parallax CnC Activity M18 (set) (malware.rules)
  • 2044450 - ET MALWARE Parallax CnC Response Activity M18 (malware.rules)
  • 2044503 - ET MALWARE Hiatus RAT CnC Checkin (malware.rules)
  • 2044564 - ET MALWARE Sharp Panda Soul Framework CnC Checkin (malware.rules)
  • 2044583 - ET MALWARE Win32/Root Finder Stealer Sending System Information via Telegram (GET) (malware.rules)
  • 2044584 - ET MALWARE Win32/AMGO Keylogger - Keylogger Started Message via Telegram (POST) (malware.rules)
  • 2044740 - ET MALWARE Win32/HookSpoofer Stealer Sending System Information via Telegram (GET) (malware.rules)
  • 2044744 - ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS Query (malware.rules)
  • 2044745 - ET MALWARE SOMNIRECORD Backdoor CMD Command in DNS Query (malware.rules)
  • 2044746 - ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query (malware.rules)
  • 2044763 - ET MALWARE LogStih Stealer CnC Checkin (malware.rules)
  • 2044764 - ET MALWARE LogStih Stealer Data Exfiltration Attempt (malware.rules)
  • 2044788 - ET MALWARE Vidar Stealer CnC Checkin (malware.rules)
  • 2044796 - ET MALWARE Win32/PSWStealer Data Exfiltration Attempt (malware.rules)
  • 2044853 - ET MALWARE Crashedtech Loader CnC Checkin (malware.rules)
  • 2045056 - ET MALWARE Win32/Fabookie.ek CnC Domain in DNS Lookup (malware.rules)
  • 2045057 - ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) (malware.rules)
  • 2045058 - ET MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
  • 2854246 - ETPRO MALWARE Gatef Loader Payload Retrieval Attempt (malware.rules)