Ruleset Update Summary - 2024/10/03 - v10713

Ruleset Updates
1

Summary:

64 new OPEN, 67 new PRO (64 + 3)

Added rules:

Open:

  • 2049307 - ET RETIRED TA406 Win32/Updog CnC Checkin (retired.rules)
  • 2049380 - ET RETIRED Andariel Group Nukesped Variant CnC Checkin (retired.rules)
  • 2049931 - ET RETIRED Sharp Panda APT Related Activity M3 (retired.rules)
  • 2049975 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M1 (retired.rules)
  • 2049976 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M2 (retired.rules)
  • 2049977 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M3 (retired.rules)
  • 2049978 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M4 (retired.rules)
  • 2049979 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M5 (retired.rules)
  • 2049980 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M6 (retired.rules)
  • 2049981 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M7 (retired.rules)
  • 2049982 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M8 (retired.rules)
  • 2049983 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M9 (retired.rules)
  • 2049984 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M10 (retired.rules)
  • 2049985 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M11 (retired.rules)
  • 2049986 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M12 (retired.rules)
  • 2049987 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M13 (retired.rules)
  • 2049988 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M14 (retired.rules)
  • 2049989 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M15 (retired.rules)
  • 2049990 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M16 (retired.rules)
  • 2049991 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M17 (retired.rules)
  • 2049992 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M18 (retired.rules)
  • 2049993 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M19 (retired.rules)
  • 2049994 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M20 (retired.rules)
  • 2049995 - ET RETIRED Blister Loader Cobalt Strike C2 Profile M21 (retired.rules)
  • 2049996 - ET RETIRED Blister Loader Mythic C2 Profile M1 (retired.rules)
  • 2049997 - ET RETIRED Blister Loader Mythic C2 Profile M2 (retired.rules)
  • 2049998 - ET RETIRED Blister Loader Mythic C2 Profile M3 (retired.rules)
  • 2049999 - ET RETIRED Blister Loader Mythic C2 Profile M4 (retired.rules)
  • 2050511 - ET RETIRED Earth Preta PUBLOAD Activity M2 (retired.rules)
  • 2050512 - ET RETIRED Earth Preta PUBLOAD Activity M3 (retired.rules)
  • 2050708 - ET RETIRED Mispadu Stealer CnC Checkin M1 (retired.rules)
  • 2050709 - ET RETIRED Mispadu Stealer CnC Checkin M2 (retired.rules)
  • 2051513 - ET RETIRED Bitter APT Related Activity (GET) (retired.rules)
  • 2056415 - ET MALWARE Observed DNS Query to YK0130 Reverse Shell Payload Domain (toptipvideo .com) (malware.rules)
  • 2056416 - ET MALWARE Observed YK0130 Reverse Shell Payload Domain (toptipvideo .com in TLS SNI) (malware.rules)
  • 2056417 - ET MALWARE TONESHELL CnC Domain in DNS Lookup (uvfr4ep .com) (malware.rules)
  • 2056418 - ET MALWARE TONESHELL CnC Domain in DNS Lookup (dljmp2p .com) (malware.rules)
  • 2056419 - ET MALWARE TONESHELL CnC Domain in DNS Lookup (dl6yfsl .com) (malware.rules)
  • 2056420 - ET MALWARE Observed TONESHELL Domain (uvfr4ep .com in TLS SNI) (malware.rules)
  • 2056421 - ET MALWARE Observed TONESHELL Domain (dljmp2p .com in TLS SNI) (malware.rules)
  • 2056422 - ET MALWARE Observed TONESHELL Domain (dl6yfsl .com in TLS SNI) (malware.rules)
  • 2056423 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M1 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056424 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M2 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056425 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M3 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056426 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M4 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056427 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M5 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056428 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M6 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056429 - ET WEB_SPECIFIC_APPS Apache 2.4.0 → 2.4.55 HTTP Smuggling Attempt M7 (CVE-2023-25690) (web_specific_apps.rules)
  • 2056430 - ET INFO Vultr CDN/Object Storage Domain in DNS Lookup (vultrcdn .com) (info.rules)
  • 2056431 - ET INFO Vultr CDN/Object Storage Domain in DNS Lookup (vultrobjects .com) (info.rules)
  • 2056432 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tecstify .com) (exploit_kit.rules)
  • 2056433 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jerescarla .com) (exploit_kit.rules)
  • 2056434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (shaoriffandco .com) (exploit_kit.rules)
  • 2056435 - ET INFO Observed Vultr CDN/Object Storage Domain (vultrcdn .com) in TLS SNI (info.rules)
  • 2056436 - ET INFO Observed Vultr CDN/Object Storage Domain (vultrobjects .com) in TLS SNI (info.rules)
  • 2056437 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tecstify .com) (exploit_kit.rules)
  • 2056438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jerescarla .com) (exploit_kit.rules)
  • 2056439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (shaoriffandco .com) (exploit_kit.rules)
  • 2056440 - ET INFO DYNAMIC_DNS Query to a * .fagerho .lt Domain (info.rules)
  • 2056441 - ET INFO DYNAMIC_DNS HTTP Request to a * .fagerho .lt Domain (info.rules)
  • 2056442 - ET INFO DYNAMIC_DNS Query to a * .kbmax .sg Domain (info.rules)
  • 2056443 - ET INFO DYNAMIC_DNS HTTP Request to a * .kbmax .sg Domain (info.rules)
  • 2056444 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (accentypastedw .store) (malware.rules)
  • 2056445 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (accentypastedw .store in TLS SNI) (malware.rules)

Pro:

  • 2856406 - ETPRO RETIRED Possible Metamorfo Payload Response (retired.rules)
  • 2858534 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858535 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2049818 - ET MALWARE Win32/Unknown Stealer CnC Domain in DNS Lookup (webvideoshareonline .com) (malware.rules)
  • 2049819 - ET MALWARE Suspicious Domain (webvideoshareonline .com) in TLS SNI (malware.rules)
  • 2049820 - ET MALWARE Win32/Koi Loader/Stealer CnC Domain in DNS Lookup (podologie-werne .de) (malware.rules)
  • 2049821 - ET MALWARE Observed Win32/Koi Loader/Stealer Domain (podologie-werne .de) in TLS SNI (malware.rules)
  • 2049932 - ET MALWARE Sharp Panda APT Related Domain in DNS Lookup (openxmlformats .shop) (malware.rules)
  • 2050634 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (farstream .org) (malware.rules)
  • 2050635 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (sysupdates .org) (malware.rules)
  • 2050638 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (be-at-home .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
  • 2050639 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bbr-promo .s3 .amazonaws .com) (malware.rules)
  • 2050640 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bigtimeassets .s3 .amazonaws .com) (malware.rules)
  • 2050641 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (acapros-app .s3-us-west-2 .amazonaws .com) (malware.rules)
  • 2050642 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (beansdeals-static .s3 .amazonaws .com) (malware.rules)
  • 2050643 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bringthenoiseappnew .s3 .amazonaws .com) (malware.rules)
  • 2050644 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (2261992 .s3 .amazonaws .com) (malware.rules)
  • 2050645 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (ahha-asset .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
  • 2050646 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (breaknlinks .s3 .amazonaws .com) (malware.rules)
  • 2050693 - ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (malware.rules)
  • 2050694 - ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (malware.rules)
  • 2051087 - ET MALWARE Malvertising Domain in DNS Lookup (parsic .org) (malware.rules)
  • 2051088 - ET MALWARE Malvertising Domain in DNS Lookup (reclaimmycredit .com) (malware.rules)
  • 2051123 - ET MALWARE Malvertising Related Domain in DNS Lookup (hmgcyberschools .com) (malware.rules)
  • 2051124 - ET MALWARE Malvertising Related Domain in DNS Lookup (darknetlinks .wiki) (malware.rules)
  • 2051125 - ET MALWARE Malvertising Related Domain in DNS Lookup (legit .onelink .me) (malware.rules)
  • 2051126 - ET MALWARE Malvertising Related Domain in DNS Lookup (healthbeautycosmetics .com) (malware.rules)
  • 2051127 - ET MALWARE Observed Malvertising Related Domain (hmgcyberschools .com) in TLS SNI (malware.rules)
  • 2051128 - ET MALWARE Observed Malvertising Related Domain (darknetlinks .wiki) in TLS SNI (malware.rules)
  • 2051129 - ET MALWARE Observed Malvertising Related Domain (legit .onelink .me) in TLS SNI (malware.rules)
  • 2051130 - ET MALWARE Observed Malvertising Related Domain (healthbeautycosmetics .com) in TLS SNI (malware.rules)
  • 2051150 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (blockchain-newtech .com) (malware.rules)
  • 2051151 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (chaingrown .com) (malware.rules)
  • 2051152 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (fasttet .com) (malware.rules)
  • 2051526 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .jsassets .sbs) (malware.rules)
  • 2051527 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .elfaker .workers .dev) (malware.rules)
  • 2051528 - ET MALWARE FakeExt CnC Domain in DNS Lookup (prod .jslibrary .sbs) (malware.rules)
  • 2051529 - ET MALWARE FakeExt CnC Domain in DNS Lookup (browser .internalfiles .sbs) (malware.rules)
  • 2051530 - ET MALWARE FakeExt CnC Domain in DNS Lookup (fastify .sbs) (malware.rules)
  • 2051531 - ET MALWARE FakeExt CnC Domain in DNS Lookup (cdn .lll .yachts) (malware.rules)
  • 2051532 - ET MALWARE FakeExt CnC Domain in DNS Lookup (jschecks .com) (malware.rules)
  • 2051533 - ET MALWARE FakeExt CnC Domain in DNS Lookup (javascrip12 .com) (malware.rules)
  • 2051534 - ET MALWARE Observed FakeExt Domain (cdn .jsassets .sbs) in TLS SNI (malware.rules)
  • 2051535 - ET MALWARE Observed FakeExt Domain (fastify .elfaker .workers .dev) in TLS SNI (malware.rules)
  • 2051536 - ET MALWARE Observed FakeExt Domain (prod .jslibrary .sbs) in TLS SNI (malware.rules)
  • 2051537 - ET MALWARE Observed FakeExt Domain (fastify .sbs) in TLS SNI (malware.rules)
  • 2051538 - ET MALWARE Observed FakeExt Domain (cdn .lll .yachts) in TLS SNI (malware.rules)
  • 2051539 - ET MALWARE Observed FakeExt Domain (screen-security .com) in TLS SNI (malware.rules)
  • 2051540 - ET MALWARE Observed FakeExt Domain (jschecks .com) in TLS SNI (malware.rules)
  • 2051541 - ET MALWARE Observed FakeExt Domain (javascrip12 .com) in TLS SNI (malware.rules)
  • 2051562 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (oncloud-analytics .com) (malware.rules)
  • 2051563 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (cloudflareaddons .com) (malware.rules)
  • 2051564 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (dev-clientservice .com) (malware.rules)
  • 2051565 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (prorecieve .com) (malware.rules)
  • 2051566 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (mailchimp-addons .com) (malware.rules)
  • 2051567 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (allsecurehosting .com) (malware.rules)
  • 2051568 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (textsmsonline .com) (malware.rules)
  • 2051569 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (oncloud-analytics .com) in TLS SNI (malware.rules)
  • 2051570 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (cloudflareaddons .com) in TLS SNI (malware.rules)
  • 2051571 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (dev-clientservice .com) in TLS SNI (malware.rules)
  • 2051572 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (prorecieve .com) in TLS SNI (malware.rules)
  • 2051573 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (mailchimp-addons .com) in TLS SNI (malware.rules)
  • 2051574 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (allsecurehosting .com) in TLS SNI (malware.rules)
  • 2051575 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (textsmsonline .com) in TLS SNI (malware.rules)
  • 2051783 - ET MALWARE Python Typo Squatting Domain in DNS Lookup (files .pypihosted .org) (malware.rules)
  • 2051784 - ET MALWARE Python Typosquatting Domain (files .pypihosted .org) in TLS SNI (malware.rules)
  • 2051983 - ET MALWARE 3proxy Backdoor CnC Domain in DNS Lookup (catalog .micrisoftdrivers .com) (malware.rules)
  • 2051984 - ET MALWARE 3proxy Backdoor Domain (catalog .micrisoftdrivers .com) in TLS SNI (malware.rules)
  • 2051985 - ET INFO Phishing Training Domain in DNS Lookup (notifierservice .com) (info.rules)
  • 2051986 - ET INFO Phishing Training Domain (notifierservice .com) in TLS SNI (info.rules)
  • 2052002 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn33 .space) (malware.rules)
  • 2052003 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn32 .space) (malware.rules)
  • 2052004 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn36 .space) (malware.rules)
  • 2052005 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn38 .space) (malware.rules)
  • 2052006 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn37 .space) (malware.rules)
  • 2052007 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn34 .space) (malware.rules)
  • 2052008 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn35 .space) (malware.rules)
  • 2052009 - ET MALWARE Suspected FIN7 Related domain in DNS Lookup (cdn31 .space) (malware.rules)
  • 2052010 - ET MALWARE Suspected Fin7 Related Domain (cdn33 .space) in TLS SNI (malware.rules)
  • 2052011 - ET MALWARE Suspected Fin7 Related Domain (cdn32 .space) in TLS SNI (malware.rules)
  • 2052012 - ET MALWARE Suspected Fin7 Related Domain (cdn36 .space) in TLS SNI (malware.rules)
  • 2052013 - ET MALWARE Suspected Fin7 Related Domain (cdn38 .space) in TLS SNI (malware.rules)
  • 2052014 - ET MALWARE Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI (malware.rules)
  • 2052015 - ET MALWARE Suspected Fin7 Related Domain (cdn34 .space) in TLS SNI (malware.rules)
  • 2052016 - ET MALWARE Suspected Fin7 Related Domain (cdn35 .space) in TLS SNI (malware.rules)
  • 2052017 - ET MALWARE Suspected Fin7 Related Domain (cdn31 .space) in TLS SNI (malware.rules)
  • 2856306 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Domain in DNS Lookup (malware.rules)
  • 2856407 - ETPRO MALWARE Suspected Metamorfo Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2049307 - ET MALWARE TA406 Win32/Updog CnC Checkin (malware.rules)
  • 2049380 - ET MALWARE Andariel Group Nukesped Variant CnC Checkin (malware.rules)
  • 2049931 - ET MALWARE Sharp Panda APT Related Activity M3 (malware.rules)
  • 2049975 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M1 (malware.rules)
  • 2049976 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M2 (malware.rules)
  • 2049977 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M3 (malware.rules)
  • 2049978 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M4 (malware.rules)
  • 2049979 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M5 (malware.rules)
  • 2049980 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M6 (malware.rules)
  • 2049981 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M7 (malware.rules)
  • 2049982 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M8 (malware.rules)
  • 2049983 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M9 (malware.rules)
  • 2049984 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M10 (malware.rules)
  • 2049985 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M11 (malware.rules)
  • 2049986 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M12 (malware.rules)
  • 2049987 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M13 (malware.rules)
  • 2049988 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M14 (malware.rules)
  • 2049989 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M15 (malware.rules)
  • 2049990 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M16 (malware.rules)
  • 2049991 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M17 (malware.rules)
  • 2049992 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M18 (malware.rules)
  • 2049993 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M19 (malware.rules)
  • 2049994 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M20 (malware.rules)
  • 2049995 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M21 (malware.rules)
  • 2049996 - ET MALWARE Blister Loader Mythic C2 Profile M1 (malware.rules)
  • 2049997 - ET MALWARE Blister Loader Mythic C2 Profile M2 (malware.rules)
  • 2049998 - ET MALWARE Blister Loader Mythic C2 Profile M3 (malware.rules)
  • 2049999 - ET MALWARE Blister Loader Mythic C2 Profile M4 (malware.rules)
  • 2050511 - ET MALWARE Earth Preta PUBLOAD Activity M2 (malware.rules)
  • 2050512 - ET MALWARE Earth Preta PUBLOAD Activity M3 (malware.rules)
  • 2050708 - ET MALWARE Mispadu Stealer CnC Checkin M1 (malware.rules)
  • 2050709 - ET MALWARE Mispadu Stealer CnC Checkin M2 (malware.rules)
  • 2051513 - ET MALWARE Bitter APT Related Activity (GET) (malware.rules)
  • 2856406 - ETPRO MALWARE Possible Metamorfo Payload Response (malware.rules)