Ruleset Update Summary - 2024/10/08 - v10716

rulesbot · October 8, 2024, 8:55pm

Summary:

17 new OPEN, 36 new PRO (17 + 19)

Please be aware that Friday, October 11th, is a Proofpoint company holiday. There will not be a rule release that day. Rule releases will continue the following Monday, October 14th.

Added rules:

Open:

2056539 - ET MALWARE Havoc Demon CnC Request (malware.rules)
2056540 - ET MALWARE Havoc Demon CnC Domain in DNS Lookup (ttwweatterarartgea .ga) (malware.rules)
2056541 - ET MALWARE Observed Havoc Demon Domain (ttwweatterarartgea .ga in TLS SNI) (malware.rules)
2056542 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bleedminejw .buzz) (malware.rules)
2056543 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bleedminejw .buzz in TLS SNI) (malware.rules)
2056544 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (epiloggati .sbs) (malware.rules)
2056545 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (epiloggati .sbs in TLS SNI) (malware.rules)
2056546 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (methodbojjewkl .shop) (malware.rules)
2056547 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (methodbojjewkl .shop in TLS SNI) (malware.rules)
2056548 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ggoryo .com) (exploit_kit.rules)
2056549 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ggoryo .com) (exploit_kit.rules)
2056550 - ET MALWARE Win32/DeerStealer CnC Checkin (malware.rules)
2056551 - ET INFO DNS Query to TA Abused Online File Sharing Service (adttemp .com .br) (info.rules)
2056552 - ET INFO Observed TA Abused Online File Sharing Service Domain (adttemp .com .br in TLS SNI) (info.rules)
2056553 - ET INFO File Download from transfer .sh Service (info.rules)
2056554 - ET MALWARE SocGholish CnC Domain in DNS (* .outfit .dianamercer .com) (malware.rules)
2056555 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .outfit .dianamercer .com) (malware.rules)

Pro:

2858646 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858647 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858648 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858649 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858650 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2858651 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858652 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2858653 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858654 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2858655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858656 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858657 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2858658 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2858659 - ETPRO WEB_CLIENT Possible Microsoft Edge Sandbox Escape Attempt (CVE-2024-43573) (web_client.rules)
2858660 - ETPRO HUNTING Microsoft Management Console Link to Web Address Snap-in URI Scheme (hunting.rules)
2858661 - ETPRO HUNTING Microsoft Management Console ActiveX Control Snap-in Arbitrary Code (hunting.rules)
2858662 - ETPRO HUNTING Microsoft Management Console Taskpad Command (hunting.rules)
2858663 - ETPRO HUNTING Microsoft Management Console Control File View Object Reference (hunting.rules)
2858664 - ETPRO HUNTING Microsoft Management Console Control File Arbitrary Redirect (apds.dll) (hunting.rules)

Disabled and modified rules:

2033885 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2039577 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
2039578 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
2041126 - ET MALWARE TA453 Related Domain in DNS Lookup (tinyurl .ink) (malware.rules)
2041127 - ET MALWARE TA453 Related Domain in DNS Lookup (de-ma .online) (malware.rules)
2041128 - ET MALWARE TA453 Related Domain in DNS Lookup (litby .us) (malware.rules)
2041129 - ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .online) (malware.rules)
2041130 - ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .org) (malware.rules)
2041658 - ET MALWARE Observed DNS Query to AppleJeus Domain (strainservice .com) (malware.rules)
2041659 - ET MALWARE Observed DNS Query to AppleJeus Domain (telloo .io) (malware.rules)
2041660 - ET MALWARE Observed DNS Query to AppleJeus Domain (wirexpro .com) (malware.rules)
2041661 - ET MALWARE Observed DNS Query to AppleJeus Domain (rebelthumb .net) (malware.rules)
2041662 - ET MALWARE Observed DNS Query to AppleJeus Domain (oilycargo .com) (malware.rules)
2041663 - ET MALWARE Observed DNS Query to AppleJeus Domain (bloxholder .com) (malware.rules)
2041676 - ET MALWARE Observed DNS Query to ElectronBot Domain (Electron-Bot .s3 .eu-central-1 .amazonaws .com) (malware.rules)
2041677 - ET MALWARE Observed DNS Query to ElectronBot Domain (11k .online) (malware.rules)
2041681 - ET PHISHING Observed Phish Domain in DNS Lookup (registration-adnoc .com) 2022-12-05 (phishing.rules)
2041686 - ET PHISHING Observed Phish Domain in DNS Lookup (qatarenergys .com) 2022-12-05 (phishing.rules)
2041688 - ET PHISHING Observed Phish Domain in DNS Lookup (bidders-enoc .com) 2022-12-05 (phishing.rules)
2041779 - ET PHISHING Observed Phish Domain in DNS Lookup (rambolloil .com) 2022-12-05 (phishing.rules)
2041924 - ET MALWARE Observed DNS Query to Pirate Stealer Domain (mdvksublbpczqluqvvbytfprxdwakuke .nl) (malware.rules)
2041925 - ET MALWARE Observed Pirate Stealer Domain in DNS Lookup (wearenotbbystealer .nl) (malware.rules)
2042542 - ET MALWARE Observed Pirate Stealer Domain in DNS Lookup (socket .bby .gg) (malware.rules)
2043241 - ET MALWARE DNS Query to Fake TeamViewer Domain (coldcreekranch .com) (malware.rules)
2043242 - ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com) (malware.rules)
2043243 - ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com) (malware.rules)
2043244 - ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online) (malware.rules)
2043245 - ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online) (malware.rules)
2850552 - ETPRO MALWARE Observed Malicious SSL Cert (TeerD1) (malware.rules)
2852660 - ETPRO MALWARE TA4563 Domain in DNS Lookup (malware.rules)
2852662 - ETPRO MALWARE TA4563 Domain in DNS Lookup (malware.rules)
2852665 - ETPRO MALWARE Suspected TA463 Domain in DNS Lookup (malware.rules)
2853019 - ETPRO PHISHING Observed DNS Query to DomBox Phishing Domain (2023-01-06) (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/10/09 - v10717 Ruleset Updates	72	October 9, 2024
Ruleset Update Summary - 2024/10/07 - v10715 Ruleset Updates	99	October 7, 2024
Ruleset Update Summary - 2024/02/28 - v10542 Ruleset Updates	230	February 28, 2024
Ruleset Update Summary - 2024/07/31 - v10657 Ruleset Updates	102	July 31, 2024
Ruleset Update Summary - 2024/10/10 - v10718 Ruleset Updates	101	October 10, 2024