Ruleset Update Summary - 2024/10/15 - v10720

Summary:

78 new OPEN, 101 new PRO (78 + 23)

Thanks @Fortinet


Added rules:

Open:

  • 2036745 - ET RETIRED [TW] Page Contains Redirect to Likely Urlpages Web Hosting Technique (retired.rules)
  • 2048052 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (snxn298y5brpxd67rbntynb6p4qupuuv .com) (retired.rules)
  • 2048053 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com) (retired.rules)
  • 2048054 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com) (retired.rules)
  • 2048055 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com) (retired.rules)
  • 2048056 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com) (retired.rules)
  • 2048057 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com) (retired.rules)
  • 2048058 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com) (retired.rules)
  • 2048059 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com) (retired.rules)
  • 2048060 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com) (retired.rules)
  • 2048061 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com) (retired.rules)
  • 2048062 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com) (retired.rules)
  • 2048063 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com) (retired.rules)
  • 2048064 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com) (retired.rules)
  • 2048065 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com) (retired.rules)
  • 2048066 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com) (retired.rules)
  • 2048067 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com) (retired.rules)
  • 2048068 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (snxn298y5brpxd67rbntynb6p4qupuuv .com in TLS SNI) (retired.rules)
  • 2048069 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com in TLS SNI) (retired.rules)
  • 2048070 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com in TLS SNI) (retired.rules)
  • 2048071 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com in TLS SNI) (retired.rules)
  • 2048072 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com in TLS SNI) (retired.rules)
  • 2048073 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com in TLS SNI) (retired.rules)
  • 2048074 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com in TLS SNI) (retired.rules)
  • 2048075 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com in TLS SNI) (retired.rules)
  • 2048076 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com in TLS SNI) (retired.rules)
  • 2048077 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com in TLS SNI) (retired.rules)
  • 2048078 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com in TLS SNI) (retired.rules)
  • 2048079 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com in TLS SNI) (retired.rules)
  • 2048080 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com in TLS SNI) (retired.rules)
  • 2048081 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com in TLS SNI) (retired.rules)
  • 2048082 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com in TLS SNI) (retired.rules)
  • 2048083 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com in TLS SNI) (retired.rules)
  • 2049962 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (retired.rules)
  • 2049967 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (retired.rules)
  • 2049968 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr) (retired.rules)
  • 2049969 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (retired.rules)
  • 2049970 - ET RETIRED Observed TrollAgent Domain (winters .r-e .kr in TLS SNI) (retired.rules)
  • 2049971 - ET RETIRED Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI) (retired.rules)
  • 2049972 - ET RETIRED Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI) (retired.rules)
  • 2049973 - ET RETIRED Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI) (retired.rules)
  • 2056649 - ET INFO DYNAMIC_DNS Query to a * .gethow .com Domain (info.rules)
  • 2056650 - ET INFO DYNAMIC_DNS HTTP Request to a * .gethow .com Domain (info.rules)
  • 2056651 - ET INFO DYNAMIC_DNS Query to a * .bobwohl .com Domain (info.rules)
  • 2056652 - ET INFO DYNAMIC_DNS HTTP Request to a * .bobwohl .com Domain (info.rules)
  • 2056653 - ET INFO DYNAMIC_DNS Query to a * .iziliang .com Domain (info.rules)
  • 2056654 - ET INFO DYNAMIC_DNS HTTP Request to a * .iziliang .com Domain (info.rules)
  • 2056655 - ET INFO DYNAMIC_DNS Query to a * .wxnw .net Domain (info.rules)
  • 2056656 - ET INFO DYNAMIC_DNS HTTP Request to a * .wxnw .net Domain (info.rules)
  • 2056657 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (braidyintw .cfd) (malware.rules)
  • 2056658 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (braidyintw .cfd in TLS SNI) (malware.rules)
  • 2056659 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dormynwj .buzz) (malware.rules)
  • 2056660 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dormynwj .buzz in TLS SNI) (malware.rules)
  • 2056661 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enginenek .buzz) (malware.rules)
  • 2056662 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enginenek .buzz in TLS SNI) (malware.rules)
  • 2056663 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorationmsn .store) (malware.rules)
  • 2056664 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorationmsn .store in TLS SNI) (malware.rules)
  • 2056665 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (magneticcosi .buzz) (malware.rules)
  • 2056666 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (magneticcosi .buzz in TLS SNI) (malware.rules)
  • 2056667 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (osberverynsb .biz) (malware.rules)
  • 2056668 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (osberverynsb .biz in TLS SNI) (malware.rules)
  • 2056669 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (passimovrt .cfd) (malware.rules)
  • 2056670 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (passimovrt .cfd in TLS SNI) (malware.rules)
  • 2056671 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servebothez .biz) (malware.rules)
  • 2056672 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (servebothez .biz in TLS SNI) (malware.rules)
  • 2056673 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sippymroat .cfd) (malware.rules)
  • 2056674 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sippymroat .cfd in TLS SNI) (malware.rules)
  • 2056675 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unlikerwu .sbs) (malware.rules)
  • 2056676 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unlikerwu .sbs in TLS SNI) (malware.rules)
  • 2056677 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (artickon .shop) (exploit_kit.rules)
  • 2056678 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (artickon .shop) (exploit_kit.rules)
  • 2056679 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (selllify .shop) (exploit_kit.rules)
  • 2056680 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (selllify .shop) (exploit_kit.rules)
  • 2056681 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (y553488469 .top) (exploit_kit.rules)
  • 2056682 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bailingla .com) (exploit_kit.rules)
  • 2056683 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (y553488469 .top) (exploit_kit.rules)
  • 2056684 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bailingla .com) (exploit_kit.rules)
  • 2056685 - ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8190) (exploit.rules)

Pro:

  • 2858681 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2858682 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2858689 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858690 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858691 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858692 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858693 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2858694 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858695 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2858696 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2858698 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2858701 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858702 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858703 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858704 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858705 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858707 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858708 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858709 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2021203 - ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5 (malware.rules)

Removed rules:

  • 2036745 - ET HUNTING [TW] Page Contains Redirect to Likely Urlpages Web Hosting Technique (hunting.rules)
  • 2048052 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (snxn298y5brpxd67rbntynb6p4qupuuv .com) (phishing.rules)
  • 2048053 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com) (phishing.rules)
  • 2048054 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com) (phishing.rules)
  • 2048055 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com) (phishing.rules)
  • 2048056 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com) (phishing.rules)
  • 2048057 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com) (phishing.rules)
  • 2048058 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com) (phishing.rules)
  • 2048059 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com) (phishing.rules)
  • 2048060 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com) (phishing.rules)
  • 2048061 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com) (phishing.rules)
  • 2048062 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com) (phishing.rules)
  • 2048063 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com) (phishing.rules)
  • 2048064 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com) (phishing.rules)
  • 2048065 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com) (phishing.rules)
  • 2048066 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com) (phishing.rules)
  • 2048067 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com) (phishing.rules)
  • 2048068 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (snxn298y5brpxd67rbntynb6p4qupuuv .com in TLS SNI) (phishing.rules)
  • 2048069 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com in TLS SNI) (phishing.rules)
  • 2048070 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com in TLS SNI) (phishing.rules)
  • 2048071 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com in TLS SNI) (phishing.rules)
  • 2048072 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com in TLS SNI) (phishing.rules)
  • 2048073 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com in TLS SNI) (phishing.rules)
  • 2048074 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com in TLS SNI) (phishing.rules)
  • 2048075 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com in TLS SNI) (phishing.rules)
  • 2048076 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com in TLS SNI) (phishing.rules)
  • 2048077 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com in TLS SNI) (phishing.rules)
  • 2048078 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com in TLS SNI) (phishing.rules)
  • 2048079 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com in TLS SNI) (phishing.rules)
  • 2048080 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com in TLS SNI) (phishing.rules)
  • 2048081 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com in TLS SNI) (phishing.rules)
  • 2048082 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com in TLS SNI) (phishing.rules)
  • 2048083 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com in TLS SNI) (phishing.rules)
  • 2049962 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (malware.rules)
  • 2049967 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (malware.rules)
  • 2049968 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr) (malware.rules)
  • 2049969 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (malware.rules)
  • 2049970 - ET MALWARE Observed TrollAgent Domain (winters .r-e .kr in TLS SNI) (malware.rules)
  • 2049971 - ET MALWARE Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI) (malware.rules)
  • 2049972 - ET MALWARE Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI) (malware.rules)
  • 2049973 - ET MALWARE Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI) (malware.rules)