Ruleset Update Summary - 2024/10/15 - v10720

rulesbot · October 15, 2024, 8:20pm

Summary:

78 new OPEN, 101 new PRO (78 + 23)

Thanks @Fortinet

Added rules:

Open:

2036745 - ET RETIRED [TW] Page Contains Redirect to Likely Urlpages Web Hosting Technique (retired.rules)
2048052 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (snxn298y5brpxd67rbntynb6p4qupuuv .com) (retired.rules)
2048053 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com) (retired.rules)
2048054 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com) (retired.rules)
2048055 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com) (retired.rules)
2048056 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com) (retired.rules)
2048057 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com) (retired.rules)
2048058 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com) (retired.rules)
2048059 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com) (retired.rules)
2048060 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com) (retired.rules)
2048061 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com) (retired.rules)
2048062 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com) (retired.rules)
2048063 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com) (retired.rules)
2048064 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com) (retired.rules)
2048065 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com) (retired.rules)
2048066 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com) (retired.rules)
2048067 - ET RETIRED [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com) (retired.rules)
2048068 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (snxn298y5brpxd67rbntynb6p4qupuuv .com in TLS SNI) (retired.rules)
2048069 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com in TLS SNI) (retired.rules)
2048070 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com in TLS SNI) (retired.rules)
2048071 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com in TLS SNI) (retired.rules)
2048072 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com in TLS SNI) (retired.rules)
2048073 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com in TLS SNI) (retired.rules)
2048074 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com in TLS SNI) (retired.rules)
2048075 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com in TLS SNI) (retired.rules)
2048076 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com in TLS SNI) (retired.rules)
2048077 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com in TLS SNI) (retired.rules)
2048078 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com in TLS SNI) (retired.rules)
2048079 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com in TLS SNI) (retired.rules)
2048080 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com in TLS SNI) (retired.rules)
2048081 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com in TLS SNI) (retired.rules)
2048082 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com in TLS SNI) (retired.rules)
2048083 - ET RETIRED [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com in TLS SNI) (retired.rules)
2049962 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (retired.rules)
2049967 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (retired.rules)
2049968 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr) (retired.rules)
2049969 - ET RETIRED TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (retired.rules)
2049970 - ET RETIRED Observed TrollAgent Domain (winters .r-e .kr in TLS SNI) (retired.rules)
2049971 - ET RETIRED Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI) (retired.rules)
2049972 - ET RETIRED Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI) (retired.rules)
2049973 - ET RETIRED Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI) (retired.rules)
2056649 - ET INFO DYNAMIC_DNS Query to a * .gethow .com Domain (info.rules)
2056650 - ET INFO DYNAMIC_DNS HTTP Request to a * .gethow .com Domain (info.rules)
2056651 - ET INFO DYNAMIC_DNS Query to a * .bobwohl .com Domain (info.rules)
2056652 - ET INFO DYNAMIC_DNS HTTP Request to a * .bobwohl .com Domain (info.rules)
2056653 - ET INFO DYNAMIC_DNS Query to a * .iziliang .com Domain (info.rules)
2056654 - ET INFO DYNAMIC_DNS HTTP Request to a * .iziliang .com Domain (info.rules)
2056655 - ET INFO DYNAMIC_DNS Query to a * .wxnw .net Domain (info.rules)
2056656 - ET INFO DYNAMIC_DNS HTTP Request to a * .wxnw .net Domain (info.rules)
2056657 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (braidyintw .cfd) (malware.rules)
2056658 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (braidyintw .cfd in TLS SNI) (malware.rules)
2056659 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dormynwj .buzz) (malware.rules)
2056660 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dormynwj .buzz in TLS SNI) (malware.rules)
2056661 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enginenek .buzz) (malware.rules)
2056662 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enginenek .buzz in TLS SNI) (malware.rules)
2056663 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorationmsn .store) (malware.rules)
2056664 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorationmsn .store in TLS SNI) (malware.rules)
2056665 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (magneticcosi .buzz) (malware.rules)
2056666 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (magneticcosi .buzz in TLS SNI) (malware.rules)
2056667 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (osberverynsb .biz) (malware.rules)
2056668 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (osberverynsb .biz in TLS SNI) (malware.rules)
2056669 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (passimovrt .cfd) (malware.rules)
2056670 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (passimovrt .cfd in TLS SNI) (malware.rules)
2056671 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servebothez .biz) (malware.rules)
2056672 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (servebothez .biz in TLS SNI) (malware.rules)
2056673 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sippymroat .cfd) (malware.rules)
2056674 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sippymroat .cfd in TLS SNI) (malware.rules)
2056675 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unlikerwu .sbs) (malware.rules)
2056676 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unlikerwu .sbs in TLS SNI) (malware.rules)
2056677 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (artickon .shop) (exploit_kit.rules)
2056678 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (artickon .shop) (exploit_kit.rules)
2056679 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (selllify .shop) (exploit_kit.rules)
2056680 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (selllify .shop) (exploit_kit.rules)
2056681 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (y553488469 .top) (exploit_kit.rules)
2056682 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bailingla .com) (exploit_kit.rules)
2056683 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (y553488469 .top) (exploit_kit.rules)
2056684 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bailingla .com) (exploit_kit.rules)
2056685 - ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8190) (exploit.rules)

Pro:

2858681 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2858682 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2858689 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858690 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858691 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858692 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858693 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2858694 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858695 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2858696 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2858698 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2858701 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2858702 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858703 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858704 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858705 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858707 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858708 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858709 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2021203 - ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5 (malware.rules)

Removed rules:

2036745 - ET HUNTING [TW] Page Contains Redirect to Likely Urlpages Web Hosting Technique (hunting.rules)
2048052 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (snxn298y5brpxd67rbntynb6p4qupuuv .com) (phishing.rules)
2048053 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com) (phishing.rules)
2048054 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com) (phishing.rules)
2048055 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com) (phishing.rules)
2048056 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com) (phishing.rules)
2048057 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com) (phishing.rules)
2048058 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com) (phishing.rules)
2048059 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com) (phishing.rules)
2048060 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com) (phishing.rules)
2048061 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com) (phishing.rules)
2048062 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com) (phishing.rules)
2048063 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com) (phishing.rules)
2048064 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com) (phishing.rules)
2048065 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com) (phishing.rules)
2048066 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com) (phishing.rules)
2048067 - ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com) (phishing.rules)
2048068 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (snxn298y5brpxd67rbntynb6p4qupuuv .com in TLS SNI) (phishing.rules)
2048069 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com in TLS SNI) (phishing.rules)
2048070 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com in TLS SNI) (phishing.rules)
2048071 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com in TLS SNI) (phishing.rules)
2048072 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com in TLS SNI) (phishing.rules)
2048073 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com in TLS SNI) (phishing.rules)
2048074 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com in TLS SNI) (phishing.rules)
2048075 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com in TLS SNI) (phishing.rules)
2048076 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com in TLS SNI) (phishing.rules)
2048077 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com in TLS SNI) (phishing.rules)
2048078 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com in TLS SNI) (phishing.rules)
2048079 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com in TLS SNI) (phishing.rules)
2048080 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com in TLS SNI) (phishing.rules)
2048081 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com in TLS SNI) (phishing.rules)
2048082 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com in TLS SNI) (phishing.rules)
2048083 - ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com in TLS SNI) (phishing.rules)
2049962 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (malware.rules)
2049967 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (malware.rules)
2049968 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr) (malware.rules)
2049969 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (malware.rules)
2049970 - ET MALWARE Observed TrollAgent Domain (winters .r-e .kr in TLS SNI) (malware.rules)
2049971 - ET MALWARE Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI) (malware.rules)
2049972 - ET MALWARE Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI) (malware.rules)
2049973 - ET MALWARE Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/09/13 - v10416 Ruleset Updates	212	September 13, 2023
Daily Ruleset Update Summary 2022/10/26 Ruleset Updates	303	October 26, 2022
Daily Ruleset Update Summary 2022/10/10 Ruleset Updates	158	October 10, 2022
Ruleset Update Summary - 2024/08/14 - v10666 Ruleset Updates	61	August 14, 2024
Ruleset Update Summary - 2025/04/16 - v10907 Ruleset Updates	50	April 16, 2025

Ruleset Update Summary - 2024/10/15 - v10720

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics