Ruleset Update Summary - 2024/11/05 - v10735

rulesbot · November 5, 2024, 9:50pm

Summary:

27 new OPEN, 36 new PRO (27 + 9)

Thanks @NCSC

Added rules:

Open:

2057246 - ET MALWARE [NCSC] Pygmy Goat SSH Banner (malware.rules)
2057247 - ET MALWARE [NCSC] Pygmy Goat SSH ed25519 Key (malware.rules)
2057248 - ET WEB_SPECIFIC_APPS D-Link DIR820 ping.ccp Command Injection Attempt (CVE-2023-25280) (web_specific_apps.rules)
2057249 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chat2cams .com) (exploit_kit.rules)
2057250 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chat2cams .com) (exploit_kit.rules)
2057251 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (webapiintegration .cloud) (exploit_kit.rules)
2057252 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (webapiintegration .cloud) (exploit_kit.rules)
2057253 - ET WEB_SPECIFIC_APPS Tenda AX3 Command Injection Attempt (CVE-2023-27240) (web_specific_apps.rules)
2057254 - ET WEB_SPECIFIC_APPS APsystems ECU-R Command Inject Attempt (CVE-2022-45699) (web_specific_apps.rules)
2057255 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moutheventushz .shop) (malware.rules)
2057256 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moutheventushz .shop in TLS SNI) (malware.rules)
2057257 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (respectabosiz .shop) (malware.rules)
2057258 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (respectabosiz .shop in TLS SNI) (malware.rules)
2057259 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conceszustyb .shop) (malware.rules)
2057260 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (conceszustyb .shop in TLS SNI) (malware.rules)
2057261 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedstusteeb .shop) (malware.rules)
2057262 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bakedstusteeb .shop in TLS SNI) (malware.rules)
2057263 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nightybinybz .shop) (malware.rules)
2057264 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nightybinybz .shop in TLS SNI) (malware.rules)
2057265 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (standartedby .shop) (malware.rules)
2057266 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (standartedby .shop in TLS SNI) (malware.rules)
2057267 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mutterissuen .shop) (malware.rules)
2057268 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mutterissuen .shop in TLS SNI) (malware.rules)
2057269 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worddosofrm .shop) (malware.rules)
2057270 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (worddosofrm .shop in TLS SNI) (malware.rules)
2057271 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (healthpathway-culinarydelight .shop) (malware.rules)
2057272 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (healthpathway-culinarydelight .shop in TLS SNI) (malware.rules)

Pro:

2858888 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858889 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858890 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858891 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858892 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858893 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858894 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858895 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2858896 - ETPRO PHISHING Google Redirect to Generic Credential Phish Landing Page 2024-11-05 (phishing.rules)

Modified inactive rules:

2056856 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorationmsn .store) (malware.rules)
2057053 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arreggshow .cfd) (malware.rules)
2057055 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wheatari .cyou) (malware.rules)

Disabled and modified rules:

2858883 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2858884 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2858885 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
2858886 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
2858887 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/05 - v10639 Ruleset Updates	138	July 5, 2024
Ruleset Update Summary - 2024/08/26 - v10674 Ruleset Updates	138	August 26, 2024
Ruleset Update Summary - 2024/02/05 - v10524 Ruleset Updates	442	February 5, 2024
Ruleset Update Summary - 2024/11/08 - v10738 Ruleset Updates	96	November 8, 2024
Ruleset Update Summary - 2024/06/27 - v10630 Ruleset Updates	109	June 27, 2024

Ruleset Update Summary - 2024/11/05 - v10735

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related topics