Ruleset Update Summary - 2024/11/19 - v10745

rulesbot · November 19, 2024, 9:50pm

Summary:

24 new OPEN, 28 new PRO (24 + 4)

Added rules:

Open:

2045284 - ET ATTACK_RESPONSE CMDASP Webshell Default Title in HTTP Response (attack_response.rules)
2057703 - ET WEB_SPECIFIC_APPS pyLoad Remote Code Execution via js2py Sandbox Escape (CVE-2024-39205) (web_specific_apps.rules)
2057704 - ET WEB_SPECIFIC_APPS Wordpress WPLMS Learning Management System Directory Traversal (web_specific_apps.rules)
2057705 - ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012) (web_specific_apps.rules)
2057706 - ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter (web_specific_apps.rules)
2057707 - ET HUNTING Redis Authenticated Remote Code Execution in bit Library (CVE-2024-31449) (hunting.rules)
2057708 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (windpull .cyou) (malware.rules)
2057709 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (windpull .cyou in TLS SNI) (malware.rules)
2057710 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (bytesbazar .com) (exploit_kit.rules)
2057711 - ET EXPLOIT_KIT CC Skimmer Domain in TLS Lookup (bytesbazar .com) (exploit_kit.rules)
2057712 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (inayatullah .com) (exploit_kit.rules)
2057713 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viralnavigator .com) (exploit_kit.rules)
2057714 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eegqzvxd .shop) (exploit_kit.rules)
2057715 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (inayatullah .com) (exploit_kit.rules)
2057716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viralnavigator .com) (exploit_kit.rules)
2057717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eegqzvxd .shop) (exploit_kit.rules)
2057718 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (genhil .com) (exploit_kit.rules)
2057719 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (genhil .com) (exploit_kit.rules)
2057720 - ET EXPLOIT Progress Kemp LoadMaster RCE Attempt Inbound (CVE-2024-1212) (exploit.rules)
2057721 - ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463) (web_specific_apps.rules)
2057722 - ET MALWARE Strela Stealer CnC Activity (malware.rules)
2057723 - ET WEB_SPECIFIC_APPS Cisco ASA WebVPN Cross-Site Scripting (CVE-2014-2120) (web_specific_apps.rules)
2057724 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tickerwell .com) (exploit_kit.rules)
2057725 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tickerwell .com) (exploit_kit.rules)

Pro:

2859087 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2859088 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2859089 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859090 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2057569 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (1212tank .activitydmy .icu) (malware.rules)
2057570 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (1212tank .activitydmy .icu in TLS SNI) (malware.rules)
2057571 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brake-effect .cyou) (malware.rules)
2057572 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brake-effect .cyou in TLS SNI) (malware.rules)
2057573 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (expectegirn .icu) (malware.rules)
2057574 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (expectegirn .icu in TLS SNI) (malware.rules)
2057575 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kettletakkz .fun) (malware.rules)
2057576 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kettletakkz .fun in TLS SNI) (malware.rules)
2057577 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (promotechangez .cyou) (malware.rules)
2057578 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (promotechangez .cyou in TLS SNI) (malware.rules)
2057579 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wackysheibr .fun) (malware.rules)
2057580 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wackysheibr .fun in TLS SNI) (malware.rules)
2057581 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washcolorediz .fun) (malware.rules)
2057582 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (washcolorediz .fun in TLS SNI) (malware.rules)
2859028 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859029 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859030 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859031 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859032 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859033 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859034 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859035 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Removed rules:

2045284 - ET MALWARE CMDASP Webshell Default Title in HTTP Response (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/22 - v10748 Ruleset Updates	67	November 22, 2024
Ruleset Update Summary - 2024/10/30 - v10731 Ruleset Updates	178	October 30, 2024
Ruleset Update Summary - 2024/09/06 - v10683 Ruleset Updates	82	September 6, 2024
Ruleset Update Summary - 2024/07/05 - v10639 Ruleset Updates	141	July 5, 2024
Ruleset Update Summary - 2024/07/09 - v10641 Ruleset Updates	114	July 9, 2024

Ruleset Update Summary - 2024/11/19 - v10745

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics