Ruleset Update Summary - 2024/11/25 - v10750

Summary:

63 new OPEN, 119 new PRO (63 + 56)

Added rules:

Open:

  • 2057791 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (assetoutdoor .shop) (exploit_kit.rules)
  • 2057792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (opporeno8 .com) (exploit_kit.rules)
  • 2057793 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (reviewtypes .com) (exploit_kit.rules)
  • 2057794 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (modandcrackedapk .com) (exploit_kit.rules)
  • 2057795 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (assetoutdoor .shop) (exploit_kit.rules)
  • 2057796 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (opporeno8 .com) (exploit_kit.rules)
  • 2057797 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (reviewtypes .com) (exploit_kit.rules)
  • 2057798 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (modandcrackedapk .com) (exploit_kit.rules)
  • 2057799 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (codereviewerss .com) (exploit_kit.rules)
  • 2057800 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (esaleerugs .com) (exploit_kit.rules)
  • 2057801 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ilsotto .com) (exploit_kit.rules)
  • 2057802 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (codereviewerss .com) (exploit_kit.rules)
  • 2057803 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (esaleerugs .com) (exploit_kit.rules)
  • 2057804 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ilsotto .com) (exploit_kit.rules)
  • 2057805 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (source .scriptsafedata .com) (exploit_kit.rules)
  • 2057806 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (source .scriptsafedata .com) (exploit_kit.rules)
  • 2057807 - ET MALWARE Malicious CnC Domain in DNS Lookup (meowware .ddns .net) (malware.rules)
  • 2057808 - ET MALWARE Observed Malicious Domain (meowware .ddns .net in TLS SNI) (malware.rules)
  • 2057809 - ET EXPLOIT Linksys E1500/E2500 Remote Command Execution 3 (exploit.rules)
  • 2057810 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .lessons .southsidechurchofchristla .org) (malware.rules)
  • 2057811 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .lessons .southsidechurchofchristla .org) (malware.rules)
  • 2057812 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blade-govern .sbs) (malware.rules)
  • 2057813 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blade-govern .sbs in TLS SNI) (malware.rules)
  • 2057814 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (disobey-curly .sbs) (malware.rules)
  • 2057815 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (disobey-curly .sbs in TLS SNI) (malware.rules)
  • 2057816 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (farewellnzu .icu) (malware.rules)
  • 2057817 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (farewellnzu .icu in TLS SNI) (malware.rules)
  • 2057818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frogs-severz .sbs) (malware.rules)
  • 2057819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (frogs-severz .sbs in TLS SNI) (malware.rules)
  • 2057820 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fumblingactor .cyou) (malware.rules)
  • 2057821 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fumblingactor .cyou in TLS SNI) (malware.rules)
  • 2057822 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hellpartnercareeroo .shop) (malware.rules)
  • 2057823 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hellpartnercareeroo .shop in TLS SNI) (malware.rules)
  • 2057824 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leg-sate-boat .sbs) (malware.rules)
  • 2057825 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (leg-sate-boat .sbs in TLS SNI) (malware.rules)
  • 2057826 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (motion-treesz .sbs) (malware.rules)
  • 2057827 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (motion-treesz .sbs in TLS SNI) (malware.rules)
  • 2057828 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oak-smash .cyou) (malware.rules)
  • 2057829 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oak-smash .cyou in TLS SNI) (malware.rules)
  • 2057830 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (occupy-blushi .sbs) (malware.rules)
  • 2057831 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (occupy-blushi .sbs in TLS SNI) (malware.rules)
  • 2057832 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peacefulmind .shop) (malware.rules)
  • 2057833 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (peacefulmind .shop in TLS SNI) (malware.rules)
  • 2057834 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (powerful-avoids .sbs) (malware.rules)
  • 2057835 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (powerful-avoids .sbs in TLS SNI) (malware.rules)
  • 2057836 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (property-imper .sbs) (malware.rules)
  • 2057837 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (property-imper .sbs in TLS SNI) (malware.rules)
  • 2057838 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou) (malware.rules)
  • 2057839 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (push-hook .cyou in TLS SNI) (malware.rules)
  • 2057840 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shirk-home .cyou) (malware.rules)
  • 2057841 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shirk-home .cyou in TLS SNI) (malware.rules)
  • 2057842 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (story-tense-faz .sbs) (malware.rules)
  • 2057843 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (story-tense-faz .sbs in TLS SNI) (malware.rules)
  • 2057844 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sturdy-operated .cyou) (malware.rules)
  • 2057845 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sturdy-operated .cyou in TLS SNI) (malware.rules)
  • 2057846 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sunny-beach .shop) (malware.rules)
  • 2057847 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sunny-beach .shop in TLS SNI) (malware.rules)
  • 2057848 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tail-cease .cyou) (malware.rules)
  • 2057849 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tail-cease .cyou in TLS SNI) (malware.rules)
  • 2057850 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (w0rdergen1 .cyou) (malware.rules)
  • 2057851 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (w0rdergen1 .cyou in TLS SNI) (malware.rules)
  • 2057852 - ET MALWARE Observed Glupteba CnC Domain (blackempirebuild .com in TLS SNI) (malware.rules)
  • 2057853 - ET MALWARE Observed Glupteba CnC Domain (okonewacon .com in TLS SNI) (malware.rules)

Pro:

  • 2859132 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M8 (hunting.rules)
  • 2859133 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M9 (hunting.rules)
  • 2859134 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859135 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859136 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859141 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859142 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859143 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
  • 2859144 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859145 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859146 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859147 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859148 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859149 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859150 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859151 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859152 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859153 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859154 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859155 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859156 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859157 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859158 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859159 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859160 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859161 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859162 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859163 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859164 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859165 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859166 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859167 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859168 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859169 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859170 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859171 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859172 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859173 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859174 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859175 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859176 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859177 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859178 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859179 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859180 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2859181 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859182 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2859183 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2859184 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859185 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859186 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859187 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859188 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859189 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2053407 - ET MALWARE SocGholish CnC Domain in DNS (* .team .jessicabarrett .com) (malware.rules)
  • 2053830 - ET MALWARE SocGholish CnC Domain in DNS (* .partners .gloriadeicr .com) (malware.rules)
  • 2054194 - ET MALWARE SocGholish CnC Domain in DNS (* .fans .smalladventureguide .com) (malware.rules)
  • 2054354 - ET MALWARE SocGholish CnC Domain in DNS (* .parish .chuathuongxot .org) (malware.rules)
  • 2054498 - ET MALWARE SocGholish CnC Domain in DNS (* .award .vuheritagefoundation .org) (malware.rules)
  • 2054633 - ET MALWARE SocGholish CnC Domain in DNS (* .loyalty .hienphucuanhanloai .org) (malware.rules)
  • 2055494 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .contest .printondemandmerchandise .com) (malware.rules)
  • 2055738 - ET MALWARE SocGholish CnC Domain in DNS (* .podcast .lisameyerson .com) (malware.rules)
  • 2056856 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorationmsn .store) (malware.rules)
  • 2057053 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arreggshow .cfd) (malware.rules)
  • 2057055 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wheatari .cyou) (malware.rules)
  • 2057433 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lossycristi .cyou) (malware.rules)
  • 2057569 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (1212tank .activitydmy .icu) (malware.rules)
  • 2057571 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brake-effect .cyou) (malware.rules)
  • 2057573 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (expectegirn .icu) (malware.rules)
  • 2057575 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kettletakkz .fun) (malware.rules)
  • 2057577 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (promotechangez .cyou) (malware.rules)
  • 2057579 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wackysheibr .fun) (malware.rules)
  • 2057581 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washcolorediz .fun) (malware.rules)

Disabled and modified rules:

  • 2016858 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) (malware.rules)
  • 2018958 - ET MALWARE Worm.Win32.Vobfus Checkin 3 (malware.rules)
  • 2019881 - ET MALWARE Chthonic Check-in (malware.rules)
  • 2849482 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.host (hunting.rules)