Summary:
12 new OPEN, 20 new PRO (12 + 8)
Please be aware that November 28 and 29 are Proofpoint company holidays. There will not be rule releases on these days. Rule releases will continue the following Monday, December 2.
Added rules:
Open:
- 2057885 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (erickakingpr .com) (exploit_kit.rules)
- 2057886 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (studioclic53 .com) (exploit_kit.rules)
- 2057887 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (erickakingpr .com) (exploit_kit.rules)
- 2057888 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (studioclic53 .com) (exploit_kit.rules)
- 2057889 - ET MALWARE Observed DNS Query to Known Payload Delivery Domain (shopping-nice .com) (malware.rules)
- 2057890 - ET MALWARE Observed Payload Delivery Domain (shopping-nice .com in TLS SNI) (malware.rules)
- 2057891 - ET HUNTING Possible Host Profile Exfiltration on High TCP Port (hunting.rules)
- 2057892 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slam-hot .cyou) (malware.rules)
- 2057893 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slam-hot .cyou in TLS SNI) (malware.rules)
- 2057894 - ET PHISHING TA582 JS Delivery Page 2024-11-27 (phishing.rules)
- 2057895 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (premiosdosul .com) (exploit_kit.rules)
- 2057896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (premiosdosul .com) (exploit_kit.rules)
Pro:
- 2859200 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859201 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859202 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2859203 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
- 2859204 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2859205 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2859206 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2859207 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
Disabled and modified rules:
- 2008863 - ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (3) (malware.rules)
- 2803437 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin (malware.rules)