Ruleset Update Summary - 2024/12/02 - v10777

rulesbot · December 2, 2024, 3:22pm

Summary:

0 new OPEN, 0 new PRO (0 + 0)

Modified inactive rules:

2031488 - ET POLICY SSLv2 Used in Session (policy.rules)
2031489 - ET POLICY SSLv3 Used in Session (policy.rules)
2031490 - ET POLICY TLSv1.1 Used in Session (policy.rules)
2031491 - ET POLICY TLSv1.0 Used in Session (policy.rules)
2031526 - ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability (exploit.rules)
2032318 - ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP) (malware.rules)
2033140 - ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign) (malware.rules)
2033185 - ET HUNTING Suspected DNS CnC via TXT queries (hunting.rules)
2033216 - ET PHISHING Observed Possible Phishing Landing Page 2021-06-29 (phishing.rules)
2033217 - ET PHISHING Observed Possible Phishing Landing Page 2021-06-29 (phishing.rules)
2033247 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1 (policy.rules)
2033274 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2 (policy.rules)
2033275 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3 (policy.rules)
2033276 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4 (policy.rules)
2033451 - ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500) (exploit.rules)
2033720 - ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity (malware.rules)
2033998 - ET INFO Outdated Browser Landing Page M3 (info.rules)
2034094 - ET INFO HTTP/2 Traffic (SET) (info.rules)
2034212 - ET INFO Outbound .png HTTP GET flowbit set (info.rules)
2034214 - ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC) (malware.rules)
2034215 - ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC) (malware.rules)
2034228 - ET INFO Fake AppleWebKit User-Agent Version Number Observed (info.rules)
2034334 - ET MALWARE APT-C-59 Related Domain in DNS Lookup (malware.rules)
2034349 - ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com) (mobile_malware.rules)
2034350 - ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net) (malware.rules)
2034351 - ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net) (malware.rules)
2034357 - ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital) (malware.rules)
2034391 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital) (malware.rules)
2034398 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app) (malware.rules)
2034401 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech) (malware.rules)
2034404 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site) (malware.rules)
2034405 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg) (malware.rules)
2034406 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech) (malware.rules)
2034407 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud) (malware.rules)
2034408 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech) (malware.rules)
2034409 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com) (malware.rules)
2034473 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com) (malware.rules)
2034534 - ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module (malware.rules)
2034670 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com) (attack_response.rules)
2035190 - ET INFO Observed Let’s Encrypt Certificate from Active Intermediate, R3 (info.rules)
2035191 - ET INFO Observed Let’s Encrypt Certificate from Active Intermediate, E1 (info.rules)
2035192 - ET INFO Observed Let’s Encrypt Certificate from Backup Intermediate, R4 (info.rules)
2035193 - ET INFO Observed Let’s Encrypt Certificate from Backup Intermediate, E2 (info.rules)
2035308 - ET MALWARE Suspected PlugX Checkin Activity (udp) (malware.rules)
2035522 - ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17 (phishing.rules)
2035647 - ET PHISHING Generic Phish Landing Page 2022-03-29 (phishing.rules)
2035768 - ET HUNTING Kaspov Related Hex In HTTP Accept Header (hunting.rules)
2036222 - ET HUNTING Potential Forced OGNL Evaluation - HTTP URI (hunting.rules)
2036223 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Header (hunting.rules)
2036224 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Body (hunting.rules)
2036393 - ET HUNTING Suspicious SSL Certificate detected (Observed in US Government Bid Credential Phish) (hunting.rules)
2036428 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M1 (web_server.rules)
2036429 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M2 (web_server.rules)
2036430 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M3 (web_server.rules)
2036431 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M4 (web_server.rules)
2036432 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M5 (web_server.rules)
2036433 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M6 (web_server.rules)
2036435 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M8 (web_server.rules)
2036436 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M9 (web_server.rules)
2036437 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M10 (web_server.rules)
2036438 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M11 (web_server.rules)
2036439 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M12 (web_server.rules)
2036440 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M13 (web_server.rules)
2036441 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M14 (web_server.rules)
2036442 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M15 (web_server.rules)
2036443 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M16 (web_server.rules)
2036444 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M17 (web_server.rules)
2036445 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M18 (web_server.rules)
2036446 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M19 (web_server.rules)
2036447 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M20 (web_server.rules)
2036448 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M21 (web_server.rules)
2036449 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M22 (web_server.rules)
2036450 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M23 (web_server.rules)
2036451 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M24 (web_server.rules)
2036452 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M25 (web_server.rules)
2036698 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse (info.rules)
2036751 - ET MALWARE Suspected BPFDoor UDP Magic Packet (Inbound) (malware.rules)
2036752 - ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound) (malware.rules)
2036753 - ET MALWARE Suspected BPFDoor ICMP Magic Packet (Inbound) (malware.rules)
2036977 - ET INFO AmanVPN Heartbeat (info.rules)
2036978 - ET INFO AmanVPN Heartbeat Response (info.rules)
2037214 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
2037215 - ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC) (malware.rules)
2037242 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037243 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037244 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037245 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037256 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037257 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037258 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037259 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037260 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037732 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037733 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037752 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037778 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037779 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037807 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037808 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037823 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037824 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037825 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2038495 - ET PHISHING Possible Phish with cazanova= Cookie (phishing.rules)
2038744 - ET PHISHING Successful Generic Credential Phish (.ngrok .io) (phishing.rules)
2039005 - ET EXPLOIT Possible Zoho ManageEngine RCE Attempt Inbound (CVE-2022-35405) (exploit.rules)
2039821 - ET PHISHING Generic Credential Phish Landing Page 2022-11-22 (phishing.rules)
2045230 - ET MALWARE Win32/Phorpiex Requesting Compromised Email Credentials List (malware.rules)
2045778 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
2846352 - ETPRO INFO Websockets Pong (keepalive) Response from Server (info.rules)
2846476 - ETPRO MALWARE Malicious SSL Certificate detected (PlugX CnC) (malware.rules)
2846661 - ETPRO POLICY External IP Address Lookup (eryaz .net) (policy.rules)
2848862 - ETPRO POLICY Outbound H.323 Q.931 INFORMATION Packet On High Port (policy.rules)
2848863 - ETPRO POLICY Outbound H.323 Q.931 RELEASE COMPLETE Packet On High Port (policy.rules)
2848864 - ETPRO POLICY Outbound H.323 Q.931 SETUP Packet On High Port (policy.rules)
2848865 - ETPRO POLICY Outbound H.323 Q.931 CALL PROCEEDING Packet On High Port (policy.rules)
2848866 - ETPRO POLICY Outbound H.323 Q.931 CONNECT Packet On High Port (policy.rules)
2848867 - ETPRO POLICY Outbound H.323 Q.931 FACILITY Packet On High Port (policy.rules)
2849129 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx (policy.rules)
2849173 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriver (policy.rules)
2849174 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcEnumPrinterDrivers (policy.rules)
2849175 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver (policy.rules)
2849176 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverDirectory (policy.rules)
2849177 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriver (policy.rules)
2849178 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver2 (policy.rules)
2849179 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriverEx (policy.rules)
2849180 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetCorePrinterDrivers (policy.rules)
2849181 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverPackagePath (policy.rules)
2849196 - ETPRO HUNTING Inbound Batch Script Deleting IIS Log Directory (hunting.rules)
2849197 - ETPRO HUNTING Inbound Batch Script Deleting Log Files (hunting.rules)
2849304 - ETPRO POLICY [MS-SRVS] Microsoft Server Service Remote Protocol Activity - NetShareEnumAll (policy.rules)
2849383 - ETPRO POLICY DCERPC ncacn_np LSASS Bind_ack (flowbit set) (policy.rules)
2849384 - ETPRO POLICY DCERPC ncacn_np EFSR Bind_ack (flowbit set) (policy.rules)
2849385 - ETPRO POLICY DCERPC ncacn_np LSARPC Bind_ack (flowbit set) (policy.rules)
2849386 - ETPRO POLICY DCERPC ncacn_np SAMR Bind_ack (flowbit set) (policy.rules)
2849387 - ETPRO POLICY DCERPC ncacn_np NETLOGON Bind_ack (flowbit set) (policy.rules)
2849388 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M1 (policy.rules)
2849389 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M2 (policy.rules)
2849390 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M3 (policy.rules)
2849391 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M4 (policy.rules)
2849392 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M5 (policy.rules)
2849393 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M1 (policy.rules)
2849394 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M2 (policy.rules)
2849395 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M3 (policy.rules)
2849396 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M4 (policy.rules)
2849397 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M5 (policy.rules)
2849398 - ETPRO POLICY DCERPC ncacn_ip_tcp LSASS Bind_ack (flowbit set) (policy.rules)
2849399 - ETPRO POLICY DCERPC ncacn_ip_tcp EFSR Bind_ack (flowbit set) (policy.rules)
2849400 - ETPRO POLICY DCERPC ncacn_ip_tcp LSARPC Bind_ack (flowbit set) (policy.rules)
2849401 - ETPRO POLICY DCERPC ncacn_ip_tcp SAMR Bind_ack (flowbit set) (policy.rules)
2849402 - ETPRO POLICY DCERPC ncacn_ip_tcp NETLOGON Bind_ack (flowbit set) (policy.rules)
2849403 - ETPRO POLICY Possible PetitPotam Successful NTLM Relay Attack (policy.rules)
2849429 - ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577) (exploit.rules)
2849665 - ETPRO HUNTING Observed Suspicious URI Structure with Common Escape Character - Possible Exploit (hunting.rules)
2849854 - ETPRO HUNTING PowerShell String Concatenation Payload Inbound M1 (hunting.rules)
2850053 - ETPRO PHISHING Successful Generic Phish Hosted at pythonanywhere .com 2021-09-27 (phishing.rules)
2850120 - ETPRO EXPLOIT Possible Microsoft Edge Chakra InitClass Type Confusion (CVE-2019-0539) (exploit.rules)
2850125 - ETPRO EXPLOIT Possible XStream Library ReflectionConverter Insecure Deserialization Inbound (CVE-2019-10173) (exploit.rules)
2850146 - ETPRO PHISHING Generic Redirect to Password Form (phishing.rules)
2850150 - ETPRO PHISHING Successful Generic Credential Phish POST M2 (phishing.rules)
2850159 - ETPRO EXPLOIT Possible Adobe Acrobat JOBOPTIONS File Parsing Out of Bounds Write Inbound M1 (CVE-2019-7111) (exploit.rules)
2850265 - ETPRO PHISHING Successful Generic Phish 2021-10-21 (phishing.rules)
2850266 - ETPRO HUNTING Suspicious Cookie [jOWL] (hunting.rules)
2850284 - ETPRO PHISHING Successful Generic Phish 2021-10-25 (phishing.rules)
2850369 - ETPRO MALWARE Observed Cobalt Strike Domain in TLS SNI (malware.rules)
2850424 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M1) (malware.rules)
2850425 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M2) (malware.rules)
2850426 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M3) (malware.rules)
2850486 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (malware.rules)
2850487 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (malware.rules)
2850533 - ETPRO INFO Brandfetch API Usage for Custom Logo M1 (info.rules)
2850534 - ETPRO INFO Brandfetch API Usage for Custom Logo M2 (info.rules)
2850745 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (set) (phishing.rules)
2850924 - ETPRO PHISHING Successful Generic Phish 2022-01-25 (phishing.rules)
2850961 - ETPRO PHISHING Successful Generic Phish 2022-01-28 (phishing.rules)
2851439 - ETPRO INFO Successful Instagram Login via AJAX Request (info.rules)
2851440 - ETPRO PHISHING Possible Instagram Phish Traffic (phishing.rules)
2851705 - ETPRO MALWARE Possible MalDoc Retrieving Payload 2022-05-25 (malware.rules)
2852169 - ETPRO EXPLOIT Possible Microsoft Windows Server HTTP.sys DOS Inbound (CVE-2022-35748) (exploit.rules)
2853292 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin (malware.rules)
2853348 - ETPRO MALWARE SocGholish CnC Initial Request M2 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/04/26 - v10584 Ruleset Updates	226	April 26, 2024
Ruleset Update Summary - 2022/11/16 - v10174 Ruleset Updates	323	November 16, 2022
Ruleset Update Summary - 2024/04/12 - v10574 Ruleset Updates	600	April 12, 2024
Ruleset Update Summary - 2023/05/25 - v10332 Ruleset Updates	355	May 25, 2023
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	349	November 22, 2023

Ruleset Update Summary - 2024/12/02 - v10777

Summary:

Modified inactive rules:

Related topics