Ruleset Update Summary - 2024/12/02 - v10778

Ruleset Updates
1

Summary:

0 new OPEN, 0 new PRO (0 + 0)

Modified inactive rules:

  • 2029425 - ET HUNTING [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response (hunting.rules)
  • 2029619 - ET MOBILE_MALWARE Suspected SandCat Related CnC (mobile_malware.rules)
  • 2029626 - ET MALWARE Observed DNS Query to Vicious Panda CnC Domain (malware.rules)
  • 2029631 - ET MALWARE Observed DNS Query to Vicious Panda CnC Domain (malware.rules)
  • 2029745 - ET POLICY File Downloaded via ge.tt Filesharing Service (policy.rules)
  • 2029910 - ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com (malware.rules)
  • 2030172 - ET PHISHING Possible Successful Phish to NOIP DynDNS Domain (phishing.rules)
  • 2030173 - ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS Domain (phishing.rules)
  • 2030174 - ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain (phishing.rules)
  • 2030221 - ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617) (exploit.rules)
  • 2030225 - ET HUNTING Suspicious Request for Terse Numeric .dat File (hunting.rules)
  • 2030520 - ET INFO Suspicious HTTP GET Request on Port 53 Outbound (info.rules)
  • 2030521 - ET INFO Suspicious HTTP GET Request on Port 53 Inbound (info.rules)
  • 2030522 - ET INFO Suspicious HTTP POST Request on Port 53 Outbound (info.rules)
  • 2030523 - ET INFO Suspicious HTTP POST Request on Port 53 Inbound (info.rules)
  • 2030555 - ET INFO Outbound RRSIG DNS Query Observed (info.rules)
  • 2030615 - ET MALWARE Observed Lazarus APT MalDoc DL Domain in TLS SNI (malware.rules)
  • 2030697 - ET MALWARE Suspected REDCURL CnC Activity M1 (malware.rules)
  • 2030728 - ET MALWARE Suspected Zebrocy Downloader Traffic (malware.rules)
  • 2031193 - ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon (malware.rules)
  • 2031194 - ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) (malware.rules)
  • 2031206 - ET MALWARE CCleaner Backdoor DGA Domain (ab1de19d80ae6 .com) in DNS Lookup (malware.rules)
  • 2031252 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org) (malware.rules)
  • 2031253 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org) (malware.rules)
  • 2031254 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org) (malware.rules)
  • 2031255 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org) (malware.rules)
  • 2031428 - ET MALWARE Observed SystemBC CnC Domain in DNS Query (malware.rules)
  • 2032763 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15 (phishing.rules)
  • 2032764 - ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15 (exploit_kit.rules)
  • 2032765 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15 (phishing.rules)
  • 2032893 - ET MALWARE Observed DNS Query to Buer - DomainInfo Domain (malware.rules)
  • 2033022 - ET MALWARE Suspected Gootkit Activity (malware.rules)
  • 2033364 - ET MALWARE Suspected DonotGroup Dropper Telegram API Activity (malware.rules)
  • 2033690 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033691 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033692 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033693 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033694 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033695 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
  • 2033844 - ET INFO Suspicious Shellcode Request (info.rules)
  • 2033870 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033871 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033872 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033873 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033874 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033875 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033876 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033878 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033879 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033880 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033881 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033882 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033883 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033884 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033885 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2034095 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515) (dos.rules)
  • 2034096 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515) (dos.rules)
  • 2034317 - ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com) (malware.rules)
  • 2034452 - ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19 (malware.rules)
  • 2034464 - ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01 (malware.rules)
  • 2034833 - ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2035292 - ET MALWARE Suspected PlugX Checkin Activity (GET) (malware.rules)
  • 2035375 - ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035447 - ET PHISHING Successful Generic Phish 2022-03-11 (phishing.rules)
  • 2035551 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET) (malware.rules)
  • 2035692 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1 (malware.rules)
  • 2036233 - ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io) (malware.rules)
  • 2036257 - ET MALWARE Suspected TA404 APT Related Activity M1 (malware.rules)
  • 2036258 - ET MALWARE Suspected TA404 APT Related Activity M2 (malware.rules)
  • 2036268 - ET HUNTING Request To Suspicious Filename via Powershell (payload) (hunting.rules)
  • 2036338 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036339 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036340 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036341 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036342 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036343 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036344 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036345 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036346 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036389 - ET INFO Commonly Abused SSL/TLS Certificate Observed (mylnavyfederal .com) (info.rules)
  • 2036551 - ET HUNTING Suspicious HTTP Connection Header Observed (hunting.rules)
  • 2036712 - ET MALWARE Tandem Espionage CnC Domain (cugdwpnykghx .ru) in DNS Lookup (malware.rules)
  • 2036713 - ET MALWARE Tandem Espionage CnC Domain (zpuxmwmwdxxk .ru) in DNS Lookup (malware.rules)
  • 2036714 - ET MALWARE Tandem Espionage CnC Domain (rhjebiuujydv .ru) in DNS Lookup (malware.rules)
  • 2036852 - ET HUNTING DNS Lookup to (laurentprotector .com) (hunting.rules)
  • 2036976 - ET INFO AmanVPN Checkin (info.rules)
  • 2036991 - ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat .co .il) (phishing.rules)
  • 2036992 - ET PHISHING Generic Phishing DNS Lookup (xn–sapeaunoticias-kjb .com .br) (phishing.rules)
  • 2037082 - ET MALWARE Possible Follina Payload Delivery Page (malware.rules)
  • 2037083 - ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) (exploit.rules)
  • 2037247 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2037248 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
  • 2039063 - ET MALWARE Chaos Botnet CnC Domain (are .nishabig .pro) in DNS Lookup (malware.rules)
  • 2039103 - ET MALWARE Suspected Smokeloader Activity (POST) (malware.rules)
  • 2039199 - ET MALWARE Observed DNS Query to Budminer Domain (cart .skyseaweb .org) (malware.rules)
  • 2039200 - ET MALWARE Observed DNS Query to Budminer Domain (Facebook .ddns .ms) (malware.rules)
  • 2039273 - ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .ro .lt) (malware.rules)
  • 2039303 - ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .tk) (malware.rules)
  • 2039329 - ET MALWARE Observed DNS Query to Budminer Domain (backupcoa .serveftp .com) (malware.rules)
  • 2039352 - ET MALWARE Observed DNS Query to Budminer Domain (music .apchnetinfo .com) (malware.rules)
  • 2039354 - ET MALWARE Observed DNS Query to Budminer Domain (googlemailinforma .orge .pl) (malware.rules)
  • 2039355 - ET MALWARE Observed DNS Query to Budminer Domain (news .onmypc .org) (malware.rules)
  • 2039356 - ET MALWARE Observed DNS Query to Budminer Domain (k1fsc .ax .lt) (malware.rules)
  • 2039377 - ET MALWARE Observed DNS Query to Budminer Domain (sososb .twbbs .org) (malware.rules)
  • 2039378 - ET MALWARE Observed DNS Query to Budminer Domain (yahoo .mailweb .sxn .us) (malware.rules)
  • 2039385 - ET MALWARE Observed DNS Query to Budminer Domain (tw .americanunfinished .com) (malware.rules)
  • 2039577 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
  • 2039578 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
  • 2039632 - ET MALWARE Observed DNS Query to Ursnif Domain (damnater .com) (malware.rules)
  • 2039633 - ET MALWARE Observed DNS Query to Ursnif Domain (minotos .xyz) (malware.rules)
  • 2039637 - ET MALWARE Observed DNS Query to Ursnif Domain (higmon .cyou) (malware.rules)
  • 2039638 - ET MALWARE Observed DNS Query to Ursnif Domain (gigiman .xyz) (malware.rules)
  • 2039639 - ET MALWARE Observed DNS Query to Ursnif Domain (fineg .xyz) (malware.rules)
  • 2039644 - ET MALWARE Observed DNS Query to Ursnif Domain (mainwog .xyz) (malware.rules)
  • 2039645 - ET MALWARE Observed DNS Query to Ursnif Domain (gigimas .xyz) (malware.rules)
  • 2039667 - ET MALWARE Observed Ursnif Domain in TLS SNI (pipap .xyz) (malware.rules)
  • 2041734 - ET PHISHING Observed Phish Domain in DNS Lookup (dubaiferryae .com) 2022-12-05 (phishing.rules)
  • 2041758 - ET PHISHING Observed Phish Domain in DNS Lookup (biddings-enoc .com) 2022-12-05 (phishing.rules)
  • 2042172 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (plastic .delldrivers .in) (malware.rules)
  • 2042173 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (iransec .services) (malware.rules)
  • 2042175 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (iredugov .wiki) (malware.rules)
  • 2042176 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (news .alberto2011 .com) (malware.rules)
  • 2042179 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (srv .fazlollah .net) (malware.rules)
  • 2042180 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (api .vmwareapi .net) (malware.rules)
  • 2042181 - ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (mail .irir .org) (malware.rules)
  • 2045871 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2840286 - ETPRO POLICY Observed PandaCoin P2P Activity (policy.rules)
  • 2840313 - ETPRO MALWARE Observed DNS Query to MuddyWater DNSClient Domain (malware.rules)
  • 2840624 - ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default_Cookies) (hunting.rules)
  • 2842127 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2020-04-21 (phishing.rules)
  • 2842174 - ETPRO MALWARE Possible MuddyWater DNSClient CnC (Outbound) (malware.rules)
  • 2842411 - ETPRO MALWARE Suspected MEDUSA RAT CnC Response (malware.rules)
  • 2843074 - ETPRO MALWARE Observed DNS Query to Unk.Loader Domain M6 (malware.rules)
  • 2843182 - ETPRO PHISHING Possible Successful Generic Res Phish 2020-06-24 (phishing.rules)
  • 2843730 - ETPRO POLICY AppWizard Installer (Possible PUP/PUA) Activity (policy.rules)
  • 2843764 - ETPRO HUNTING Observed Very Large HTTP POST (Content-Length >999999) (hunting.rules)
  • 2844014 - ETPRO PHISHING Successful Generic Phish 2020-08-17 (phishing.rules)
  • 2844036 - ETPRO MALWARE Observed IcedID CnC Domain in TLS SNI (malware.rules)
  • 2844055 - ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Browsers/Autofills/) M2 (hunting.rules)
  • 2844108 - ETPRO PHISHING Successful Generic Webmail Phish 2020-08-21 (phishing.rules)
  • 2844189 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844190 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844191 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844192 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844193 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844194 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844195 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844196 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844197 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844198 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
  • 2844997 - ETPRO MALWARE Observed Possible Zloader CnC SSL Cert Inbound (malware.rules)
  • 2845074 - ETPRO PHISHING Successful Generic Phish 2020-10-21 (phishing.rules)
  • 2845639 - ETPRO PHISHING Successful Generic Phish 2020-11-24 (phishing.rules)
  • 2848351 - ETPRO HUNTING Suspicious HTTP Header (RAM) (hunting.rules)
  • 2849303 - ETPRO POLICY [MS-SRVS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849335 - ETPRO POLICY [MS-RPRN/SPOOLSS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849482 - ETPRO HUNTING Generic HTTP Header Buffer Overflow Check - http.host (hunting.rules)
  • 2850157 - ETPRO PHISHING Successful Generic Phish 2021-10-11 (phishing.rules)
  • 2850291 - ETPRO PHISHING Successful Generic Phish 2021-10-26 (phishing.rules)
  • 2850488 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2850490 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M3 (hunting.rules)
  • 2850491 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M4 (hunting.rules)
  • 2850492 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M5 (hunting.rules)
  • 2850667 - ETPRO PHISHING Successful Generic Phish 2021-12-10 (phishing.rules)
  • 2850746 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (phishing.rules)
  • 2850747 - ETPRO PHISHING Successful Generic Phish 2021-12-29 (phishing.rules)
  • 2850832 - ETPRO PHISHING Successful Generic Phish 2022-01-10 (phishing.rules)
  • 2851706 - ETPRO MALWARE Malicious Word Document Template Download Domain in DNS Lookup (truecolor8 .xyz) (malware.rules)