Ruleset Update Summary - 2024/12/02 - v10779

Summary:

0 new OPEN, 0 new PRO (0 + 0)
Modified inactive rules:

  • 2035065 - ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response (malware.rules)
  • 2035139 - ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) (info.rules)
  • 2035625 - ET MALWARE TransparentTribe APT Related Backdoor Activity (malware.rules)
  • 2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
  • 2036222 - ET HUNTING Potential Forced OGNL Evaluation - HTTP URI (hunting.rules)
  • 2036223 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Header (hunting.rules)
  • 2036224 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Body (hunting.rules)
  • 2036425 - ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET) (mobile_malware.rules)
  • 2036551 - ET HUNTING Suspicious HTTP Connection Header Observed (hunting.rules)
  • 2037026 - ET MALWARE Win32.Banker Trojan CnC Checkin (malware.rules)
  • 2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-26258) (exploit.rules)
  • 2041645 - ET WEB_SERVER Likely Malicious Request for /proc//maps (web_server.rules)
  • 2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
  • 2043304 - ET INFO Suspicious Large HTTP Header Key Observed - Possible Exploit Activity (info.rules)
  • 2044538 - ET HUNTING robots Request (set) (hunting.rules)
  • 2044775 - ET MALWARE Observed DNS Query to Gamaredon Domain (highfalutin .ru) (malware.rules)
  • 2045700 - ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz) (adware_pup.rules)
  • 2045701 - ET ADWARE_PUP DNS Query to Neoreklami (check-data .xyz) (adware_pup.rules)
  • 2045702 - ET ADWARE_PUP DNS Query to Neoreklami (vadimmqz .beget .tech) (adware_pup.rules)
  • 2045726 - ET MALWARE DNS Query to Gamaredon Domain (kahotepa .ru) (malware.rules)
  • 2045727 - ET MALWARE DNS Query to Gamaredon Domain (kaziyapa .ru) (malware.rules)
  • 2045728 - ET MALWARE DNS Query to Gamaredon Domain (OpenAsTextStream .zuberipa .ru) (malware.rules)
  • 2045729 - ET MALWARE DNS Query to Gamaredon Domain (80delay .dzhabaripa .ru) (malware.rules)
  • 2045730 - ET MALWARE DNS Query to Gamaredon Domain (71delay .dzhahipa .ru) (malware.rules)
  • 2045731 - ET MALWARE DNS Query to Gamaredon Domain (zaherpa .ru) (malware.rules)
  • 2045732 - ET MALWARE DNS Query to Gamaredon Domain (goruspa .ru) (malware.rules)
  • 2045733 - ET MALWARE DNS Query to Gamaredon Domain (iknatonpa .ru) (malware.rules)
  • 2045734 - ET MALWARE DNS Query to Gamaredon Domain (dzhahipa .ru) (malware.rules)
  • 2045735 - ET MALWARE DNS Query to Gamaredon Domain (dzhabaripa .ru) (malware.rules)
  • 2045736 - ET MALWARE DNS Query to Gamaredon Domain (zuberipa .ru) (malware.rules)
  • 2047063 - ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com) (malware.rules)
  • 2047774 - ET INFO Interactsh Domain in DNS Lookup (.oast .me) (info.rules)
  • 2047775 - ET INFO Interactsh Domain in DNS Lookup (.oast .site) (info.rules)
  • 2047777 - ET INFO Interactsh Domain in DNS Lookup (.oast .live) (info.rules)
  • 2047779 - ET INFO Interactsh Domain in DNS Lookup (.oast .pro) (info.rules)
  • 2047783 - ET INFO Interactsh Domain in DNS Lookup (.oast .fun) (info.rules)
  • 2052639 - ET MALWARE DNS Query to Darkgate Domain (savoystocks .com) (malware.rules)
  • 2054405 - ET INFO HTTP GET for JPG File (flowbit set) (info.rules)
  • 2054406 - ET HUNTING Server Responding to JPG Request with Fake JPG Structure (hunting.rules)
  • 2852169 - ETPRO EXPLOIT Possible Microsoft Windows Server HTTP.sys DOS Inbound (CVE-2022-35748) (exploit.rules)
  • 2853060 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M1 (hunting.rules)
  • 2853061 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M2 (hunting.rules)
  • 2853062 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (StringChar) M1 (hunting.rules)
  • 2853063 - ETPRO HUNTING Possible PowerShell Inbound - Char Concat Obfuscation (hunting.rules)
  • 2853292 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin (malware.rules)
  • 2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
  • 2853567 - ETPRO HUNTING Suspicious Empty Critical-CH Header (hunting.rules)
  • 2853642 - ETPRO HUNTING Large RTF Font Table Observed - Possible Exploit Activity (CVE-2023-21716) (hunting.rules)
  • 2853734 - ETPRO EXPLOIT Possible CVE-2023-23415 Xbit Threshold Set (noalert) (exploit.rules)
  • 2853735 - ETPRO EXPLOIT Inbound Fragmented ICMP Flood - Possible Exploit Activity (CVE-2023-23415) (exploit.rules)
  • 2857339 - ETPRO HUNTING HTTP POST Request with Directory Traversal in Generic Parameter M1 (hunting.rules)
  • 2857340 - ETPRO HUNTING HTTP POST Request with Directory Traversal in Generic Parameter M2 (hunting.rules)
  • 2859130 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M6 (hunting.rules)
  • 2859131 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M7 (hunting.rules)