Ruleset Update Summary - 2024/12/02 - v10781

Summary:

116 new OPEN, 153 new PRO (116 + 37)

Thanks @TrendMicro


Added rules:

Open:

  • 2057921 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) (malware.rules)
  • 2057922 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) (malware.rules)
  • 2057923 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (balloon-sneak .cyou) (malware.rules)
  • 2057924 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (balloon-sneak .cyou in TLS SNI) (malware.rules)
  • 2057925 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) (malware.rules)
  • 2057926 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) (malware.rules)
  • 2057927 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) (malware.rules)
  • 2057928 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) (malware.rules)
  • 2057929 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) (malware.rules)
  • 2057930 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dwell-exclaim .biz in TLS SNI) (malware.rules)
  • 2057931 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) (malware.rules)
  • 2057932 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (formy-spill .biz in TLS SNI) (malware.rules)
  • 2057933 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hallowed-noisy .sbs) (malware.rules)
  • 2057934 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hallowed-noisy .sbs in TLS SNI) (malware.rules)
  • 2057935 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) (malware.rules)
  • 2057936 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impend-differ .biz in TLS SNI) (malware.rules)
  • 2057937 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumdexibuy .shop) (malware.rules)
  • 2057938 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumdexibuy .shop in TLS SNI) (malware.rules)
  • 2057939 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumharmonyfields .shop) (malware.rules)
  • 2057940 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumharmonyfields .shop in TLS SNI) (malware.rules)
  • 2057941 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumhiddenforest .shop) (malware.rules)
  • 2057942 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumhiddenforest .shop in TLS SNI) (malware.rules)
  • 2057943 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) (malware.rules)
  • 2057944 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (print-vexer .biz in TLS SNI) (malware.rules)
  • 2057945 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) (malware.rules)
  • 2057946 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) (malware.rules)
  • 2057947 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (violationsyxzb .shop) (malware.rules)
  • 2057948 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (violationsyxzb .shop in TLS SNI) (malware.rules)
  • 2057949 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) (malware.rules)
  • 2057950 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zinc-sneark .biz in TLS SNI) (malware.rules)
  • 2057951 - ET INFO DYNAMIC_DNS Query to a *.ekcal .com domain (info.rules)
  • 2057952 - ET INFO DYNAMIC_DNS HTTP Request to a *.ekcal .com domain (info.rules)
  • 2057953 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (adult-perfect .cyou) (malware.rules)
  • 2057954 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (adult-perfect .cyou in TLS SNI) (malware.rules)
  • 2057955 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (creating-egg .cyou) (malware.rules)
  • 2057956 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (creating-egg .cyou in TLS SNI) (malware.rules)
  • 2057957 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (infect-crackle .cyou) (malware.rules)
  • 2057958 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (infect-crackle .cyou in TLS SNI) (malware.rules)
  • 2057959 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumcitikai .shop:) (malware.rules)
  • 2057960 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumcitikai .shop: in TLS SNI) (malware.rules)
  • 2057961 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (teach-shave .cyou) (malware.rules)
  • 2057962 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (teach-shave .cyou in TLS SNI) (malware.rules)
  • 2057963 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .trc20 .kcgrocks .com) (malware.rules)
  • 2057964 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .trc20 .kcgrocks .com) (malware.rules)
  • 2057965 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grow-deprive .cyou) (malware.rules)
  • 2057966 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grow-deprive .cyou in TLS SNI) (malware.rules)
  • 2057967 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .culture-quest .shop) (malware.rules)
  • 2057968 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .culture-quest .shop in TLS SNI) (malware.rules)
  • 2057969 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) (malware.rules)
  • 2057970 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impend-differ .biz in TLS SNI) (malware.rules)
  • 2057971 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) (malware.rules)
  • 2057972 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (print-vexer .biz in TLS SNI) (malware.rules)
  • 2057973 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) (malware.rules)
  • 2057974 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covery-mover .biz in TLS SNI) (malware.rules)
  • 2057975 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) (malware.rules)
  • 2057976 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dare-curbys .biz in TLS SNI) (malware.rules)
  • 2057977 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) (malware.rules)
  • 2057978 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (formy-spill .biz in TLS SNI) (malware.rules)
  • 2057979 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) (malware.rules)
  • 2057980 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dwell-exclaim .biz in TLS SNI) (malware.rules)
  • 2057981 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) (malware.rules)
  • 2057982 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zinc-sneark .biz in TLS SNI) (malware.rules)
  • 2057983 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) (malware.rules)
  • 2057984 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (se-blurry .biz in TLS SNI) (malware.rules)
  • 2057985 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumdexibuy .shop) (malware.rules)
  • 2057986 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumdexibuy .shop in TLS SNI) (malware.rules)
  • 2057987 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (preside-comforter .sbs) (malware.rules)
  • 2057988 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (preside-comforter .sbs in TLS SNI) (malware.rules)
  • 2057989 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savvy-steereo .sbs) (malware.rules)
  • 2057990 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (savvy-steereo .sbs in TLS SNI) (malware.rules)
  • 2057991 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (copper-replace .sbs) (malware.rules)
  • 2057992 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (copper-replace .sbs in TLS SNI) (malware.rules)
  • 2057993 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (record-envyp .sbs) (malware.rules)
  • 2057994 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (record-envyp .sbs in TLS SNI) (malware.rules)
  • 2057995 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slam-whipp .sbs) (malware.rules)
  • 2057996 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slam-whipp .sbs in TLS SNI) (malware.rules)
  • 2057997 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrench-creter .sbs) (malware.rules)
  • 2057998 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wrench-creter .sbs in TLS SNI) (malware.rules)
  • 2057999 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (looky-marked .sbs) (malware.rules)
  • 2058000 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (looky-marked .sbs in TLS SNI) (malware.rules)
  • 2058001 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plastic-mitten .sbs) (malware.rules)
  • 2058002 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (plastic-mitten .sbs in TLS SNI) (malware.rules)
  • 2058003 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (petited-hulking .cyou) (malware.rules)
  • 2058004 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (petited-hulking .cyou in TLS SNI) (malware.rules)
  • 2058005 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io) (info.rules)
  • 2058006 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (sharizz .io) (info.rules)
  • 2058007 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (storj .io) (info.rules)
  • 2058008 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (bublup .com) (info.rules)
  • 2058009 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (pcloud .com) (info.rules)
  • 2058010 - ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (shz .ai) (info.rules)
  • 2058011 - ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI (info.rules)
  • 2058012 - ET INFO Observed Commonly Abused File Sharing Site Domain (sharizz .io) in TLS SNI (info.rules)
  • 2058013 - ET INFO Observed Commonly Abused File Sharing Site Domain (storj .io) in TLS SNI (info.rules)
  • 2058014 - ET INFO Observed Commonly Abused File Sharing Site Domain (bublup .com) in TLS SNI (info.rules)
  • 2058015 - ET INFO Observed Commonly Abused File Sharing Site Domain (pcloud .com) in TLS SNI (info.rules)
  • 2058016 - ET INFO Observed Commonly Abused File Sharing Site Domain (shz .ai) in TLS SNI (info.rules)
  • 2058017 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bfd78 .biz) (exploit_kit.rules)
  • 2058018 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (zeroassoluto .biz) (exploit_kit.rules)
  • 2058019 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (best-net .biz) (exploit_kit.rules)
  • 2058020 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aquabaru .online) (exploit_kit.rules)
  • 2058021 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chudautu .info) (exploit_kit.rules)
  • 2058022 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bfd78 .biz) (exploit_kit.rules)
  • 2058023 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (zeroassoluto .biz) (exploit_kit.rules)
  • 2058024 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (best-net .biz) (exploit_kit.rules)
  • 2058025 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aquabaru .online) (exploit_kit.rules)
  • 2058026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chudautu .info) (exploit_kit.rules)
  • 2058027 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (monsterpword .com) (exploit_kit.rules)
  • 2058028 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (monsterpword .com) (exploit_kit.rules)
  • 2058029 - ET MALWARE Earth Kasha CnC Domain in DNS Lookup (srmbr .com) (malware.rules)
  • 2058030 - ET MALWARE Earth Kasha CnC Domain in DNS Lookup (tlsart .com) (malware.rules)
  • 2058031 - ET MALWARE Earth Kasha CnC Domain in DNS Lookup (tw8sl .com) (malware.rules)
  • 2058032 - ET MALWARE Observed Earth Kasha Domain (srmbr .com) in TLS SNI (malware.rules)
  • 2058033 - ET MALWARE Observed Earth Kasha Domain (tlsart .com) in TLS SNI (malware.rules)
  • 2058034 - ET MALWARE Observed Earth Kasha Domain (tw8sl .com) in TLS SNI (malware.rules)
  • 2058035 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .trc20 .kcgrocks .com) (malware.rules)
  • 2058036 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .trc20 .kcgrocks .com) (malware.rules)

Pro:

  • 2859214 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859215 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859216 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859219 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859221 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859222 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859223 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859224 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859225 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859226 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859227 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859228 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859229 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859230 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859231 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859232 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859233 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859234 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859235 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859236 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859237 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859239 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859240 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859241 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859242 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859243 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859244 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859245 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859246 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859247 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859248 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859249 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859250 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2030555 - ET INFO Outbound RRSIG DNS Query Observed (info.rules)
  • 2031209 - ET MALWARE ModPipe CnC Activity (Response) (malware.rules)
  • 2031488 - ET POLICY SSLv2 Used in Session (policy.rules)
  • 2031489 - ET POLICY SSLv3 Used in Session (policy.rules)
  • 2031490 - ET POLICY TLSv1.1 Used in Session (policy.rules)
  • 2031491 - ET POLICY TLSv1.0 Used in Session (policy.rules)
  • 2033022 - ET MALWARE Suspected Gootkit Activity (malware.rules)
  • 2033247 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1 (policy.rules)
  • 2033274 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2 (policy.rules)
  • 2033275 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3 (policy.rules)
  • 2033276 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4 (policy.rules)
  • 2033816 - ET MALWARE Javascript Click and Removal of Download Element (malware.rules)
  • 2033908 - ET MALWARE Maldoc OneDrive Download Activity (GET) (malware.rules)
  • 2034094 - ET INFO HTTP/2 Traffic (SET) (info.rules)
  • 2034113 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
  • 2034114 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
  • 2034212 - ET INFO Outbound .png HTTP GET flowbit set (info.rules)
  • 2034228 - ET INFO Fake AppleWebKit User-Agent Version Number Observed (info.rules)
  • 2034234 - ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21) (phishing.rules)
  • 2034533 - ET MALWARE Dridex Dotted Quad CnC Request (flowbit set) (malware.rules)
  • 2034534 - ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module (malware.rules)
  • 2848862 - ETPRO POLICY Outbound H.323 Q.931 INFORMATION Packet On High Port (policy.rules)
  • 2848863 - ETPRO POLICY Outbound H.323 Q.931 RELEASE COMPLETE Packet On High Port (policy.rules)
  • 2848864 - ETPRO POLICY Outbound H.323 Q.931 SETUP Packet On High Port (policy.rules)
  • 2848865 - ETPRO POLICY Outbound H.323 Q.931 CALL PROCEEDING Packet On High Port (policy.rules)
  • 2848866 - ETPRO POLICY Outbound H.323 Q.931 CONNECT Packet On High Port (policy.rules)
  • 2848867 - ETPRO POLICY Outbound H.323 Q.931 FACILITY Packet On High Port (policy.rules)
  • 2849002 - ETPRO MALWARE Unk Rootkit Receiving IP Redirect Config (malware.rules)
  • 2849173 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriver (policy.rules)
  • 2849174 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcEnumPrinterDrivers (policy.rules)
  • 2849175 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver (policy.rules)
  • 2849176 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverDirectory (policy.rules)
  • 2849177 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriver (policy.rules)
  • 2849178 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver2 (policy.rules)
  • 2849179 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriverEx (policy.rules)
  • 2849180 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetCorePrinterDrivers (policy.rules)
  • 2849181 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverPackagePath (policy.rules)
  • 2849303 - ETPRO POLICY [MS-SRVS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849304 - ETPRO POLICY [MS-SRVS] Microsoft Server Service Remote Protocol Activity - NetShareEnumAll (policy.rules)
  • 2849335 - ETPRO POLICY [MS-RPRN/SPOOLSS] DCERPC Bind_ack (flowbit set) (policy.rules)
  • 2849383 - ETPRO POLICY DCERPC ncacn_np LSASS Bind_ack (flowbit set) (policy.rules)
  • 2849384 - ETPRO POLICY DCERPC ncacn_np EFSR Bind_ack (flowbit set) (policy.rules)
  • 2849385 - ETPRO POLICY DCERPC ncacn_np LSARPC Bind_ack (flowbit set) (policy.rules)
  • 2849386 - ETPRO POLICY DCERPC ncacn_np SAMR Bind_ack (flowbit set) (policy.rules)
  • 2849387 - ETPRO POLICY DCERPC ncacn_np NETLOGON Bind_ack (flowbit set) (policy.rules)
  • 2849388 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M1 (policy.rules)
  • 2849389 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M2 (policy.rules)
  • 2849390 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M3 (policy.rules)
  • 2849391 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M4 (policy.rules)
  • 2849392 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M5 (policy.rules)
  • 2849393 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M1 (policy.rules)
  • 2849394 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M2 (policy.rules)
  • 2849395 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M3 (policy.rules)
  • 2849396 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M4 (policy.rules)
  • 2849397 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M5 (policy.rules)
  • 2849398 - ETPRO POLICY DCERPC ncacn_ip_tcp LSASS Bind_ack (flowbit set) (policy.rules)
  • 2849399 - ETPRO POLICY DCERPC ncacn_ip_tcp EFSR Bind_ack (flowbit set) (policy.rules)
  • 2849400 - ETPRO POLICY DCERPC ncacn_ip_tcp LSARPC Bind_ack (flowbit set) (policy.rules)
  • 2849401 - ETPRO POLICY DCERPC ncacn_ip_tcp SAMR Bind_ack (flowbit set) (policy.rules)
  • 2849402 - ETPRO POLICY DCERPC ncacn_ip_tcp NETLOGON Bind_ack (flowbit set) (policy.rules)
  • 2849403 - ETPRO POLICY Possible PetitPotam Successful NTLM Relay Attack (policy.rules)

Disabled and modified rules:

  • 2038672 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M1 (exploit.rules)
  • 2038673 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M2 (exploit.rules)
  • 2038782 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-28958) (exploit.rules)
  • 2038841 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M1 (malware.rules)
  • 2038842 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M2 (malware.rules)
  • 2038843 - ET MALWARE Brute Ratel CnC Activity (json-c2) M1 (malware.rules)
  • 2038844 - ET MALWARE Brute Ratel CnC Activity (json-c2) M2 (malware.rules)
  • 2039019 - ET MALWARE Win32/Variant.Babar.74963 CnC Exfil (malware.rules)
  • 2039072 - ET MALWARE Observed Lazarus Domain (market .contradecapital .com in TLS SNI) (malware.rules)
  • 2039156 - ET MALWARE HTML/Qbot Dropper (.zip) (malware.rules)
  • 2039158 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
  • 2039159 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
  • 2039170 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
  • 2043309 - ET MALWARE Observed DNS Query to Mirai Domain (miraistealer .xyz) (malware.rules)
  • 2044310 - ET MALWARE Observed Malicious Domain in DNS Lookup (wpsupdate .luckfafa .com) (malware.rules)
  • 2852362 - ETPRO MALWARE Script/Unknown CnC Activity (malware.rules)
  • 2852385 - ETPRO MALWARE Win32/Delf.NBX CnC Response (malware.rules)