Ruleset Update Summary - 2024/12/03 - v10787

rulesbot · December 3, 2024, 9:20pm

Summary:

26 new OPEN, 41 new PRO (26 + 15)

Added rules:

Open:

2012303 - ET RETIRED Night Dragon CnC Beacon Outbound (retired.rules)
2012306 - ET RETIRED Night Dragon CnC Traffic Outbound 2 (retired.rules)
2012690 - ET RETIRED Windows 7 CMD Shell from Local System (retired.rules)
2012894 - ET RETIRED Dropper.Win32.Agent.bpxo Checkin (retired.rules)
2012895 - ET RETIRED Dropper.Win32.Agent.ahju Checkin (retired.rules)
2012957 - ET RETIRED Backdoor.Win32.ZZSlash/Redosdru.E checkin (retired.rules)
2013245 - ET RETIRED Ruskill/Palevo Download Command (retired.rules)
2013247 - ET RETIRED Ruskill/Palevo KCIK IRC Command (retired.rules)
2013338 - ET RETIRED Bifrose Client Checkin (retired.rules)
2013506 - ET RETIRED W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems (retired.rules)
2013771 - ET RETIRED Win32.Cerberus RAT Checkin Outbound (retired.rules)
2013772 - ET RETIRED Win32.Cerberus RAT Checkin Response (retired.rules)
2058037 - ET INFO DYNAMIC_DNS Query to a *.christopherharmon .net domain (info.rules)
2058038 - ET INFO DYNAMIC_DNS HTTP Request to a *.christopherharmon .net domain (info.rules)
2058039 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) (malware.rules)
2058040 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) (malware.rules)
2058041 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clamfluffys .click) (malware.rules)
2058042 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clamfluffys .click in TLS SNI) (malware.rules)
2058043 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumcyjukui .shop) (malware.rules)
2058044 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumcyjukui .shop in TLS SNI) (malware.rules)
2058045 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lummunaqea .shop) (malware.rules)
2058046 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lummunaqea .shop in TLS SNI) (malware.rules)
2058047 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (blackshelter .org) (exploit_kit.rules)
2058048 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (blackshelter .org) (exploit_kit.rules)
2058049 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (q8ds .net) (exploit_kit.rules)
2058050 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (q8ds .net) (exploit_kit.rules)

Pro:

2801439 - ETPRO RETIRED Generic Portuguese Trojan Infection Report (retired.rules)
2802088 - ETPRO RETIRED Backdoor.Win32.Quejob.evl Checkin 2 (retired.rules)
2802161 - ETPRO RETIRED VBCrypt/Spy.582013.2 Keepalive to CnC (retired.rules)
2802174 - ETPRO RETIRED ProRat Keylogger Infection Report via Email (retired.rules)
2802973 - ETPRO RETIRED Yahlover Checkin Request (setting.doc) (retired.rules)
2803322 - ETPRO RETIRED Win32.Generic.127FCD1B Connectivity Check Ping (retired.rules)
2803686 - ETPRO RETIRED Win32/Whybo.F DDoS Traffic Outbound (retired.rules)
2803691 - ETPRO RETIRED Win32/Whybo.F DDoS Traffic Inbound (retired.rules)
2804053 - ETPRO RETIRED Putty SSH CnC outbound Possible Win32.Penepe Checkin (retired.rules)
2859251 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2859252 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2859253 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859254 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859255 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859256 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2057903 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (copper-replace .sbs) (malware.rules)
2057905 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (looky-marked .sbs) (malware.rules)
2057909 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plastic-mitten .sbs) (malware.rules)
2057911 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (preside-comforter .sbs) (malware.rules)
2057913 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (record-envyp .sbs) (malware.rules)
2057915 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savvy-steereo .sbs) (malware.rules)
2057917 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slam-whipp .sbs) (malware.rules)
2057919 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrench-creter .sbs) (malware.rules)
2057925 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) (malware.rules)
2057927 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) (malware.rules)
2057929 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) (malware.rules)
2057931 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) (malware.rules)
2057935 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) (malware.rules)
2057937 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumdexibuy .shop) (malware.rules)
2057943 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) (malware.rules)
2057945 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) (malware.rules)
2057949 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) (malware.rules)

Removed rules:

2012303 - ET MALWARE Night Dragon CnC Beacon Outbound (malware.rules)
2012306 - ET MALWARE Night Dragon CnC Traffic Outbound 2 (malware.rules)
2012690 - ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System (attack_response.rules)
2012894 - ET MALWARE Dropper.Win32.Agent.bpxo Checkin (malware.rules)
2012895 - ET MALWARE Dropper.Win32.Agent.ahju Checkin (malware.rules)
2012957 - ET MALWARE Backdoor.Win32.ZZSlash/Redosdru.E checkin (malware.rules)
2013245 - ET MALWARE Ruskill/Palevo Download Command (malware.rules)
2013247 - ET MALWARE Ruskill/Palevo KCIK IRC Command (malware.rules)
2013338 - ET MALWARE Bifrose Client Checkin (malware.rules)
2013506 - ET MALWARE W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems (malware.rules)
2013771 - ET MALWARE Win32.Cerberus RAT Checkin Outbound (malware.rules)
2013772 - ET MALWARE Win32.Cerberus RAT Checkin Response (malware.rules)
2801439 - ETPRO MALWARE Generic Portuguese Trojan Infection Report (malware.rules)
2802088 - ETPRO MALWARE Backdoor.Win32.Quejob.evl Checkin 2 (malware.rules)
2802161 - ETPRO MALWARE VBCrypt/Spy.582013.2 Keepalive to CnC (malware.rules)
2802174 - ETPRO MALWARE ProRat Keylogger Infection Report via Email (malware.rules)
2802973 - ETPRO MALWARE Yahlover Checkin Request (setting.doc) (malware.rules)
2803322 - ETPRO MALWARE Win32.Generic.127FCD1B Connectivity Check Ping (malware.rules)
2803686 - ETPRO DOS Win32/Whybo.F DDoS Traffic Outbound (dos.rules)
2803691 - ETPRO DOS Win32/Whybo.F DDoS Traffic Inbound (dos.rules)
2804053 - ETPRO MALWARE Putty SSH CnC outbound Possible Win32.Penepe Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/09/23 - v10701 Ruleset Updates	116	September 23, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	752	March 5, 2024
Ruleset Update Summary - 2024/01/16 - v10507 Ruleset Updates	547	January 16, 2024
Ruleset Update Summary - 2024/03/13 - v10551 Ruleset Updates	313	March 13, 2024
Ruleset Update Summary - 2024/11/15 - v10743 Ruleset Updates	118	November 15, 2024

Ruleset Update Summary - 2024/12/03 - v10787

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics