Ruleset Update Summary - 2024/12/04 - v10788

Summary:

33 new OPEN, 46 new PRO (33 OPEN + 13 PRO-only)


Added rules:

Open:

  • 2014135 - ET RETIRED Zeus/Reveton checkin to /images.rar (retired.rules)
  • 2015597 - ET RETIRED DNS Query Gauss Domain *.gowin7.com (retired.rules)
  • 2015598 - ET RETIRED DNS Query Gauss Domain *.secuurity.net (retired.rules)
  • 2015599 - ET RETIRED DNS Query Gauss Domain *.bestcomputeradvisor.com (retired.rules)
  • 2015600 - ET RETIRED DNS Query Gauss Domain *.dotnetadvisor.info (retired.rules)
  • 2015601 - ET RETIRED DNS Query Gauss Domain *.dataspotlight.net (retired.rules)
  • 2015602 - ET RETIRED DNS Query Gauss Domain *.guest-access.net (retired.rules)
  • 2015618 - ET RETIRED DNS Query Gauss Domain *.datajunction.org (retired.rules)
  • 2015874 - ET RETIRED Known Reveton Domain HTTP whatwillber.com (retired.rules)
  • 2015875 - ET RETIRED DNS Query Known Reveton Domain whatwillber.com (retired.rules)
  • 2058051 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2058052 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2058053 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M3 (hunting.rules)
  • 2058054 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M4 (hunting.rules)
  • 2058055 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M5 (hunting.rules)
  • 2058056 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M4 (hunting.rules)
  • 2058057 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M6 (hunting.rules)
  • 2058058 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M7 (hunting.rules)
  • 2058059 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M8 (hunting.rules)
  • 2058060 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M9 (hunting.rules)
  • 2058061 - ET INFO DYNAMIC_DNS Query to a *.rkfd .com domain (info.rules)
  • 2058062 - ET INFO DYNAMIC_DNS HTTP Request to a *.rkfd .com domain (info.rules)
  • 2058063 - ET INFO DYNAMIC_DNS Query to a *.tmbpc .org domain (info.rules)
  • 2058064 - ET INFO DYNAMIC_DNS HTTP Request to a *.tmbpc .org domain (info.rules)
  • 2058065 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (renqidm .info) (exploit_kit.rules)
  • 2058066 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (renqidm .info) (exploit_kit.rules)
  • 2058067 - ET ATTACK_RESPONSE Base64 Encoded Powershell Performing Byte Operations Inbound (attack_response.rules)
  • 2058068 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Domain (recommends-returned-browser-brave .trycloudflare .com) (malware.rules)
  • 2058069 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Domain (partinvshipppjbb .click) (malware.rules)
  • 2058070 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Domain (desbullariamos .sa .com) (malware.rules)
  • 2058071 - ET MALWARE Observed PeakLight/Emmenhtal Domain (recommends-returned-browser-brave .trycloudflare .com in TLS SNI) (malware.rules)
  • 2058072 - ET MALWARE Observed PeakLight/Emmenhtal Domain (partinvshipppjbb .click in TLS SNI) (malware.rules)
  • 2058073 - ET MALWARE Observed PeakLight/Emmenhtal Domain (desbullariamos .sa .com in TLS SNI) (malware.rules)

Pro:

  • 2804814 - ETPRO RETIRED PWS.Win32/Reveton.A Checkin (retired.rules)
  • 2805467 - ETPRO RETIRED Gauss CnC (retired.rules)
  • 2805875 - ETPRO RETIRED Win32/Reveton.N Checkin (retired.rules)
  • 2807230 - ETPRO RETIRED Reveton Checkin (retired.rules)
  • 2808450 - ETPRO RETIRED REVETON CnC SET (retired.rules)
  • 2808451 - ETPRO RETIRED REVETON CnC OUTBOUND (retired.rules)
  • 2808475 - ETPRO RETIRED Win32/Reveton.gen!C Checkin (retired.rules)
  • 2815060 - ETPRO RETIRED Reveton.ScreenLocker Checkin (retired.rules)
  • 2829595 - ETPRO RETIRED Reveton Domain Observed (itisagooddaytodie .com in DNS Lookup) (retired.rules)
  • 2829596 - ETPRO RETIRED Reveton Domain Observed (googleprofit8 .com in DNS Lookup) (retired.rules)
  • 2829599 - ETPRO RETIRED Reveton Domain Observed (lalalablabla1313lolo .com in DNS Lookup) (retired.rules)
  • 2859259 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859260 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2056104 - ET EXPLOIT_KIT Fake Update Domain in DNS Lookup (mediamic .info) (exploit_kit.rules)
  • 2056105 - ET EXPLOIT_KIT Fake Update Domain in TLS SNI (mediamic .info) (exploit_kit.rules)
  • 2056106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (flyjeta .com) (exploit_kit.rules)
  • 2056107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (flyjeta .com) (exploit_kit.rules)
  • 2056179 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (roadrunnersell .com) (exploit_kit.rules)
  • 2056180 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (roadrunnersell .com) (exploit_kit.rules)
  • 2056197 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (md928zs .shop) (exploit_kit.rules)
  • 2056198 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (md928zs .shop) (exploit_kit.rules)
  • 2056199 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdngetmyname .biz) (exploit_kit.rules)
  • 2056200 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdngetmyname .biz) (exploit_kit.rules)
  • 2056201 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (restbycalm .com) (exploit_kit.rules)
  • 2056202 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (restbycalm .com) (exploit_kit.rules)
  • 2056309 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (internationalcricketboard .com) (exploit_kit.rules)
  • 2056310 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (internationalcricketboard .com) (exploit_kit.rules)
  • 2056348 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (innerglowjourney .com) (exploit_kit.rules)
  • 2056349 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (reputationb .com) (exploit_kit.rules)
  • 2056350 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paperbearsweets .com) (exploit_kit.rules)
  • 2056351 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (innerglowjourney .com) (exploit_kit.rules)
  • 2056352 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (reputationb .com) (exploit_kit.rules)
  • 2056353 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paperbearsweets .com) (exploit_kit.rules)
  • 2056377 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (indoprimitiveart .com) (exploit_kit.rules)
  • 2056378 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (indoprimitiveart .com) (exploit_kit.rules)
  • 2056386 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thehyperfocus .quest) (exploit_kit.rules)
  • 2056387 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yaseraljazeera .com) (exploit_kit.rules)
  • 2056388 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thehyperfocus .quest) (exploit_kit.rules)
  • 2056389 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yaseraljazeera .com) (exploit_kit.rules)
  • 2056432 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tecstify .com) (exploit_kit.rules)
  • 2056433 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jerescarla .com) (exploit_kit.rules)
  • 2056434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (shaoriffandco .com) (exploit_kit.rules)
  • 2056437 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tecstify .com) (exploit_kit.rules)
  • 2056438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jerescarla .com) (exploit_kit.rules)
  • 2056439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (shaoriffandco .com) (exploit_kit.rules)
  • 2859001 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859002 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859003 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859004 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859005 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859006 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859020 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859025 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859026 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859061 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859062 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859063 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859064 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859065 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859066 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859089 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859090 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859092 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859256 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2014135 - ET MALWARE Zeus/Reveton checkin to /images.rar (malware.rules)
  • 2015597 - ET MALWARE DNS Query Gauss Domain *.gowin7.com (malware.rules)
  • 2015598 - ET MALWARE DNS Query Gauss Domain *.secuurity.net (malware.rules)
  • 2015599 - ET MALWARE DNS Query Gauss Domain *.bestcomputeradvisor.com (malware.rules)
  • 2015600 - ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info (malware.rules)
  • 2015601 - ET MALWARE DNS Query Gauss Domain *.dataspotlight.net (malware.rules)
  • 2015602 - ET MALWARE DNS Query Gauss Domain *.guest-access.net (malware.rules)
  • 2015618 - ET MALWARE DNS Query Gauss Domain *.datajunction.org (malware.rules)
  • 2015874 - ET MALWARE Known Reveton Domain HTTP whatwillber.com (malware.rules)
  • 2015875 - ET MALWARE DNS Query Known Reveton Domain whatwillber.com (malware.rules)
  • 2045871 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2804814 - ETPRO MALWARE PWS.Win32/Reveton.A Checkin (malware.rules)
  • 2805467 - ETPRO MALWARE Gauss CnC (malware.rules)
  • 2805875 - ETPRO MALWARE Win32/Reveton.N Checkin (malware.rules)
  • 2807230 - ETPRO MALWARE Reveton Checkin (malware.rules)
  • 2808450 - ETPRO MALWARE REVETON CnC SET (malware.rules)
  • 2808451 - ETPRO MALWARE REVETON CnC OUTBOUND (malware.rules)
  • 2808475 - ETPRO MALWARE Win32/Reveton.gen!C Checkin (malware.rules)
  • 2815060 - ETPRO MALWARE Reveton.ScreenLocker Checkin (malware.rules)
  • 2829595 - ETPRO MALWARE Reveton Domain Observed (itisagooddaytodie .com in DNS Lookup) (malware.rules)
  • 2829596 - ETPRO MALWARE Reveton Domain Observed (googleprofit8 .com in DNS Lookup) (malware.rules)
  • 2829599 - ETPRO MALWARE Reveton Domain Observed (lalalablabla1313lolo .com in DNS Lookup) (malware.rules)
  • 2850488 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2850490 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M3 (hunting.rules)
  • 2850491 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M4 (hunting.rules)
  • 2850492 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M5 (hunting.rules)
  • 2858827 - ETPRO HUNTING V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M4 (hunting.rules)
  • 2859130 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M6 (hunting.rules)
  • 2859131 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M7 (hunting.rules)
  • 2859132 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M8 (hunting.rules)
  • 2859133 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M9 (hunting.rules)
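Two patterns in this update matter for anyone carrying local tuning (suppress/threshold entries, disable lists) keyed on SIDs: the Reveton/Gauss rules are removed from malware.rules and re-added under the same SID in retired.rules, and the JavaScript JIT-forcing hunting rules are removed as ETPRO SIDs (2850488, 2850490, ...) and 2045871 while new ET open SIDs 2058051-2058060 appear with identical message text. The script below is an added example, not ET or Proofpoint tooling; it parses this summary format, lists retired SIDs, infers old-to-new SID replacements from verbatim message matches (an inference from the text, not something the summary states), and re-points `sig_id` references in a Suricata threshold.conf. The SAMPLE and SAMPLE_THRESHOLD inputs are constructed excerpts.

```python
"""Reconcile an ET ruleset update summary against local SID-keyed tuning.

Added example (not ET/Proofpoint code). Parses the plain-text
"Ruleset Update Summary" layout and derives:
  1. retired SIDs: removed from a category file and re-added, same SID,
     under retired.rules;
  2. replaced SIDs: a removed SID whose message (minus the ET/ETPRO
     prefix and category token) reappears verbatim on a new SID.
SAMPLE and SAMPLE_THRESHOLD are constructed excerpts for this example.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\(([\w.]+)\)\s*$")
SECTION_RE = re.compile(r"^(Added rules|Disabled and modified rules|Removed rules):")
THRESHOLD_SID_RE = re.compile(r"\bsig_id\s+(\d+)")

SAMPLE = """\
Added rules:

Open:

  • 2014135 - ET RETIRED Zeus/Reveton checkin to /images.rar (retired.rules)
  • 2058051 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
  • 2058052 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2058065 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (renqidm .info) (exploit_kit.rules)

Pro:

  • 2805467 - ETPRO RETIRED Gauss CnC (retired.rules)

Disabled and modified rules:

  • 2056104 - ET EXPLOIT_KIT Fake Update Domain in DNS Lookup (mediamic .info) (exploit_kit.rules)

Removed rules:

  • 2014135 - ET MALWARE Zeus/Reveton checkin to /images.rar (malware.rules)
  • 2045871 - ET HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (hunting.rules)
  • 2805467 - ETPRO MALWARE Gauss CnC (malware.rules)
  • 2850488 - ETPRO HUNTING JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (hunting.rules)
"""

# Constructed local threshold.conf keyed on SIDs this update removes.
SAMPLE_THRESHOLD = """\
suppress gen_id 1, sig_id 2850488, track by_src, ip 10.0.0.0/8
threshold gen_id 1, sig_id 2045871, type limit, track by_src, count 1, seconds 3600
"""


def parse_summary(text):
    """Return {section: {sid: (msg, rulefile)}} for the three rule sections.
    'Open:' / 'Pro:' sub-headings are ignored; both feeds land in 'Added rules'."""
    sections = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and current:
            sid, msg, rulefile = m.groups()
            sections[current][int(sid)] = (msg, rulefile)
    return sections


def strip_prefix(msg):
    """Drop the feed prefix (ET / ETPRO) and the category token so the
    descriptive text compares across feeds and across category moves."""
    return re.sub(r"^(?:ETPRO|ET)\s+[A-Z_]+\s+", "", msg)


def retired_sids(sections):
    """SIDs removed from a category file and re-added under retired.rules."""
    added, removed = sections["Added rules"], sections["Removed rules"]
    return sorted(
        sid for sid, (_, f) in added.items()
        if f == "retired.rules" and sid in removed and removed[sid][1] != "retired.rules"
    )


def replaced_sids(sections):
    """Map old SID -> new SID where the descriptive message text carried over.
    If several new SIDs share one message text the lowest SID wins."""
    added, removed = sections["Added rules"], sections["Removed rules"]
    by_text = {}
    for sid, (msg, f) in sorted(added.items()):
        if f != "retired.rules":
            by_text.setdefault(strip_prefix(msg), sid)
    mapping = {}
    for sid, (msg, _) in removed.items():
        new = by_text.get(strip_prefix(msg))
        if new is not None and new != sid:
            mapping[sid] = new
    return mapping


def rewrite_threshold(conf_text, mapping):
    """Re-point sig_id references in a Suricata threshold.conf to replacement SIDs."""
    return THRESHOLD_SID_RE.sub(
        lambda m: "sig_id %d" % mapping.get(int(m.group(1)), int(m.group(1))), conf_text)


if __name__ == "__main__":
    s = parse_summary(SAMPLE)
    print("retired:", retired_sids(s))
    print("replaced:", replaced_sids(s))
    print(rewrite_threshold(SAMPLE_THRESHOLD, replaced_sids(s)), end="")
```

Run it against the full summary text to get the complete retired list and the ETPRO-to-open SID mapping for the hunting rules; entries for SIDs that were retired rather than replaced are left untouched, and should be reviewed by hand since the rule content itself may have changed.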