Ruleset Update Summary - 2024/12/09 - v10793

Summary:

33 new OPEN, 101 new PRO (33 + 68)


Added rules:

Open:

  • 2058130 - ET MALWARE Supershell CnC Activity (malware.rules)
  • 2058131 - ET MALWARE Supershell C2 Login Page (malware.rules)
  • 2058132 - ET INFO DYNAMIC_DNS Query to a *.shirokuriwaki .com domain (info.rules)
  • 2058133 - ET INFO DYNAMIC_DNS HTTP Request to a *.shirokuriwaki .com domain (info.rules)
  • 2058134 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (corkpennywj .click) (malware.rules)
  • 2058135 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (corkpennywj .click in TLS SNI) (malware.rules)
  • 2058136 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumkecuq .shop) (malware.rules)
  • 2058137 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumkecuq .shop in TLS SNI) (malware.rules)
  • 2058138 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .travelguide-techtrends .com) (malware.rules)
  • 2058139 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) (malware.rules)
  • 2058140 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumzacynuy .shop) (malware.rules)
  • 2058141 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumzacynuy .shop in TLS SNI) (malware.rules)
  • 2058142 - ET MALWARE Ailurophile Stealer CnC Domain in DNS Lookup (ailurophilestealer .com) (malware.rules)
  • 2058143 - ET MALWARE Observed Ailurophile Stealer Domain (ailurophilestealer .com) in TLS SNI (malware.rules)
  • 2058144 - ET MALWARE RevC2 Domain in DNS Lookup (gdrive .rest) (malware.rules)
  • 2058145 - ET MALWARE Retdoor CnC Checkin (malware.rules)
  • 2058146 - ET MALWARE RevC2 Domain in DNS Lookup (nopsec .org) (malware.rules)
  • 2058147 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (groundrats .org) (exploit_kit.rules)
  • 2058148 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (groundrats .org) (exploit_kit.rules)
  • 2058149 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (iognews .com) (exploit_kit.rules)
  • 2058150 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (habfan .com) (exploit_kit.rules)
  • 2058151 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (iognews .com) (exploit_kit.rules)
  • 2058152 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (habfan .com) (exploit_kit.rules)
  • 2058153 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .material .amstillroofing .com) (malware.rules)
  • 2058154 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .material .amstillroofing .com) (malware.rules)
  • 2058155 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jitcom .info) (exploit_kit.rules)
  • 2058156 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jitcom .info) (exploit_kit.rules)
  • 2058157 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (classify-shed .biz) (malware.rules)
  • 2058158 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (classify-shed .biz in TLS SNI) (malware.rules)
  • 2058159 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fightlsoser .click) (malware.rules)
  • 2058160 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fightlsoser .click in TLS SNI) (malware.rules)
  • 2058161 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toqyxuy .shop) (malware.rules)
  • 2058162 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toqyxuy .shop in TLS SNI) (malware.rules)

Pro:

  • 2859272 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859275 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859276 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859277 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859278 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859279 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859281 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859283 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859284 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859285 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2859286 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859287 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2859288 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2859289 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859290 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859291 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859292 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859293 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859294 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859295 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859296 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859297 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859299 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859300 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859301 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2859302 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859303 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2859304 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2859305 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859306 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859307 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859308 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859309 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859310 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859311 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859312 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859313 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859315 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859316 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859317 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859318 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859319 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859320 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859321 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2859322 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859323 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859324 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859325 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859326 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859327 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859328 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859329 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859330 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859331 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859332 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859333 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859334 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859335 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859336 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859337 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2859338 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859339 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
  • 2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)
  • 2025411 - ET INFO Secondary Flash Request Seen (no alert) (info.rules)
  • 2025428 - ET INFO Possible Sandvine PacketLogic Injection (info.rules)
  • 2025986 - ET INFO MP3 with ID3 in HTTP Flowbit Set (info.rules)
  • 2026038 - ET PHISHING Successful Generic Phish (set) 2018-08-27 (phishing.rules)
  • 2026465 - ET PHISHING Successful Generic Phish (set) 2018-10-10 (phishing.rules)
  • 2026774 - ET INFO DNS Over TLS Request Outbound (info.rules)
  • 2028879 - ET HUNTING Observed Suspicious UA (Windows) (hunting.rules)
  • 2829200 - ETPRO PHISHING Possible Successful Cyberplus (FR) Phish M1 2018-01-08 (phishing.rules)
  • 2829286 - ETPRO RETIRED APT28 DNS Lookup (retired.rules)
  • 2829688 - ETPRO MALWARE Kovter Malicious SSL Certificate Detected (malware.rules)
  • 2829923 - ETPRO MALWARE Observed MSIL/XRoS CnC Domain in TLS SNI (malware.rules)
  • 2830245 - ETPRO POLICY Request for CSS File Returning Executable (policy.rules)
  • 2832094 - ETPRO MALWARE Possible More_eggs Connectivity Check (malware.rules)
  • 2833565 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M7 (Bruteforce) (exploit.rules)
  • 2833566 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M8 (Bruteforce) (exploit.rules)
  • 2836766 - ETPRO MALWARE Possible Java/Unk.Backdoor Style IP Address Check (malware.rules)
  • 2850355 - ETPRO POLICY Android Device Connectivity Check (policy.rules)

Disabled and modified rules:

  • 2058120 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (best-net .biz) (exploit_kit.rules)
  • 2058124 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (best-net .biz) (exploit_kit.rules)