Summary:
33 new OPEN, 101 new PRO (33 + 68)
Added rules:
Open:
- 2058130 - ET MALWARE Supershell CnC Activity (malware.rules)
- 2058131 - ET MALWARE Supershell C2 Login Page (malware.rules)
- 2058132 - ET INFO DYNAMIC_DNS Query to a *.shirokuriwaki .com domain (info.rules)
- 2058133 - ET INFO DYNAMIC_DNS HTTP Request to a *.shirokuriwaki .com domain (info.rules)
- 2058134 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (corkpennywj .click) (malware.rules)
- 2058135 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (corkpennywj .click in TLS SNI) (malware.rules)
- 2058136 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumkecuq .shop) (malware.rules)
- 2058137 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumkecuq .shop in TLS SNI) (malware.rules)
- 2058138 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .travelguide-techtrends .com) (malware.rules)
- 2058139 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) (malware.rules)
- 2058140 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumzacynuy .shop) (malware.rules)
- 2058141 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumzacynuy .shop in TLS SNI) (malware.rules)
- 2058142 - ET MALWARE Ailurophile Stealer CnC Domain in DNS Lookup (ailurophilestealer .com) (malware.rules)
- 2058143 - ET MALWARE Observed Ailurophile Stealer Domain (ailurophilestealer .com) in TLS SNI (malware.rules)
- 2058144 - ET MALWARE RevC2 Domain in DNS Lookup (gdrive .rest) (malware.rules)
- 2058145 - ET MALWARE Retdoor CnC Checkin (malware.rules)
- 2058146 - ET MALWARE RevC2 Domain in DNS Lookup (nopsec .org) (malware.rules)
- 2058147 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (groundrats .org) (exploit_kit.rules)
- 2058148 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (groundrats .org) (exploit_kit.rules)
- 2058149 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (iognews .com) (exploit_kit.rules)
- 2058150 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (habfan .com) (exploit_kit.rules)
- 2058151 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (iognews .com) (exploit_kit.rules)
- 2058152 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (habfan .com) (exploit_kit.rules)
- 2058153 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .material .amstillroofing .com) (malware.rules)
- 2058154 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .material .amstillroofing .com) (malware.rules)
- 2058155 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jitcom .info) (exploit_kit.rules)
- 2058156 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jitcom .info) (exploit_kit.rules)
- 2058157 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (classify-shed .biz) (malware.rules)
- 2058158 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (classify-shed .biz in TLS SNI) (malware.rules)
- 2058159 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fightlsoser .click) (malware.rules)
- 2058160 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fightlsoser .click in TLS SNI) (malware.rules)
- 2058161 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toqyxuy .shop) (malware.rules)
- 2058162 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toqyxuy .shop in TLS SNI) (malware.rules)
Pro:
- 2859272 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859275 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859276 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859277 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859278 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859279 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859281 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859283 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859284 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859285 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2859286 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2859287 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2859288 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2859289 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859290 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2859291 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859292 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2859293 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859294 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859295 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2859296 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859297 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859299 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859300 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859301 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2859302 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2859303 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2859304 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2859305 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859306 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2859307 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859308 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2859309 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859310 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859311 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2859312 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859313 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859315 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859316 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859317 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859318 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859319 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859320 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859321 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2859322 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859323 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859324 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859325 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859326 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859327 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859328 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859329 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859330 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859331 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859332 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859333 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859334 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859335 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859336 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2859337 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
- 2859338 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
- 2859339 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
Modified inactive rules:
- 2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
- 2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)
- 2025411 - ET INFO Secondary Flash Request Seen (no alert) (info.rules)
- 2025428 - ET INFO Possible Sandvine PacketLogic Injection (info.rules)
- 2025986 - ET INFO MP3 with ID3 in HTTP Flowbit Set (info.rules)
- 2026038 - ET PHISHING Successful Generic Phish (set) 2018-08-27 (phishing.rules)
- 2026465 - ET PHISHING Successful Generic Phish (set) 2018-10-10 (phishing.rules)
- 2026774 - ET INFO DNS Over TLS Request Outbound (info.rules)
- 2028879 - ET HUNTING Observed Suspicious UA (Windows) (hunting.rules)
- 2829200 - ETPRO PHISHING Possible Successful Cyberplus (FR) Phish M1 2018-01-08 (phishing.rules)
- 2829286 - ETPRO RETIRED APT28 DNS Lookup (retired.rules)
- 2829688 - ETPRO MALWARE Kovter Malicious SSL Certificate Detected (malware.rules)
- 2829923 - ETPRO MALWARE Observed MSIL/XRoS CnC Domain in TLS SNI (malware.rules)
- 2830245 - ETPRO POLICY Request for CSS File Returning Executable (policy.rules)
- 2832094 - ETPRO MALWARE Possible More_eggs Connectivity Check (malware.rules)
- 2833565 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M7 (Bruteforce) (exploit.rules)
- 2833566 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M8 (Bruteforce) (exploit.rules)
- 2836766 - ETPRO MALWARE Possible Java/Unk.Backdoor Style IP Address Check (malware.rules)
- 2850355 - ETPRO POLICY Android Device Connectivity Check (policy.rules)
Disabled and modified rules:
- 2058120 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (best-net .biz) (exploit_kit.rules)
- 2058124 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (best-net .biz) (exploit_kit.rules)