Summary:
17 new OPEN, 20 new PRO (17 + 3)
Added rules:
Open:
- 2058176 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (youngsweays .my) (malware.rules)
- 2058177 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (youngsweays .my in TLS SNI) (malware.rules)
- 2058178 - ET MALWARE PeakLight/Emmenhtal Loader Payload Delivery Template Observed (malware.rules)
- 2058179 - ET MALWARE PeakLight/Emmenhtal Loader Payload Delivery WebPage Observed (malware.rules)
- 2058180 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Loader Domain (maybelsrka .my) (malware.rules)
- 2058181 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Loader Domain (dbasopma .biz) (malware.rules)
- 2058182 - ET MALWARE Observed DNS Query to PeakLight/Emmenhtal Loader Domain (carldi .org) (malware.rules)
- 2058183 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (homeservicephiladelphia .info) (exploit_kit.rules)
- 2058184 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (maybelsrka .my in TLS SNI) (malware.rules)
- 2058185 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (dbasopma .biz in TLS SNI) (malware.rules)
- 2058186 - ET MALWARE Observed PeakLight/Emmenhtal Loader Domain (carldi .org in TLS SNI) (malware.rules)
- 2058187 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (homeservicephiladelphia .info) (exploit_kit.rules)
- 2058188 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (enerjjoy .com) (exploit_kit.rules)
- 2058189 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (enerjjoy .com) (exploit_kit.rules)
- 2058190 - ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-50623) (web_specific_apps.rules)
- 2058191 - ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Read (CVE-2024-50623) (web_specific_apps.rules)
- 2058192 - ET MALWARE TA397/Bitter Requesting Next Stage Payload (malware.rules)
Pro:
- 2859357 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859358 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859359 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Modified inactive rules:
- 2020195 - ET POLICY exploitpack.com tool checkin (policy.rules)
- 2020205 - ET MALWARE Possible Mailer Dropped by Dyre SSL Cert (malware.rules)
- 2020243 - ET MALWARE Scieron Possible SSL Cert (malware.rules)
- 2020288 - ET MALWARE Possible Dyre SSL Cert Jan 22 2015 (malware.rules)
- 2020289 - ET MALWARE Possible Dyre SSL Cert Jan 22 2015 (malware.rules)
- 2020291 - ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015 (exploit_kit.rules)
- 2020292 - ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains (malware.rules)
- 2020328 - ET MALWARE Possible Dridex Campaign Download Jan 28 2015 (malware.rules)
- 2020329 - ET MALWARE Unknown Mailer CnC Beacon 2 (malware.rules)
- 2020330 - ET MALWARE Unknown Mailer CnC Beacon (malware.rules)
- 2020477 - ET EXPLOIT_KIT KaiXin EK Possible Jar Download (exploit_kit.rules)
- 2020478 - ET EXPLOIT_KIT KaiXin EK Possible Jar Download (exploit_kit.rules)
- 2020492 - ET MALWARE SuperFish Possible SSL Cert CnC Traffic (malware.rules)
- 2020493 - ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA (malware.rules)
- 2020501 - ET EXPLOIT_KIT DRIVEBY Unknown EK Landing (exploit_kit.rules)
- 2020624 - ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org (malware.rules)
- 2020643 - ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015 (exploit_kit.rules)
- 2020731 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data) (web_specific_apps.rules)
- 2020732 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data) (web_specific_apps.rules)
- 2020733 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie) (web_specific_apps.rules)
- 2020846 - ET MALWARE Possible Upatre DNS Query (jamco .com .pk) (malware.rules)
- 2020866 - ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com (malware.rules)
- 2020888 - ET INFO invalid.cab domain in SNI (info.rules)
- 2020901 - ET MALWARE Possible APT30 Fake Mozilla UA (malware.rules)
- 2020943 - ET MALWARE Possible Dridex downloader SSL Certificate (malware.rules)
- 2020960 - ET MALWARE Possible Graftor Downloading Dridex (malware.rules)
- 2020966 - ET MALWARE CozyDuke APT Possible SSL Cert 1 (malware.rules)
- 2020986 - ET MALWARE Possible Dridex Downloader SSL Certificate (malware.rules)
- 2020988 - ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015 (exploit_kit.rules)
- 2020989 - ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015 (exploit_kit.rules)
- 2020992 - ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015 (exploit_kit.rules)
- 2021216 - ET INFO Executable Downloaded from Google Cloud Storage (info.rules)
- 2021586 - ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015 (malware.rules)
- 2021621 - ET MALWARE Possible Dridex SSL Cert Aug 12 2015 (malware.rules)
- 2021714 - ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org) (malware.rules)
- 2021735 - ET MALWARE Possible Dyre SSL Cert Aug 31 2015 (malware.rules)
- 2021736 - ET MALWARE Possible Dyre SSL Cert Aug 31 2015 (malware.rules)
- 2021743 - ET MALWARE Possible Dyre SSL Cert Sept 2 2015 (malware.rules)
- 2021749 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015 (malware.rules)
- 2021773 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015 (malware.rules)
- 2021787 - ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015 (exploit_kit.rules)
- 2021946 - ET MALWARE Possible Dridex SSL Cert Oct 12 2015 (malware.rules)
- 2021948 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015 (malware.rules)
- 2022055 - ET INFO PK/Compressed doc/JAR header (info.rules)
- 2022090 - ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct (exploit_kit.rules)
- 2022112 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 (exploit_kit.rules)
- 2022134 - ET WEB_CLIENT Possible eDellRoot Rogue Root CA (web_client.rules)
- 2022187 - ET PHISHING Generic Phishing Landing Uri Nov 25 2015 (phishing.rules)
- 2022193 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015 (exploit_kit.rules)
- 2022218 - ET POLICY Lets Encrypt Free SSL Cert Observed (policy.rules)
- 2022253 - ET MALWARE Possible Gootkit CnC SSL Cert M1 (malware.rules)
- 2022254 - ET MALWARE Possible Gootkit CnC SSL Cert M2 (malware.rules)
- 2022255 - ET MALWARE Possible Gootkit CnC SSL Cert M3 (malware.rules)
- 2022256 - ET MALWARE Possible Gootkit CnC SSL Cert M4 (malware.rules)
- 2022257 - ET MALWARE Possible Gootkit CnC SSL Cert M5 (malware.rules)
- 2022258 - ET MALWARE Possible Gootkit CnC SSL Cert M6 (malware.rules)
- 2022259 - ET MALWARE Possible Gootkit CnC SSL Cert M7 (malware.rules)
- 2022292 - ET MALWARE Possible Gootkit CnC SSL Cert M8 (malware.rules)
- 2809606 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 1 (malware.rules)
- 2809607 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 2 (malware.rules)
- 2809608 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 3 (malware.rules)
- 2809666 - ETPRO WEB_CLIENT Possible IE Same Origin Bypass Attempt CVE-2015-0072 (web_client.rules)
- 2809667 - ETPRO WEB_CLIENT Possible IE Same Origin Bypass Attempt CVE-2015-0072 (web_client.rules)
- 2809761 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
- 2809795 - ETPRO EXPLOIT_KIT Possible Magnitude exploit payload contype check Feb 12 2015 (exploit_kit.rules)
- 2809826 - ETPRO MALWARE Generic Downloader Requesting PE (malware.rules)
- 2809847 - ETPRO MALWARE Generic KeyLogger SMTP CnC Beacon (malware.rules)
- 2809855 - ETPRO MALWARE Backdoor.Win32.Androm.ghhv Possible SSL Cert (malware.rules)
- 2810000 - ETPRO MALWARE Possible NanoCore RAT Downloading libraries (malware.rules)
- 2810409 - ETPRO POLICY ge.tt file download (policy.rules)
- 2810601 - ETPRO MALWARE Unknown Banker .dat file download 1 (malware.rules)
- 2810602 - ETPRO MALWARE Unknown Banker .dat file download 2 (malware.rules)
- 2810603 - ETPRO MALWARE Unknown Banker Checkin (malware.rules)
- 2810701 - ETPRO MALWARE Likely Win32/Obvod.H DNS Lookup (malware.rules)
- 2810749 - ETPRO MALWARE Win32/Cromptui.C Possible SSL Cert (malware.rules)
- 2810751 - ETPRO MALWARE Possible Dridex downloader SSL Certificate (malware.rules)
- 2810953 - ETPRO ADWARE_PUP Unknown Malware Checkin (adware_pup.rules)
- 2811050 - ETPRO MALWARE Likely Dridex Generic SSL Cert (malware.rules)
- 2811051 - ETPRO MALWARE KINS Possible SSL Cert (malware.rules)
- 2811536 - ETPRO ADWARE_PUP Possible PUP Win32/ExpressDownloader.E SSL Cert (adware_pup.rules)
- 2811604 - ETPRO EXPLOIT_KIT Likely Evil JS ECS Shop With Various Crypto Primatives In Page (Observed in Unknown EK) (exploit_kit.rules)
- 2811690 - ETPRO ADWARE_PUP Unknown Checkin (adware_pup.rules)
- 2811861 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing Jul 08 2015 M1 (exploit_kit.rules)
- 2811862 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing Jul 08 2015 M2 (exploit_kit.rules)
- 2811863 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing Jul 08 2015 M2 (exploit_kit.rules)
- 2811867 - ETPRO MALWARE Win32/Unknown Checkin (malware.rules)
- 2812051 - ETPRO MALWARE Possible Forucon Downloader SSL Certificate (malware.rules)
- 2812255 - ETPRO MALWARE Win32/Frethog.BP Possible SSL Cert (malware.rules)
- 2812256 - ETPRO MALWARE Win32/Caphaw.D Possible SSL Cert (malware.rules)
- 2812272 - ETPRO MALWARE KINS Possible SSL Cert (malware.rules)
- 2812350 - ETPRO PHISHING Possible Successful Linkedin Phish Aug 11 (phishing.rules)
- 2812549 - ETPRO MALWARE Possible Backdoor.Telnneru SSL Cert (malware.rules)
- 2812813 - ETPRO MALWARE Backdoor.Telnneru Possible HTTP CnC Beacon 2 (malware.rules)
- 2812862 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
- 2812965 - ETPRO MALWARE Malicious SSL Certificate detected (Variant.Barys) (malware.rules)
- 2813016 - ETPRO PHISHING Generic Unlock PDF Phish Landing Sept 14 (phishing.rules)
- 2813091 - ETPRO MALWARE Unknown .NET Credstealer (malware.rules)
- 2814026 - ETPRO MALWARE Unknown Powershell Backdoor SSL Cert Sept 21 2015 (malware.rules)
- 2814125 - ETPRO PHISHING Possible Phishing Landing Sept 28 (phishing.rules)
- 2814128 - ETPRO POLICY External IP Address Check - speed-tester.info (policy.rules)
- 2814131 - ETPRO MALWARE W32/Unknown.JP Checkin (malware.rules)
- 2814166 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M1 (exploit_kit.rules)
- 2814303 - ETPRO EXPLOIT_KIT Possible Magnitude EK SilverLight Exploit Oct 08 2015 (exploit_kit.rules)
- 2814480 - ETPRO EXPLOIT_KIT Generic Mix Alpha-Numeric Encoded HTML Entity in Object (Observed in SunDown/Xer EK) (exploit_kit.rules)
- 2814512 - ETPRO MALWARE Unknown Banker Checkin 2 (malware.rules)
- 2814513 - ETPRO MALWARE Possible Send-Safe-based Spambot SSL Cert (malware.rules)
- 2814701 - ETPRO MALWARE Possible Upatre SSL Cert (malware.rules)
- 2814752 - ETPRO MALWARE Malicious SSL certificate detected (Possible AU Bank Fraud) (malware.rules)
- 2814766 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M3 (exploit_kit.rules)
- 2814767 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M4 (exploit_kit.rules)
- 2814840 - ETPRO WEB_CLIENT Possible MS Edge ASLR Bypass (CVE-2015-6088) (web_client.rules)
- 2814880 - ETPRO MALWARE W32.Unknown RAT/Keylogger/CoinMiner Checkin (malware.rules)
- 2814948 - ETPRO EXPLOIT_KIT Possible EK Redir SSL Cert (exploit_kit.rules)
- 2814961 - ETPRO MALWARE Possible Dyre SSL Cert Nov 17 2015 (malware.rules)
- 2815043 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
- 2815133 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit Nov 30 2015 IE (exploit_kit.rules)
- 2815138 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload Nov 30 2015 (fb set) (exploit_kit.rules)
- 2815139 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload Nov 30 2015 (exploit_kit.rules)
- 2815179 - ETPRO MALWARE Possible EK Redirector SSL Cert (malware.rules)
- 2815214 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload Dec 06 2015 (exploit_kit.rules)
- 2815216 - ETPRO MALWARE Unknown CnC Checkin (malware.rules)
- 2815220 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit Dec 03 2015 (exploit_kit.rules)
- 2815225 - ETPRO MALWARE Generic VBScript HeapSpray Construct (malware.rules)
- 2815291 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
- 2815315 - ETPRO MALWARE Gootkit Malicious SSL Cert Dec 10 (malware.rules)
- 2815320 - ETPRO MALWARE Evil SSL Cert Used By Unknown Trojan Dec 10 2015 (malware.rules)
- 2815338 - ETPRO MALWARE Unknown CnC Checkin (malware.rules)
- 2815456 - ETPRO MALWARE Possible BBSRAT SSL Certificate Detected (malware.rules)
- 2815457 - ETPRO MALWARE Possible BBSRAT SSL Certificate Detected (malware.rules)
- 2815504 - ETPRO MALWARE Possible EK Redirector SSL Cert (malware.rules)
- 2815505 - ETPRO MALWARE Possible EK Redirector SSL Cert (malware.rules)
- 2815506 - ETPRO MALWARE Possible EK Redirector SSL Cert (malware.rules)
- 2815507 - ETPRO MALWARE Possible EK Redirector SSL Cert (malware.rules)
- 2815534 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload Dec 30 2015 M2 (fb set) (exploit_kit.rules)
Disabled and modified rules:
- 2037211 - ET PHISHING Malicious SSL Certificate detected (Alibaba Phishing) (phishing.rules)
- 2050697 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (trust .resourcehost .net) (exploit_kit.rules)
- 2050698 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (trust .resourcehost .net) (exploit_kit.rules)
- 2056527 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (souguru .com) (exploit_kit.rules)
- 2056528 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (robotprintmoney .com) (exploit_kit.rules)
- 2056529 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tratoragricola .com) (exploit_kit.rules)
- 2056532 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (souguru .com) (exploit_kit.rules)
- 2056533 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (robotprintmoney .com) (exploit_kit.rules)
- 2056534 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tratoragricola .com) (exploit_kit.rules)
- 2056535 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (pushcg .com) (exploit_kit.rules)
- 2056536 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (pushcg .com) (exploit_kit.rules)
- 2056548 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ggoryo .com) (exploit_kit.rules)
- 2056549 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ggoryo .com) (exploit_kit.rules)
- 2056576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (unsbrtng .cfd) (exploit_kit.rules)
- 2056577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (unsbrtng .cfd) (exploit_kit.rules)
- 2056638 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (megaarmshop .com) (exploit_kit.rules)
- 2056639 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (megaarmshop .com) (exploit_kit.rules)
- 2855246 - ETPRO EXPLOIT_KIT RogueRaticate Inject M1 (exploit_kit.rules)
- 2855247 - ETPRO EXPLOIT_KIT RogueRaticate Inject M2 (exploit_kit.rules)
- 2859125 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859126 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859127 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859129 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859134 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859135 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859136 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859141 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859199 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859200 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859201 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859272 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)