Ruleset Update Summary - 2024/12/13 - v10805

rulesbot · December 13, 2024, 9:51pm

Summary:

22 new OPEN, 24 new PRO (22 + 2)

Thanks @elasticseclabs

Added rules:

Open:

2058253 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gxgsxy .info) (exploit_kit.rules)
2058254 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nilsenfk .biz) (exploit_kit.rules)
2058255 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (poucette .info) (exploit_kit.rules)
2058256 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gxgsxy .info) (exploit_kit.rules)
2058257 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nilsenfk .biz) (exploit_kit.rules)
2058258 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (poucette .info) (exploit_kit.rules)
2058259 - ET MALWARE SocGholish Domain in DNS Lookup (mentor .omgwowhq .org) (malware.rules)
2058260 - ET MALWARE SocGholish Domain in TLS SNI (mentor .omgwowhq .org) (malware.rules)
2058261 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (streammain .top) (exploit_kit.rules)
2058262 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (streammain .top) (exploit_kit.rules)
2058263 - ET EXPLOIT_KIT Redirect to TOAD Domain in DNS Lookup (ecomicrolab .com) (exploit_kit.rules)
2058264 - ET EXPLOIT_KIT Redirect to TOAD Domain in DNS Lookup (adflowtube .com) (exploit_kit.rules)
2058265 - ET EXPLOIT_KIT Redirect to TOAD Domain in TLS SNI (ecomicrolab .com) (exploit_kit.rules)
2058266 - ET EXPLOIT_KIT Redirect to TOAD Domain in TLS SNI (adflowtube .com) (exploit_kit.rules)
2058267 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (profusetawdy .click) (malware.rules)
2058268 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (profusetawdy .click in TLS SNI) (malware.rules)
2058269 - ET MALWARE PUMAKIT CnC Domain in DNS Lookup (sec .opsecurity1 .art) (malware.rules)
2058270 - ET MALWARE PUMAKIT CnC Domain in DNS Lookup (rhel .opsecurity1 .art) (malware.rules)
2058271 - ET MALWARE Observed PUMAKIT Domain (sec .opsecurity1 .art in TLS SNI) (malware.rules)
2058272 - ET MALWARE Observed PUMAKIT Domain (rhel .opsecurity1 .art in TLS SNI) (malware.rules)
2058273 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (opgears .com) (exploit_kit.rules)
2058274 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (opgears .com) (exploit_kit.rules)

Pro:

2859361 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859362 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

2002133 - ET WEB_SERVER Oracle Reports OS Command Injection Attempt (web_server.rules)
2002158 - ET WEB_SERVER XML-RPC for PHP Remote Code Injection (web_server.rules)
2002362 - ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt (web_server.rules)
2002376 - ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt (web_server.rules)
2002377 - ET WEB_SERVER IBM Lotus Domino Src XSS attempt (web_server.rules)
2002777 - ET WEB_SERVER Light Weight Calendar ‘date’ Arbitrary Remote Code Execution (web_server.rules)
2003086 - ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution (web_server.rules)
2003232 - ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (activex.rules)
2003903 - ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx (web_server.rules)
2003904 - ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail (web_server.rules)
2004556 - ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern (web_server.rules)
2007878 - ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow (activex.rules)
2010517 - ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source) (web_server.rules)
2010519 - ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source) (web_server.rules)
2010521 - ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source) (web_server.rules)
2010524 - ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source) (web_server.rules)
2010526 - ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source) (web_server.rules)
2011124 - ET HUNTING Suspicious FTP 220 Banner on Local Port (spaced) (hunting.rules)
2011173 - ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt (activex.rules)
2011412 - ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt (activex.rules)
2011509 - ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt (activex.rules)
2011526 - ET NETBIOS windows recycler request - suspicious (netbios.rules)
2011527 - ET NETBIOS windows recycler .exe request - suspicious (netbios.rules)
2012145 - ET ACTIVEX Netcraft Toolbar Remote Code Execution (activex.rules)
2012146 - ET ACTIVEX ImageShack Toolbar Remote Code Execution (activex.rules)
2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt (activex.rules)
2012636 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012637 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012638 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012639 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012640 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2013131 - ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit (activex.rules)
2013132 - ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit (activex.rules)
2014476 - ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be (malware.rules)
2014477 - ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info (malware.rules)
2022831 - ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain (malware.rules)
2026680 - ET MALWARE DNS Query for DNSpionage CnC Domain (malware.rules)
2027312 - ET MALWARE AridViper CnC Domain in SNI (malware.rules)
2027602 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
2027603 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
2027604 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
2029931 - ET MALWARE 401TRG SMB Create AndX Request For Emotet Spreader (malware.rules)
2034216 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
2034217 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
2034218 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
2035606 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch (malware.rules)
2035612 - ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox) (web_server.rules)
2035754 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2035755 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2035756 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2039476 - ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup (malware.rules)
2039477 - ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup (malware.rules)
2042174 - ET MALWARE Playful Taurus CnC Domain (proxy .oracleapps .org) (malware.rules)
2049652 - ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .com) (malware.rules)
2049654 - ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .tech) (malware.rules)
2057903 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (copper-replace .sbs) (malware.rules)
2057905 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (looky-marked .sbs) (malware.rules)
2057909 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plastic-mitten .sbs) (malware.rules)
2057911 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (preside-comforter .sbs) (malware.rules)
2057913 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (record-envyp .sbs) (malware.rules)
2057915 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savvy-steereo .sbs) (malware.rules)
2057917 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slam-whipp .sbs) (malware.rules)
2057919 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrench-creter .sbs) (malware.rules)
2057925 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) (malware.rules)
2057927 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) (malware.rules)
2057929 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) (malware.rules)
2057931 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) (malware.rules)
2057935 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) (malware.rules)
2057937 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumdexibuy .shop) (malware.rules)
2057943 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) (malware.rules)
2057945 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) (malware.rules)
2057949 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) (malware.rules)
2101193 - GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt (web_specific_apps.rules)
2800091 - ETPRO RPC MIT Kerberos kadmind RPC Library Uninitialized Pointer Code Execution (rpc.rules)
2800104 - ETPRO IMAP Ipswitch IMail Server IMAP SEARCH Command Date String Stack Overflow (imap.rules)
2800309 - ETPRO ACTIVEX Microsoft Office Web Components DateSource Code Execution 1 (activex.rules)
2800310 - ETPRO ACTIVEX Microsoft Office Web Components DateSource Code Execution 2 (activex.rules)
2800494 - ETPRO NETBIOS Microsoft Windows SMB Negotiate Request Remote Code Execution 1 (netbios.rules)
2800495 - ETPRO NETBIOS Microsoft Windows SMB Negotiate Request Remote Code Execution 2 (netbios.rules)
2800576 - ETPRO WEB_SERVER Apache Struts2 ParametersInterceptor Remote Command Execution 1 (web_server.rules)
2800577 - ETPRO WEB_SERVER Apache Struts2 ParametersInterceptor Remote Command Execution 2 (web_server.rules)
2800582 - ETPRO WEB_SERVER Novell Teaming ajaxUploadImageFile Remote Code Execution (web_server.rules)
2800587 - ETPRO SQL Oracle WebLogic Server Node Manager Command Execution (sql.rules)
2800977 - ETPRO SMTP Exim string_format Remote Code Execution Attempt (smtp.rules)
2800979 - ETPRO SMTP Exim string_format Remote Code Execution (smtp.rules)
2801255 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)
2801256 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)
2801262 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated OOAMS Shutdown (sql.rules)
2801263 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated Lock Server Shutdown (sql.rules)
2801632 - ETPRO SMTP Multiple Products STARTTLS Plaintext Command Injection (smtp.rules)
2801917 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code Execution 2 (activex.rules)
2801918 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code Execution (activex.rules)
2801964 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code Execution 1 (activex.rules)
2801965 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code Execution 2 (activex.rules)
2803051 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SMB-DS Unicode (netbios.rules)
2803052 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SMB-DS ASCII (netbios.rules)
2803054 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SET (netbios.rules)
2803055 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution (netbios.rules)
2803254 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB-DS (netbios.rules)
2803255 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB (netbios.rules)
2803375 - ETPRO WEB_SERVER Microsoft Remote Desktop Web Access ReturnUrl XSS Attempt (web_server.rules)
2803847 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt (web_server.rules)
2803848 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt 2 (web_server.rules)
2803849 - ETPRO WEB_SERVER Microsoft Forefront Unified Access Gateway XSS Attempt 3 (web_server.rules)
2804076 - ETPRO SCADA Siemens Automation License Manager Service *_licensekey serialid code execution (scada.rules)
2804102 - ETPRO ACTIVEX HP Protect Tools Device Access Manager for Windows arbitrary code execution (activex.rules)
2805187 - ETPRO MALWARE Rovnix bootkit DNS Query CnC Domain (rtttt-windows .com) (malware.rules)
2805488 - ETPRO MALWARE Ysreef DNS query to CnC Domain (atmportal .net .ru) (malware.rules)
2805489 - ETPRO MALWARE Ysreef DNS query to CnC Domain (my-files-download .ru) (malware.rules)
2821054 - ETPRO MALWARE Possible Gootkit CnC Domain in SNI (malware.rules)
2821055 - ETPRO MALWARE Possible Gootkit CnC Domain in SNI (malware.rules)
2821056 - ETPRO MALWARE Possible Gootkit CnC Domain in SNI (malware.rules)
2821057 - ETPRO MALWARE Possible Gootkit CnC Domain in SNI (malware.rules)
2821527 - ETPRO MALWARE Pony CnC Domain in SSL Client Hello SNI (malware.rules)
2821528 - ETPRO MALWARE Pony CnC Domain in SSL Client Hello SNI (malware.rules)
2821529 - ETPRO MALWARE Pony CnC Domain in SSL Client Hello SNI (malware.rules)
2821530 - ETPRO MALWARE Pony CnC Domain in SSL Client Hello SNI (malware.rules)
2821531 - ETPRO MALWARE Pony CnC Domain in SSL Client Hello SNI (malware.rules)
2828568 - ETPRO MALWARE ZeusPanda CnC Domain (henfobuthis .com) in DNS Lookup (malware.rules)
2828570 - ETPRO MALWARE ZeusPanda CnC Domain (rowrorofrat .com) in DNS Lookup (malware.rules)
2828572 - ETPRO MALWARE ZeusPanda CnC Domain (mysitothar .ru) in DNS Lookup (malware.rules)
2828576 - ETPRO MALWARE ZeusPanda CnC Domain (linghogolac .ru) in DNS Lookup (malware.rules)
2833888 - ETPRO MALWARE FIN7 GRIFFON CnC Domain in DNS Lookup (malware.rules)
2834218 - ETPRO MALWARE SSL/TLS Certificate Observed (DarkHydrus) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/11/25 - v10750 Ruleset Updates	53	November 25, 2024
Ruleset Update Summary - 2024/12/18 - v10810 Ruleset Updates	51	December 18, 2024
Ruleset Update Summary - 2024/02/19 - v10535 Ruleset Updates	494	February 19, 2024
Ruleset Update Summary - 2024/07/05 - v10639 Ruleset Updates	141	July 5, 2024
Ruleset Update Summary - 2024/12/10 - v10795 Ruleset Updates	73	December 10, 2024

Ruleset Update Summary - 2024/12/13 - v10805

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics