Ruleset Update Summary - 2024/12/17 - v10809

Summary:

42 new OPEN, 46 new PRO (42 + 4)

Added rules:

Open:

  • 2058341 - ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M2 (CVE-2024-53677) (web_specific_apps.rules)
  • 2058342 - ET INFO Suspicious Batch Script - Allow Inbound RDP Rule Set in Windows Firewall (info.rules)
  • 2058343 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (selmanc .com) (exploit_kit.rules)
  • 2058344 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (selmanc .com) (exploit_kit.rules)
  • 2058345 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (saaadnesss .shop) (exploit_kit.rules)
  • 2058346 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (saaadnesss .shop) (exploit_kit.rules)
  • 2058347 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi cvmcfgupload Command Injection Attempt (CVE-2020-15415) (web_specific_apps.rules)
  • 2058348 - ET INFO DYNAMIC_DNS Query to a *.familyjam .es domain (info.rules)
  • 2058349 - ET INFO DYNAMIC_DNS HTTP Request to a *.familyjam .es domain (info.rules)
  • 2058350 - ET INFO DYNAMIC_DNS Query to a *.cloudn9ne .org domain (info.rules)
  • 2058351 - ET INFO DYNAMIC_DNS HTTP Request to a *.cloudn9ne .org domain (info.rules)
  • 2058352 - ET MALWARE Win32/SocGholish Domain in DNS Lookup (clients .dedicatedservicesusa .com) (malware.rules)
  • 2058353 - ET MALWARE Win32/SocGholish Domain in TLS SNI (clients .dedicatedservicesusa .com) (malware.rules)
  • 2058354 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) (malware.rules)
  • 2058355 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aspecteirs .lat in TLS SNI) (malware.rules)
  • 2058356 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownyctuwh .click) (malware.rules)
  • 2058357 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brownyctuwh .click in TLS SNI) (malware.rules)
  • 2058358 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) (malware.rules)
  • 2058359 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crosshuaht .lat in TLS SNI) (malware.rules)
  • 2058360 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) (malware.rules)
  • 2058361 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) (malware.rules)
  • 2058362 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) (malware.rules)
  • 2058363 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (energyaffai .lat in TLS SNI) (malware.rules)
  • 2058364 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) (malware.rules)
  • 2058365 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) (malware.rules)
  • 2058366 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (happyjourney .shop) (malware.rules)
  • 2058367 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (happyjourney .shop in TLS SNI) (malware.rules)
  • 2058368 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inculcate-melt .cyou) (malware.rules)
  • 2058369 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inculcate-melt .cyou in TLS SNI) (malware.rules)
  • 2058370 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) (malware.rules)
  • 2058371 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacebudi .lat in TLS SNI) (malware.rules)
  • 2058372 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (passworoggre .click) (malware.rules)
  • 2058373 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (passworoggre .click in TLS SNI) (malware.rules)
  • 2058374 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) (malware.rules)
  • 2058375 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) (malware.rules)
  • 2058376 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) (malware.rules)
  • 2058377 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sustainskelet .lat in TLS SNI) (malware.rules)
  • 2058378 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) (malware.rules)
  • 2058379 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sweepyribs .lat in TLS SNI) (malware.rules)
  • 2058380 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi trustcaupload Command Injection Attempt (CVE-2023-1162) (web_specific_apps.rules)
  • 2058381 - ET MALWARE Generic Powershell Loader Using Encryption Routine Inbound (malware.rules)
  • 2058382 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi commandTable parameter Command Injection Attempt (CVE-2023-24229) (web_specific_apps.rules)

Pro:

  • 2859374 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859375 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859376 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859377 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) (malware.rules)

Modified inactive rules:

  • 2034088 - ET MALWARE ELF/MachO.Netwire Connectivity Check (malware.rules)
  • 2858887 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2050453 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (sync .webappclick .net) (exploit_kit.rules)
  • 2050462 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (sync .webappclick .net) (exploit_kit.rules)
  • 2051132 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (egisela .com) (exploit_kit.rules)
  • 2051133 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (egisela .com) (exploit_kit.rules)
  • 2051493 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (apicachebot .com) (exploit_kit.rules)
  • 2051494 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (apicachebot .com) (exploit_kit.rules)
  • 2051616 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (asyncawaitapi .com) (exploit_kit.rules)
  • 2051617 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (asyncawaitapi .com) (exploit_kit.rules)
  • 2051634 - ET MALWARE SocGholish Domain in DNS Lookup (welcome .visionaryyouth .org) (malware.rules)
  • 2051635 - ET MALWARE SocGholish Domain in TLS SNI (welcome .visionaryyouth .org) (malware.rules)
  • 2051684 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (apifunctioncall .com) (exploit_kit.rules)
  • 2051685 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (apifunctioncall .com) (exploit_kit.rules)
  • 2051759 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (nowordshere .org) (exploit_kit.rules)
  • 2051760 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (nowordshere .org) (exploit_kit.rules)
  • 2051771 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (testdomen .xyz) (exploit_kit.rules)
  • 2051796 - ET MALWARE SocGholish Domain in DNS Lookup (camps .topgunnbaseball .com) (malware.rules)
  • 2051797 - ET MALWARE SocGholish Domain in TLS SNI (camps .topgunnbaseball .com) (malware.rules)
  • 2052753 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (public .clickstat360 .com) (exploit_kit.rules)
  • 2052754 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (public .clickstat360 .com) (exploit_kit.rules)
  • 2053018 - ET MALWARE SocGholish Domain in DNS Lookup (scada .paradizeconstruction .com) (malware.rules)
  • 2053019 - ET MALWARE SocGholish Domain in TLS SNI (scada .paradizeconstruction .com) (malware.rules)
  • 2055207 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (informupdate .uno) (exploit_kit.rules)
  • 2055208 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (informupdate .uno) (exploit_kit.rules)
  • 2055240 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (brickedpack .com) (exploit_kit.rules)
  • 2055241 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (losttwister .com) (exploit_kit.rules)
  • 2055242 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (brickedpack .com) (exploit_kit.rules)
  • 2055243 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (losttwister .com) (exploit_kit.rules)
  • 2056647 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rooms .fierceatfifty .com) (malware.rules)
  • 2056648 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .rooms .fierceatfifty .com) (malware.rules)
  • 2056681 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (y553488469 .top) (exploit_kit.rules)
  • 2056682 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bailingla .com) (exploit_kit.rules)
  • 2056683 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (y553488469 .top) (exploit_kit.rules)
  • 2056684 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bailingla .com) (exploit_kit.rules)
  • 2056718 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (milan77burn .top) (exploit_kit.rules)
  • 2056719 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (raptwinter .shop) (exploit_kit.rules)
  • 2056720 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (10086623 .top) (exploit_kit.rules)
  • 2056721 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tqshoes .shop) (exploit_kit.rules)
  • 2056722 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (milan77burn .top) (exploit_kit.rules)
  • 2056723 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (raptwinter .shop) (exploit_kit.rules)
  • 2056724 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (10086623 .top) (exploit_kit.rules)
  • 2056725 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tqshoes .shop) (exploit_kit.rules)
  • 2058312 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (poucette .info) (exploit_kit.rules)
  • 2058316 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (poucette .info) (exploit_kit.rules)
  • 2859248 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859249 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859250 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859253 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859254 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859255 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)