Ruleset Update Summary - 2025/01/06 - v10830

rulesbot · January 6, 2025, 10:15pm

Summary:

41 new OPEN, 55 new PRO (41 + 14)

Thanks Kevin, Ross, @RecordedFuture

Added rules:

Open:

2058958 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (traygullibalkerj .click) (malware.rules)
2058959 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (traygullibalkerj .click in TLS SNI) (malware.rules)
2058960 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (netgenius .life) (exploit_kit.rules)
2058961 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (netgenius .life) (exploit_kit.rules)
2058962 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .zone .ebuilderssource .com) (malware.rules)
2058963 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .zone .ebuilderssource .com) (malware.rules)
2058964 - ET MALWARE Telemiris CnC Checkin (malware.rules)
2058965 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (xaides .com) (exploit_kit.rules)
2058966 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (xaides .com) (exploit_kit.rules)
2058967 - ET MALWARE ShadowROOT RAT Malicious SSL Cert Serial Observed M1 (malware.rules)
2058968 - ET MALWARE ShadowROOT RAT Malicious SSL Cert Serial Observed M2 (malware.rules)
2058969 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exchangecumb .click) (malware.rules)
2058970 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exchangecumb .click in TLS SNI) (malware.rules)
2058971 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grubbytellek .click) (malware.rules)
2058972 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grubbytellek .click in TLS SNI) (malware.rules)
2058973 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impossiblekdo .click) (malware.rules)
2058974 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impossiblekdo .click in TLS SNI) (malware.rules)
2058975 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (islandbreadyu .click) (malware.rules)
2058976 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (islandbreadyu .click in TLS SNI) (malware.rules)
2058977 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (infected-gc-rhythm-yu .trycloudflare .com) (malware.rules)
2058978 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (amsterdam-sheet-veteran-aka .trycloudflare .com) (malware.rules)
2058979 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (fartodti .ru) (malware.rules)
2058980 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (longitude-powerpoint-geek-upgrade .trycloudflare .com) (malware.rules)
2058981 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (attribute-homework-generator-lovers .trycloudflare .com) (malware.rules)
2058982 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (cod-identification-imported-carl .trycloudflare .com) (malware.rules)
2058983 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (else-accommodation-allowing-throws .trycloudflare .com) (malware.rules)
2058984 - ET MALWARE GammaDrop CnC Domain in DNS Lookup (benjamin-unnecessary-mothers-configured .trycloudflare .com) (malware.rules)
2058985 - ET MALWARE Observed GammaDrop CnC Domain (infected-gc-rhythm-yu .trycloudflare .com in TLS SNI) (malware.rules)
2058986 - ET MALWARE Observed GammaDrop CnC Domain (amsterdam-sheet-veteran-aka .trycloudflare .com in TLS SNI) (malware.rules)
2058987 - ET MALWARE Observed GammaDrop CnC Domain (fartodti .ru in TLS SNI) (malware.rules)
2058988 - ET MALWARE Observed GammaDrop CnC Domain (longitude-powerpoint-geek-upgrade .trycloudflare .com in TLS SNI) (malware.rules)
2058989 - ET MALWARE Observed GammaDrop CnC Domain (attribute-homework-generator-lovers .trycloudflare .com in TLS SNI) (malware.rules)
2058990 - ET MALWARE Observed GammaDrop CnC Domain (cod-identification-imported-carl .trycloudflare .com in TLS SNI) (malware.rules)
2058991 - ET MALWARE Observed GammaDrop CnC Domain (else-accommodation-allowing-throws .trycloudflare .com in TLS SNI) (malware.rules)
2058992 - ET MALWARE Observed GammaDrop CnC Domain (benjamin-unnecessary-mothers-configured .trycloudflare .com in TLS SNI) (malware.rules)
2058993 - ET MALWARE ShadowROOT RAT Malcisous SSL Cert Subject Observed (GGliberium44) (malware.rules)
2058994 - ET MALWARE GammaLoad CnC Activity (GET) (malware.rules)
2058995 - ET MALWARE ShadowROOT RAT Malicious SSL Certificate Issuer Observed (GGliberium44) (malware.rules)
2058996 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ecrut .com) (exploit_kit.rules)
2058997 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ecrut .com) (exploit_kit.rules)
2058998 - ET MALWARE Sheet RAT CnC Checkin (malware.rules)

Pro:

2859506 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859507 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859508 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859509 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859510 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859511 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859512 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859513 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859514 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859515 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859516 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2859517 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2859518 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2859519 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

2000378 - ET EXPLOIT MS-SQL DOS attempt (08) (exploit.rules)
2000379 - ET EXPLOIT MS-SQL DOS attempt (08) 1 byte (exploit.rules)
2001022 - ET EXPLOIT Invalid non-fragmented packet with fragment offset>0 (exploit.rules)
2001023 - ET EXPLOIT Invalid fragment - ACK reset (exploit.rules)
2001024 - ET EXPLOIT Invalid fragment - illegal flags (exploit.rules)
2002851 - ET FTP HP-UX LIST command without login (ftp.rules)
2002886 - ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt (exploit.rules)
2034200 - ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound (CVE-2020-28188) (exploit.rules)
2034838 - ET SCAN WordPress HelloThinkCMF Scan (scan.rules)
2034961 - ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563) (exploit.rules)
2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
2036877 - ET WEB_CLIENT [TW] WEBDAV UA (web_client.rules)
2038672 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M1 (exploit.rules)
2038782 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-28958) (exploit.rules)
2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)
2851734 - ETPRO ATTACK_RESPONSE PowerShell Uint16 Encoding Obfuscation Inbound (attack_response.rules)

Disabled and modified rules:

2057214 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mercro .com) (exploit_kit.rules)
2057215 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (mercro .com) (exploit_kit.rules)
2057217 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mundiprep .com) (exploit_kit.rules)
2057218 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vinsaca .com) (exploit_kit.rules)
2057219 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (asianchow .com) (exploit_kit.rules)
2057220 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mundiprep .com) (exploit_kit.rules)
2057221 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vinsaca .com) (exploit_kit.rules)
2057222 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (asianchow .com) (exploit_kit.rules)
2057249 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chat2cams .com) (exploit_kit.rules)
2057250 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chat2cams .com) (exploit_kit.rules)
2057251 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (webapiintegration .cloud) (exploit_kit.rules)
2057252 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (webapiintegration .cloud) (exploit_kit.rules)
2057293 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dailyfragrancedeals .com) (exploit_kit.rules)
2057294 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (girlsgifs .com) (exploit_kit.rules)
2057295 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dailyfragrancedeals .com) (exploit_kit.rules)
2057296 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (girlsgifs .com) (exploit_kit.rules)
2057297 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vicrin .com) (exploit_kit.rules)
2057298 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vicrin .com) (exploit_kit.rules)
2057315 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (compugest .com) (exploit_kit.rules)
2057316 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (compugest .com) (exploit_kit.rules)
2058744 - ET INFO Observed Smart Chain Domain in DNS Lookup (bnb .rpc .subquery .network) (info.rules)
2058745 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-dataseed .bnbchain .org) (info.rules)
2058758 - ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-rpc .publicnode .com) (info.rules)
2058775 - ET INFO Observed Smart Chain Domain in DNS Lookup (rpc-bsc .48 .club) (info.rules)
2058793 - ET INFO Observed Smart Chain Domain in TLS SNI (bnb .rpc .subquery .network) (info.rules)
2058794 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-dataseed .bnbchain .org) (info.rules)
2058807 - ET INFO Observed Smart Chain Domain in TLS SNI (bsc-rpc .publicnode .com) (info.rules)
2058824 - ET INFO Observed Smart Chain Domain in TLS SNI (rpc-bsc .48 .club) (info.rules)
2058833 - ET MALWARE Observed CyberHaven Compromised Extension Domain in DNS Lookup (cyberhavenext .pro) (malware.rules)
2058898 - ET MALWARE Observed CyberHaven Compromised Extension in TLS SNI (cyberhavenext .pro) (malware.rules)
2856772 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
2857472 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2857473 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2857474 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2857475 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2858018 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2859393 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859394 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859403 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859404 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859405 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859406 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859407 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859408 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859409 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/05 - v10639 Ruleset Updates	142	July 5, 2024
Ruleset Update Summary - 2024/02/05 - v10524 Ruleset Updates	445	February 5, 2024
Ruleset Update Summary - 2024/07/19 - v10649 Ruleset Updates	154	July 19, 2024
Ruleset Update Summary - 2024/08/26 - v10674 Ruleset Updates	143	August 26, 2024
Ruleset Update Summary - 2024/08/22 - v10672 Ruleset Updates	72	August 22, 2024

Ruleset Update Summary - 2025/01/06 - v10830

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related topics