Summary:
50 new OPEN, 67 new PRO (50 + 17)
Added rules:
Open:
- 2059029 - ET WEB_SPECIFIC_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875) (web_specific_apps.rules)
- 2059030 - ET WEB_SPECIFIC_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875) (web_specific_apps.rules)
- 2059031 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ddrmovies .fun) (exploit_kit.rules)
- 2059032 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ddrmovies .fun) (exploit_kit.rules)
- 2059033 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (raysre .com) (exploit_kit.rules)
- 2059034 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (raysre .com) (exploit_kit.rules)
- 2059035 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) (malware.rules)
- 2059036 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (apporholis .shop in TLS SNI) (malware.rules)
- 2059037 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) (malware.rules)
- 2059038 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (chipdonkeruz .shop in TLS SNI) (malware.rules)
- 2059039 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) (malware.rules)
- 2059040 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crowdwarek .shop in TLS SNI) (malware.rules)
- 2059041 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) (malware.rules)
- 2059042 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (femalsabler .shop in TLS SNI) (malware.rules)
- 2059043 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) (malware.rules)
- 2059044 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (handscreamny .shop in TLS SNI) (malware.rules)
- 2059045 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lastlossunbag .click) (malware.rules)
- 2059046 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lastlossunbag .click in TLS SNI) (malware.rules)
- 2059047 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (parkywatter .cfd) (malware.rules)
- 2059048 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (parkywatter .cfd in TLS SNI) (malware.rules)
- 2059049 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) (malware.rules)
- 2059050 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (robinsharez .shop in TLS SNI) (malware.rules)
- 2059051 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) (malware.rules)
- 2059052 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soundtappysk .shop in TLS SNI) (malware.rules)
- 2059053 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tawdrydadysz .icu) (malware.rules)
- 2059054 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tawdrydadysz .icu in TLS SNI) (malware.rules)
- 2059055 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (twistforcepo .cfd) (malware.rules)
- 2059056 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (twistforcepo .cfd in TLS SNI) (malware.rules)
- 2059057 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) (malware.rules)
- 2059058 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (versersleep .shop in TLS SNI) (malware.rules)
- 2059059 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yokesandusj .sbs) (malware.rules)
- 2059060 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yokesandusj .sbs in TLS SNI) (malware.rules)
- 2059061 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (fetchdataajax .com) (exploit_kit.rules)
- 2059062 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (apistateupdater .com) (exploit_kit.rules)
- 2059063 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (hearforpower .org) (exploit_kit.rules)
- 2059064 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (goneflower .org) (exploit_kit.rules)
- 2059065 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (apivuecomponent .com) (exploit_kit.rules)
- 2059066 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (smthwentwrong .com) (exploit_kit.rules)
- 2059067 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (digdonger .org) (exploit_kit.rules)
- 2059068 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (modernkeys .org) (exploit_kit.rules)
- 2059069 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (blessedwirrow .org) (exploit_kit.rules)
- 2059070 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (fetchdataajax .com) (exploit_kit.rules)
- 2059071 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (apistateupdater .com) (exploit_kit.rules)
- 2059072 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (hearforpower .org) (exploit_kit.rules)
- 2059073 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (goneflower .org) (exploit_kit.rules)
- 2059074 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (apivuecomponent .com) (exploit_kit.rules)
- 2059075 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (smthwentwrong .com) (exploit_kit.rules)
- 2059076 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (digdonger .org) (exploit_kit.rules)
- 2059077 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (modernkeys .org) (exploit_kit.rules)
- 2059078 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (blessedwirrow .org) (exploit_kit.rules)
Pro:
- 2859541 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859542 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859543 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859544 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859545 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (zoloft-indianapolis-riders-convinced .trycloudflare .com) (malware.rules)
- 2859546 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (bidder-horizontal-wildlife-invoice .trycloudflare .com) (malware.rules)
- 2859547 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (name-kw-papua-booking .trycloudflare .com) (malware.rules)
- 2859548 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (bristol-weed-martin-know .trycloudflare .com) (malware.rules)
- 2859549 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (musicians-forestry-operation-angels .trycloudflare .com) (malware.rules)
- 2859550 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (peter-secrets-diana-yukon .trycloudflare .com) (malware.rules)
- 2859551 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (zoloft-indianapolis-riders-convinced .trycloudflare .com) (malware.rules)
- 2859552 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (bidder-horizontal-wildlife-invoice .trycloudflare .com) (malware.rules)
- 2859553 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (name-kw-papua-booking .trycloudflare .com) (malware.rules)
- 2859554 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (bristol-weed-martin-know .trycloudflare .com) (malware.rules)
- 2859555 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (musicians-forestry-operation-angels .trycloudflare .com) (malware.rules)
- 2859556 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (peter-secrets-diana-yukon .trycloudflare .com) (malware.rules)
- 2859557 - ETPRO PHISHING Generic Phish Landing Page 2024-01-08 (phishing.rules)
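The two Kerio Control rules above (2059029/2059030) look for CR/LF sequences smuggled into a redirect parameter, which is what lets a client-controlled value terminate a response header and start a new one. As an added example (not Emerging Threats or Kerio code), the block below shows both sides of that: a detection check that decodes the `dest` parameter, including double-encoded `%250d%250a`, and flags any CR or LF, and the server-side handling that makes such input harmless. The `/login` path, the request lines and the injected headers are constructed for the demo and are not taken from the advisory.

```python
"""Spot CRLF injection attempts in a redirect parameter and show the server-side
handling that neutralises them.  Added example, not ET or Kerio code; the
/login path, request lines and injected headers are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /login?dest=/dashboard HTTP/1.1",                                    # benign
    "GET /login?dest=/%0d%0aSet-Cookie:%20session=attacker HTTP/1.1",         # CRLF, single-encoded
    "GET /login?dest=/%250D%250ALocation:%20https://evil.example/ HTTP/1.1",  # CRLF, double-encoded
    "GET /login?dest=/%0aX-Injected:%201 HTTP/1.1",                           # bare LF is enough for many parsers
    "GET /login?dest=https://evil.example/ HTTP/1.1",                         # open redirect, but no CRLF
]

CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other C0 control


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %250d%250a (double-encoded) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def crlf_in_param(request_line: str, param: str = "dest") -> bool:
    """Detection side: True when the named query parameter carries CR or LF
    after decoding.  This is the condition a wire signature has to catch."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        if name == param and re.search(r"[\r\n]", decode_repeatedly(value)):
            return True
    return False


def scan(lines):
    """Indices of request lines that carry a CRLF-injection attempt."""
    return [i for i, line in enumerate(lines) if crlf_in_param(line)]


def safe_redirect_target(dest: str) -> str:
    """Server side: accept only a local absolute path with no control
    characters, so the value can never terminate the Location header line.
    `dest` is the already-decoded parameter the framework hands the handler."""
    if CONTROL_RE.search(dest):
        raise ValueError("control character in redirect target")
    if not dest.startswith("/") or dest.startswith(("//", "/\\")):
        raise ValueError("redirect target must be a local path")
    return dest


def is_safe_redirect_target(dest: str) -> bool:
    try:
        safe_redirect_target(dest)
        return True
    except ValueError:
        return False


def build_redirect(dest: str) -> bytes:
    """Emit the 302 only from a validated target: exactly one Location header."""
    target = safe_redirect_target(dest)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUEST_LINES):
        print("CRLF attempt:", SAMPLE_REQUEST_LINES[idx])
    print(build_redirect("/dashboard"))
```

The detection half decodes more than once on purpose: a single `unquote` would miss `%250d%250a`, which some servers decode a second time before writing the header. The handler half does not try to strip the bad bytes; it rejects the whole value, because a stripped-down target is still attacker-chosen input reaching a header.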
Enabled and modified rules:
- 2055240 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (brickedpack .com) (exploit_kit.rules)
- 2055241 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (losttwister .com) (exploit_kit.rules)
- 2055242 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (brickedpack .com) (exploit_kit.rules)
- 2055243 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (losttwister .com) (exploit_kit.rules)
Modified inactive rules:
- 2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
- 2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)
- 2051132 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (egisela .com) (exploit_kit.rules)
- 2051133 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (egisela .com) (exploit_kit.rules)
- 2051616 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (asyncawaitapi .com) (exploit_kit.rules)
- 2051617 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (asyncawaitapi .com) (exploit_kit.rules)
- 2051684 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (apifunctioncall .com) (exploit_kit.rules)
- 2051685 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (apifunctioncall .com) (exploit_kit.rules)
- 2051759 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (nowordshere .org) (exploit_kit.rules)
- 2051760 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (nowordshere .org) (exploit_kit.rules)
- 2051794 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (lyddemper .com) (exploit_kit.rules)
- 2051795 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (lyddemper .com) (exploit_kit.rules)
- 2053020 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdnjscloudnetwork .co) (exploit_kit.rules)
- 2053021 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdnjscloudnetwork .co) (exploit_kit.rules)
- 2056199 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (cdngetmyname .biz) (exploit_kit.rules)
- 2056200 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (cdngetmyname .biz) (exploit_kit.rules)
- 2057251 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (webapiintegration .cloud) (exploit_kit.rules)
- 2057252 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (webapiintegration .cloud) (exploit_kit.rules)
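Most of the rules in this update are paired "Domain in DNS Lookup" / "Domain in TLS SNI" signatures whose indicator is printed defanged in the title ("ddrmovies .fun", "peter-secrets-diana-yukon .trycloudflare .com"). The block below, an added example rather than Emerging Threats tooling, parses that title format back into refanged indicators, remembers which changelog section each SID came from so that hits on "Modified inactive rules" can be handled separately from hits on newly added active rules, and matches constructed DNS and SNI events against them with a label-boundary suffix match. The changelog excerpt is copied from this update; the events are constructed.

```python
"""Turn the changelog's defanged domains into a DNS/SNI matcher.
Added example, not ET tooling.  The excerpt is copied from this update; the
DNS and SNI events are constructed."""
import re
from typing import NamedTuple

CHANGELOG_EXCERPT = """\
Added rules:
Open:
- 2059029 - ET WEB_SPECIFIC_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875) (web_specific_apps.rules)
- 2059031 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ddrmovies .fun) (exploit_kit.rules)
- 2059032 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ddrmovies .fun) (exploit_kit.rules)
- 2059049 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) (malware.rules)
- 2059050 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (robinsharez .shop in TLS SNI) (malware.rules)
Pro:
- 2859541 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859550 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (peter-secrets-diana-yukon .trycloudflare .com) (malware.rules)
- 2859556 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (peter-secrets-diana-yukon .trycloudflare .com) (malware.rules)
Modified inactive rules:
- 2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
- 2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)
"""

RULE_LINE_RE = re.compile(r"^- (?P<sid>\d+) - (?P<title>.+?) \((?P<file>[\w.]+\.rules)\)$")
# ET titles defang with a space before each dot; "(CVE-2024-52875)" has no dot and is ignored.
DEFANGED_RE = re.compile(r"\(([A-Za-z0-9-]+(?: ?\.[A-Za-z0-9-]+)+)(?: in TLS SNI)?\)")
SUBHEADINGS = {"Open:", "Pro:"}


class Indicator(NamedTuple):
    sid: int
    channel: str     # "dns" or "sni"
    domain: str      # refanged, lowercase
    rules_file: str
    section: str     # changelog section the rule was listed under


def parse_changelog(text: str) -> list:
    """One Indicator per rule line that names a domain; rules without a visible
    domain (Kerio, TA582, phishing) are skipped."""
    indicators, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and line not in SUBHEADINGS:
            section = line[:-1]
            continue
        m = RULE_LINE_RE.match(line)
        if not m:
            continue
        title = m.group("title")
        d = DEFANGED_RE.search(title)
        channel = "sni" if "TLS SNI" in title else "dns" if "DNS Lookup" in title else None
        if not d or channel is None:
            continue
        indicators.append(Indicator(int(m.group("sid")), channel,
                                    d.group(1).replace(" ", "").lower(),
                                    m.group("file"), section))
    return indicators


def match_event(indicators, event) -> list:
    """SIDs whose domain equals the event name or is a parent of it.  The
    suffix match is anchored at a label boundary, so notddrmovies.fun never hits."""
    name = event["name"].lower().rstrip(".")
    return [i.sid for i in indicators
            if i.channel == event["type"]
            and (name == i.domain or name.endswith("." + i.domain))]


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "dns", "name": "ddrmovies.fun"},
    {"type": "sni", "name": "www.robinsharez.shop"},
    {"type": "dns", "name": "notddrmovies.fun"},
    {"type": "sni", "name": "peter-secrets-diana-yukon.trycloudflare.com"},
    {"type": "dns", "name": "ronreznick.com"},
    {"type": "sni", "name": "example.com"},
]


def scan_events(indicators, events) -> list:
    """(event name, sid, section) per hit; the section lets a consumer treat
    'Modified inactive rules' hits differently from newly added active rules."""
    by_sid = {i.sid: i for i in indicators}
    return [(ev["name"], sid, by_sid[sid].section)
            for ev in events for sid in match_event(indicators, ev)]


if __name__ == "__main__":
    for hit in scan_events(parse_changelog(CHANGELOG_EXCERPT), SAMPLE_EVENTS):
        print(hit)
```

Subdomain matching is a choice made here, not something the changelog states; it is the usual treatment for CnC domains because the `trycloudflare .com` entries show how much of the indicator is attacker-chosen, but for a shared-hosting domain you would want exact matching instead.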