Summary:
52 new OPEN, 81 new PRO (52 + 29)
Added rules:
Open:
- 2061120 - ET WEB_SERVER Kubernetes Ingress NGINX Controller permanent-redirect Annotation Injection (CVE-2023-5044) (web_server.rules)
- 2061121 - ET WEB_SERVER Kubernetes Ingress NGINX Controller configuration-snippet Annotation Injection (CVE-2023-5044) (web_server.rules)
- 2061122 - ET HUNTING Kubernetes Ingress NGINX Controller Annotation Injection (hunting.rules)
- 2061123 - ET WEB_SPECIFIC_APPS Discourse Backup File Disclosure via Default Nginx Configuration (CVE-2024-53991) (web_specific_apps.rules)
- 2061124 - ET WEB_SPECIFIC_APPS Github Enterprise SAML Authentication Bypass (CVE-2024-9487) (web_specific_apps.rules)
- 2061125 - ET INFO DYNAMIC_DNS Query to a *.0000004 .xyz domain (info.rules)
- 2061126 - ET INFO DYNAMIC_DNS HTTP Request to a *.0000004 .xyz domain (info.rules)
- 2061127 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (castmaxw .run) (malware.rules)
- 2061128 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (castmaxw .run) in TLS SNI (malware.rules)
- 2061129 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferromny .digital) (malware.rules)
- 2061130 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ferromny .digital) in TLS SNI (malware.rules)
- 2061131 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (galactad .world) (malware.rules)
- 2061132 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (galactad .world) in TLS SNI (malware.rules)
- 2061133 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nextgenideas2023 .top) (malware.rules)
- 2061134 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nextgenideas2023 .top) in TLS SNI (malware.rules)
- 2061135 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live) (malware.rules)
- 2061136 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI (malware.rules)
- 2061137 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rodstepv .digital) (malware.rules)
- 2061138 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodstepv .digital) in TLS SNI (malware.rules)
- 2061139 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (saturnoy .life) (malware.rules)
- 2061140 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (saturnoy .life) in TLS SNI (malware.rules)
- 2061141 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scenarisacri .top) (malware.rules)
- 2061142 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scenarisacri .top) in TLS SNI (malware.rules)
- 2061143 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (smeltingt .run) (malware.rules)
- 2061144 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (smeltingt .run) in TLS SNI (malware.rules)
- 2061145 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (steelixr .live) (malware.rules)
- 2061146 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (steelixr .live) in TLS SNI (malware.rules)
- 2061147 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weldorae .digital) (malware.rules)
- 2061148 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weldorae .digital) in TLS SNI (malware.rules)
- 2061149 - ET ATTACK_RESPONSE Unknown Payload Downloader Inbound (attack_response.rules)
- 2061150 - ET MALWARE Observed DNS Query to Malicious Domain (right-championships-junior-pubs .trycloudflare .com) (malware.rules)
- 2061151 - ET MALWARE Observed Malicious Domain (right-championships-junior-pubs .trycloudflare .com in TLS SNI) (malware.rules)
- 2061152 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (lkcharles .com) (exploit_kit.rules)
- 2061153 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (lkcharles .com) (exploit_kit.rules)
- 2061154 - ET PHISHING Observed DNS Query to TA452 Domain (shj-connect .online) (phishing.rules)
- 2061155 - ET PHISHING Observed DNS Query to TA452 Domain (korektell .com) (phishing.rules)
- 2061156 - ET PHISHING Observed DNS Query to TA452 Domain (newroztelecom .digital) (phishing.rules)
- 2061157 - ET PHISHING Observed DNS Query to TA452 Domain (sharjahairport .cloud) (phishing.rules)
- 2061158 - ET PHISHING Observed DNS Query to TA452 Domain (speed-test .click) (phishing.rules)
- 2061159 - ET PHISHING Observed TA452 Domain (shj-connect .online in TLS SNI) (phishing.rules)
- 2061160 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .briansmallwood .com) (malware.rules)
- 2061161 - ET PHISHING Observed TA452 Domain (korektell .com in TLS SNI) (phishing.rules)
- 2061162 - ET PHISHING Observed TA452 Domain (newroztelecom .digital in TLS SNI) (phishing.rules)
- 2061163 - ET PHISHING Observed TA452 Domain (sharjahairport .cloud in TLS SNI) (phishing.rules)
- 2061164 - ET PHISHING Observed TA452 Domain (speed-test .click in TLS SNI) (phishing.rules)
- 2061165 - ET MALWARE Observed DNS Query to TA452 Domain (arthurshelby .click) (malware.rules)
- 2061166 - ET MALWARE Observed TA452 Domain (arthurshelby .click in TLS SNI) (malware.rules)
- 2061167 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .briansmallwood .com) (malware.rules)
- 2061168 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (iplantit .com) (exploit_kit.rules)
- 2061169 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (iplantit .com) (exploit_kit.rules)
- 2061170 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fjs95 .shop) (exploit_kit.rules)
- 2061171 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fjs95 .shop) (exploit_kit.rules)
Pro:
- 2860919 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2860920 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860921 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2860922 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2860923 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860924 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860925 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2860926 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2860927 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2860928 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860929 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860930 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2860931 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2860932 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2860933 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2860934 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860935 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2860936 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860937 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2860938 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2860939 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2860940 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2860941 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860942 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2860943 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2860944 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860945 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860946 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2860947 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
Disabled and modified rules:
- 2061094 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
- 2061100 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)