Summary:
20 new OPEN, 21 new PRO (20 + 1)
Added rules:
Open:
- 2063279 - ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M1 (hunting.rules)
- 2063280 - ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M2 (hunting.rules)
- 2063281 - ET WEB_SPECIFIC_APPS Four-Faith adjust_sys_time adj_time Command Injection Attempt (CVE-2024-12856) (web_specific_apps.rules)
- 2063282 - ET WEB_SPECIFIC_APPS H3C sys_dia_data_check file_name Parameter Directory Traversal Attempt (web_specific_apps.rules)
- 2063283 - ET WEB_SPECIFIC_APPS HikVision triggerSnapshot fileUrl Parameter Arbitrary File Download Attempt (web_specific_apps.rules)
- 2063284 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (git .xtertexter .com) (malware.rules)
- 2063285 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (git .xtertexter .com) (malware.rules)
- 2063286 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (images .venthalpyapp .com) (malware.rules)
- 2063287 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (images .venthalpyapp .com) (malware.rules)
- 2063288 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (casupfi .shop) (malware.rules)
- 2063289 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (casupfi .shop) in TLS SNI (malware.rules)
- 2063290 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nbcsfar .xyz) (malware.rules)
- 2063291 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nbcsfar .xyz) in TLS SNI (malware.rules)
- 2063292 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tarewry .xyz) (malware.rules)
- 2063293 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tarewry .xyz) in TLS SNI (malware.rules)
- 2063294 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ycvduc .xyz) (malware.rules)
- 2063295 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ycvduc .xyz) in TLS SNI (malware.rules)
- 2063296 - ET WEB_SPECIFIC_APPS HikVision upload.action JSP Webshell Upload Attempt (web_specific_apps.rules)
- 2063297 - ET MALWARE UrgentBot Requesting Command From CnC Server (GET) (malware.rules)
- 2063298 - ET MALWARE UrgentBot Sending Results to CnC Server (POST) (malware.rules)
Pro:
- 2863375 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
Modified inactive rules:
- 2060145 - ET MALWARE Observed DNS Query to REF7707 Domain (update .hobiter .com) (malware.rules)
- 2060146 - ET MALWARE Observed DNS Query to REF7707 Domain (support .fortineat .com) (malware.rules)
- 2060148 - ET MALWARE Observed DNS Query to REF7707 Domain (d-links .net) (malware.rules)
- 2060150 - ET MALWARE Observed DNS Query to REF7707 Domain (cloud .autodiscovar .com) (malware.rules)
- 2060152 - ET MALWARE Observed DNS Query to REF7707 Domain (support .vmphere .com) (malware.rules)
- 2060154 - ET MALWARE Observed REF7707 Domain (support .fortineat .com in TLS SNI) (malware.rules)
- 2060155 - ET MALWARE Observed REF7707 Domain (digert .ictnsc .com in TLS SNI) (malware.rules)
- 2060159 - ET MALWARE Observed REF7707 Domain (vm-clouds .net in TLS SNI) (malware.rules)
- 2060160 - ET MALWARE Observed REF7707 Domain (support .vmphere .com in TLS SNI) (malware.rules)
- 2060199 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
- 2060201 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
- 2060224 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (onlinelas .com) (exploit_kit.rules)
- 2060626 - ET MALWARE Observed DNS Query to OtterCookie Domain (alchemy-api-v3 .cloud) (malware.rules)
- 2060627 - ET MALWARE Observed DNS Query to OtterCookie Domain (blastapi .org) (malware.rules)
- 2060628 - ET MALWARE Observed OtterCookie Domain (alchemy-api-v3 .cloud in TLS SNI) (malware.rules)
- 2060629 - ET MALWARE Observed OtterCookie Domain (blastapi .org in TLS SNI) (malware.rules)
- 2060680 - ET MALWARE Observed DNS Query to ClickFix Domain (lydbonkersbimpjc .blogspot .com) (malware.rules)
- 2060681 - ET MALWARE Observed DNS Query to ClickFix Domain (bookimanagerev .com) (malware.rules)
- 2060682 - ET MALWARE Observed DNS Query to ClickFix Domain (cpth-cant .com) (malware.rules)
- 2060683 - ET MALWARE Observed ClickFix Domain (lydbonkersbimpjc .blogspot .com in TLS SNI) (malware.rules)
- 2060684 - ET MALWARE Observed ClickFix Domain (bookimanagerev .com in TLS SNI) (malware.rules)
- 2060685 - ET MALWARE Observed ClickFix Domain (cpth-cant .com in TLS SNI) (malware.rules)
- 2060762 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
- 2060776 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
- 2060781 - ET MALWARE Observed DNS Query to ClickFix Domain (booking-sup-lang-eng .com) (malware.rules)
- 2060782 - ET MALWARE Observed ClickFix Domain (booking-sup-lang-eng .com in TLS SNI) (malware.rules)
- 2061094 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
- 2061100 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)
- 2860356 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
- 2860357 - ETPRO MALWARE Observed DNS Query to TA399 Domain (malware.rules)
- 2860358 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
- 2860359 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
- 2860786 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)
- 2860789 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)