Summary:
8 new OPEN, 18 new PRO (8 + 10)
Thanks @GroupIB, @anyrun_app
Added rules:
Open:
- 2067857 - ET HUNTING TA450 User-Agent Observed (hunting.rules)
- 2067858 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (giguoxo .cyou) (malware.rules)
- 2067859 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (giguoxo .cyou) in TLS SNI (malware.rules)
- 2067860 - ET MALWARE TA450/MuddyWater CnC Victim Checkin (malware.rules)
- 2067861 - ET MALWARE TA450/MuddyWater CnC Victim Checkin (malware.rules)
- 2067862 - ET MALWARE MoonRise CnC Commands Inbound via WebSocket (malware.rules)
- 2067863 - ET HUNTING Base64 Encoded 2 byte ROR Windows OS Name in HTTP Header (hunting.rules)
- 2067864 - ET HUNTING Base64 Encoded 2 byte ROL Windows OS Name in HTTP Header (hunting.rules)
Pro:
- 2866210 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2866211 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2866212 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2866213 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2866214 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2866215 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2866216 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2866217 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2866218 - ETPRO MALWARE TA406 Domain in DNS Lookup (malware.rules)
- 2866219 - ETPRO MALWARE Observed TA406 Domain in TLS SNI (malware.rules)
Removed rules:
- 2866182 - ETPRO HUNTING TA450 User-Agent Observed (hunting.rules)