[***]            Summary:            [***]

This out-of-band (OOB) update contains updated and optimized signatures originally released by FireEye related to the SUNBURST report. We do not anticipate additional updates at this time. Note: 2031329 is miscategorized (ET MALWARE / malware.rules instead of ET TROJAN / trojan.rules) and will be corrected during the regular rule push later today.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031321 - ET TROJAN [Fireeye] Backdoor.BEACON M2 (trojan.rules)
  2031322 - ET TROJAN [Fireeye] Backdoor.BEACON M6 (trojan.rules)
  2031323 - ET TROJAN [Fireeye] Backdoor.BEACON M1 (trojan.rules)
  2031324 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com (trojan.rules)
  2031325 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com (trojan.rules)
  2031326 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com (trojan.rules)
  2031327 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com (trojan.rules)
  2031328 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com (trojan.rules)
  2031329 - ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com (malware.rules)
  2031330 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com (trojan.rules)
  2031331 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com (trojan.rules)
  2031332 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to panhardware .com (trojan.rules)
  2031333 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to zupertech .com (trojan.rules)
  2031334 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com (trojan.rules)
  2031335 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org (trojan.rules)
  2031336 - ET TROJAN [Fireeye] Backdoor.SUNBURST M1 (trojan.rules)
  2031337 - ET TROJAN [Fireeye] Backdoor.SUNBURST M2 (trojan.rules)
  2031338 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com (trojan.rules)
  2031339 - ET TROJAN [Fireeye] Backdoor.SUNBURST M3 (trojan.rules)
  2031340 - ET TROJAN [Fireeye] Backdoor.SUNBURST M4 (trojan.rules)
  2031341 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com) (trojan.rules)
  2031342 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org) (trojan.rules)
  2031343 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com) (trojan.rules)
  2031344 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com) (trojan.rules)
  2031345 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com) (trojan.rules)
  2031346 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com) (trojan.rules)
  2031347 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org (trojan.rules)
  2031348 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com (trojan.rules)
  2031349 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com (trojan.rules)
  2031350 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com (trojan.rules)
  2031351 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com (trojan.rules)
  2031352 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com) (trojan.rules)
  2031353 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com) (trojan.rules)
  2031354 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com) (trojan.rules)
  2031355 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com) (trojan.rules)
  2031356 - ET TROJAN [Fireeye] Backdoor.BEACON M3 (trojan.rules)
  2031357 - ET TROJAN [Fireeye] Backdoor.BEACON M4 (trojan.rules)
  2031358 - ET TROJAN [Fireeye] Backdoor.BEACON M5 (trojan.rules)
  2031359 - ET TROJAN [Fireeye] Observed SUNBURST DGA Request (trojan.rules)
  2031360 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com) (trojan.rules)
  2031361 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com) (trojan.rules)
  2031362 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (thedoccloud .com in TLS SNI) (trojan.rules)
  2031363 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (incomeudpate .com in TLS SNI) (trojan.rules)
  2031364 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (panhardware .com in TLS SNI) (trojan.rules)
  2031365 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (freescanonline .com in TLS SNI) (trojan.rules)
  2031366 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (databasegalore .com in TLS SNI) (trojan.rules)
  2031367 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (highdatabase .com in TLS SNI) (trojan.rules)
  2031368 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (websitetheme .com in TLS SNI) (trojan.rules)
  2031369 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (zupertech .com in TLS SNI) (trojan.rules)
  2031370 - ET TROJAN [Fireeye] Observed Backdoor.SUNBURST CnC Domain (deftsecurity .com in TLS SNI) (trojan.rules)
