[***] Summary: [***]
29 new OPEN, 87 new PRO (29 + 58). Various DNS over HTTPS, DangerousPassword APT, Gamaredon, sLoad
Thanks: @h2jazi, @shadowchasing1, @cyberoverdrive, @IntezerLabs, @JAMESWT_MHT
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback.
[+++] Added rules: [+++]
Open:
2025980 - ET INFO TRR DNS over HTTPS detected (info.rules)
2027671 - ET INFO Cloudflare DNS Over HTTPS Certificate Inbound (info.rules)
2027695 - ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) (info.rules)
2034912 - ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (info.rules)
2035125 - ET INFO Applied Privacy DNS over HTTPS Certificate Inbound (info.rules)
2035126 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035151 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035152 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035153 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035154 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035155 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)
2035156 - ET INFO Keweon Center DNS Over HTTPS Certificate Inbound (info.rules)
2035157 - ET INFO Keweon Center DNS Over HTTPS Certificate Inbound (info.rules)
2035158 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com) (trojan.rules)
2035159 - ET TROJAN Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI) (trojan.rules)
2035160 - ET TROJAN Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI) (trojan.rules)
2035161 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com) (trojan.rules)
2035162 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center) (trojan.rules)
2035163 - ET TROJAN Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI) (trojan.rules)
2035164 - ET TROJAN sLoad Related CnC Domain in DNS Lookup (angedionisu .eu) (trojan.rules)
2035165 - ET TROJAN Observed sLoad Related Domain (angedionisu .eu in TLS SNI) (trojan.rules)
2035166 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035167 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035168 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035169 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035170 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035171 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035172 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (trojan.rules)
2035173 - ET INFO Commonly Abused Github-like Site (codeberg .org in DNS Lookup) (info.rules)
Pro:
2807926 - ETPRO INFO Possible UltraVNC Usage Detected (info.rules)
2838109 - ETPRO INFO Google DNS Over HTTPS Certificate Inbound (info.rules)
2838110 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (info.rules)
2838907 - ETPRO INFO Observed DNS over HTTPS Domain (doh .securedns .eu in TLS SNI) (info.rules)
2838927 - ETPRO INFO SecureDNS .eu DNS Over HTTPS Certificate Inbound (info.rules)
2844697 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (info.rules)
2844698 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (info.rules)
2844699 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (info.rules)
2844700 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (info.rules)
2844701 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (info.rules)
2844702 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (info.rules)
2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)
2844705 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (info.rules)
2844706 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (info.rules)
2844707 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .li) (info.rules)
2844708 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (info.rules)
2845027 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (info.rules)
2845028 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (info.rules)
2845029 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (info.rules)
2845030 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (info.rules)
2845032 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (info.rules)
2845033 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (info.rules)
2845034 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (info.rules)
2845035 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (info.rules)
2845036 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (info.rules)
2845037 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (info.rules)
2845038 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (info.rules)
2851058 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (info.rules)
2851063 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (free .bravedns .com) (info.rules)
2851064 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (zero .bravedns .com) (info.rules)
2851065 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (basic .rethinkdns .com) (info.rules)
2851066 - ETPRO INFO BlahDNS DNS Over HTTPS Certificate Inbound (info.rules)
2851067 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (.blahdns .com) (info.rules)
2851068 - ETPRO INFO DigitalCourage DNS Over HTTPS Certificate Inbound (info.rules)
2851069 - ETPRO INFO DigitalCourage DNS Over HTTPS Certificate Inbound (info.rules)
2851070 - ETPRO INFO AdGuard DNS Over HTTPS Certificate Inbound (info.rules)
2851071 - ETPRO TROJAN Win32/Remcos RAT Checkin 771 (trojan.rules)
2851078 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)
2851079 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)
2851080 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)
2851081 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 1) (trojan.rules)
2851082 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 2) (trojan.rules)
2851083 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 3) (trojan.rules)
2851084 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 4) (trojan.rules)
2851085 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 5) (trojan.rules)
2851086 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 6) (trojan.rules)
2851087 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 7) (trojan.rules)
2851088 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 8) (trojan.rules)
2851089 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 9) (trojan.rules)
2851090 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 10) (trojan.rules)
2851091 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 11) (trojan.rules)
2851092 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 12) (trojan.rules)
[///] Modified active rules: [///]
2033203 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) (trojan.rules)
2033204 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) (trojan.rules)
2035135 - ET TROJAN Observed Maldoc Domain (travelcrimea .info in TLS SNI) (trojan.rules)
2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)
2822391 - ETPRO TROJAN Possible Ursnif/Gamaredon Related VNC Module CnC Beacon (trojan.rules)
[---] Removed rules: [---]
2025980 - ET POLICY TRR DNS over HTTPS detected (policy.rules)
2027671 - ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound (policy.rules)
2027695 - ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) (policy.rules)
2034912 - ET POLICY Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (policy.rules)
2035125 - ET POLICY Applied Privacy DNS over HTTPS Certificate Inbound (policy.rules)
2035126 - ET POLICY UncensoredDNS DNS Over HTTPS Certificate Inbound (policy.rules)
2807926 - ETPRO POLICY Possible UltraVNC Usage Detected (policy.rules)
2838109 - ETPRO POLICY Google DNS Over HTTPS Certificate Inbound (policy.rules)
2838110 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (policy.rules)
2838907 - ETPRO POLICY Observed DNS over HTTPS Domain (doh .securedns .eu in TLS SNI) (policy.rules)
2838927 - ETPRO POLICY SecureDNS .eu DNS Over HTTPS Certificate Inbound (policy.rules)
2844697 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (policy.rules)
2844698 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
2844699 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (policy.rules)
2844700 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (policy.rules)
2844701 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (policy.rules)
2844702 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (policy.rules)
2844703 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (policy.rules)
2844704 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh-fi .blahdns .com) (policy.rules)
2844705 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (policy.rules)
2844706 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (policy.rules)
2844707 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .li) (policy.rules)
2844708 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (policy.rules)
2845027 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (policy.rules)
2845028 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (policy.rules)
2845029 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (policy.rules)
2845030 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (policy.rules)
2845031 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh-jp .blahdns .com) (policy.rules)
2845032 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
2845033 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (policy.rules)
2845034 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (policy.rules)
2845035 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (policy.rules)
2845036 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (policy.rules)
2845037 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (policy.rules)
2845038 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (policy.rules)
2851058 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (policy.rules)