Ruleset Update Summary - 2025/01/21 - v10842

rulesbot · January 21, 2025, 9:33pm

Summary:

29 new OPEN, 53 new PRO (29 + 24)

Thanks @SpearTipCyberCI

Added rules:

Open:

2059362 - ET HUNTING Microsoft Windows MSHTML Platform Remote Code Execution (CVE-2023-35628) (hunting.rules)
2059363 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (llewen .com) (exploit_kit.rules)
2059364 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (zxcaem .com) (exploit_kit.rules)
2059365 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (llewen .com) (exploit_kit.rules)
2059366 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (zxcaem .com) (exploit_kit.rules)
2059367 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dsdpx .top) (exploit_kit.rules)
2059368 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kuishupai .top) (exploit_kit.rules)
2059369 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dsdpx .top) (exploit_kit.rules)
2059370 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kuishupai .top) (exploit_kit.rules)
2059371 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (rednosehorse .com) (exploit_kit.rules)
2059372 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (rednosehorse .com) (exploit_kit.rules)
2059373 - ET USER_AGENTS FastHTTP User-Agent Observed Outbound (fasthttp) (user_agents.rules)
2059374 - ET INFO DYNAMIC_DNS Query to a *.n-et .org domain (info.rules)
2059375 - ET INFO DYNAMIC_DNS HTTP Request to a *.n-et .org domain (info.rules)
2059376 - ET MALWARE Possible Brute Force Attack Using FastHTTP (malware.rules)
2059377 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .crm .bestintownpro .com) (malware.rules)
2059378 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .crm .bestintownpro .com) (malware.rules)
2059379 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annoyingth .click) (malware.rules)
2059380 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (annoyingth .click in TLS SNI) (malware.rules)
2059381 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fastysticke .sbs) (malware.rules)
2059382 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fastysticke .sbs in TLS SNI) (malware.rules)
2059383 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mow-saterry .cyou) (malware.rules)
2059384 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mow-saterry .cyou in TLS SNI) (malware.rules)
2059385 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quinceisoz .cam) (malware.rules)
2059386 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quinceisoz .cam in TLS SNI) (malware.rules)
2059387 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (refeplacieud .click) (malware.rules)
2059388 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (refeplacieud .click in TLS SNI) (malware.rules)
2059389 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (secretarydiff .click) (malware.rules)
2059390 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (secretarydiff .click in TLS SNI) (malware.rules)

Pro:

2859732 - ETPRO HUNTING Microsoft MapUrlToZone Security Feature Bypass (CVE-2025-21189) (hunting.rules)
2859733 - ETPRO HUNTING Microsoft MapUrlToZone Security Feature Bypass (CVE-2025-21219) (hunting.rules)
2859734 - ETPRO HUNTING Microsoft Windows HTML Platforms Security Feature Bypass (CVE-2025-21269) (hunting.rules)
2859735 - ETPRO EXPLOIT Microsoft Windows Kerberos Security Feature Bypass (CVE-2025-21299) (exploit.rules)
2859736 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859737 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859738 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859739 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859740 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859741 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859742 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859743 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859744 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859745 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859746 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859747 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2859748 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859749 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2859750 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859751 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2859752 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859753 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859754 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2859755 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2059282 - ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562) (web_specific_apps.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/11 - v10643 Ruleset Updates	93	July 11, 2024
Ruleset Update Summary - 2025/02/07 - v10855 Ruleset Updates	124	February 7, 2025
Ruleset Update Summary - 2025/01/28 - v10847 Ruleset Updates	97	January 28, 2025
Ruleset Update Summary - 2025/01/09 - v10834 Ruleset Updates	109	January 9, 2025
Ruleset Update Summary - 2024/07/05 - v10639 Ruleset Updates	144	July 5, 2024

Ruleset Update Summary - 2025/01/21 - v10842

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics