Ruleset Update Summary - 2025/01/29 - v10848

Summary:

45 new OPEN, 61 new PRO (45 + 16)

Added rules:

Open:

• 2059740 - ET HUNTING ZIP File Symlink External Attribute Inbound (hunting.rules)
• 2059741 - ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M1 - Title Defacement Attempt (CVE-2024-11680) (web_specific_apps.rules)
• 2059742 - ET WEB_SPECIFIC_APPS QNAP QTS/QuTS File Upload (CVE-2024-53691) (web_specific_apps.rules)
• 2059743 - ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Unpack File (CVE-2024-53691) (web_specific_apps.rules)
• 2059744 - ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M2 - Account Creation Attempt (CVE-2024-11680) (web_specific_apps.rules)
• 2059745 - ET ATTACK_RESPONSE Koi Loader/Stealer CnC Config Inbound (attack_response.rules)
• 2059746 - ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M3 - PHP File Upload Attempt (CVE-2024-11680) (web_specific_apps.rules)
• 2059747 - ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Decrypt File (CVE-2024-53691) (web_specific_apps.rules)
• 2059748 - ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv1 Upload Relative Path Traversal (CVE-2024-52012) (web_specific_apps.rules)
• 2059749 - ET WEB_SPECIFIC_APPS Apache Solr ConfigSet APIv2 Upload Relative Path Traversal (CVE-2024-52012) (web_specific_apps.rules)
• 2059750 - ET MALWARE Win32/Koi Stealer CnC Checkin (GET) (malware.rules)
• 2059751 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greatvacuutos .cyou) (malware.rules)
• 2059752 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (greatvacuutos .cyou in TLS SNI) (malware.rules)
• 2059753 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stematockeoff .shop) (malware.rules)
• 2059754 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stematockeoff .shop in TLS SNI) (malware.rules)
• 2059755 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thebeautylovelytop .top) (malware.rules)
• 2059756 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thebeautylovelytop .top in TLS SNI) (malware.rules)
• 2059757 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (traveladdicts .top) (malware.rules)
• 2059758 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (traveladdicts .top in TLS SNI) (malware.rules)
• 2059759 - ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound (attack_response.rules)
• 2059760 - ET HUNTING Cross-Site POST Requests Without a Content-Type Header (hunting.rules)
• 2059761 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (akmcons .com) (exploit_kit.rules)
• 2059762 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (akmcons .com) (exploit_kit.rules)
• 2059763 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (patientlo .top) (exploit_kit.rules)
• 2059764 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (patientlo .top) (exploit_kit.rules)
• 2059765 - ET MALWARE SocGholish CnC Domain in DNS Lookup (webmail .ebuildingsource .com) (malware.rules)
• 2059766 - ET MALWARE SocGholish CnC Domain in TLS SNI (webmail .ebuildingsource .com) (malware.rules)
• 2059767 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (innerkomen .com) (malware.rules)
• 2059768 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (innerkomen .com in TLS SNI) (malware.rules)
• 2059769 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) (malware.rules)
• 2059770 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (guardeduppe .com in TLS SNI) (malware.rules)
• 2059771 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) (malware.rules)
• 2059772 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) (malware.rules)
• 2059773 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flockefaccek .org) (malware.rules)
• 2059774 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flockefaccek .org in TLS SNI) (malware.rules)
• 2059775 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (babberstalek .org) (malware.rules)
• 2059776 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (babberstalek .org in TLS SNI) (malware.rules)
• 2059777 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (classyhelped .net) (malware.rules)
• 2059778 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (classyhelped .net in TLS SNI) (malware.rules)
• 2059779 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carrystuppeder .net) (malware.rules)
• 2059780 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carrystuppeder .net in TLS SNI) (malware.rules)
• 2059781 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildhurrte .com) (malware.rules)
• 2059782 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebuildhurrte .com in TLS SNI) (malware.rules)
• 2059783 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (climepunneddus .com) (malware.rules)
• 2059784 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (climepunneddus .com in TLS SNI) (malware.rules)

Pro:

• 2859830 - ETPRO MALWARE SocGholish CnC Initial Request (malware.rules)
• 2859831 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
• 2859832 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (sublime-forecasts-pale-scored .trycloudflare .com) (malware.rules)
• 2859833 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (washing-cartridges-watts-flags .trycloudflare .com) (malware.rules)
• 2859834 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (investigators-boxing-trademark-threatened .trycloudflare .com) (malware.rules)
• 2859835 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (fotos-phillips-princess-baker .trycloudflare .com) (malware.rules)
• 2859836 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (casting-advisors-older-invitations .trycloudflare .com) (malware.rules)
• 2859837 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in DNS Lookup (complement-parliamentary-chairs-hc .trycloudflare .com) (malware.rules)
• 2859838 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (sublime-forecasts-pale-scored .trycloudflare .com) (malware.rules)
• 2859839 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (washing-cartridges-watts-flags .trycloudflare .com) (malware.rules)
• 2859840 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (investigators-boxing-trademark-threatened .trycloudflare .com) (malware.rules)
• 2859841 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (fotos-phillips-princess-baker .trycloudflare .com) (malware.rules)
• 2859842 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (casting-advisors-older-invitations .trycloudflare .com) (malware.rules)
• 2859843 - ETPRO MALWARE Malicious Pyinstaller CnC Domain in TLS SNI (complement-parliamentary-chairs-hc .trycloudflare .com) (malware.rules)
• 2859844 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
• 2859845 - ETPRO PHISHING Darcula Phish Landing Page 2024-01-29 (phishing.rules)