Ruleset Update Summary - 2025/03/03 - v10870

Summary:

65 new OPEN, 100 new PRO (65 + 35)

Added rules:

Open:

• 2060506 - ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248) (web_specific_apps.rules)
• 2060507 - ET INFO Anydesk Relay Domain (net .anydesk .com) in DNS Lookup (info.rules)
• 2060508 - ET INFO Observed Anydesk Relay Domain (net .anydesk .com) in TLS SNI (info.rules)
• 2060509 - ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M3 (web_specific_apps.rules)
• 2060510 - ET INFO Anydesk API Domain (api .anydesk .com) in DNS Lookup (info.rules)
• 2060511 - ET INFO Anydesk API Domain (api .anydesk .com) in TLS SNI (info.rules)
• 2060512 - ET INFO Anydesk Domain (boot .net .anydesk .com) in DNS Lookup (info.rules)
• 2060513 - ET INFO Observed Anydesk Domain (boot .net .anydesk .com) in TLS SNI (info.rules)
• 2060514 - ET EXPLOIT SaltStack Salt Exploitation Inbound M2 (CVE-2020-16846) (exploit.rules)
• 2060515 - ET EXPLOIT SaltStack Salt Exploitation Inbound M3 (CVE-2020-16846) (exploit.rules)
• 2060516 - ET EXPLOIT SaltStack Salt Exploitation Inbound M4 (CVE-2020-16846) (exploit.rules)
• 2060517 - ET MALWARE Screenshot Exfiltration via Discord Webhook (POST) (malware.rules)
• 2060518 - ET INFO DYNAMIC_DNS Query to a *.cargo-dv .com domain (info.rules)
• 2060519 - ET INFO DYNAMIC_DNS HTTP Request to a *.cargo-dv .com domain (info.rules)
• 2060520 - ET INFO DYNAMIC_DNS Query to a *.yukejang .com domain (info.rules)
• 2060521 - ET INFO DYNAMIC_DNS HTTP Request to a *.yukejang .com domain (info.rules)
• 2060522 - ET MALWARE Win32/SocGholish Domain in DNS Lookup (publication .garyjobeferguson .com) (malware.rules)
• 2060523 - ET MALWARE Win32/SocGholish Domain in TLS SNI (publication .garyjobeferguson .com) (malware.rules)
• 2060524 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (exclusive .nobogoods .com) (malware.rules)
• 2060525 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (exclusive .nobogoods .com) (malware.rules)
• 2060526 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (whcms .greendreamcannabis .com) (malware.rules)
• 2060527 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (whcms .greendreamcannabis .com) (malware.rules)
• 2060528 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet) (malware.rules)
• 2060529 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) (malware.rules)
• 2060530 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (codxefusion .top) (malware.rules)
• 2060531 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (codxefusion .top in TLS SNI) (malware.rules)
• 2060532 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (democratoze .space) (malware.rules)
• 2060533 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (democratoze .space in TLS SNI) (malware.rules)
• 2060534 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ditgitaldream .click) (malware.rules)
• 2060535 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ditgitaldream .click in TLS SNI) (malware.rules)
• 2060536 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorebieology .run) (malware.rules)
• 2060537 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (explorebieology .run in TLS SNI) (malware.rules)
• 2060538 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu) (malware.rules)
• 2060539 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gadgethgfub .icu in TLS SNI) (malware.rules)
• 2060540 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goldensounew .world) (malware.rules)
• 2060541 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goldensounew .world in TLS SNI) (malware.rules)
• 2060542 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardrwarehaven .run) (malware.rules)
• 2060543 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (wqenpene .com) (exploit_kit.rules)
• 2060544 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hardrwarehaven .run in TLS SNI) (malware.rules)
• 2060545 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardswarehub .today) (malware.rules)
• 2060546 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rimstarintl .com) (exploit_kit.rules)
• 2060547 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hardswarehub .today in TLS SNI) (malware.rules)
• 2060548 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (wqenpene .com) (exploit_kit.rules)
• 2060549 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (languarel .fun) (malware.rules)
• 2060550 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (languarel .fun in TLS SNI) (malware.rules)
• 2060551 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moderzysics .top) (malware.rules)
• 2060552 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (todoarmarios .top) (exploit_kit.rules)
• 2060553 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moderzysics .top in TLS SNI) (malware.rules)
• 2060554 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (phygcsforum .life) (malware.rules)
• 2060555 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (todoarmarios .top) (exploit_kit.rules)
• 2060556 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (phygcsforum .life in TLS SNI) (malware.rules)
• 2060557 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reslinsights .shop) (malware.rules)
• 2060558 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reslinsights .shop in TLS SNI) (malware.rules)
• 2060559 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tampermonkey02 .top) (malware.rules)
• 2060560 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tampermonkey02 .top in TLS SNI) (malware.rules)
• 2060561 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tampermonkey03 .top) (malware.rules)
• 2060562 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tampermonkey03 .top in TLS SNI) (malware.rules)
• 2060563 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tampermonkey08 .top) (malware.rules)
• 2060564 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tampermonkey08 .top in TLS SNI) (malware.rules)
• 2060565 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techmindzs .live) (malware.rules)
• 2060566 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (zarantech .com) (exploit_kit.rules)
• 2060567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techmindzs .live in TLS SNI) (malware.rules)
• 2060568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top) (malware.rules)
• 2060569 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (zarantech .com) (exploit_kit.rules)
• 2060570 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) (malware.rules)

Pro:

• 2860508 - ETPRO HUNTING PDF Launch Action File Spec Contains Domain-Like Value (hunting.rules)
• 2860509 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2860510 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860511 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860512 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860513 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2860514 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
• 2860515 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2860516 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
• 2860517 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
• 2860518 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2860519 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2860520 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2860521 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2860522 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2860523 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2860524 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2860525 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2860526 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2860527 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860528 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860529 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860530 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2860531 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
• 2860532 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2860533 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
• 2860534 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
• 2860535 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2860536 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2860537 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2860538 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2860539 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2860540 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2860541 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2860542 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)