Ruleset Update Summary - 2025/03/05 - v10872

Ruleset Updates
1

Summary:

55 new OPEN, 57 new PRO (55 + 2)

Thanks @djtechnocrat

Added rules:

Open:

  • 2060594 - ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939) (web_specific_apps.rules)
  • 2060595 - ET INFO Zoho Assist Related Domain ( .zohoassist .jp) in DNS Lookup (info.rules)
  • 2060596 - ET INFO Zoho Assist Related Domain ( .zohohost .com) in DNS Lookup (info.rules)
  • 2060597 - ET INFO Zoho Assist Related Domain ( .zohoassist .com .cn) in DNS Lookup (info.rules)
  • 2060598 - ET INFO Zoho Assist Related Domain ( .zohoassist .com) in DNS Lookup (info.rules)
  • 2060599 - ET INFO Zoho Assist Related Domain ( .assist .cs .zohohost .com) in DNS Lookup (info.rules)
  • 2060600 - ET INFO Observed Zoho Assist Related Domain ( .zohoassist .jp) in TLS SNI (info.rules)
  • 2060601 - ET INFO Observed Zoho Assist Related Domain ( .zohohost .com) in TLS SNI (info.rules)
  • 2060602 - ET INFO Observed Zoho Assist Related Domain ( .zohoassist .com .cn) in TLS SNI (info.rules)
  • 2060603 - ET INFO Observed Zoho Assist Related Domain ( .zohoassist .com) in TLS SNI (info.rules)
  • 2060604 - ET INFO Observed Zoho Assist Related Domain ( .assist .cs .zohohost .com) in TLS SNI (info.rules)
  • 2060605 - ET MALWARE InvisibleFerret CnC Activity (POST) M1 (malware.rules)
  • 2060606 - ET INFO Zoho Assist Related Domain (assistlab .zoho .com) in DNS Lookup (info.rules)
  • 2060607 - ET INFO Zoho Assist Related Domain (downloads .zohodl .com .cn) in DNS Lookup (info.rules)
  • 2060608 - ET INFO Zoho Assist Related Domain (downloads .zohocdn .com) in DNS Lookup (info.rules)
  • 2060609 - ET INFO Zoho Assist Related Domain (assist .zoho .com) in DNS Lookup (info.rules)
  • 2060610 - ET INFO Zoho Assist Related Domain (gateway .zohoassist .com) in DNS Lookup (info.rules)
  • 2060611 - ET INFO Observed Zoho Assist Related Domain in TLS SNI (info.rules)
  • 2060612 - ET INFO Observed Zoho Assist Related Domain in TLS SNI (info.rules)
  • 2060613 - ET INFO Observed Zoho Assist Related Domain in TLS SNI (info.rules)
  • 2060614 - ET INFO Observed Zoho Assist Related Domain in TLS SNI (info.rules)
  • 2060615 - ET INFO Observed Zoho Assist Related Domain in TLS SNI (info.rules)
  • 2060616 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (nevada .mandros .us) (malware.rules)
  • 2060617 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (nevada .mandros .us) (malware.rules)
  • 2060618 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (https://t .me/kz_prokla1) (malware.rules)
  • 2060619 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (https://t .me/kz_prokla1 in TLS SNI) (malware.rules)
  • 2060620 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (joyfulhezart .tech) (malware.rules)
  • 2060621 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (joyfulhezart .tech in TLS SNI) (malware.rules)
  • 2060622 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sdfwfsdf .icu) (malware.rules)
  • 2060623 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) (malware.rules)
  • 2060624 - ET INFO Teamviewer Frontline Domain (svc .frontlineworker .com) in DNS Lookup (info.rules)
  • 2060625 - ET INFO Observed Teamviewer Frontline Related Domain (svc .frontlineworker .com) in TLS SNI (info.rules)
  • 2060626 - ET MALWARE Observed DNS Query to OtterCookie Domain (alchemy-api-v3 .cloud) (malware.rules)
  • 2060627 - ET MALWARE Observed DNS Query to OtterCookie Domain (blastapi .org) (malware.rules)
  • 2060628 - ET MALWARE Observed OtterCookie Domain (alchemy-api-v3 .cloud in TLS SNI) (malware.rules)
  • 2060629 - ET MALWARE Observed OtterCookie Domain (blastapi .org in TLS SNI) (malware.rules)
  • 2060630 - ET INFO TeamViewer RMM Domain (teamviewer .com) in DNS Lookup (info.rules)
  • 2060631 - ET MALWARE OtterCookie Host Profile Exfil (malware.rules)
  • 2060632 - ET INFO Observed TeamViewer RMM Related Domain (teamviewer .com) in TLS SNI (info.rules)
  • 2060633 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (willchar .com) (exploit_kit.rules)
  • 2060634 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (willchar .com) (exploit_kit.rules)
  • 2060635 - ET MALWARE OtterCookie CnC Command Inbound (whour) (malware.rules)
  • 2060636 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ydh7 .shop) (exploit_kit.rules)
  • 2060637 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ydh7 .shop) (exploit_kit.rules)
  • 2060638 - ET MALWARE OtterCookie File Exfiltration (malware.rules)
  • 2060639 - ET MALWARE OtterCookie Victim Command Execution Confirmation To CnC Server (malware.rules)
  • 2060640 - ET MALWARE Malicious BOINC Server Domain in DNS Lookup (rosettahome .top) (malware.rules)
  • 2060641 - ET MALWARE Malicious BOINC Server Domain in DNS Lookup (rosettahome .cn) (malware.rules)
  • 2060642 - ET MALWARE Observed Malicious BOINC Server Domain (rosettahome .top in TLS SNI) (malware.rules)
  • 2060643 - ET MALWARE Observed Malicious BOINC Server Domain (rosettahome .cn in TLS SNI) (malware.rules)
  • 2060644 - ET MALWARE OtterCookie Payload Request (malware.rules)
  • 2060645 - ET MALWARE Malicious BOINC Server CnC Domain in DNS Lookup (rosetta .top) (malware.rules)
  • 2060646 - ET MALWARE Malicious BOINC Server CnC Domain in DNS Lookup (rosetta .cn) (malware.rules)
  • 2060647 - ET MALWARE Observed Malicious BOINC Server Domain (rosetta .top in TLS SNI) (malware.rules)
  • 2060648 - ET MALWARE Observed Malicious BOINC Server Domain (rosetta .cn in TLS SNI) (malware.rules)

Pro:

  • 2860575 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2860576 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2860508 - ETPRO HUNTING PDF Launch Action File Spec Contains Domain-Like Value (hunting.rules)