Ruleset Update Summary - 2025/03/19 - v10886

Summary:

11 new OPEN, 26 new PRO (11 + 15)
Added rules:

Open:

  • 2060957 - ET HUNTING Windows Shortcut Link Padded Whitespace in Command Line Arguments (ZDI-CAN-25373) (hunting.rules)
  • 2060958 - ET PHISHING E-Z Pass Phishing Domain (e-zpasslus .com) in DNS Lookup (phishing.rules)
  • 2060959 - ET PHISHING E-Z Pass Phishing Domain (e-zpasslus .com) in TLS SNI (phishing.rules)
  • 2060960 - ET WEB_SPECIFIC_APPS xml-crypto / Node.js SAML Authentication Bypass Forged DigestValue Comment (CVE-2025-29775) (web_specific_apps.rules)
  • 2060961 - ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774) (web_specific_apps.rules)
  • 2060962 - ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305) (web_specific_apps.rules)
  • 2060963 - ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt (web_specific_apps.rules)
  • 2060964 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tecnogrup .com) (exploit_kit.rules)
  • 2060965 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tecnogrup .com) (exploit_kit.rules)
  • 2060966 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (my .kconsultinggroup .com) (malware.rules)
  • 2060967 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (my .kconsultinggroup .com) (malware.rules)

Pro:

  • 2860802 - ETPRO MALWARE XWorm Telegram C2 Response (malware.rules)
  • 2860803 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860804 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860805 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860806 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860807 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2860808 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860809 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2860810 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860811 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2860812 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2860813 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860814 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2860815 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2860816 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)