Ruleset Update Summary - 2025/03/21 - v10888

Ruleset Updates
1

Summary:

15 new OPEN, 16 new PRO (15 + 1)

Thanks @Jane_0sint, @monitorsg

Added rules:

Open:

  • 2061006 - ET MALWARE RustyStealer CnC Checkin (POST) (malware.rules)
  • 2061007 - ET MALWARE RustyStealer CnC Exfil (POST) (malware.rules)
  • 2061008 - ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in Chromium-path (CVE-2024-12971) (web_specific_apps.rules)
  • 2061009 - ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992) (web_specific_apps.rules)
  • 2061010 - ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085) (web_server.rules)
  • 2061011 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (kkmic .com) (exploit_kit.rules)
  • 2061012 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (shairwest .com) (exploit_kit.rules)
  • 2061013 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (loycos .com) (exploit_kit.rules)
  • 2061014 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (kkmic .com) (exploit_kit.rules)
  • 2061015 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (shairwest .com) (exploit_kit.rules)
  • 2061016 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (loycos .com) (exploit_kit.rules)
  • 2061017 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (wp .pianoplaymusic .com) (malware.rules)
  • 2061018 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (wp .pianoplaymusic .com) (malware.rules)
  • 2061019 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (store .alignfrisco .com) (exploit_kit.rules)
  • 2061020 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (store .alignfrisco .com) (exploit_kit.rules)

Pro:

  • 2860856 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2860837 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2860841 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2860846 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2860851 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2860853 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)