Ruleset Update Summary - 2025/03/27 - v10892

rulesbot · March 27, 2025, 9:02pm

Summary:

52 new OPEN, 81 new PRO (52 + 29)

Added rules:

Open:

2061120 - ET WEB_SERVER Kubernetes Ingress NGINX Controller permanent-redirect Annotation Injection (CVE-2023-5044) (web_server.rules)
2061121 - ET WEB_SERVER Kubernetes Ingress NGINX Controller configuration-snippet Annotation Injection (CVE-2023-5044) (web_server.rules)
2061122 - ET HUNTING Kubernetes Ingress NGINX Controller Annotation Injection (hunting.rules)
2061123 - ET WEB_SPECIFIC_APPS Discourse Backup File Disclosure via Default Nginx Configuration (CVE-2024-53991) (web_specific_apps.rules)
2061124 - ET WEB_SPECIFIC_APPS Github Enterprise SAML Authentication Bypass (CVE-2024-9487) (web_specific_apps.rules)
2061125 - ET INFO DYNAMIC_DNS Query to a *.0000004 .xyz domain (info.rules)
2061126 - ET INFO DYNAMIC_DNS HTTP Request to a *.0000004 .xyz domain (info.rules)
2061127 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (castmaxw .run) (malware.rules)
2061128 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (castmaxw .run) in TLS SNI (malware.rules)
2061129 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferromny .digital) (malware.rules)
2061130 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ferromny .digital) in TLS SNI (malware.rules)
2061131 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (galactad .world) (malware.rules)
2061132 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (galactad .world) in TLS SNI (malware.rules)
2061133 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nextgenideas2023 .top) (malware.rules)
2061134 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nextgenideas2023 .top) in TLS SNI (malware.rules)
2061135 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live) (malware.rules)
2061136 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI (malware.rules)
2061137 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rodstepv .digital) (malware.rules)
2061138 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rodstepv .digital) in TLS SNI (malware.rules)
2061139 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (saturnoy .life) (malware.rules)
2061140 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (saturnoy .life) in TLS SNI (malware.rules)
2061141 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scenarisacri .top) (malware.rules)
2061142 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scenarisacri .top) in TLS SNI (malware.rules)
2061143 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (smeltingt .run) (malware.rules)
2061144 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (smeltingt .run) in TLS SNI (malware.rules)
2061145 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (steelixr .live) (malware.rules)
2061146 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (steelixr .live) in TLS SNI (malware.rules)
2061147 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weldorae .digital) (malware.rules)
2061148 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (weldorae .digital) in TLS SNI (malware.rules)
2061149 - ET ATTACK_RESPONSE Unknown Payload Downloader Inbound (attack_response.rules)
2061150 - ET MALWARE Observed DNS Query to Malicious Domain (right-championships-junior-pubs .trycloudflare .com) (malware.rules)
2061151 - ET MALWARE Observed Malicious Domain (right-championships-junior-pubs .trycloudflare .com in TLS SNI) (malware.rules)
2061152 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (lkcharles .com) (exploit_kit.rules)
2061153 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (lkcharles .com) (exploit_kit.rules)
2061154 - ET PHISHING Observed DNS Query to TA452 Domain (shj-connect .online) (phishing.rules)
2061155 - ET PHISHING Observed DNS Query to TA452 Domain (korektell .com) (phishing.rules)
2061156 - ET PHISHING Observed DNS Query to TA452 Domain (newroztelecom .digital) (phishing.rules)
2061157 - ET PHISHING Observed DNS Query to TA452 Domain (sharjahairport .cloud) (phishing.rules)
2061158 - ET PHISHING Observed DNS Query to TA452 Domain (speed-test .click) (phishing.rules)
2061159 - ET PHISHING Observed TA452 Domain (shj-connect .online in TLS SNI) (phishing.rules)
2061160 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .briansmallwood .com) (malware.rules)
2061161 - ET PHISHING Observed TA452 Domain (korektell .com in TLS SNI) (phishing.rules)
2061162 - ET PHISHING Observed TA452 Domain (newroztelecom .digital in TLS SNI) (phishing.rules)
2061163 - ET PHISHING Observed TA452 Domain (sharjahairport .cloud in TLS SNI) (phishing.rules)
2061164 - ET PHISHING Observed TA452 Domain (speed-test .click in TLS SNI) (phishing.rules)
2061165 - ET MALWARE Observed DNS Query to TA452 Domain (arthurshelby .click) (malware.rules)
2061166 - ET MALWARE Observed TA452 Domain (arthurshelby .click in TLS SNI) (malware.rules)
2061167 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .briansmallwood .com) (malware.rules)
2061168 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (iplantit .com) (exploit_kit.rules)
2061169 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (iplantit .com) (exploit_kit.rules)
2061170 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fjs95 .shop) (exploit_kit.rules)
2061171 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fjs95 .shop) (exploit_kit.rules)

Pro:

2860919 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2860920 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2860921 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2860922 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2860923 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2860924 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2860925 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2860926 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2860927 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2860928 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2860929 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2860930 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2860931 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2860932 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2860933 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2860934 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2860935 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2860936 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2860937 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2860938 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2860939 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2860940 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2860941 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2860942 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2860943 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2860944 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2860945 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2860946 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2860947 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2061094 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (javascripterhub .com) (exploit_kit.rules)
2061100 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (javascripterhub .com) (exploit_kit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/03/25 - v10890 Ruleset Updates	99	March 25, 2025
Ruleset Update Summary - 2025/03/11 - v10876 Ruleset Updates	102	March 11, 2025
Ruleset Update Summary - 2025/03/24 - v10889 Ruleset Updates	83	March 24, 2025
Ruleset Update Summary - 2024/08/16 - v10668 Ruleset Updates	100	August 16, 2024
Ruleset Update Summary - 2025/02/05 - v10853 Ruleset Updates	86	February 5, 2025

Ruleset Update Summary - 2025/03/27 - v10892

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics