Ruleset Update Summary - 2025/05/06 - v10921

Summary:

19 new OPEN, 27 new PRO (19 + 8)

Thanks @msftsecurity


Added rules:

Open:

  • 2062126 - ET INFO Teleport Service Domain (teleport .sh) in DNS Lookup (info.rules)
  • 2062127 - ET INFO Teleport Service Domain (teleport .dev) in DNS Lookup (info.rules)
  • 2062128 - ET INFO Teleport Service Domain (goteleport .com) in DNS Lookup (info.rules)
  • 2062129 - ET INFO Observed Teleport Service Domain (teleport .sh) in TLS SNI (info.rules)
  • 2062130 - ET INFO Observed Teleport Service Domain (teleport .dev) in TLS SNI (info.rules)
  • 2062131 - ET INFO Observed Teleport Service Domain (goteleport .com) in TLS SNI (info.rules)
  • 2062132 - ET MALWARE Observed DNS Query to MeshAgent Domain (mesh .i .nsat .ca) (malware.rules)
  • 2062133 - ET MALWARE Observed MeshAgent Domain (mesh .i .nsat .ca in TLS SNI) (malware.rules)
  • 2062134 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hackergala .digital) (malware.rules)
  • 2062135 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hackergala .digital) in TLS SNI (malware.rules)
  • 2062136 - ET WEB_SPECIFIC_APPS Samsung MagicINFO SWUpdateFileUploader fileName parameter Directory Traversal Attempt (CVE-2024-7399) (web_specific_apps.rules)
  • 2062137 - ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt (CVE-2023-52163) (web_specific_apps.rules)
  • 2062138 - ET MALWARE Observed DNS Query to BlackByte Ransomware Domain (myvisit .alteksecurity .org) (malware.rules)
  • 2062139 - ET MALWARE Observed BlackByte Domain (myvisit .alteksecurity .org in TLS SNI) (malware.rules)
  • 2062140 - ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2062141 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (anncrman .com) (exploit_kit.rules)
  • 2062142 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (anncrman .com) (exploit_kit.rules)
  • 2062143 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (email .gwlawgroupattorneys .com) (malware.rules)
  • 2062144 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (email .gwlawgroupattorneys .com) (malware.rules)

Pro:

  • 2861581 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861582 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861583 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861584 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861585 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861586 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861587 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861588 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2861353 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861354 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861355 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861356 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861357 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861358 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861359 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861360 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861361 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861362 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861363 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861364 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861365 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861367 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861511 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2861512 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)