Ruleset Update Summary - 2025/05/13 - v10926

rulesbot · May 13, 2025, 8:34pm

Summary:

40 new OPEN, 86 new PRO (40 + 46)

Thanks @msftsecurity

Added rules:

Open:

2062292 - ET INFO ObfusHTML Usage (info.rules)
2062293 - ET WEB_SPECIFIC_APPS F5 BIG-IP Authenticated Command Injection (CVE-2025-31644) (web_specific_apps.rules)
2062294 - ET WEB_SPECIFIC_APPS Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-7591) (web_specific_apps.rules)
2062295 - ET HUNTING PHP Serialize Object Injection M1 (hunting.rules)
2062296 - ET HUNTING PHP Serialize Object Injection M2 (hunting.rules)
2062297 - ET HUNTING PHP Serialize Object Injection M3 (hunting.rules)
2062298 - ET HUNTING PHP Serialize Object Injection M4 (hunting.rules)
2062299 - ET MALWARE Marbled Dust CnC Domain in DNS Lookup (wordinfos .com) (malware.rules)
2062300 - ET MALWARE Observed Marbled Dust CnC Domain (wordinfos .com in TLS SNI) (malware.rules)
2062301 - ET WEB_SPECIFIC_APPS Edimax N300 mp command Parameter Command Injection Attempt (CVE-2023-31983) (web_specific_apps.rules)
2062302 - ET WEB_SPECIFIC_APPS Totolink A3002R formIpv6Setup static_dns1/static_dns2 Parameter Buffer Overflow Attempt (CVE-2025-45867) (web_specific_apps.rules)
2062303 - ET INFO DYNAMIC_DNS Query to a *.innovativegovernance .com domain (info.rules)
2062304 - ET INFO DYNAMIC_DNS HTTP Request to a *.innovativegovernance .com domain (info.rules)
2062305 - ET INFO DYNAMIC_DNS Query to a *.wulabs .org domain (info.rules)
2062306 - ET INFO DYNAMIC_DNS HTTP Request to a *.wulabs .org domain (info.rules)
2062307 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (barmgek .digital) (malware.rules)
2062308 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (barmgek .digital) in TLS SNI (malware.rules)
2062309 - ET WEB_SPECIFIC_APPS Totolink A3002R formMapDel devicemac1 Parameter Command Injection Attempt (CVE-2025-45858) (web_specific_apps.rules)
2062310 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (meteorplyp .live) (malware.rules)
2062311 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (meteorplyp .live) in TLS SNI (malware.rules)
2062312 - ET WEB_SPECIFIC_APPS CraftCMS Pre-Auth Remote Code Execution (CVE-2025-32432) (web_specific_apps.rules)
2062313 - ET EXPLOIT NTLM Hash Disclosure via InternetShortcut File Inbound with UNC Path Inbound (CVE-2024-43451) (exploit.rules)
2062314 - ET WEB_SPECIFIC_APPS Totolink A3002R formDnsv6 routername Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2062315 - ET WEB_SPECIFIC_APPS Totolink A3002R formDnsv6 routername Parameter Buffer Overflow Attempt (web_specific_apps.rules)
2062316 - ET WEB_SPECIFIC_APPS Totolink A3002R formMapDelDevice bandstr/macstr Parameter Buffer Overflow Attempt (CVE-2025-45859) (web_specific_apps.rules)
2062317 - ET INFO Observed DNS Query to SuperOps RMM Domain (superops .ai) (info.rules)
2062318 - ET INFO Observed SuperOps RMM Domain (superops .ai in TLS SNI) (info.rules)
2062319 - ET WEB_SPECIFIC_APPS Totolink A3002R formDhcpv6s Multiple Parameters Buffer Overflow Attempt (CVE-2025-45864,2025-45866) (web_specific_apps.rules)
2062320 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (digiscap .com) (exploit_kit.rules)
2062321 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (digiscap .com) (exploit_kit.rules)
2062322 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (linhua97 .top) (exploit_kit.rules)
2062323 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (soap2dayfree .top) (exploit_kit.rules)
2062324 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (linhua97 .top) (exploit_kit.rules)
2062325 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (soap2dayfree .top) (exploit_kit.rules)
2062326 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (photoreport .roamdetail .com) (malware.rules)
2062327 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .roammco .com) (malware.rules)
2062328 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .oceandentalcare .com) (malware.rules)
2062329 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (photoreport .roamdetail .com) (malware.rules)
2062330 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .roammco .com) (malware.rules)
2062331 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .oceandentalcare .com) (malware.rules)

Pro:

2861650 - ETPRO EXPLOIT Microsoft Windows Web Threat Defense (WTD.sys) Unauthenticated Denial of Service (CVE-2025-29971) M1 (exploit.rules)
2861651 - ETPRO EXPLOIT Microsoft Windows Web Threat Defense (WTD.sys) Unauthenticated Denial of Service (CVE-2025-29971) M2 (exploit.rules)
2861652 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861653 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861654 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861655 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861656 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861657 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861658 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861659 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861660 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861661 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861662 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861663 - ETPRO MALWARE Observed DNS Query to UNK_MachoMan Domain (malware.rules)
2861664 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861665 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861666 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861667 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861668 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861669 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861670 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861671 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861672 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861673 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861674 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861675 - ETPRO MALWARE Observed UNK_MachoMan Domain in TLS SNI (malware.rules)
2861676 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861677 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861678 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861679 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861680 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861681 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861682 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861684 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861685 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861686 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861687 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861688 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861689 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861690 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861691 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861692 - ETPRO MALWARE Observed DNS Query to ScreenConnect Domain (malware.rules)
2861693 - ETPRO MALWARE Observed ScreenConnect Domain in TLS SNI (malware.rules)
2861694 - ETPRO EXPLOIT_KIT Observed DNS Query to Compromised Domain (exploit_kit.rules)
2861695 - ETPRO EXPLOIT_KIT Observed Compromised Domain Domain in TLS SNI (exploit_kit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/03 - v10498 Ruleset Updates	295	January 3, 2024
Ruleset Update Summary - 2023/04/20 - v10303 Ruleset Updates	341	April 20, 2023
Ruleset Update Summary - 2023/05/02 - v10313 Ruleset Updates	450	May 2, 2023
Ruleset Update Summary - 2023/04/18 - v10300 Ruleset Updates	330	April 18, 2023
Ruleset Update Summary - 2024/12/01 - v10768 Ruleset Updates	40	December 1, 2024

Ruleset Update Summary - 2025/05/13 - v10926

Summary:

Added rules:

Open:

Pro:

Related topics