Ruleset Update Summary - 2025/05/30 - v10937

Ruleset Updates
1

Summary:

34 new OPEN, 37 new PRO (34 + 3)

Added rules:

Open:

  • 2062633 - ET INFO Observed Event Log Information From Internal Host Over UDP (info.rules)
  • 2062634 - ET INFO Observed netstat Output From Internal Host Over UDP (info.rules)
  • 2062635 - ET INFO Observed netsh advfirewall Output From Internal Host Over UDP (info.rules)
  • 2062636 - ET INFO Observed net user Output From Internal Host Over UDP (info.rules)
  • 2062637 - ET INFO Observed tasklist Output From Internal Host Over UDP (info.rules)
  • 2062638 - ET INFO Observed net localgroup Output From Internal Host Over UDP (info.rules)
  • 2062639 - ET INFO Observed dir Command via Inbound ICMP (info.rules)
  • 2062640 - ET INFO Observed ipconfig Command via Inbound ICMP (info.rules)
  • 2062641 - ET INFO Observed netstat Command via Inbound ICMP (info.rules)
  • 2062642 - ET INFO Observed tasklist Command via Inbound ICMP (info.rules)
  • 2062643 - ET INFO Observed powershell Command via Inbound ICMP (info.rules)
  • 2062644 - ET MALWARE ICMP-GOSH Magic Bytes via ICMP Error (malware.rules)
  • 2062645 - ET INFO DYNAMIC_DNS Query to a *.readymindit .com domain (info.rules)
  • 2062646 - ET INFO DYNAMIC_DNS HTTP Request to a *.readymindit .com domain (info.rules)
  • 2062647 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (anichind .com) (exploit_kit.rules)
  • 2062648 - ET EXPLOIT_KIT LandUpdate808 Domain (anichind .com) in TLS SNI (exploit_kit.rules)
  • 2062649 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brefif .run) (malware.rules)
  • 2062650 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brefif .run) in TLS SNI (malware.rules)
  • 2062651 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (majlkj .live) (malware.rules)
  • 2062652 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (majlkj .live) in TLS SNI (malware.rules)
  • 2062653 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thundeqqbw .bet) (malware.rules)
  • 2062654 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thundeqqbw .bet) in TLS SNI (malware.rules)
  • 2062655 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (makeyrlo .top) (malware.rules)
  • 2062656 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (makeyrlo .top in TLS SNI) (malware.rules)
  • 2062657 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racueu .run) (malware.rules)
  • 2062658 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racueu .run in TLS SNI) (malware.rules)
  • 2062659 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stockyslam .top) (malware.rules)
  • 2062660 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stockyslam .top in TLS SNI) (malware.rules)
  • 2062661 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (3dmaine .com) (exploit_kit.rules)
  • 2062662 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kanshuwang .top) (exploit_kit.rules)
  • 2062663 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (3dmaine .com) (exploit_kit.rules)
  • 2062664 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kanshuwang .top) (exploit_kit.rules)
  • 2062665 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .help4dad .org) (malware.rules)
  • 2062666 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .help4dad .org) (malware.rules)

Pro:

  • 2862006 - ETPRO PHISHING TA453 Phish Landing Page M2 2025-05-30 (phishing.rules)
  • 2862014 - ETPRO HUNTING Exploit Hunting - CL.TE HTTP Request Smuggling Attempt (hunting.rules)
  • 2862015 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)