Ruleset Update Summary - 2025/09/08 - v11010

Summary:

92 new OPEN, 135 new PRO (92 + 43)

Thanks @naumovax

Added rules:

Open:

  • 2064403 - ET MALWARE TA415 CnC Host Profile Exfiltration (POST) (malware.rules)
  • 2064404 - ET INFO DYNAMIC_DNS Query to a *.krahl .com .br domain (info.rules)
  • 2064405 - ET INFO DYNAMIC_DNS HTTP Request to a *.krahl .com .br domain (info.rules)
  • 2064406 - ET INFO DYNAMIC_DNS Query to a *.itsec-ro .ro domain (info.rules)
  • 2064407 - ET INFO DYNAMIC_DNS HTTP Request to a *.itsec-ro .ro domain (info.rules)
  • 2064408 - ET INFO DYNAMIC_DNS Query to a *.kredytlinia .pl domain (info.rules)
  • 2064409 - ET INFO DYNAMIC_DNS HTTP Request to a *.kredytlinia .pl domain (info.rules)
  • 2064410 - ET INFO DYNAMIC_DNS Query to a *.odino .com .ar domain (info.rules)
  • 2064411 - ET INFO DYNAMIC_DNS HTTP Request to a *.odino .com .ar domain (info.rules)
  • 2064412 - ET INFO DYNAMIC_DNS Query to a *.bijaykandel .com .np domain (info.rules)
  • 2064413 - ET INFO DYNAMIC_DNS HTTP Request to a *.bijaykandel .com .np domain (info.rules)
  • 2064414 - ET INFO DYNAMIC_DNS Query to a *.rootcop .info domain (info.rules)
  • 2064415 - ET INFO DYNAMIC_DNS HTTP Request to a *.rootcop .info domain (info.rules)
  • 2064416 - ET INFO DYNAMIC_DNS Query to a *.sensibleinvesting .com .au domain (info.rules)
  • 2064417 - ET INFO DYNAMIC_DNS HTTP Request to a *.sensibleinvesting .com .au domain (info.rules)
  • 2064418 - ET INFO DYNAMIC_DNS Query to a *.truckoccasion .ch domain (info.rules)
  • 2064419 - ET INFO DYNAMIC_DNS HTTP Request to a *.truckoccasion .ch domain (info.rules)
  • 2064420 - ET INFO DYNAMIC_DNS Query to a *.repuestoslibertad .cl domain (info.rules)
  • 2064421 - ET INFO DYNAMIC_DNS HTTP Request to a *.repuestoslibertad .cl domain (info.rules)
  • 2064422 - ET INFO DYNAMIC_DNS Query to a *.skamaria .com domain (info.rules)
  • 2064423 - ET INFO DYNAMIC_DNS HTTP Request to a *.skamaria .com domain (info.rules)
  • 2064424 - ET INFO DYNAMIC_DNS Query to a *.mvle .com .ar domain (info.rules)
  • 2064425 - ET INFO DYNAMIC_DNS HTTP Request to a *.mvle .com .ar domain (info.rules)
  • 2064426 - ET INFO DYNAMIC_DNS Query to a *.escribaniarusso .com .ar domain (info.rules)
  • 2064427 - ET INFO DYNAMIC_DNS HTTP Request to a *.escribaniarusso .com .ar domain (info.rules)
  • 2064428 - ET INFO DYNAMIC_DNS Query to a *.mycrossfire .net domain (info.rules)
  • 2064429 - ET INFO DYNAMIC_DNS HTTP Request to a *.mycrossfire .net domain (info.rules)
  • 2064430 - ET INFO DYNAMIC_DNS Query to a *.warhawkenterprises .com domain (info.rules)
  • 2064431 - ET INFO DYNAMIC_DNS HTTP Request to a *.warhawkenterprises .com domain (info.rules)
  • 2064432 - ET INFO DYNAMIC_DNS Query to a *.malmo .cl domain (info.rules)
  • 2064433 - ET INFO DYNAMIC_DNS HTTP Request to a *.malmo .cl domain (info.rules)
  • 2064434 - ET INFO DYNAMIC_DNS Query to a *.esal .cl domain (info.rules)
  • 2064435 - ET INFO DYNAMIC_DNS HTTP Request to a *.esal .cl domain (info.rules)
  • 2064436 - ET INFO DYNAMIC_DNS Query to a *.delcarmen .cl domain (info.rules)
  • 2064437 - ET INFO DYNAMIC_DNS HTTP Request to a *.delcarmen .cl domain (info.rules)
  • 2064438 - ET INFO DYNAMIC_DNS Query to a *.ocxpressit .com domain (info.rules)
  • 2064439 - ET INFO DYNAMIC_DNS HTTP Request to a *.ocxpressit .com domain (info.rules)
  • 2064440 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dubznetwork .com) (malware.rules)
  • 2064441 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dubznetwork .com) in TLS SNI (malware.rules)
  • 2064442 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trichcd .bet) (malware.rules)
  • 2064443 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trichcd .bet) in TLS SNI (malware.rules)
  • 2064444 - ET INFO DYNAMIC_DNS Query to a *.stockcity .ru domain (info.rules)
  • 2064445 - ET INFO DYNAMIC_DNS HTTP Request to a *.stockcity .ru domain (info.rules)
  • 2064446 - ET INFO DYNAMIC_DNS Query to a *.skam .co domain (info.rules)
  • 2064447 - ET INFO DYNAMIC_DNS HTTP Request to a *.skam .co domain (info.rules)
  • 2064448 - ET INFO DYNAMIC_DNS Query to a *.start168 .com domain (info.rules)
  • 2064449 - ET INFO DYNAMIC_DNS HTTP Request to a *.start168 .com domain (info.rules)
  • 2064450 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .destroythebrainonline .com) (malware.rules)
  • 2064451 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .destroythebrainonline .com) (malware.rules)
  • 2064452 - ET MALWARE Kimsuky/TA406 Payload Request (GET) (malware.rules)
  • 2064453 - ET MALWARE Observed DNS Query to Kimsuky/TA406 Domain (iuh234 .medianewsonline .com) (malware.rules)
  • 2064454 - ET MALWARE Observed Kimsuky/TA406 Domain (iuh234 .medianewsonline .com in TLS SNI) (malware.rules)
  • 2064455 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (falsapa .qpon) (malware.rules)
  • 2064456 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (falsapa .qpon in TLS SNI) (malware.rules)
  • 2064457 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tetrwoo .asia) (malware.rules)
  • 2064458 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tetrwoo .asia in TLS SNI) (malware.rules)
  • 2064459 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (figueqhk .xin) (malware.rules)
  • 2064460 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (figueqhk .xin in TLS SNI) (malware.rules)
  • 2064461 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hffiahz .asia) (malware.rules)
  • 2064462 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hffiahz .asia in TLS SNI) (malware.rules)
  • 2064463 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (plataukz .xin) (malware.rules)
  • 2064464 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (plataukz .xin in TLS SNI) (malware.rules)
  • 2064465 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sprimvd .my) (malware.rules)
  • 2064466 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sprimvd .my in TLS SNI) (malware.rules)
  • 2064467 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (renohhde .xin) (malware.rules)
  • 2064468 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (renohhde .xin in TLS SNI) (malware.rules)
  • 2064469 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lithfzx .my) (malware.rules)
  • 2064470 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lithfzx .my in TLS SNI) (malware.rules)
  • 2064471 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (titlexy .my) (malware.rules)
  • 2064472 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (titlexy .my in TLS SNI) (malware.rules)
  • 2064473 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bluyypff .xyz) (malware.rules)
  • 2064474 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bluyypff .xyz in TLS SNI) (malware.rules)
  • 2064475 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diadtuky .su) (malware.rules)
  • 2064476 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (diadtuky .su in TLS SNI) (malware.rules)
  • 2064477 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sirhirssg .su) (malware.rules)
  • 2064478 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sirhirssg .su in TLS SNI) (malware.rules)
  • 2064479 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prebwle .su) (malware.rules)
  • 2064480 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (prebwle .su in TLS SNI) (malware.rules)
  • 2064481 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rhussois .su) (malware.rules)
  • 2064482 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rhussois .su in TLS SNI) (malware.rules)
  • 2064483 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (todoexy .su) (malware.rules)
  • 2064484 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (todoexy .su in TLS SNI) (malware.rules)
  • 2064485 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (acrislegt .su) (malware.rules)
  • 2064486 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (acrislegt .su in TLS SNI) (malware.rules)
  • 2064487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (averiryvx .su) (malware.rules)
  • 2064488 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (averiryvx .su in TLS SNI) (malware.rules)
  • 2064489 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cerasatvf .su) (malware.rules)
  • 2064490 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cerasatvf .su in TLS SNI) (malware.rules)
  • 2064491 - ET INFO Anonymous Domain Registrar CnC Domain in DNS Lookup (*. njalla .net) (info.rules)
  • 2064492 - ET INFO Observed Anonymous Domain Registrar Domain (* .njalla .net in TLS SNI) (info.rules)
  • 2064493 - ET MALWARE Betruger CnC Domain in DNS Lookup (504ec1c95 .host .njalla .net) (malware.rules)
  • 2064494 - ET MALWARE Observed Betruger Domain (504ec1c95 .host .njalla .net in TLS SNI) (malware.rules)

Pro:

  • 2864482 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864483 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864484 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864485 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864486 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864487 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864488 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864489 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864490 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864491 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864492 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864493 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864494 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864495 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864496 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864497 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864498 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864499 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864500 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864501 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864502 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864503 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864504 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864505 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864506 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864507 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864508 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864509 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864510 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864511 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864512 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864513 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864514 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864515 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864516 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864517 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864518 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864519 - ETPRO MALWARE LandUpdate808 CnC Checkin (POST) (malware.rules)
  • 2864520 - ETPRO MALWARE LandUpdate808 CnC Exfil (POST) (malware.rules)
  • 2864521 - ETPRO MALWARE Rhadamanthys CnC Domain in DNS Lookup (malware.rules)
  • 2864522 - ETPRO MALWARE Observed Rhadamanthys CnC Domain in TLS SNI (malware.rules)
  • 2864523 - ETPRO MALWARE Observed Rhadamanthys CnC Domain in TLS SNI (malware.rules)
  • 2864524 - ETPRO MALWARE Rhadamanthys CnC Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2033879 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033880 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
  • 2033908 - ET MALWARE Maldoc OneDrive Download Activity (GET) (malware.rules)
  • 2033913 - ET MALWARE Win32/Mingloa CnC Checkin (malware.rules)
  • 2033932 - ET MALWARE MSIL/Black Hat Worm Server Response (malware.rules)
  • 2033937 - ET MALWARE Sidewalk CnC Checkin (malware.rules)
  • 2033981 - ET MALWARE Gamaredon Maldoc Activity (GET) (malware.rules)
  • 2033987 - ET MALWARE APT/Bitter Maldoc Activity (malware.rules)
  • 2034020 - ET MALWARE JS/Spy.Agent.AW Download (malware.rules)
  • 2034039 - ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET) (malware.rules)
  • 2034048 - ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET) (malware.rules)
  • 2034083 - ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil (malware.rules)
  • 2034087 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2034088 - ET MALWARE ELF/MachO.Netwire Connectivity Check (malware.rules)
  • 2034094 - ET INFO HTTP/2 Traffic (SET) (info.rules)
  • 2034097 - ET HUNTING Observed AutoDesk Domain in TLS SNI (autodesk360 .com) (hunting.rules)
  • 2034099 - ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI) (malware.rules)
  • 2034100 - ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI) (malware.rules)
  • 2034113 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
  • 2034114 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
  • 2034119 - ET MALWARE W32.Tomiris C2 (init) (malware.rules)
  • 2034140 - ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI) (malware.rules)
  • 2034141 - ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI) (malware.rules)
  • 2034142 - ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI) (malware.rules)
  • 2034143 - ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI) (malware.rules)
  • 2034147 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2034156 - ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET) (malware.rules)
  • 2034157 - ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET) (malware.rules)
  • 2034171 - ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager) (malware.rules)
  • 2034189 - ET PHISHING Possible Generic Phishkit Landing Page M1 (phishing.rules)
  • 2034192 - ET MALWARE Win32/Spy.Socelars.S CnC Activity M3 (malware.rules)
  • 2034199 - ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616) (exploit.rules)
  • 2034200 - ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound (CVE-2020-28188) (exploit.rules)
  • 2034212 - ET INFO Outbound .png HTTP GET flowbit set (info.rules)
  • 2034214 - ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC) (malware.rules)
  • 2034215 - ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC) (malware.rules)
  • 2034216 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
  • 2034217 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
  • 2034218 - ET MALWARE IcedID CnC Domain in SSL/TLS SNI (malware.rules)
  • 2034221 - ET MALWARE Maldoc Activity (GET) (malware.rules)
  • 2034228 - ET INFO Fake AppleWebKit User-Agent Version Number Observed (info.rules)
  • 2034230 - ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1 (malware.rules)
  • 2034231 - ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2 (malware.rules)
  • 2034234 - ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21) (phishing.rules)
  • 2034285 - ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI) (malware.rules)
  • 2034286 - ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live) (malware.rules)
  • 2034287 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
  • 2034288 - ET MALWARE Win32/Sabsik Config Downloader (malware.rules)
  • 2034293 - ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M1 (malware.rules)
  • 2034294 - ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M2 (malware.rules)
  • 2034305 - ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands) (malware.rules)
  • 2034306 - ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information) (malware.rules)
  • 2034307 - ET MALWARE Fake Google Chrome Notifications Installer (malware.rules)
  • 2034317 - ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com) (malware.rules)
  • 2034334 - ET MALWARE APT-C-59 Related Domain in DNS Lookup (malware.rules)
  • 2034338 - ET MALWARE Downloaded .bat Disables Windows Defender (malware.rules)
  • 2034339 - ET MALWARE Downloaded .bat Disables Real Time Monitoring (malware.rules)
  • 2034349 - ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com) (mobile_malware.rules)
  • 2034350 - ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net) (malware.rules)
  • 2034351 - ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net) (malware.rules)
  • 2034354 - ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability (exploit.rules)
  • 2034356 - ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital) (malware.rules)
  • 2034357 - ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital) (malware.rules)
  • 2034359 - ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1 (malware.rules)
  • 2034360 - ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2 (malware.rules)
  • 2034391 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital) (malware.rules)
  • 2034393 - ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI) (malware.rules)
  • 2034395 - ET MALWARE Downloaded Script Disables Firewall/Antivirus (malware.rules)
  • 2034396 - ET MALWARE WBK Download from dotted-quad Host (malware.rules)
  • 2034398 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app) (malware.rules)
  • 2034399 - ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz) (malware.rules)
  • 2034400 - ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI) (malware.rules)
  • 2034401 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech) (malware.rules)
  • 2034403 - ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com) (malware.rules)
  • 2034405 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg) (malware.rules)
  • 2034406 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech) (malware.rules)
  • 2034407 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud) (malware.rules)
  • 2034408 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech) (malware.rules)
  • 2034409 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com) (malware.rules)
  • 2034410 - ET MALWARE LNK/Agent.GX CnC Traffic (malware.rules)
  • 2034437 - ET MALWARE Win32/Trojan.Nymeria CnC (malware.rules)
  • 2034441 - ET MALWARE Observed Compromised Domain (cryptoarenastore .com in TLS SNI) (2021-11-12) (malware.rules)
  • 2034442 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1 (malware.rules)
  • 2034443 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2 (malware.rules)
  • 2034444 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3 (malware.rules)
  • 2034445 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4 (malware.rules)
  • 2034446 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5 (malware.rules)
  • 2034447 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6 (malware.rules)
  • 2034448 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7 (malware.rules)
  • 2034449 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8 (malware.rules)
  • 2034450 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9 (malware.rules)
  • 2034451 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10 (malware.rules)
  • 2034452 - ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19 (malware.rules)
  • 2034464 - ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01 (malware.rules)
  • 2034471 - ET MALWARE Danabot Associated Activity (GET) (malware.rules)
  • 2034473 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com) (malware.rules)
  • 2034475 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2034479 - ET MALWARE ABCbot CnC Instruction (stop) (malware.rules)
  • 2034481 - ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound (exploit.rules)
  • 2034482 - ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound (exploit.rules)
  • 2034483 - ET MALWARE ABCbot CnC Exfil (malware.rules)
  • 2034484 - ET MALWARE ABCbot CnC Instruction (syn) (malware.rules)
  • 2034485 - ET MALWARE ABCbot CnC Instruction (dns) (malware.rules)
  • 2034486 - ET MALWARE ABCbot CnC Instruction (bigudp) (malware.rules)
  • 2034499 - ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math (attack_response.rules)
  • 2034533 - ET MALWARE Dridex Dotted Quad CnC Request (flowbit set) (malware.rules)
  • 2034534 - ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module (malware.rules)
  • 2034560 - ET MALWARE Kimsuky Related Activity Sending Windows Information (POST) (malware.rules)
  • 2034626 - ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204) (exploit.rules)
  • 2034631 - ET MALWARE Maldoc Activity (set) (malware.rules)
  • 2034632 - ET MALWARE Maldoc Retrieving Binary (malware.rules)
  • 2034645 - ET MALWARE APT15/NICKEL Related CnC Activity (POST) (malware.rules)
  • 2034670 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com) (attack_response.rules)
  • 2034683 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
  • 2034684 - ET MALWARE Linux/Tsunami Remote Shell M1 (malware.rules)
  • 2034685 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
  • 2034686 - ET MALWARE Linux/Tsunami Remote Shell M2 (malware.rules)
  • 2034739 - ET MALWARE DCRat CnC Activity M11 (malware.rules)
  • 2034740 - ET MALWARE DCRat CnC Activity M12 (malware.rules)
  • 2034741 - ET MALWARE DCRat CnC Activity M13 (malware.rules)
  • 2034752 - ET MALWARE Win32/BazarLoader Activity (GET) (malware.rules)
  • 2034757 - ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034833 - ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup (malware.rules)
  • 2034838 - ET SCAN WordPress HelloThinkCMF Scan (scan.rules)
  • 2034857 - ET HUNTING RDP Authentication Bypass Attempt (hunting.rules)
  • 2034875 - ET MALWARE Maldoc Retrieving Remote Template (GET) (malware.rules)
  • 2034880 - ET MALWARE Quasar CnC Domain in DNS Lookup (malware.rules)
  • 2034904 - ET MALWARE TellYouThePass Ransomware Checkin Activity (GET) (malware.rules)
  • 2034910 - ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup (mobile_malware.rules)
  • 2034914 - ET EXPLOIT Windows Defender POWERLIKS Detection Bypass (exploit.rules)
  • 2034961 - ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563) (exploit.rules)
  • 2034962 - ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST) (malware.rules)
  • 2034970 - ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038) (exploit.rules)
  • 2034982 - ET MALWARE Win32/ClipBanker.OC CnC Activity M1 (malware.rules)
  • 2034983 - ET MALWARE Win32/ClipBanker.OC CnC Activity M2 (malware.rules)
  • 2035006 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2035007 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2035118 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035171 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035214 - ET PHISHING Successful Monzo Credential Phish M3 2022-02-17 (phishing.rules)
  • 2036551 - ET HUNTING Suspicious HTTP Connection Header Observed (hunting.rules)
  • 2849840 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2849846 - ETPRO MALWARE Win32/Agent.mytwin CnC Command Inbound (malware.rules)
  • 2849850 - ETPRO ATTACK_RESPONSE Obfuscated Char/Byte Concatenation PowerShell Inbound M1 (attack_response.rules)
  • 2849854 - ETPRO HUNTING PowerShell String Concatenation Payload Inbound M1 (hunting.rules)
  • 2849858 - ETPRO MALWARE Win32/Syndicasec CnC Activity - JavaScript Command Decoder Observed (malware.rules)
  • 2849956 - ETPRO MALWARE TeamTNT Chimaera Checkin (malware.rules)
  • 2850006 - ETPRO MALWARE MSIL/ClipBanker.QS CnC Checkin (malware.rules)
  • 2850007 - ETPRO MALWARE Observed Malicious SSL Cert (Acme Co) (malware.rules)
  • 2850031 - ETPRO EXPLOIT VMWare vCenter - Server Responded to Request For Path Vulnerable to RCE (CVE-2021-22005) (exploit.rules)
  • 2850032 - ETPRO MALWARE MSIL/TrojanDownloader.Agent.IUJ User-Agent (malware.rules)
  • 2850036 - ETPRO MALWARE BazaLoader Activity (GET) (malware.rules)
  • 2850038 - ETPRO MALWARE BazaLoader Activity M2 (GET) (malware.rules)
  • 2850039 - ETPRO MALWARE BazaLoader Activity (POST) (malware.rules)
  • 2850053 - ETPRO PHISHING Successful Generic Phish Hosted at pythonanywhere .com 2021-09-27 (phishing.rules)
  • 2850057 - ETPRO MALWARE Unk.MalDoc/PowerShell Loader CnC Checkin (malware.rules)
  • 2850087 - ETPRO MALWARE Win32/VERTEX Stealer CnC Activity (GET) (malware.rules)
  • 2850089 - ETPRO PHISHING BulletProofLink Form POST M2 (phishing.rules)
  • 2850103 - ETPRO MALWARE MalDoc Reporting Infection 2021-10-04 (malware.rules)
  • 2850115 - ETPRO MALWARE Trojan:Script/Wacatac Download (malware.rules)
  • 2850116 - ETPRO MALWARE Trojan:Script/Wacatac Download (malware.rules)
  • 2850117 - ETPRO PHISHING Possible PancakeSwap Cred Phishing POST (phishing.rules)
  • 2850145 - ETPRO PHISHING Successful Generic Submission of Email (phishing.rules)
  • 2850146 - ETPRO PHISHING Generic Redirect to Password Form (phishing.rules)
  • 2850147 - ETPRO PHISHING Generic Password Form M1 (phishing.rules)
  • 2850148 - ETPRO PHISHING Successful Generic Credential Phish POST M1 (phishing.rules)
  • 2850150 - ETPRO PHISHING Successful Generic Credential Phish POST M2 (phishing.rules)
  • 2850159 - ETPRO EXPLOIT Possible Adobe Acrobat JOBOPTIONS File Parsing Out of Bounds Write Inbound M1 (CVE-2019-7111) (exploit.rules)
  • 2850266 - ETPRO HUNTING Suspicious Cookie [jOWL] (hunting.rules)
  • 2850279 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)
  • 2850280 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)
  • 2850292 - ETPRO MALWARE MSIL/TrojanDownloader.Age CnC Activity (malware.rules)
  • 2850333 - ETPRO MALWARE Powershell.WC Octopus Backdoor Activity (View) (malware.rules)
  • 2850350 - ETPRO MALWARE MSIL/Agent.DPU Reverse Shell M3 (malware.rules)
  • 2850355 - ETPRO POLICY Android Device Connectivity Check (policy.rules)
  • 2850424 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M1) (malware.rules)
  • 2850425 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M2) (malware.rules)
  • 2850426 - ETPRO MALWARE Unknown Spambot - Russian Language Targeting (Outbound Spam Template 1 - Email Body M3) (malware.rules)
  • 2850455 - ETPRO INFO URL Shortener Service Domain in DNS Lookup (info.rules)
  • 2850486 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (malware.rules)
  • 2850487 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (malware.rules)
  • 2850533 - ETPRO INFO Brandfetch API Usage for Custom Logo M1 (info.rules)
  • 2850534 - ETPRO INFO Brandfetch API Usage for Custom Logo M2 (info.rules)
  • 2850551 - ETPRO MALWARE TeerDl CnC Exfil (malware.rules)
  • 2850552 - ETPRO MALWARE Observed Malicious SSL Cert (TeerD1) (malware.rules)
  • 2850558 - ETPRO MALWARE PowerShell/MSF Stager Inbound (malware.rules)
  • 2850576 - ETPRO MALWARE WIRTE APT Group Activity (malware.rules)
  • 2850598 - ETPRO MALWARE Ettersilent MalDoc C2 Beacon (malware.rules)
  • 2850613 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (ve3xtest) (malware.rules)
  • 2850614 - ETPRO MALWARE Win32/Lmbmiad Downloader (.cmd) (malware.rules)
  • 2850615 - ETPRO MALWARE Win32/Lmbmiad Downloader (.dll) (malware.rules)
  • 2850616 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (noandk) (malware.rules)
  • 2850617 - ETPRO MALWARE Win32/Lmbmiad Downloader (.ps1) (malware.rules)
  • 2850647 - ETPRO MALWARE Win32/Lmbmiad .ps1 Backdoor (malware.rules)
  • 2850657 - ETPRO MALWARE Valyria Maldoc/BazarLoader Activity (GET) (malware.rules)
  • 2850671 - ETPRO MALWARE Valyria CnC Activity (GET) (malware.rules)
  • 2850704 - ETPRO MALWARE Loozer Stealer Activity M6 (malware.rules)
  • 2850800 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2850831 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2850838 - ETPRO MALWARE DCRAT CnC Activity (GET) (malware.rules)
  • 2850839 - ETPRO MALWARE DCRAT CnC Response (malware.rules)
  • 2850853 - ETPRO MALWARE Trojan:Win32/Wacatac Payload Download (malware.rules)
  • 2850865 - ETPRO MALWARE VBS/CageyChameleon CnC Beacon (malware.rules)
  • 2850869 - ETPRO MALWARE Win32/Vulturi CnC Activity (POST) (malware.rules)
  • 2850871 - ETPRO MALWARE Win32/Spy.Banker CnC Exfil (POST) (malware.rules)
  • 2850896 - ETPRO PHISHING Successful nic.in Phish 2022-01-20 (phishing.rules)
  • 2850940 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)
  • 2850941 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)

Disabled and modified rules:

  • 2064340 - ET INFO Observed RMM Domain in DNS Lookup (mdmsupport .comodo .com) (info.rules)
  • 2064343 - ET INFO Observed RMM Domain in TLS SNI (mdmsupport .comodo .com) (info.rules)

Removed rules:

  • 2864414 - ETPRO MALWARE TA415 CnC Host Profile Exfiltration (POST) (malware.rules)