Ruleset Update Summary - 2025/09/09 - v11011

rulesbot · September 9, 2025, 8:42pm

Summary:

25 new OPEN, 41 new PRO (25 + 16)

Added rules:

Open:

2064495 - ET INFO DYNAMIC_DNS Query to a *.rileytree .org domain (info.rules)
2064496 - ET INFO DYNAMIC_DNS HTTP Request to a *.rileytree .org domain (info.rules)
2064497 - ET INFO DYNAMIC_DNS Query to a *.lawson-engineers .co .uk domain (info.rules)
2064498 - ET INFO DYNAMIC_DNS HTTP Request to a *.lawson-engineers .co .uk domain (info.rules)
2064499 - ET INFO DYNAMIC_DNS Query to a *.elliott .ca domain (info.rules)
2064500 - ET INFO DYNAMIC_DNS HTTP Request to a *.elliott .ca domain (info.rules)
2064501 - ET INFO DYNAMIC_DNS Query to a *.dmdistribution .net domain (info.rules)
2064502 - ET INFO DYNAMIC_DNS HTTP Request to a *.dmdistribution .net domain (info.rules)
2064503 - ET INFO DYNAMIC_DNS Query to a *.lodgegomantak .org domain (info.rules)
2064504 - ET INFO DYNAMIC_DNS HTTP Request to a *.lodgegomantak .org domain (info.rules)
2064505 - ET INFO DYNAMIC_DNS Query to a *.hollandweather .net domain (info.rules)
2064506 - ET INFO DYNAMIC_DNS HTTP Request to a *.hollandweather .net domain (info.rules)
2064507 - ET INFO DYNAMIC_DNS Query to a *.copyprint .com .ar domain (info.rules)
2064508 - ET INFO DYNAMIC_DNS HTTP Request to a *.copyprint .com .ar domain (info.rules)
2064509 - ET INFO DYNAMIC_DNS Query to a *.jmmipequenomundo .com .ar domain (info.rules)
2064510 - ET INFO DYNAMIC_DNS HTTP Request to a *.jmmipequenomundo .com .ar domain (info.rules)
2064511 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ffclive .com) (exploit_kit.rules)
2064512 - ET EXPLOIT_KIT LandUpdate808 Domain (ffclive .com) in TLS SNI (exploit_kit.rules)
2064513 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leafleg .qpon) (malware.rules)
2064514 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (leafleg .qpon) in TLS SNI (malware.rules)
2064515 - ET MALWARE LimeRAT Exfiltrating RDP Credentials via Telegram (malware.rules)
2064516 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (order .assuredpestcontrolutah .com) (malware.rules)
2064517 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (order .assuredpestcontrolutah .com) (malware.rules)
2064518 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in DNS Lookup (meshsorterio .com) (exploit_kit.rules)
2064519 - ET EXPLOIT_KIT Malicious TA2727 TDS Domain in TLS SNI (meshsorterio .com) (exploit_kit.rules)

Pro:

2864525 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2864526 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2864527 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2864528 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2864529 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2864530 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2864531 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2864532 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2864533 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2864534 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2864535 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2864536 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2864537 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2864538 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2864539 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2864540 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

2033689 - ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M4 (mobile_malware.rules)
2033690 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033691 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033692 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033693 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033694 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033695 - ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup (malware.rules)
2033774 - ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI) (malware.rules)
2033816 - ET MALWARE Javascript Click and Removal of Download Element (malware.rules)
2033844 - ET INFO Suspicious Shellcode Request (info.rules)
2033870 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033871 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033872 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033873 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033874 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033875 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033876 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033878 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033881 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033882 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033883 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033884 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033885 - ET MALWARE Magecart CnC Domain in DNS Lookup (malware.rules)
2033998 - ET INFO Outdated Browser Landing Page M3 (info.rules)
2849383 - ETPRO POLICY DCERPC ncacn_np LSASS Bind_ack (flowbit set) (policy.rules)
2849384 - ETPRO POLICY DCERPC ncacn_np EFSR Bind_ack (flowbit set) (policy.rules)
2849385 - ETPRO POLICY DCERPC ncacn_np LSARPC Bind_ack (flowbit set) (policy.rules)
2849386 - ETPRO POLICY DCERPC ncacn_np SAMR Bind_ack (flowbit set) (policy.rules)
2849387 - ETPRO POLICY DCERPC ncacn_np NETLOGON Bind_ack (flowbit set) (policy.rules)
2849388 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M1 (policy.rules)
2849389 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M2 (policy.rules)
2849391 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_ip_tcp] EfsRpcOpenFileRaw M4 (policy.rules)
2849393 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M1 (policy.rules)
2849394 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M2 (policy.rules)
2849395 - ETPRO POLICY [MS-EFSR] Microsoft Encrypting File System Remote Protocol Activity - [ncacn_np] EfsRpcOpenFileRaw M3 (policy.rules)
2849398 - ETPRO POLICY DCERPC ncacn_ip_tcp LSASS Bind_ack (flowbit set) (policy.rules)
2849399 - ETPRO POLICY DCERPC ncacn_ip_tcp EFSR Bind_ack (flowbit set) (policy.rules)
2849400 - ETPRO POLICY DCERPC ncacn_ip_tcp LSARPC Bind_ack (flowbit set) (policy.rules)
2849401 - ETPRO POLICY DCERPC ncacn_ip_tcp SAMR Bind_ack (flowbit set) (policy.rules)
2849402 - ETPRO POLICY DCERPC ncacn_ip_tcp NETLOGON Bind_ack (flowbit set) (policy.rules)
2849403 - ETPRO POLICY Possible PetitPotam Successful NTLM Relay Attack (policy.rules)
2849516 - ETPRO MALWARE Win32/ZXRMCTROL CnC Activity (malware.rules)
2849544 - ETPRO MOBILE_MALWARE AndroSpy Checkin 3 (mobile_malware.rules)
2849590 - ETPRO MALWARE Win32/Unk.Loader.msxyz Activity (malware.rules)
2849604 - ETPRO MALWARE Win32/SsStealer CnC Exfil (malware.rules)
2849637 - ETPRO PHISHING Successful Yahoo Phish 2021-08-13 (phishing.rules)
2849665 - ETPRO HUNTING Observed Suspicious URI Structure with Common Escape Character - Possible Exploit (hunting.rules)
2849666 - ETPRO HUNTING Observed Suspicious Raw URI Structure with Common Escape Character - Possible Exploit (hunting.rules)
2849676 - ETPRO MALWARE Win32/Ratfishes Checkin (malware.rules)
2849718 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
2849725 - ETPRO MALWARE Win32/StormKitty/a310Logger Exfil via SMTP (malware.rules)
2849793 - ETPRO MALWARE Win32/Unk.DiscordGrabber CnC Activity (malware.rules)

Disabled and modified rules:

2064338 - ET INFO Observed RMM Domain in DNS Lookup (* .itsm-us1.comodo .com) (info.rules)
2064339 - ET INFO Observed RMM Domain in TLS SNI (* .itsm-us1.comodo .com) (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/09/05 - v11009 Ruleset Updates	81	September 5, 2025
Ruleset Update Summary - 2025/09/12 - v11014 Ruleset Updates	69	September 12, 2025
Ruleset Update Summary - 2025/07/29 - v10981 Ruleset Updates	82	July 29, 2025
Ruleset Update Summary - 2024/01/26 - v10515 Ruleset Updates	218	January 26, 2024
Ruleset Update Summary - 2025/05/12 - v10925 Ruleset Updates	107	May 12, 2025

Ruleset Update Summary - 2025/09/09 - v11011

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related topics