Ruleset Update Summary - 2025/09/15 - v11015

Ruleset Updates
1

Summary:

76 new OPEN, 88 new PRO (76 + 12)

Thanks @james_inthe_box

Added rules:

Open:

  • 2064622 - ET HUNTING schtasks change Command in HTTP Body Response (hunting.rules)
  • 2064623 - ET HUNTING schtasks delete Command in HTTP Body Response (hunting.rules)
  • 2064624 - ET HUNTING schtasks end Command in HTTP Body Response (hunting.rules)
  • 2064625 - ET HUNTING schtasks run Command in HTTP Body Response (hunting.rules)
  • 2064626 - ET HUNTING schtasks query Command in HTTP Body Response (hunting.rules)
  • 2064627 - ET MALWARE Oyster Backdoor CnC Checkin M2 (malware.rules)
  • 2064628 - ET MALWARE Oyster Backdoor CnC Checkin M3 (malware.rules)
  • 2064629 - ET MALWARE Oyster Backdoor CnC Checkin M4 (malware.rules)
  • 2064630 - ET INFO DYNAMIC_DNS Query to a *.allen-software .com domain (info.rules)
  • 2064631 - ET INFO DYNAMIC_DNS HTTP Request to a *.allen-software .com domain (info.rules)
  • 2064632 - ET INFO DYNAMIC_DNS Query to a *.bridgetech .ec domain (info.rules)
  • 2064633 - ET INFO DYNAMIC_DNS HTTP Request to a *.bridgetech .ec domain (info.rules)
  • 2064634 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (webcre8 .com) (exploit_kit.rules)
  • 2064635 - ET EXPLOIT_KIT LandUpdate808 Domain (webcre8 .com) in TLS SNI (exploit_kit.rules)
  • 2064636 - ET INFO DYNAMIC_DNS Query to a *.gsxpress .com .my domain (info.rules)
  • 2064637 - ET INFO DYNAMIC_DNS HTTP Request to a *.gsxpress .com .my domain (info.rules)
  • 2064638 - ET INFO DYNAMIC_DNS Query to a *.ultraexpress .com .ar domain (info.rules)
  • 2064639 - ET INFO DYNAMIC_DNS HTTP Request to a *.ultraexpress .com .ar domain (info.rules)
  • 2064640 - ET INFO DYNAMIC_DNS Query to a *.solucionip .com .ar domain (info.rules)
  • 2064641 - ET INFO DYNAMIC_DNS HTTP Request to a *.solucionip .com .ar domain (info.rules)
  • 2064642 - ET INFO DYNAMIC_DNS Query to a *.bewusstairleben .ch domain (info.rules)
  • 2064643 - ET INFO DYNAMIC_DNS HTTP Request to a *.bewusstairleben .ch domain (info.rules)
  • 2064644 - ET INFO DYNAMIC_DNS Query to a *.data-line .gr domain (info.rules)
  • 2064645 - ET INFO DYNAMIC_DNS HTTP Request to a *.data-line .gr domain (info.rules)
  • 2064646 - ET INFO DYNAMIC_DNS Query to a *.auszeitseminar .ch domain (info.rules)
  • 2064647 - ET INFO DYNAMIC_DNS HTTP Request to a *.auszeitseminar .ch domain (info.rules)
  • 2064648 - ET INFO DYNAMIC_DNS Query to a *.drciocan .ro domain (info.rules)
  • 2064649 - ET INFO DYNAMIC_DNS HTTP Request to a *.drciocan .ro domain (info.rules)
  • 2064650 - ET INFO DYNAMIC_DNS Query to a *.catcher .ru domain (info.rules)
  • 2064651 - ET INFO DYNAMIC_DNS HTTP Request to a *.catcher .ru domain (info.rules)
  • 2064652 - ET INFO DYNAMIC_DNS Query to a *.flowtemp .ro domain (info.rules)
  • 2064653 - ET INFO DYNAMIC_DNS HTTP Request to a *.flowtemp .ro domain (info.rules)
  • 2064654 - ET INFO DYNAMIC_DNS Query to a *.ruhezeiter .ch domain (info.rules)
  • 2064655 - ET INFO DYNAMIC_DNS HTTP Request to a *.ruhezeiter .ch domain (info.rules)
  • 2064656 - ET INFO DYNAMIC_DNS Query to a *.dewarp .me domain (info.rules)
  • 2064657 - ET INFO DYNAMIC_DNS HTTP Request to a *.dewarp .me domain (info.rules)
  • 2064658 - ET INFO DYNAMIC_DNS Query to a *.c-om .org domain (info.rules)
  • 2064659 - ET INFO DYNAMIC_DNS HTTP Request to a *.c-om .org domain (info.rules)
  • 2064660 - ET INFO DYNAMIC_DNS Query to a *.bishallimbu .com .np domain (info.rules)
  • 2064661 - ET INFO DYNAMIC_DNS HTTP Request to a *.bishallimbu .com .np domain (info.rules)
  • 2064662 - ET INFO DYNAMIC_DNS Query to a *.boringart .lt domain (info.rules)
  • 2064663 - ET INFO DYNAMIC_DNS HTTP Request to a *.boringart .lt domain (info.rules)
  • 2064664 - ET INFO DYNAMIC_DNS Query to a *.tucapelenergia .cl domain (info.rules)
  • 2064665 - ET INFO DYNAMIC_DNS HTTP Request to a *.tucapelenergia .cl domain (info.rules)
  • 2064666 - ET INFO DYNAMIC_DNS Query to a *.pralad .com .np domain (info.rules)
  • 2064667 - ET INFO DYNAMIC_DNS HTTP Request to a *.pralad .com .np domain (info.rules)
  • 2064668 - ET INFO DYNAMIC_DNS Query to a *.tcm-studios .info domain (info.rules)
  • 2064669 - ET INFO DYNAMIC_DNS HTTP Request to a *.tcm-studios .info domain (info.rules)
  • 2064670 - ET INFO DYNAMIC_DNS Query to a *.acharyabijay .com .np domain (info.rules)
  • 2064671 - ET INFO DYNAMIC_DNS HTTP Request to a *.acharyabijay .com .np domain (info.rules)
  • 2064672 - ET INFO DYNAMIC_DNS Query to a *.gagannepal .com .np domain (info.rules)
  • 2064673 - ET INFO DYNAMIC_DNS HTTP Request to a *.gagannepal .com .np domain (info.rules)
  • 2064674 - ET INFO DYNAMIC_DNS Query to a *.estudiotarzia .com .ar domain (info.rules)
  • 2064675 - ET INFO DYNAMIC_DNS HTTP Request to a *.estudiotarzia .com .ar domain (info.rules)
  • 2064676 - ET INFO DYNAMIC_DNS Query to a *.bowling .vn domain (info.rules)
  • 2064677 - ET INFO DYNAMIC_DNS HTTP Request to a *.bowling .vn domain (info.rules)
  • 2064678 - ET INFO DYNAMIC_DNS Query to a *.idempiere .com .ar domain (info.rules)
  • 2064679 - ET INFO DYNAMIC_DNS HTTP Request to a *.idempiere .com .ar domain (info.rules)
  • 2064680 - ET INFO DYNAMIC_DNS Query to a *.gert .li domain (info.rules)
  • 2064681 - ET INFO DYNAMIC_DNS HTTP Request to a *.gert .li domain (info.rules)
  • 2064682 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (math1st .com) (exploit_kit.rules)
  • 2064683 - ET EXPLOIT_KIT LandUpdate808 Domain (math1st .com) in TLS SNI (exploit_kit.rules)
  • 2064684 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect multiple caldav URI endpoints skipChecksum Parameter Arbitrary File Upload Attempt (web_specific_apps.rules)
  • 2064685 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon factorySaved.php title Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2064686 - ET WEB_SPECIFIC_APPS Tenda AdvSetMacMtuWan wanMTU Parameter Buffer Overflow Attempt (CVE-2025-10432) (web_specific_apps.rules)
  • 2064687 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .trailsyamahamotor .com) (malware.rules)
  • 2064688 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .happyhatterreviews .com) (malware.rules)
  • 2064689 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .trailsyamahamotor .com) (malware.rules)
  • 2064690 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .happyhatterreviews .com) (malware.rules)
  • 2064691 - ET WEB_SPECIFIC_APPS Tenda exeCommand cmdinput Parameter Buffer Overflow Attempt M2 (CVE-2025-10443) (web_specific_apps.rules)
  • 2064692 - ET WEB_SPECIFIC_APPS Tenda exeCommand cmdinput Parameter Command Injection Attempt (CVE-2025-10442) (web_specific_apps.rules)
  • 2064693 - ET WEB_SPECIFIC_APPS D-Link version_upgrade.asp path Parameter Command Injection Attempt (CVE-2025-10441) (web_specific_apps.rules)
  • 2064694 - ET WEB_SPECIFIC_APPS D-Link usb_paswd.asp hname Parameter Command Injection Attempt (CVE-2025-10440) (web_specific_apps.rules)
  • 2064695 - ET WEB_SPECIFIC_APPS Intelbras Wireless Network Credentials Information Leak (CVE-2025-55976) (web_specific_apps.rules)
  • 2064696 - ET HUNTING Github Request for PNG File With PowerShell (hunting.rules)
  • 2064697 - ET HUNTING Minimal Header Github Request for PNG File (hunting.rules)

Pro:

  • 2864577 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864578 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864579 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864580 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864581 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864582 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864583 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864584 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864585 - ETPRO PHISHING Observed DNS Query to UNK_ArmyDrive Domain (phishing.rules)
  • 2864586 - ETPRO PHISHING Observed UNK_ArmyDrive Domain in TLS SNI (phishing.rules)
  • 2864587 - ETPRO PHISHING Observed DNS Query to UNK_ArmyDrive Domain (phishing.rules)
  • 2864588 - ETPRO PHISHING Observed UNK_ArmyDrive Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2031194 - ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) (malware.rules)
  • 2031206 - ET MALWARE CCleaner Backdoor DGA Domain (ab1de19d80ae6 .com) in DNS Lookup (malware.rules)
  • 2031209 - ET MALWARE ModPipe CnC Activity (Response) (malware.rules)
  • 2031252 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org) (malware.rules)
  • 2031253 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org) (malware.rules)
  • 2031254 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org) (malware.rules)
  • 2031255 - ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org) (malware.rules)
  • 2031428 - ET MALWARE Observed SystemBC CnC Domain in DNS Query (malware.rules)
  • 2031439 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com) (mobile_malware.rules)
  • 2031440 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net) (mobile_malware.rules)
  • 2031441 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net) (mobile_malware.rules)
  • 2031488 - ET POLICY SSLv2 Used in Session (policy.rules)
  • 2031489 - ET POLICY SSLv3 Used in Session (policy.rules)
  • 2031490 - ET POLICY TLSv1.1 Used in Session (policy.rules)
  • 2031491 - ET POLICY TLSv1.0 Used in Session (policy.rules)
  • 2031526 - ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability (exploit.rules)
  • 2032347 - ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26877) (exploit.rules)
  • 2032358 - ET EXPLOIT Possible OpenSSL TLSv1.2 DoS Inbound (CVE-2021-3449) (exploit.rules)
  • 2844829 - ETPRO MALWARE LiteHTTP Variant CnC Activity (malware.rules)
  • 2845075 - ETPRO EXPLOIT Possible Microsoft Outlook RCE Attempt via Specially Crafted Email (CVE-2020-16947) (exploit.rules)
  • 2845197 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (3980a) (web_client.rules)
  • 2845427 - ETPRO EXPLOIT Windows Server Heap Overflow Inbound (CVE-2020-17051) (exploit.rules)
  • 2845610 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2845655 - ETPRO MALWARE Jupyter Stealer Activity (POST) (malware.rules)
  • 2845816 - ETPRO MOBILE_MALWARE Android/Plankton.I Checkin (mobile_malware.rules)
  • 2846476 - ETPRO MALWARE Malicious SSL Certificate detected (PlugX CnC) (malware.rules)
  • 2846661 - ETPRO POLICY External IP Address Lookup (eryaz .net) (policy.rules)
  • 2846761 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2846998 - ETPRO EXPLOIT Possible Windows IPv6 Stack DoS Attempt Inbound (CVE-2021-24086) (exploit.rules)
  • 2847146 - ETPRO MALWARE Observed Malicious SSL Cert (OrcusRAT) (malware.rules)
  • 2847151 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2847396 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2847446 - ETPRO EXPLOIT Windows DirectWrite Heap-Based Buffer Overflow Inbound (CVE-2021-24093) (exploit.rules)
  • 2847503 - ETPRO MALWARE DTLoader Variant Activity (malware.rules)
  • 2847832 - ETPRO MALWARE BazaLoader MalDoc Retrieving Payload (malware.rules)
  • 2847942 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2848048 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2848351 - ETPRO HUNTING Suspicious HTTP Header (RAM) (hunting.rules)