Ruleset Update Summary - 2025/09/30 - v11027

Summary:

32 new OPEN, 36 new PRO (32 + 4)


Added rules:

Open:

  • 2064971 - ET HUNTING Observed Query to Valve Steam Store (store .steampowered .com) (hunting.rules)
  • 2064972 - ET MALWARE Oyster Backdoor Domain (teams-install .run) in DNS Lookup (malware.rules)
  • 2064973 - ET MALWARE Oyster Backdoor Domain (teams-install .top) in DNS Lookup (malware.rules)
  • 2064974 - ET MALWARE Oyster Backdoor Domain (techwisenetwork .com) in DNS Lookup (malware.rules)
  • 2064975 - ET MALWARE Oyster Backdoor Domain (teams-download .icu) in DNS Lookup (malware.rules)
  • 2064976 - ET MALWARE Oyster Backdoor Domain (eastridge-infotech .com) in DNS Lookup (malware.rules)
  • 2064977 - ET MALWARE Oyster Backdoor Domain (teams-install .icu) in DNS Lookup (malware.rules)
  • 2064978 - ET MALWARE Oyster Backdoor Domain (teams-download .top) in DNS Lookup (malware.rules)
  • 2064979 - ET MALWARE Oyster Backdoor Domain (cybersavvynetwork .com) in DNS Lookup (malware.rules)
  • 2064980 - ET MALWARE Oyster Backdoor Domain (teams-download .buzz) in DNS Lookup (malware.rules)
  • 2064981 - ET MALWARE Oyster Backdoor Domain (witherspoon-law .com) in DNS Lookup (malware.rules)
  • 2064982 - ET MALWARE Observed Oyster Backdoor Domain (teams-install .run) in TLS SNI (malware.rules)
  • 2064983 - ET MALWARE Observed Oyster Backdoor Domain (teams-install .top) in TLS SNI (malware.rules)
  • 2064984 - ET MALWARE Observed Oyster Backdoor Domain (techwisenetwork .com) in TLS SNI (malware.rules)
  • 2064985 - ET MALWARE Observed Oyster Backdoor Domain (teams-download .icu) in TLS SNI (malware.rules)
  • 2064986 - ET MALWARE Observed Oyster Backdoor Domain (eastridge-infotech .com) in TLS SNI (malware.rules)
  • 2064987 - ET MALWARE Observed Oyster Backdoor Domain (teams-install .icu) in TLS SNI (malware.rules)
  • 2064988 - ET MALWARE Observed Oyster Backdoor Domain (teams-download .top) in TLS SNI (malware.rules)
  • 2064989 - ET MALWARE Observed Oyster Backdoor Domain (cybersavvynetwork .com) in TLS SNI (malware.rules)
  • 2064990 - ET MALWARE Observed Oyster Backdoor Domain (teams-download .buzz) in TLS SNI (malware.rules)
  • 2064991 - ET MALWARE Observed Oyster Backdoor Domain (witherspoon-law .com) in TLS SNI (malware.rules)
  • 2064992 - ET MOBILE_MALWARE Klopatra CnC Domain in DNS Lookup (adsservices .uk) (mobile_malware.rules)
  • 2064993 - ET MOBILE_MALWARE Klopatra CnC Domain in DNS Lookup (adsservice2 .org) (mobile_malware.rules)
  • 2064994 - ET MOBILE_MALWARE Klopatra CnC Domain in DNS Lookup (guncel-tv-player-lnat .]com) (mobile_malware.rules)
  • 2064995 - ET MOBILE_MALWARE Observed Klopatra Domain (adsservices .uk) in TLS SNI (mobile_malware.rules)
  • 2064996 - ET MOBILE_MALWARE Observed Klopatra Domain (adsservice2 .org) in TLS SNI (mobile_malware.rules)
  • 2064997 - ET MOBILE_MALWARE Observed Klopatra Domain (guncel-tv-player-lnat .]com) in TLS SNI (mobile_malware.rules)
  • 2064998 - ET HUNTING Sitecore Experience Platform ViewState Insecure Deserialization via Exposed ASP.NET MachineKeys (CVE-2025-53690) (hunting.rules)
  • 2064999 - ET HUNTING WebDAV Retrieving .ps1 (hunting.rules)
  • 2065000 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (quietshalecompany .com) (exploit_kit.rules)
  • 2065001 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (quietshalecompany .com) (exploit_kit.rules)
  • 2065002 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect 3.08.02 Arbitrary Heap Memory Configuration (CVE-2024-51544) (web_specific_apps.rules)

Pro:

  • 2864718 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864719 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2864720 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2864721 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001450 - ET ADWARE_PUP Wintools Download/Configure (adware_pup.rules)
  • 2001587 - ET ADWARE_PUP MarketScore.com Spyware Upgrading (adware_pup.rules)
  • 2003422 - ET POLICY Weatherbug Command Activity (policy.rules)
  • 2004114 - ET MALWARE Bancos User-Agent Detected vb wininet (malware.rules)
  • 2004590 - ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt – weapons.php (web_specific_apps.rules)
  • 2008747 - ET POLICY Possible External FreeGate DNS Query (policy.rules)
  • 2008748 - ET POLICY Possible External FreeGate DNS Query (policy.rules)
  • 2008922 - ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009793 - ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010323 - ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt (activex.rules)
  • 2010324 - ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt (activex.rules)
  • 2012614 - ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks (web_server.rules)
  • 2012615 - ET ADWARE_PUP Unknown Malware PUTLINK Command Message (adware_pup.rules)
  • 2015516 - ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon (current_events.rules)
  • 2015647 - ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search (exploit_kit.rules)
  • 2016350 - ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download (exploit_kit.rules)
  • 2017713 - ET MALWARE Taidoor Checkin (malware.rules)
  • 2018463 - ET MALWARE possible OneLouder header structure (malware.rules)
  • 2021896 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021958 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2024276 - ET MALWARE MSIL/OzazaLocker Ransomware CnC Checkin (malware.rules)
  • 2024299 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 (malware.rules)
  • 2024301 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 (malware.rules)
  • 2024302 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 (malware.rules)
  • 2024304 - ET MALWARE MSIL/May Ransomware SSL Cert Observed (malware.rules)
  • 2024324 - ET MALWARE Spora Ransomware DNS Query (malware.rules)
  • 2024373 - ET MALWARE Win32/Spectre Ransomware CnC Checkin (malware.rules)
  • 2024433 - ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC) (malware.rules)
  • 2024441 - ET MALWARE Tinba CnC Checkin (malware.rules)
  • 2024486 - ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed (malware.rules)
  • 2024489 - ET MALWARE Win32/Bitshifter Ransomware CnC Checkin (malware.rules)
  • 2024606 - ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1 (exploit_kit.rules)
  • 2024607 - ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2 (exploit_kit.rules)
  • 2024612 - ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017 (exploit_kit.rules)
  • 2024613 - ET MALWARE OSX.Pwnet.A Certificate Observed (malware.rules)
  • 2024681 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone) (malware.rules)
  • 2024682 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind) (malware.rules)
  • 2024683 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (malware.rules)
  • 2024684 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (malware.rules)
  • 2024685 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (malware.rules)
  • 2024686 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (malware.rules)
  • 2024687 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (malware.rules)
  • 2024689 - ET WEB_CLIENT Download of Multimedia Content flowbit set (web_client.rules)
  • 2024690 - ET WEB_CLIENT Download of .MOV Content flowbit set (web_client.rules)
  • 2024757 - ET MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2024816 - ET MALWARE CCleaner Backdoor DGA Domain (ab3c2b0d28ba6 .com) Jan 2018 (malware.rules)
  • 2024817 - ET MALWARE CCleaner Backdoor DGA Domain (ab99c24c0ba9 .com) Feb 2018 (malware.rules)
  • 2024818 - ET MALWARE CCleaner Backdoor DGA Domain (ab2e1b782bad .com) Mar 2018 (malware.rules)
  • 2024819 - ET MALWARE CCleaner Backdoor DGA Domain (ab253af862bb0 .com) Apr 2018 (malware.rules)
  • 2024820 - ET MALWARE CCleaner Backdoor DGA Domain (ab2d02b02bb3 .com) May 2018 (malware.rules)
  • 2024821 - ET MALWARE CCleaner Backdoor DGA Domain (ab1b0eaa24bb6 .com) Jun 2018 (malware.rules)
  • 2024822 - ET MALWARE CCleaner Backdoor DGA Domain (abf09fc5abba .com) Jul 2018 (malware.rules)
  • 2024823 - ET MALWARE CCleaner Backdoor DGA Domain (abce85a51bbd .com) Aug 2018 (malware.rules)
  • 2024824 - ET MALWARE CCleaner Backdoor DGA Domain (abccc097dbc0.com) Sep 2018 (malware.rules)
  • 2024825 - ET MALWARE CCleaner Backdoor DGA Domain (ab33b8aa69bc4 .com) Oct 2018 (malware.rules)
  • 2024826 - ET MALWARE CCleaner Backdoor DGA Domain (ab693f4c0bc7 .com) Nov 2018 (malware.rules)
  • 2024827 - ET MALWARE CCleaner Backdoor DGA Domain (ab23660730bca .com) Dec 2018 (malware.rules)
  • 2024845 - ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016 (web_client.rules)
  • 2024852 - ET MALWARE Possible Winnti-related DNS Lookup (malware.rules)
  • 2024864 - ET MALWARE Possible Winnti-related Destination (malware.rules)
  • 2024902 - ET MALWARE Observed Malicious SSL Cert (Snatch CnC) (malware.rules)
  • 2024903 - ET MALWARE Observed Malicious SSL Cert (Snatch CnC) (malware.rules)
  • 2024910 - ET MALWARE BadRabbit Ransomware Payment Onion Domain (malware.rules)
  • 2024989 - ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com) in DNS Lookup (malware.rules)
  • 2025185 - ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (web_client.rules)
  • 2100560 - GPL POLICY VNC server response (policy.rules)
  • 2102696 - GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt (sql.rules)
  • 2102848 - GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt (sql.rules)
  • 2800576 - ETPRO WEB_SERVER Apache Struts2 ParametersInterceptor Remote Command Execution 1 (web_server.rules)
  • 2800939 - ETPRO EXPLOIT Novell GroupWise Agents HTTP 7101 Request Remote Code Execution (exploit.rules)
  • 2800940 - ETPRO ACTIVEX Novell iPrint Client GetDriverSettings Stack Buffer Overflow (activex.rules)
  • 2801132 - ETPRO SCADA SCHWEITZER SEL2032-Level 1 Successful Login (scada.rules)
  • 2801133 - ETPRO SCADA SCHWEITZER SEL2032-Level 2 Successful Login (scada.rules)
  • 2801372 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow SMB (netbios.rules)
  • 2803080 - ETPRO EXPLOIT HP Performance Manager arbitrary file deletion (exploit.rules)
  • 2804100 - ETPRO MALWARE Trojan.Heur.VP2.nm1@aOacxkoi Checkin (malware.rules)
  • 2804441 - ETPRO MALWARE TrojanDropper.Win32/Microjoin.gen!C Checkin (malware.rules)
  • 2804710 - ETPRO MALWARE Trojan-Banker.Win32.Banz.jpb Checkin 1 (malware.rules)
  • 2805168 - ETPRO ADWARE_PUP Adware.TimeSink.P Checkin (adware_pup.rules)
  • 2809375 - ETPRO MOBILE_MALWARE AndroidOS.Riskware.DroidCoupon Checkin 2 (mobile_malware.rules)
  • 2810143 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
  • 2811199 - ETPRO MALWARE DNS Andromeda/Gamarue Query to .onion proxy Domain (74724z223r535723) (malware.rules)
  • 2814804 - ETPRO MALWARE Ursnif Payload via Document Macro Nov 5 (malware.rules)
  • 2820738 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2826225 - ETPRO MALWARE Casper/LEAD DNS Lookup (malware.rules)
  • 2826279 - ETPRO MALWARE ZLoader Malicious SSL Cert Observed (malware.rules)
  • 2826328 - ETPRO EXPLOIT Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290) (exploit.rules)
  • 2826407 - ETPRO MALWARE Hidden-Tear Ransomware Variant Malicious SSL Cert Observed (malware.rules)
  • 2826437 - ETPRO MALWARE Observed Malicious SSL Cert (Orcus RAT) (malware.rules)
  • 2826562 - ETPRO MALWARE Hidden-Tear Ransomware Variant CnC Checkin (malware.rules)
  • 2826639 - ETPRO MALWARE Malicious SSL certificate detected (PupyRat) (malware.rules)
  • 2826640 - ETPRO MALWARE HiddenTear Ransomware KKK Variant DNS Lookup (malware.rules)
  • 2826641 - ETPRO MALWARE HiddenTear Ransomware KKK Variant DNS Lookup (malware.rules)
  • 2826725 - ETPRO EXPLOIT Windows Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2017-0215) (exploit.rules)
  • 2826734 - ETPRO EXPLOIT Adobe Flash Display List Structure UAF M1 (CVE-2017-3081) (exploit.rules)
  • 2826735 - ETPRO EXPLOIT Adobe Flash Display List Structure UAF M2 (CVE-2017-3081) (exploit.rules)
  • 2826737 - ETPRO EXPLOIT Adobe Flash Memory Corruption (CVE-2017-3082) (exploit.rules)
  • 2826738 - ETPRO EXPLOIT Adobe Flash Primtime SDK UAF (CVE-2017-3083) (exploit.rules)
  • 2826820 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2826821 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2827010 - ETPRO MALWARE Win32/Vortex Ransomware Domain in SNI (malware.rules)
  • 2827088 - ETPRO EXPLOIT Adobe Flash Action Script 3 OOB (CVE-2017-3099) (exploit.rules)
  • 2827117 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2827244 - ETPRO MALWARE Observed Malicious SSL Cert (URLZone CnC) (malware.rules)
  • 2827328 - ETPRO MALWARE Zyklon Malicious Domain in SNI Observed (t3rqxlhq2o2zltsrfk34g7u) (malware.rules)
  • 2827395 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827420 - ETPRO MALWARE Ransomware/Zyklon Onion Domain Lookup (malware.rules)
  • 2827464 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827565 - ETPRO MALWARE Win32/LockCrypt Ransomware CnC Checkin (malware.rules)
  • 2827595 - ETPRO MALWARE Win32/Agent.SPU Malicious SSL Certificate Detected (malware.rules)
  • 2827601 - ETPRO MALWARE Observed Malicious SSL Cert 2017-08-21 (MalDoc DL) (malware.rules)
  • 2827648 - ETPRO MALWARE DNS Query to Cerber Domain (tg4d0x . top) (malware.rules)
  • 2827649 - ETPRO MALWARE DNS Query to Cerber Domain (xreb38 . top) (malware.rules)
  • 2827650 - ETPRO MALWARE DNS Query to Cerber Domain (47riy1 . top) (malware.rules)
  • 2827651 - ETPRO MALWARE DNS Query to Cerber Domain (2hr4fs . top) (malware.rules)
  • 2827652 - ETPRO MALWARE DNS Query to Cerber Domain (9k6lwu . top) (malware.rules)
  • 2827679 - ETPRO MALWARE DNS Query to Cerber Domain (onl98g . top) (malware.rules)
  • 2827746 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827764 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827821 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827822 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827823 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827891 - ETPRO MALWARE Malicious SSL Certificate Detected (NetSupport Manager RAT) (malware.rules)
  • 2827897 - ETPRO EXPLOIT MP4 Atom Parser Vulnerability Inbound M1 (CVE-2017-11281) (exploit.rules)
  • 2827898 - ETPRO EXPLOIT MP4 Atom Parser Vulnerability Inbound M2 (CVE-2017-11281) (exploit.rules)
  • 2827906 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 201 (mobile_malware.rules)
  • 2827974 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.gen / BankBot Checkin (mobile_malware.rules)
  • 2827991 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828027 - ETPRO EXPLOIT_KIT GrandSoft EK Exploit Usage Sep 22 2017 (exploit_kit.rules)
  • 2828030 - ETPRO EXPLOIT_KIT GrandSoft EK Exploit Usage M2 Sep 22 2017 (exploit_kit.rules)
  • 2828052 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Sep 25 2017 Domain in SNI (web_client.rules)
  • 2828061 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.PornVideo.ao / ZNIU Checkin (mobile_malware.rules)
  • 2828191 - ETPRO MALWARE Observed Malicious SSL Cert (Fake O356 Installer) (malware.rules)
  • 2828200 - ETPRO MALWARE Bladabindi Downloader Domain Observed in SNI (malware.rules)
  • 2828298 - ETPRO MALWARE Sage Ransomware Variant UDP Activity (malware.rules)
  • 2828314 - ETPRO MALWARE Magniber Ransomware Checkin 1 (malware.rules)
  • 2828315 - ETPRO MALWARE Magniber Ransomware Checkin 2 (malware.rules)
  • 2828316 - ETPRO MALWARE Orz JavaScript Backdoor Sending Password to CnC (malware.rules)
  • 2828332 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828373 - ETPRO MALWARE Cerber Domain Observed (crw57p .bid) in DNS Lookup (malware.rules)
  • 2828379 - ETPRO MALWARE Cerber Domain Observed (le6611 .bid) in DNS Lookup (malware.rules)
  • 2828568 - ETPRO MALWARE ZeusPanda CnC Domain (henfobuthis .com) in DNS Lookup (malware.rules)
  • 2828569 - ETPRO MALWARE ZeusPanda CnC Domain (henfobuthis .com in TLS SNI) (malware.rules)
  • 2828570 - ETPRO MALWARE ZeusPanda CnC Domain (rowrorofrat .com) in DNS Lookup (malware.rules)
  • 2828576 - ETPRO MALWARE ZeusPanda CnC Domain (linghogolac .ru) in DNS Lookup (malware.rules)
  • 2828585 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
  • 2828663 - ETPRO MALWARE Gootkit Domain (sslsecure256 .com in SNI) (malware.rules)
  • 2828825 - ETPRO MALWARE Observed Malicious SSL Cert 2017-12-07 (MalDoc DL) (malware.rules)

Removed rules:

  • 2063968 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (store .steampowered .com) (malware.rules)
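The release note is a flat list, so the checks a practitioner usually wants (do the header counts match the bullets, which SIDs landed in which section, which defanged domains are new, and whether a removed rule's indicator came back under a different category) have to be scripted. The parser below is an added example, not part of the ET release notes or of any ET tooling; SAMPLE is a constructed excerpt in the summary's own layout, with self-consistent counts. On the real summary the removed/added cross-reference pairs SID 2063968 (MALWARE, store .steampowered .com) with the new SID 2064971 (HUNTING, the same Valve Steam Store domain); the summary does not state the reason for that reclassification, but it changes how an alert on that domain should be triaged, so it is worth surfacing automatically.

```python
"""Parse an Emerging Threats ruleset update summary into per-section SID maps.

Added example; not part of the ET release notes or any ET tooling. SAMPLE is a
constructed excerpt in the summary's own layout (bullets are U+2022, domains are
defanged with a space before each dot; the header counts are made consistent).
"""
import re

SAMPLE = """\
Ruleset Update Summary - 2025/09/30 - v11027

Summary:

3 new OPEN, 4 new PRO (3 + 1)

Added rules:

Open:

  • 2064971 - ET HUNTING Observed Query to Valve Steam Store (store .steampowered .com) (hunting.rules)
  • 2064972 - ET MALWARE Oyster Backdoor Domain (teams-install .run) in DNS Lookup (malware.rules)
  • 2064994 - ET MOBILE_MALWARE Klopatra CnC Domain in DNS Lookup (guncel-tv-player-lnat .]com) (mobile_malware.rules)

Pro:

  • 2864718 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2827648 - ETPRO MALWARE DNS Query to Cerber Domain (tg4d0x . top) (malware.rules)

Removed rules:

  • 2063968 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (store .steampowered .com) (malware.rules)
"""

BULLET = re.compile(r"^\s*•\s*(\d+)\s*-\s*(.+?)\s*\((\S+\.rules)\)\s*$")
COUNTS = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)\s*$")
# A defanged domain directly after "(": labels separated by " .", ". ", " . " or " .]".
DOMAIN = re.compile(r"\(\s*([a-z0-9-]+(?:\s*\.\s*\]?\s*[a-z0-9-]+)+)", re.I)
SECTIONS = {"Open:": "added_open", "Pro:": "added_pro",
            "Modified inactive rules:": "modified_inactive", "Removed rules:": "removed"}


def refang(defanged):
    """'store .steampowered .com' / 'x .]com' / 'a . top' -> bare lowercase FQDN."""
    return re.sub(r"[\s\[\]]", "", defanged).lower()


def domains_in(title):
    """All defanged domains in a rule title, refanged (CVE ids and counts are skipped)."""
    return [refang(m) for m in DOMAIN.findall(title)]


def category(title):
    """'ET MALWARE Foo' -> 'MALWARE'; the first token is ET, ETPRO or GPL."""
    return title.split()[1]


def parse_summary(text):
    """Return {section: {sid: (title, rules_file)}} for the four SID sections."""
    parsed = {name: {} for name in SECTIONS.values()}
    current = None
    for line in text.splitlines():
        if line.strip() in SECTIONS:
            current = SECTIONS[line.strip()]
            continue
        m = BULLET.match(line)
        if m and current:
            parsed[current][int(m.group(1))] = (m.group(2), m.group(3))
    return parsed


def counts_consistent(text, parsed):
    """Check the 'N new OPEN, M new PRO (N + K)' header against the bullet counts."""
    for line in text.splitlines():
        m = COUNTS.match(line.strip())
        if m:
            open_n, pro_total, open_again, pro_only = map(int, m.groups())
            return (open_n == open_again == len(parsed["added_open"])
                    and pro_only == len(parsed["added_pro"])
                    and pro_total == open_n + pro_only)
    return False


def reclassified_domains(parsed):
    """(domain, removed_sid, old_category, added_sid, new_category) for every
    domain that a removed rule matched on and an added rule matches on again."""
    added = {}
    for section in ("added_open", "added_pro"):
        for sid, (title, _) in parsed[section].items():
            for dom in domains_in(title):
                added.setdefault(dom, []).append((sid, category(title)))
    out = []
    for sid, (title, _) in parsed["removed"].items():
        for dom in domains_in(title):
            for new_sid, new_cat in added.get(dom, []):
                out.append((dom, sid, category(title), new_sid, new_cat))
    return out


def new_indicator_domains(parsed):
    """Refanged domains from newly added rules, grouped by ET category, ready for a
    retro-hunt over DNS or TLS SNI logs."""
    out = {}
    for section in ("added_open", "added_pro"):
        for _, (title, _) in parsed[section].items():
            for dom in domains_in(title):
                out.setdefault(category(title), set()).add(dom)
    return out


if __name__ == "__main__":
    p = parse_summary(SAMPLE)
    print("header counts consistent:", counts_consistent(SAMPLE, p))
    for row in reclassified_domains(p):
        print("reclassified: %s  %d (%s) -> %d (%s)" % row)
    print(new_indicator_domains(p))
```

Feed the full summary text to `parse_summary` to get the real SID sets; `reclassified_domains` is the function that flags the Steam store domain moving from a MALWARE SID to a HUNTING SID, and `new_indicator_domains` gives the refanged Oyster, Klopatra and TA2726 domains from this release for searching past DNS and SNI logs. Titles without a parenthesised domain (CnC checkin signatures, CVE rules) are kept in the SID maps but contribute no indicators.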