Ruleset Update Summary - 2025/12/09 - v11079

Summary:

34 new OPEN, 65 new PRO (34 + 31)

Thanks Kailani_Del_Rio


Added rules:

Open:

  • 2066196 - ET HUNTING Javascript Prototype Pollution Attempt via proto in HTTP URI (hunting.rules)
  • 2066197 - ET HUNTING Javascript Prototype Pollution Attempt via proto in HTTP Body (hunting.rules)
  • 2066198 - ET HUNTING Javascript Prototype Pollution Attempt via prototype in HTTP URI (hunting.rules)
  • 2066199 - ET HUNTING Javascript Prototype Pollution Attempt via prototype in HTTP Body (hunting.rules)
  • 2066200 - ET EXPLOIT Zoom Linux Client Command Injection (CVE-2017-15049) (exploit.rules)
  • 2066201 - ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Authentication Bypass (CVE-2021-37415) (web_specific_apps.rules)
  • 2066202 - ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081) (web_specific_apps.rules)
  • 2066203 - ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Unauthenticated Stored XSS (CVE-2021-20080) (web_specific_apps.rules)
  • 2066204 - ET WEB_SPECIFIC_APPS Zoho ManageEngine RecoveryManager Plus updateProxySettings Command Injection (CVE-2023-48646) (web_specific_apps.rules)
  • 2066205 - ET WEB_SPECIFIC_APPS SysAid On-Prem lshw XML External Entity Injection (CVE-2025-2777) (web_specific_apps.rules)
  • 2066206 - ET WEB_SPECIFIC_APPS SysAid On-Prem serverurl XML External Entity Injection (CVE-2025-2776) (web_specific_apps.rules)
  • 2066207 - ET WEB_SPECIFIC_APPS SysAid On-Prem Authenticated updateApi Arbitrary OS Command Injection (CVE-2025-2778) (web_specific_apps.rules)
  • 2066208 - ET WEB_SPECIFIC_APPS Vaultwarden Escalation of Privilege via OrgHeaders Variable Confusion (CVE-2025-24365) (web_specific_apps.rules)
  • 2066209 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (api .htscefh .com) (malware.rules)
  • 2066210 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (api .htscefh .com) (malware.rules)
  • 2066211 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crossbp .click) (malware.rules)
  • 2066212 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crossbp .click) in TLS SNI (malware.rules)
  • 2066213 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dauphca .click) (malware.rules)
  • 2066214 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dauphca .click) in TLS SNI (malware.rules)
  • 2066215 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dianubv .cyou) (malware.rules)
  • 2066216 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dianubv .cyou) in TLS SNI (malware.rules)
  • 2066217 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (easybqy .qpon) (malware.rules)
  • 2066218 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (easybqy .qpon) in TLS SNI (malware.rules)
  • 2066219 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (glossydecentjuskwos .shop) (malware.rules)
  • 2066220 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (glossydecentjuskwos .shop) in TLS SNI (malware.rules)
  • 2066221 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reflectepatt .click) (malware.rules)
  • 2066222 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reflectepatt .click) in TLS SNI (malware.rules)
  • 2066223 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (retreaw .click) (malware.rules)
  • 2066224 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (retreaw .click) in TLS SNI (malware.rules)
  • 2066225 - ET WEB_SPECIFIC_APPS Ivanti EPM postcgi.exe Multiple Parameter Cross Site Scripting Attempt (CVE-2025-10573) (web_specific_apps.rules)
  • 2066226 - ET WEB_SPECIFIC_APPS Wordpress Sneeit Framework Plugin args Parameter Command Injection Attempt (CVE-2025-6389) (web_specific_apps.rules)
  • 2066227 - ET MALWARE BirchParalysis Payload Request (GET) M1 (malware.rules)
  • 2066228 - ET MALWARE BirchParalysis Payload Request (GET) M2 (malware.rules)
  • 2066229 - ET PHISHING Microsoft Support Phish Landing Page 2025-12-09 (phishing.rules)

Pro:

  • 2865291 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865292 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865293 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865294 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865295 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865296 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865297 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865299 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865300 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865301 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865302 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865303 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865304 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865305 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865306 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865307 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865308 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865309 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865310 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865311 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865312 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865313 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865315 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865316 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2865317 - ETPRO WEB_SPECIFIC_APPS Zoho ManageEngine Applications Manager Blind SQLi (web_specific_apps.rules)
  • 2865318 - ETPRO PHISHING UNK_ArmyDrive Exfil M1 2025-12-09 (phishing.rules)
  • 2865319 - ETPRO PHISHING UNK_ArmyDrive Exfil M2 2025-12-09 (phishing.rules)
  • 2865320 - ETPRO PHISHING UNK_ArmyDrive Landing Page M1 2025-12-09 (phishing.rules)
  • 2865321 - ETPRO PHISHING UNK_ArmyDrive Landing Page M2 2025-12-09 (phishing.rules)

Modified inactive rules:

  • 2002783 - ET EXPLOIT Java runtime.exec() call (exploit.rules)
  • 2003370 - ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (exploit.rules)
  • 2007967 - ET MALWARE Universal1337 FTP Upload of Compromised Data (malware.rules)
  • 2008047 - ET MALWARE Egspy Infection Report via HTTP (malware.rules)
  • 2008356 - ET ADWARE_PUP Seekmo.com Spyware Data Upload (adware_pup.rules)
  • 2009190 - ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009749 - ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan (scan.rules)
  • 2012051 - ET TFTP TFTPGUI Long Transport Mode Buffer Overflow (tftp.rules)
  • 2012248 - ET MALWARE MUROFET/Licat Trojan Checkin Forum (malware.rules)
  • 2013038 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (waplove .cn) (mobile_malware.rules)
  • 2013198 - ET MALWARE Trojan/Hacktool.Sniffer Initial Checkin (malware.rules)
  • 2013514 - ET MALWARE Potential DNS Command and Control via TXT queries (malware.rules)
  • 2013515 - ET MALWARE Potential DNS Command and Control via TXT queries (malware.rules)
  • 2014616 - ET MALWARE Win32/Usteal.B Checkin (malware.rules)
  • 2016052 - ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested (exploit_kit.rules)
  • 2016736 - ET EXPLOIT_KIT GonDadEK Java Exploit Requested (exploit_kit.rules)
  • 2017246 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4 (current_events.rules)
  • 2019414 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019596 - ET WEB_CLIENT FlashPack Secondary Landing Oct 29 (web_client.rules)
  • 2020195 - ET POLICY exploitpack.com tool checkin (policy.rules)
  • 2021392 - ET MOBILE_MALWARE Android Gunpoder Checkin (mobile_malware.rules)
  • 2021782 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022287 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023406 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2024112 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
  • 2100422 - GPL ICMP Mobile Registration Reply undefined code (icmp.rules)
  • 2100545 - GPL FTP FTP 'CWD / ' possible warez site (ftp.rules)
  • 2101238 - GPL WEB_SERVER Tomcat sourcecode view attempt 1 (web_server.rules)
  • 2101957 - GPL RPC sadmind UDP PING (rpc.rules)
  • 2800163 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 10 (exploit.rules)
  • 2800418 - ETPRO SMTP Novell Groupwise Internet Agent RCPT Command Buffer Overflow (smtp.rules)
  • 2802013 - ETPRO MALWARE Trojan.Win32.Banker.qmd Activity - SET (malware.rules)
  • 2803422 - ETPRO WORM Worm.Win32.Ganelp.B Checkin 1 (worm.rules)
  • 2803733 - ETPRO MALWARE TrojanProxy.Ukstories.e Checkin (malware.rules)
  • 2803896 - ETPRO MALWARE TrojanDownloader.Win32/Carberp.A Checkin (malware.rules)
  • 2804329 - ETPRO MALWARE Virus.Win32.OnLineGames!IK Checkin (malware.rules)
  • 2804866 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.alvy Checkin (malware.rules)
  • 2805416 - ETPRO MALWARE Unknown dnsd.me Related Trojan Checkin a (malware.rules)
  • 2806877 - ETPRO MOBILE_MALWARE Android/TheftSpy.C Checkin (mobile_malware.rules)
  • 2809301 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M3 (web_client.rules)
  • 2809795 - ETPRO EXPLOIT_KIT Possible Magnitude exploit payload contype check Feb 12 2015 (exploit_kit.rules)
  • 2809883 - ETPRO MALWARE Dridex Post Checkin Activity 4 (malware.rules)
  • 2812392 - ETPRO MALWARE Win32/VBS.Lnkget.D Checkin (malware.rules)
  • 2819692 - ETPRO EXPLOIT Possible Windows RPC Downgrade Vulnerability SMB2 (CVE-2016-0128) (exploit.rules)
  • 2820602 - ETPRO EXPLOIT Internet Explorer Memory Corruption Vulnerability (CVE-2016-3211) (exploit.rules)
  • 2823477 - ETPRO MALWARE Malicious SSL Certificate Detected (Ursnif CnC) (malware.rules)