Ruleset Update Summary - 2026/01/20 - v11107

Summary:

63 new OPEN, 67 new PRO (63 + 4)


Added rules:

Open:

  • 2049257 - ET EXPLOIT F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity (exploit.rules)
  • 2049258 - ET EXPLOIT F5 BIG-IP - Successful Password Reset Attempt - Observed Post CVE-2023-46747 Activity (exploit.rules)
  • 2049260 - ET EXPLOIT F5 BIG-IP - Successful Command Execution via util/bash (exploit.rules)
  • 2051432 - ET MALWARE [ANY.RUN] Impacket Framework Default SMB Server GUID Detected (malware.rules)
  • 2051433 - ET MALWARE Impacket Framework Default SMB NTLMSSP Challenge (malware.rules)
  • 2066816 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonstorage .net) (info.rules)
  • 2066817 - ET INFO Pastebin-like Service Domain in DNS Lookup (psty .io) (info.rules)
  • 2066818 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonbin .net) (info.rules)
  • 2066819 - ET INFO Pastebin-like Service Domain in DNS Lookup (my-json-server .typicode .com) (info.rules)
  • 2066820 - ET INFO Pastebin-like Service Domain in DNS Lookup (getpantry .cloud) (info.rules)
  • 2066821 - ET INFO Pastebin-like Service Domain in DNS Lookup (kvdb .io) (info.rules)
  • 2066822 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonblob .com) (info.rules)
  • 2066823 - ET INFO Pastebin-like Service Domain in DNS Lookup (npoint .io) (info.rules)
  • 2066824 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonsilo .com) (info.rules)
  • 2066825 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonkeeper .com) (info.rules)
  • 2066826 - ET INFO Pastebin-like Service Domain in DNS Lookup (jsonbin .io) (info.rules)
  • 2066827 - ET INFO Pastebin-like Service Domain in DNS Lookup (myjson .online) (info.rules)
  • 2066828 - ET INFO Observed Pastebin-like Service Domain (jsonstorage .net) in TLS SNI (info.rules)
  • 2066829 - ET INFO Observed Pastebin-like Service Domain (psty .io) in TLS SNI (info.rules)
  • 2066830 - ET INFO Observed Pastebin-like Service Domain (jsonbin .net) in TLS SNI (info.rules)
  • 2066831 - ET INFO Observed Pastebin-like Service Domain (my-json-server .typicode .com) in TLS SNI (info.rules)
  • 2066832 - ET INFO Observed Pastebin-like Service Domain (getpantry .cloud) in TLS SNI (info.rules)
  • 2066833 - ET INFO Observed Pastebin-like Service Domain (kvdb .io) in TLS SNI (info.rules)
  • 2066834 - ET INFO Observed Pastebin-like Service Domain (jsonblob .com) in TLS SNI (info.rules)
  • 2066835 - ET INFO Observed Pastebin-like Service Domain (npoint .io) in TLS SNI (info.rules)
  • 2066836 - ET INFO Observed Pastebin-like Service Domain (jsonsilo .com) in TLS SNI (info.rules)
  • 2066837 - ET INFO Observed Pastebin-like Service Domain (jsonkeeper .com) in TLS SNI (info.rules)
  • 2066838 - ET INFO Observed Pastebin-like Service Domain (jsonbin .io) in TLS SNI (info.rules)
  • 2066839 - ET INFO Observed Pastebin-like Service Domain (myjson .online) in TLS SNI (info.rules)
  • 2066840 - ET INFO Ninja/NinjaOne RMM Domain in DNS Lookup (ninjarmm .com) (info.rules)
  • 2066841 - ET INFO Observed Ninja/NinjaOne RMM Domain (ninjarmm .com) in TLS SNI (info.rules)
  • 2066842 - ET INFO DYNAMIC_DNS Query to a *.kawaiiarts .com domain (info.rules)
  • 2066843 - ET INFO DYNAMIC_DNS HTTP Request to a *.kawaiiarts .com domain (info.rules)
  • 2066844 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (wilknnson .com) (exploit_kit.rules)
  • 2066845 - ET EXPLOIT_KIT LandUpdate808 Domain (wilknnson .com) in TLS SNI (exploit_kit.rules)
  • 2066846 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (canonjo .asia) (malware.rules)
  • 2066847 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (canonjo .asia) in TLS SNI (malware.rules)
  • 2066848 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (westerrd .cyou) (malware.rules)
  • 2066849 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (westerrd .cyou) in TLS SNI (malware.rules)
  • 2066850 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (whooptm .cyou) (malware.rules)
  • 2066851 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (whooptm .cyou) in TLS SNI (malware.rules)
  • 2066852 - ET INFO Ninja/NinjaOne RMM Domain (euce1-ninjaone .sentinelone .net) in DNS Lookup (info.rules)
  • 2066853 - ET INFO Ninja/NinjaOne RMM Domain (usea1-ninjaone .sentinelone .net) in DNS Lookup (info.rules)
  • 2066854 - ET INFO Observed Ninja/NinjaOne RMM Domain (euce1-ninjaone .sentinelone .net) in TLS SNI (info.rules)
  • 2066855 - ET INFO Observed Ninja/NinjaOne RMM Domain (usea1-ninjaone .sentinelone .net) in TLS SNI (info.rules)
  • 2066856 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (operiteons .com) (exploit_kit.rules)
  • 2066857 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (touchkasablanka .com) (exploit_kit.rules)
  • 2066858 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (triplecust .com) (exploit_kit.rules)
  • 2066859 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (operiteons .com) (exploit_kit.rules)
  • 2066860 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (touchkasablanka .com) (exploit_kit.rules)
  • 2066861 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (triplecust .com) (exploit_kit.rules)
  • 2066862 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (api .fanataxservices .com) (malware.rules)
  • 2066863 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (dl .zeekitchenandbathdesign .com) (malware.rules)
  • 2066864 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (menu .etetefusioncatering .com) (malware.rules)
  • 2066865 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (static .urgaacoffeeroastery .com) (malware.rules)
  • 2066866 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (api .fanataxservices .com) (malware.rules)
  • 2066867 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (dl .zeekitchenandbathdesign .com) (malware.rules)
  • 2066868 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (menu .etetefusioncatering .com) (malware.rules)
  • 2066869 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (static .urgaacoffeeroastery .com) (malware.rules)
  • 2066870 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (joinnow .diasporamedia .net) (malware.rules)
  • 2066871 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (schedule .eznosdrivingschool .com) (malware.rules)
  • 2066872 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (joinnow .diasporamedia .net) (malware.rules)
  • 2066873 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (schedule .eznosdrivingschool .com) (malware.rules)

Pro:

  • 2865789 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865790 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865793 - ETPRO MALWARE Observed DNS Query to Wadworth Bot Domain (malware.rules)
  • 2865794 - ETPRO MALWARE Observed Wadworth Bot Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2013793 - ET MALWARE Dropper.Win32.Npkon Client Checkin (malware.rules)
  • 2801199 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x45 (exploit.rules)
  • 2803437 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin (malware.rules)
  • 2803751 - ETPRO MALWARE Backdoor.Win32.Ramagedos.A Checkin 2 (malware.rules)
  • 2805000 - ETPRO MALWARE HackTool.Win32.VKTools.na Checkin 2 (malware.rules)

Removed rules:

  • 2049257 - ET INFO F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity (info.rules)
  • 2049258 - ET INFO F5 BIG-IP - Successful Password Reset Attempt - Observed Post CVE-2023-46747 Activity (info.rules)
  • 2049260 - ET INFO F5 BIG-IP - Successful Command Execution via util/bash (info.rules)
  • 2051432 - ET INFO [ANY.RUN] Impacket Framework Default SMB Server GUID Detected (info.rules)
  • 2051433 - ET INFO Impacket Framework Default SMB NTLMSSP Challenge (info.rules)
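Note that the five SIDs under "Removed rules" (2049257, 2049258, 2049260, 2051432, 2051433) are the same five that open the "Added rules" list: each was dropped from info.rules and re-added under exploit.rules or malware.rules with an ET EXPLOIT / ET MALWARE classification, so this is a reclassification rather than a retirement. Anyone who filters, suppresses or thresholds by category or by .rules file should re-check those SIDs after applying the update. The following script is an added example, not Proofpoint's or the Emerging Threats project's own tooling: it parses this summary format, verifies the "N new OPEN, M new PRO (N + K)" line against the entries actually listed, and reports SIDs that moved between .rules files. The embedded input is a constructed excerpt of the summary above, trimmed to a few entries with the count line adjusted to match.

```python
import re
from collections import defaultdict

# Constructed excerpt of the update summary above, trimmed to a handful of
# entries; the count line is adjusted to match the trimmed entry list.
SAMPLE_SUMMARY = """\
Ruleset Update Summary - 2026/01/20 - v11107

Summary:

2 new OPEN, 3 new PRO (2 + 1)


Added rules:

Open:

  • 2049257 - ET EXPLOIT F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity (exploit.rules)
  • 2051432 - ET MALWARE [ANY.RUN] Impacket Framework Default SMB Server GUID Detected (malware.rules)

Pro:

  • 2865789 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)

Modified inactive rules:

  • 2013793 - ET MALWARE Dropper.Win32.Npkon Client Checkin (malware.rules)

Removed rules:

  • 2049257 - ET INFO F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity (info.rules)
  • 2051432 - ET INFO [ANY.RUN] Impacket Framework Default SMB Server GUID Detected (info.rules)
"""

# One rule entry: "  • <sid> - <msg> (<file>.rules)"
RULE_LINE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\((\S+\.rules)\)\s*$")
# The count line: "<open> new OPEN, <pro_total> new PRO (<open> + <pro_only>)"
COUNT_LINE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
SECTION_HEADERS = {
    "Added rules:": "added",
    "Modified inactive rules:": "modified_inactive",
    "Removed rules:": "removed",
}


def parse_summary(text):
    """Return (counts, rules): counts is the 4-tuple from the Summary line,
    rules maps section name -> list of {"sid", "msg", "file", "tier"}.
    Tier is taken from the msg prefix (ETPRO = pro, ET = open), which works
    even in sections that carry no Open:/Pro: sub-heading."""
    counts = None
    rules = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_LINE.match(line)
        if m:
            counts = tuple(int(x) for x in m.groups())
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = RULE_LINE.match(raw)
        if m and section is not None:
            sid, msg, rulefile = m.groups()
            tier = "pro" if msg.startswith("ETPRO") else "open"
            rules[section].append(
                {"sid": int(sid), "msg": msg, "file": rulefile, "tier": tier}
            )
    return counts, dict(rules)


def counts_match(counts, rules):
    """True if the Summary line agrees with the entries actually listed.
    PRO total = OPEN + PRO-only, since the Pro feed includes every Open rule."""
    added = rules.get("added", [])
    n_open = sum(1 for r in added if r["tier"] == "open")
    n_pro_only = sum(1 for r in added if r["tier"] == "pro")
    open_total, pro_total, open_again, pro_only = counts
    return (
        n_open == open_total == open_again
        and n_pro_only == pro_only
        and pro_total == open_total + pro_only
    )


def reclassified_sids(rules):
    """SIDs listed under both Added and Removed with a different .rules file:
    the signature was moved, not retired, so per-file or per-category
    tuning that targeted the old file no longer applies to it."""
    removed = {r["sid"]: r for r in rules.get("removed", [])}
    moves = []
    for r in rules.get("added", []):
        old = removed.get(r["sid"])
        if old is not None and old["file"] != r["file"]:
            moves.append((r["sid"], old["file"], r["file"]))
    return moves


if __name__ == "__main__":
    counts, rules = parse_summary(SAMPLE_SUMMARY)
    print("summary line consistent:", counts_match(counts, rules))
    for sid, old, new in reclassified_sids(rules):
        print(f"SID {sid} moved {old} -> {new}")
```

Run against the full summary text instead of the excerpt, the same functions report all five SIDs moving from info.rules to exploit.rules or malware.rules, and confirm the 63 / 67 (63 + 4) totals.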