Summary:
19 new OPEN, 32 new PRO (19 + 13)
Added rules:
Open:
- 2067417 - ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe AdminExec Operation (CVE-2025-67813) (exploit.rules)
- 2067418 - ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe DllInjection Operation (CVE-2025-67813) (exploit.rules)
- 2067419 - ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe Credentials Operation (CVE-2025-67813) (exploit.rules)
- 2067420 - ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe ImpersonateAdmin Operation (CVE-2025-67813) (exploit.rules)
- 2067421 - ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe InvokeCOM Operation (CVE-2025-67813) (exploit.rules)
- 2067440 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (investonline .in) (exploit_kit.rules)
- 2067441 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (investonline .in) (exploit_kit.rules)
- 2067442 - ET INFO DYNAMIC_DNS Query to a *.parcomunica .com domain (info.rules)
- 2067443 - ET INFO DYNAMIC_DNS HTTP Request to a *.parcomunica .com domain (info.rules)
- 2067444 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (benecian .com) (exploit_kit.rules)
- 2067445 - ET EXPLOIT_KIT LandUpdate808 Domain (benecian .com) in TLS SNI (exploit_kit.rules)
- 2067446 - ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916) (web_specific_apps.rules)
- 2067447 - ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (e3b0c4_12) (web_client.rules)
- 2067448 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (retiroreturn .com) (exploit_kit.rules)
- 2067449 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (retiroreturn .com) (exploit_kit.rules)
- 2067450 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (events .youranokacounty .com) (malware.rules)
- 2067451 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (infra .permianbuildersllc .com) (malware.rules)
- 2067452 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (events .youranokacounty .com) (malware.rules)
- 2067453 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (infra .permianbuildersllc .com) (malware.rules)
Pro:
- 2865992 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2865993 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2865994 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2865995 - ETPRO EXPLOIT Microsoft Shell Security Feature Bypass (CVE-2026-21510) M1 (exploit.rules)
- 2865996 - ETPRO EXPLOIT Microsoft Shell Security Feature Bypass (CVE-2026-21510) M2 (exploit.rules)
- 2865997 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M1 (exploit.rules)
- 2865998 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M2 (exploit.rules)
- 2865999 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M3 (exploit.rules)
- 2866000 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M4 (exploit.rules)
- 2866001 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M5 (exploit.rules)
- 2866002 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M6 (exploit.rules)
- 2866003 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M7 (exploit.rules)
- 2866004 - ETPRO EXPLOIT Microsoft Outlook Spoofing (CVE-2026-21511) M8 (exploit.rules)
Modified inactive rules:
- 2018622 - ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement) (malware.rules)
- 2808407 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 2 (mobile_malware.rules)
Removed rules:
- 2067417 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe AdminExec Operation (CVE-2025-67813) (info.rules)
- 2067418 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe DllInjection Operation (CVE-2025-67813) (info.rules)
- 2067419 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe Credentials Operation (CVE-2025-67813) (info.rules)
- 2067420 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe ImpersonateAdmin Operation (CVE-2025-67813) (info.rules)
- 2067421 - ET INFO Quest KACE Desktop Authority Insecure Named Pipe InvokeCOM Operation (CVE-2025-67813) (info.rules)