Ruleset Update Summary - 2026/03/13 - v11146

Ruleset Updates
1

Summary:

35 new OPEN, 39 new PRO (35 + 4)

Added rules:

Open:

  • 2068194 - ET INFO External IP Lookup Domain (get-my-ip .ddns .softether-network .net) in DNS Lookup (info.rules)
  • 2068195 - ET INFO External IP Lookup Domain (get-my-ip-v6 .ddns .softether-network .net) in DNS Lookup (info.rules)
  • 2068196 - ET INFO Observed External IP Lookup Domain (get-my-ip .ddns .softether-network .net in TLS SNI) (info.rules)
  • 2068197 - ET INFO Observed External IP Lookup Domain (get-my-ip-v6 .ddns .softether-network .net in TLS SNI) (info.rules)
  • 2068198 - ET INFO SoftEther VPN Service Related Domain (vpnazure .net) in DNS Lookup (info.rules)
  • 2068199 - ET INFO SoftEther VPN Service Related Domain (softether .org) in DNS Lookup (info.rules)
  • 2068200 - ET INFO SoftEther VPN Service Related Domain (softether-network .net) in DNS Lookup (info.rules)
  • 2068201 - ET INFO Observed SoftEther VPN Service Domain (vpnazure .net in TLS SNI) (info.rules)
  • 2068202 - ET INFO Observed SoftEther VPN Service Domain (softether .org in TLS SNI) (info.rules)
  • 2068203 - ET INFO Observed SoftEther VPN Service Domain (softether-network .net in TLS SNI) (info.rules)
  • 2068204 - ET INFO Xeox RMM Agent Activity (info.rules)
  • 2068205 - ET INFO Observed DNS Query to Xeox RMM Domain (xeox .com) (info.rules)
  • 2068206 - ET INFO Observed Xeox RMM Domain (xeox .com in TLS SNI) (info.rules)
  • 2068207 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (almersalstore .com) (malware.rules)
  • 2068208 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (support .almersalstore .com) (malware.rules)
  • 2068209 - ET MALWARE Observed Cobalt Strike Domain (almersalstore .com in TLS SNI) (malware.rules)
  • 2068210 - ET MALWARE Observed Cobalt Strike Domain (support .almersalstore .com in TLS SNI) (malware.rules)
  • 2068211 - ET MALWARE Observed DNS Query to TA402 Domain (iwsmailserver .com) (malware.rules)
  • 2068212 - ET MALWARE Observed TA402 Domain (iwsmailserver .com in TLS SNI) (malware.rules)
  • 2068213 - ET MALWARE Observed DNS Query to TA473 Domain (unityprogressall .org) (malware.rules)
  • 2068214 - ET MALWARE Observed TA473 Domain (unityprogressall .org in TLS SNI) (malware.rules)
  • 2068215 - ET MALWARE Observed DNS Query to UNK_NightOwl Domain (iran .dashboard .1drvms .store) (malware.rules)
  • 2068216 - ET MALWARE Observed UNK_NightOwl Domain (iran .dashboard .1drvms .store in TLS SNI) (malware.rules)
  • 2068217 - ET MALWARE Observed DNS Query to UNK_RobotDreams Domain (defenceprodindia .sit) (malware.rules)
  • 2068218 - ET MALWARE Observed DNS Query to UNK_RobotDreams Domain (endpoint1-b0ecetbuabcdg9cp .z01 .azurefd .net) (malware.rules)
  • 2068219 - ET MALWARE Observed UNK_RobotDreams Domain (defenceprodindia .sit in TLS SNI) (malware.rules)
  • 2068220 - ET MALWARE Observed UNK_RobotDreams Domain (endpoint1-b0ecetbuabcdg9cp .z01 .azurefd .net in TLS SNI) (malware.rules)
  • 2068221 - ET MALWARE Observed DNS Query to TA453 Domain (transfergocompany .com) (malware.rules)
  • 2068222 - ET MALWARE Observed TA453 Domain (transfergocompany .com in TLS SNI) (malware.rules)
  • 2068223 - ET JA3 Hash - Possible SoftEther Server-Side Traffic (ja3.rules)
  • 2068224 - ET JA3 Hash - Possible SoftEther Windows Client SSTP Traffic (ja3.rules)
  • 2068225 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (unanistan .com) (exploit_kit.rules)
  • 2068226 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (unanistan .com) (exploit_kit.rules)
  • 2068227 - ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M1 (CVE-2021-22054) (web_specific_apps.rules)
  • 2068228 - ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M2 (CVE-2021-22054) (web_specific_apps.rules)

Pro:

  • 2866521 - ETPRO HUNTING WebAssembly Table-Based Heap Corruption Setup (hunting.rules)
  • 2866522 - ETPRO HUNTING Web Audio API OfflineAudioContext Heap Corruption with NumberFormat Spray (hunting.rules)
  • 2866523 - ETPRO HUNTING JavaScript Intl.Segmenter Iterator PAC Bypass (VTable Dispatch) (hunting.rules)
  • 2866524 - ETPRO MALWARE UNK_SmokeScreen CnC Checkin (malware.rules)

Modified inactive rules:

  • 2015575 - ET EXPLOIT_KIT KaiXin Exploit Kit Java Class (exploit_kit.rules)
  • 2015825 - ET MALWARE Zeus/Citadel Control Panel Access (Outbound) (malware.rules)
  • 2016253 - ET MALWARE Unknown POST of System Info (malware.rules)
  • 2804873 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.axvi Checkin (malware.rules)
  • 2805002 - ETPRO MALWARE HackTool.Win32.VKTools.na Checkin 4 (malware.rules)
  • 2805732 - ETPRO MALWARE Backdoor Boomie.A Checkin Response/Egg Download Command (malware.rules)