Summary:
30 new OPEN, 34 new PRO (30 + 4)
Thanks @Pb22
Added rules:
Open:
- 2068663 - ET HUNTING Executable File Hosted via Cloudflare Services (* .trycloudflare .com) (hunting.rules)
- 2068664 - ET HUNTING Executable File Hosted via Cloudflare Services (* .pages .dev) (hunting.rules)
- 2068665 - ET HUNTING Executable File Hosted via Cloudflare Services (* .workers .dev) (hunting.rules)
- 2068666 - ET HUNTING Executable File Hosted via Cloudflare Services (* .r2 .dev) (hunting.rules)
- 2068667 - ET INFO Abused File Sharing Domain in DNS Lookup (x0 .at) (info.rules)
- 2068668 - ET INFO Observed Abused File Sharing Domain (x0 .at in TLS SNI) (info.rules)
- 2068669 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (market .dianamercer .com) (malware.rules)
- 2068670 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (market .dianamercer .com) (malware.rules)
- 2068671 - ET INFO DYNAMIC_DNS Query to a *.lienenbert .com domain (info.rules)
- 2068672 - ET INFO DYNAMIC_DNS HTTP Request to a *.lienenbert .com domain (info.rules)
- 2068673 - ET INFO DYNAMIC_DNS Query to a *.maverickden .com domain (info.rules)
- 2068674 - ET INFO DYNAMIC_DNS HTTP Request to a *.maverickden .com domain (info.rules)
- 2068675 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cerebe .cyou) (malware.rules)
- 2068676 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cerebe .cyou) in TLS SNI (malware.rules)
- 2068677 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cosmozya .digital) (malware.rules)
- 2068678 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cosmozya .digital) in TLS SNI (malware.rules)
- 2068679 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grossvp .xyz) (malware.rules)
- 2068680 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grossvp .xyz) in TLS SNI (malware.rules)
- 2068681 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (waytinmedicinedskow .shop) (malware.rules)
- 2068682 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (waytinmedicinedskow .shop) in TLS SNI (malware.rules)
- 2068683 - ET MALWARE SonOyuncu Stealer User-Agent Observed (malware.rules)
- 2068684 - ET MALWARE SonOyuncu Stealer Exfil via Discord (malware.rules)
- 2068685 - ET INFO Pastebin-Like Service Domain in DNS Lookup (paste .kealper .com) (info.rules)
- 2068686 - ET INFO Pastebin-Like Service Domain in DNS Lookup (chiaselinks .com) (info.rules)
- 2068687 - ET INFO Pastebin-Like Service Domain in DNS Lookup (snippet .host) (info.rules)
- 2068688 - ET INFO Pastebin-Like Service Domain in DNS Lookup (rlim .com) (info.rules)
- 2068689 - ET INFO Observed Pastebin-Like Service Domain (paste .kealper .com in TLS SNI) (info.rules)
- 2068690 - ET INFO Observed Pastebin-Like Service Domain (chiaselinks .com in TLS SNI) (info.rules)
- 2068691 - ET INFO Observed Pastebin-Like Service Domain (snippet .host in TLS SNI) (info.rules)
- 2068692 - ET INFO Observed Pastebin-Like Service Domain (rlim .com in TLS SNI) (info.rules)
Pro:
- 2867026 - ETPRO MALWARE Adobe Reader PDF Unknown C2 Beacon (20260323) (malware.rules)
- 2867027 - ETPRO MALWARE Adobe Reader PDF Unknown C2 Exfil (20260323) (malware.rules)
- 2867028 - ETPRO HUNTING PDF JS-embedded contains JSFuck Obfuscated Code (hunting.rules)
- 2867029 - ETPRO HUNTING Adobe Reader User-Agent (non-Adobe) Outbound (hunting.rules)