Ruleset Update Summary - 2026/06/16 - v11215

Ruleset Updates
1

Summary:

22 new OPEN, 45 new PRO (22 + 23)

Due to the observation of an internal holiday, there will be no release on Friday, June 19, 2026.

Added rules:

Open:

  • 2069949 - ET EXPLOIT_KIT tdsshop Web Inject Payload Request (exploit_kit.rules)
  • 2069950 - ET EXPLOIT Observed DNS Query to tdsshop Domain (sdntds .shop) (exploit.rules)
  • 2069951 - ET EXPLOIT Observed DNS Query to tdsshop Domain (dnsnewtds .shop) (exploit.rules)
  • 2069952 - ET EXPLOIT Observed DNS Query to tdsshop Domain (newtdsone .shop) (exploit.rules)
  • 2069953 - ET EXPLOIT Observed DNS Query to tdsshop Domain (ntdnewtds .shop) (exploit.rules)
  • 2069954 - ET EXPLOIT Observed DNS Query to tdsshop Domain (nttdss .shop) (exploit.rules)
  • 2069955 - ET EXPLOIT Observed DNS Query to tdsshop Domain (dntds .shop) (exploit.rules)
  • 2069956 - ET EXPLOIT Observed tdsshop Domain (sdntds .shop in TLS SNI) (exploit.rules)
  • 2069957 - ET EXPLOIT Observed tdsshop Domain (dnsnewtds .shop in TLS SNI) (exploit.rules)
  • 2069958 - ET EXPLOIT Observed tdsshop Domain (newtdsone .shop in TLS SNI) (exploit.rules)
  • 2069959 - ET EXPLOIT Observed tdsshop Domain (ntdnewtds .shop in TLS SNI) (exploit.rules)
  • 2069960 - ET EXPLOIT Observed tdsshop Domain (nttdss .shop in TLS SNI) (exploit.rules)
  • 2069961 - ET EXPLOIT Observed tdsshop Domain (dntds .shop in TLS SNI) (exploit.rules)
  • 2069962 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (treviro .icu) (exploit_kit.rules)
  • 2069963 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (treviro .icu) (exploit_kit.rules)
  • 2069964 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (coralmanor .top) (exploit_kit.rules)
  • 2069965 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (coralmanor .top) (exploit_kit.rules)
  • 2069966 - ET WEB_SPECIFIC_APPS Microsoft SharePoint Server Upload Page Folder Path Traversal (CVE-2026-45454) (web_specific_apps.rules)
  • 2069967 - ET WEB_SPECIFIC_APPS Jenkins Arbitrary File Read via Unsafe XStream Deserialization (CVE-2026-53435) (web_specific_apps.rules)
  • 2069968 - ET WEB_SPECIFIC_APPS Splunk Enterprise Authentication REST API Authenticated Client-Side DoS (CVE-2026-20139) (web_specific_apps.rules)
  • 2069969 - ET WEB_SPECIFIC_APPS Splunk Enterprise Server Information Disclosure via REST API (CVE-2018-11409) (web_specific_apps.rules)
  • 2069970 - ET HUNTING Javascript Obfuscator Charcode+Hex Encoded Function Name (hunting.rules)

Pro:

  • 2867724 - ETPRO MALWARE Observed DNS Query to Balada Domain (malware.rules)
  • 2867725 - ETPRO MALWARE Observed DNS Query to Balada Domain (malware.rules)
  • 2867726 - ETPRO MALWARE Observed DNS Query to Balada Domain (malware.rules)
  • 2867727 - ETPRO MALWARE Observed DNS Query to Balada Domain (malware.rules)
  • 2867728 - ETPRO MALWARE Observed Balada Domain in TLS SNI (malware.rules)
  • 2867729 - ETPRO MALWARE Observed Balada Domain in TLS SNI (malware.rules)
  • 2867730 - ETPRO MALWARE Observed Balada Domain in TLS SNI (malware.rules)
  • 2867731 - ETPRO MALWARE Observed Balada Domain in TLS SNI (malware.rules)
  • 2867732 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867733 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2867734 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2867735 - ETPRO MALWARE SOSIHVNC CnC Domain in DNS Lookup (malware.rules)
  • 2867736 - ETPRO MALWARE Observed SOSIHVNC CnC Domain in TLS SNI (malware.rules)
  • 2867737 - ETPRO MALWARE SOSIHVNC Victim Initial Checkin (malware.rules)
  • 2867738 - ETPRO MALWARE SOSIHVNC Stage 2 Payload Inbound (malware.rules)
  • 2867739 - ETPRO MALWARE SOSIHVNC Victim Beacon M1 (malware.rules)
  • 2867740 - ETPRO MALWARE SOSIHVNC CnC Beacon Response (malware.rules)
  • 2867741 - ETPRO MALWARE SOSIHVNC Victim Beacon M2 (malware.rules)
  • 2867742 - ETPRO MALWARE SOSIHVNC CnC Command Inbound (malware.rules)
  • 2867743 - ETPRO MALWARE SOSIHVNC Victim Command Execution Status Report (malware.rules)
  • 2867744 - ETPRO MALWARE SOSIHVNC CnC WatchDog Payload Inbound (malware.rules)
  • 2867745 - ETPRO PHISHING UNK_SmokeScreen Fetch User (phishing.rules)
  • 2867746 - ETPRO WEB_SPECIFIC_APPS Oracle PeopleSoft Zero-Day Remote Code Execution (CVE-2026-35273) (web_specific_apps.rules)