[Emerging-Sigs] Daily Ruleset Update Summary 2019/04/10
Travis Green
tgreen at emergingthreats.net
Wed Apr 10 14:40:51 HDT 2019
[***] Summary: [***]
15 new Open, 34 new Pro (15 + 19). (?:Powershell|Command|WMIC) Over SMB, MSIL.Atilla Stealer, Various Phishing.
Thanks: Kevin Ross
[+++] Added rules: [+++]
Open:
2027168 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2027169 - ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement (policy.rules)
2027170 - ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement (policy.rules)
2027171 - ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement (policy.rules)
2027172 - ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement (policy.rules)
2027173 - ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement (policy.rules)
2027174 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027175 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027176 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027177 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027178 - ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement (policy.rules)
2027179 - ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement (policy.rules)
2027180 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027181 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027182 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
Pro:
2835793 - ETPRO TROJAN MSIL.Atilla Stealer Checkin (trojan.rules)
2835794 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-10 1) (trojan.rules)
2835795 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-10 2) (trojan.rules)
2835796 - ETPRO TROJAN PS.FrontLine Proxied Checkin (trojan.rules)
2835797 - ETPRO TROJAN PS.FrontLine Checkin (trojan.rules)
2835798 - ETPRO TROJAN PS.FrontLine C2 getCommand (trojan.rules)
2835799 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2835800 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-04-10 (current_events.rules)
2835801 - ETPRO CURRENT_EVENTS Successful WhatsApp Phish 2019-04-10 (current_events.rules)
2835802 - ETPRO CURRENT_EVENTS Successful Nedbank Phish 2019-04-10 (current_events.rules)
2835803 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-04-10 (current_events.rules)
2835804 - ETPRO CURRENT_EVENTS Successful Instagram Verified Badge Phish 2019-04-10 (current_events.rules)
2835805 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish 2019-04-10 (current_events.rules)
2835806 - ETPRO CURRENT_EVENTS Successful Bet365 Phish 2019-04-10 (current_events.rules)
2835807 - ETPRO CURRENT_EVENTS Successful Microsoft Office 365 Phish 2019-04-10 (current_events.rules)
2835808 - ETPRO CURRENT_EVENTS Successful Argos Phish 2019-04-10 (current_events.rules)
2835809 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-04-10 (current_events.rules)
2835810 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2019-04-10 (current_events.rules)
2835811 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2019-04-10 (current_events.rules)
[///] Modified active rules: [///]
2013017 - ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related (malware.rules)
2821945 - ETPRO TROJAN Likely APT29 Retrieving Payload Embedded In PNG (trojan.rules)
2821947 - ETPRO TROJAN Likely APT29 SSL Cert (legitimate website) (trojan.rules)
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc