[Emerging-Sigs] Daily Ruleset Update Summary 2019/04/16

Jason Williams jwilliams at emergingthreats.net
Tue Apr 16 13:45:27 HDT 2019


[***]            Summary:            [***]

12 new Open, 38 new Pro (12 + 26). Banload, DustySky, Various Powershell,
Various Phishing.

 Thanks: Kevin Ross

 [+++]          Added rules:          [+++]

 Open:

  2027202 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
  2027203 - ET POLICY Possible Powershell .ps1 Script Use Over SMB (policy.rules)
  2027204 - ET POLICY Possible Powershell .ps1 Script Use Over SMB (policy.rules)
  2027205 - ET POLICY Possible WMI .mof Managed Object File Use Over SMB (policy.rules)
  2027206 - ET POLICY Possible WMI .mof Managed Object File Use Over SMB (policy.rules)
  2027207 - ET INFO HTTP Request with Double Cache-Control (info.rules)
  2027208 - ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com) (trojan.rules)
  2027209 - ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com) (trojan.rules)
  2027210 - ET POLICY Outbound POST Request with ps PowerShell Command Output (policy.rules)
  2027211 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M1 (trojan.rules)
  2027212 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M2 (trojan.rules)
  2027213 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M3 (trojan.rules)

 Pro:

  2835886 - ETPRO TROJAN Trojan.Win32.Banload.BIYB Checkin 2 (trojan.rules)
  2835887 - ETPRO TROJAN Trojan.Win32.Banload.BIYB Checkin 3 (trojan.rules)
  2835888 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 1) (trojan.rules)
  2835889 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 2) (trojan.rules)
  2835890 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 3) (trojan.rules)
  2835891 - ETPRO TROJAN Unk.MalDoc Reporting System Information (trojan.rules)
  2835892 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-04-16 (current_events.rules)
  2835893 - ETPRO CURRENT_EVENTS Successful Bet365 Phish 2019-04-16 (current_events.rules)
  2835894 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-04-16 (current_events.rules)
  2835895 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-04-16 (current_events.rules)
  2835896 - ETPRO CURRENT_EVENTS Successful Pubg Mobile Phish 2019-04-16 (current_events.rules)
  2835897 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-04-16 (current_events.rules)
  2835898 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2019-04-16 (current_events.rules)
  2835899 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-04-16 (current_events.rules)
  2835900 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-04-16 (current_events.rules)
  2835901 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-04-16 (current_events.rules)
  2835902 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-04-16 (current_events.rules)
  2835903 - ETPRO CURRENT_EVENTS Successful Adobe Cloud Phish 2019-04-16 (current_events.rules)
  2835904 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-16 (current_events.rules)
  2835905 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-16 (current_events.rules)
  2835906 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-04-16 (current_events.rules)
  2835907 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-04-16 (current_events.rules)
  2835908 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2019-04-16 (current_events.rules)
  2835909 - ETPRO TROJAN Observed Malicious SSL Cert (Maldoc CnC) (trojan.rules)
  2835910 - ETPRO TROJAN Observed Malicious SSL Cert (sLoad CnC) (trojan.rules)
  2835911 - ETPRO POLICY Inbound PowerShell Checking Geo-Location via Registry (policy.rules)

 [///]     Modified active rules:     [///]

  2022578 - ET CURRENT_EVENTS JS Obfuscation - Possible Phishing 2016-03-01 (current_events.rules)
  2025719 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
  2025726 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
  2027180 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
  2027181 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
  2027182 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
  2027199 - ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc) (policy.rules)
  2027200 - ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc) (policy.rules)
  2806834 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.iucz Checkin 1 (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2807434 - ETPRO TROJAN Trojan.Win32.Agent.adecj Checkin (trojan.rules)
  2833314 - ETPRO TROJAN Win32/Agent.QP Requesting Payload (trojan.rules)