[Emerging-updates] Daily Ruleset Update Summary 2018/07/17

Travis Green tgreen at emergingthreats.net
Tue Jul 17 12:46:27 HDT 2018


[***]            Summary:            [***]

14 new Open, 58 new Pro (14 + 44). Powershell over SMB, Parasite HTTP,
Nanopool RCE, Simple Botnet, Various Phish, Mobile.

Thanks: Kevin Ross


[+++]          Added rules:          [+++]

Open:

 2025719 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement
(policy.rules)
 2025720 - ET POLICY Powershell Command With Hidden Window Argument Over
SMB - Likely Lateral Movement (policy.rules)
 2025721 - ET POLICY Powershell Command With Encoded Argument Over SMB -
Likely Lateral Movement (policy.rules)
 2025722 - ET POLICY Powershell Command With No Profile Argument Over SMB -
Likely Lateral Movement (policy.rules)
 2025723 - ET POLICY Powershell Command With Execution Bypass Argument Over
SMB - Likely Lateral Movement (policy.rules)
 2025724 - ET POLICY Powershell Command With NonInteractive Argument Over
SMB - Likely Lateral Movement (policy.rules)
 2025725 - ET POLICY RunDll Request Over SMB - Likely Lateral Movement
(policy.rules)
 2025726 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement
(policy.rules)
 2025727 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup (mobile_malware.rules)
 2025728 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2 (mobile_malware.rules)
 2025729 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3 (mobile_malware.rules)
 2025730 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4 (mobile_malware.rules)
 2025731 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5 (mobile_malware.rules)
 2025732 - ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web
Servers Likely Command Execution 4 (web_specific_apps.rules)

Pro:

 2831815 - ETPRO MOBILE_MALWARE Android.Riskware.Downloader.GE Uploading
Activity (mobile_malware.rules)
 2831816 - ETPRO MOBILE_MALWARE Android Trojan-Spy Arid Viper Uploading
Device Info (mobile_malware.rules)
 2831817 - ETPRO CURRENT_EVENTS Likely Malicious JS Inbound
(current_events.rules)
 2831818 - ETPRO MOBILE_MALWARE Android Riskware Dudata Device Info Exfil
(mobile_malware.rules)
 2831819 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Configuration Download
(web_specific_apps.rules)
 2831820 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Configuration Download
(web_specific_apps.rules)
 2831821 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Configuration Download
(web_specific_apps.rules)
 2831822 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Service Stop (web_specific_apps.rules)
 2831823 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Process Kill (web_specific_apps.rules)
 2831824 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Service start (web_specific_apps.rules)
 2831825 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Service Enable (web_specific_apps.rules)
 2831826 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Change Admin Passwd (web_specific_apps.rules)
 2831827 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Add Admin Passwd (web_specific_apps.rules)
 2831828 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Add Root Htpasswd (web_specific_apps.rules)
 2831829 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Crontab (web_specific_apps.rules)
 2831830 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Startup Script (web_specific_apps.rules)
 2831831 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Disable Firewall (web_specific_apps.rules)
 2831832 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Start the Microhard Sh (msshc) service
(web_specific_apps.rules)
 2831833 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Auto-enable the Microhard Sh (msshc) service
(web_specific_apps.rules)
 2831834 - ETPRO TROJAN Parasite HTTP Checkin (trojan.rules)
 2831835 - ETPRO TROJAN W32/Chthonic CnC Domain (bookreader .bit in DNS
Lookup) (trojan.rules)
 2831836 - ETPRO TROJAN W32/Chthonic CnC Domain (doghunter .bit in DNS
Lookup) (trojan.rules)
 2831837 - ETPRO TROJAN Cerber Domain Observed (1cknbd .top in DNS Lookup)
(trojan.rules)
 2831838 - ETPRO TROJAN Cerber Domain Observed (1cknbd .top in TLS SNI)
(trojan.rules)
 2831839 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL
2018-07-17) (current_events.rules)
 2831840 - ETPRO EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution
Linux (exploit.rules)
 2831841 - ETPRO EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution
Windows (exploit.rules)
 2831842 - ETPRO TROJAN Simple Botnet CnC Checkin (trojan.rules)
 2831843 - ETPRO CURRENT_EVENTS Appleconnect Verification Code - Phishing
Landing 2018-07-17 (current_events.rules)
 2831844 - ETPRO CURRENT_EVENTS Successful ASB Bank Phish 2018-07-17
(current_events.rules)
 2831845 - ETPRO CURRENT_EVENTS Successful Human Resources Phish 2018-07-17
(current_events.rules)
 2831846 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular
Ethernet and Serial Gateway - Default Credentials (web_specific_apps.rules)
 2831847 - ETPRO TROJAN Kot1Key CnC Checkin (trojan.rules)
 2831848 - ETPRO CURRENT_EVENTS Successful Apple Find my iPhone Phish
2018-07-17 (current_events.rules)
 2831849 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-07-17
(current_events.rules)
 2831850 - ETPRO TROJAN MSIL/Racoon3000 CnC Exil M2 (trojan.rules)
 2831851 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 1) (trojan.rules)
 2831852 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 2) (trojan.rules)
 2831853 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 3) (trojan.rules)
 2831854 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 4) (trojan.rules)
 2831855 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 5) (trojan.rules)
 2831856 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 6) (trojan.rules)
 2831857 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 7) (trojan.rules)
 2831858 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-07-17 8) (trojan.rules)


[///]     Modified active rules:     [///]

 2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
 2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
 2017128 - ET TROJAN W32.Berbew Check-in (trojan.rules)
 2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
 2025314 - ET POLICY Vulnerable Java Version 9.0.x Detected (policy.rules)
 2025518 - ET POLICY Vulnerable Java Version 10.0.x Detected (policy.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>