[***]            Summary:            [***]

22 new Open, 65 new Pro (22 + 43). Rostpay, W32.Suviapen, Bloodlust, Various Phish.

Thanks: Kevin Ross and @Ledtech3

[+++]          Added rules:          [+++]

Open:

2025697 - ET TROJAN Rostpay Downloader User-Agent (trojan.rules)
2025698 - ET CURRENT_EVENTS Bank of America Phishing Landing (current_events.rules)
2025699 - ET POLICY SMB Executable File Transfer (policy.rules)
2025700 - ET POLICY SMB NT Create AndX Request For an Executable File (policy.rules)
2025701 - ET POLICY SMB2 NT Create AndX Request For an Executable File (policy.rules)
2025702 - ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory (policy.rules)
2025703 - ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory (policy.rules)
2025704 - ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File (policy.rules)
2025705 - ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File (policy.rules)
2025706 - ET POLICY SMB NT Create AndX Request For a .bat File (policy.rules)
2025707 - ET POLICY SMB2 NT Create AndX Request For a .bat File (policy.rules)
2025708 - ET POLICY SMB NT Create AndX Request For a DLL File (policy.rules)
2025709 - ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement (policy.rules)
2025710 - ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement (policy.rules)
2025711 - ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement (policy.rules)
2025712 - ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement (policy.rules)
2025713 - ET POLICY SMB2 Remote AT Scheduled Job Create Request (policy.rules)
2025714 - ET POLICY SMB Remote AT Scheduled Job Pipe Creation (policy.rules)
2025715 - ET CURRENT_EVENTS Fake Adobe Software Update Landing (current_events.rules)
2025716 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1 (web_specific_apps.rules)
2025717 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2 (web_specific_apps.rules)
2025718 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3 (web_specific_apps.rules)
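The three numbered "ELF file magic encoded Base64" rules above (2025716 to 2025718) presumably cover the three ways the four-byte ELF magic `\x7fELF` can land relative to a base64 3-byte group: each alignment yields a different fixed substring, and a single string match would miss the other two. The Python below is added here as an illustration of that property and is not code from the ET ruleset; the function names, the sample request bodies and the fake ELF header are all constructed for the example, and the real rules carry protocol context (direction, HTTP fields) that this matcher does not reproduce.

```python
import base64

ELF_MAGIC = b"\x7fELF"


def fixed_base64_chars(magic: bytes, align: int) -> str:
    """Return the run of base64 characters that depend only on `magic` when it
    starts `align` bytes (0, 1 or 2) into a base64 3-byte group.
    Neighbouring bytes are filled with zeros; any output character that mixes
    in bits from those filler bytes is excluded, so the result matches no
    matter what surrounds the magic in the real stream."""
    prefix = b"\x00" * align
    suffix = b"\x00" * ((3 - (align + len(magic)) % 3) % 3)
    encoded = base64.b64encode(prefix + magic + suffix).decode("ascii")
    # known[i] is True iff input bit i comes from `magic` rather than filler
    known = ([False] * (8 * align)
             + [True] * (8 * len(magic))
             + [False] * (8 * len(suffix)))
    fixed = ""
    for i, ch in enumerate(encoded):
        if all(known[6 * i:6 * i + 6]):
            fixed += ch
        elif fixed:
            break  # the fully determined characters form one contiguous run
    return fixed


# One pattern per alignment; for \x7fELF these are 'f0VMR', '9FTE' and '/RUxG'
ELF_B64_PATTERNS = [fixed_base64_chars(ELF_MAGIC, a) for a in range(3)]


def find_base64_elf(body: bytes):
    """Return (alignment, offset) of the first base64-encoded ELF magic found
    in `body`, or None. Offsets are byte indexes into `body`."""
    for align, pat in enumerate(ELF_B64_PATTERNS):
        idx = body.find(pat.encode("ascii"))
        if idx != -1:
            return align, idx
    return None


def sample_requests() -> dict:
    """Constructed sample POST bodies (not real captures): a fake 16-byte ELF
    header encoded at each alignment, plus one benign base64 body."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # e_ident-like, not a real binary
    return {
        "align0": b"cmd=echo " + base64.b64encode(fake_elf) + b"|base64 -d>/tmp/x",
        "align1": b"cmd=echo " + base64.b64encode(b"X" + fake_elf) + b"|base64 -d>/tmp/x",
        "align2": b"cmd=echo " + base64.b64encode(b"XY" + fake_elf) + b"|base64 -d>/tmp/x",
        "benign": b"user=alice&token=" + base64.b64encode(b"hello world, plain session token"),
    }


def scan_samples() -> dict:
    """Run the matcher over the constructed samples; None means no hit."""
    return {name: find_base64_elf(body) for name, body in sample_requests().items()}


if __name__ == "__main__":
    print("patterns:", ELF_B64_PATTERNS)
    for name, hit in scan_samples().items():
        print(f"{name}: {hit}")
```

Two caveats a practitioner would want: the substrings are short (four or five characters), so on a busy web server they will occasionally appear inside unrelated base64 data, which is why the real rules are scoped to inbound traffic to web servers and to request fields; and URL-safe base64 swaps `/` for `_`, so the alignment-2 pattern becomes `_RUxG` in that alphabet (pass `altchars=b"-_"` to `base64.b64encode` in `fixed_base64_chars` to derive it).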

Pro:

2831772 - ETPRO TROJAN W32.Suviapen Checkin (trojan.rules)
2831773 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to PDF 2018-07-16 (current_events.rules)
2831774 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1 (web_specific_apps.rules)
2831775 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2 (web_specific_apps.rules)
2831776 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3 (web_specific_apps.rules)
2831777 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4 (web_specific_apps.rules)
2831778 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to Voicemail 2018-07-16 (current_events.rules)
2831779 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-07-16 (current_events.rules)
2831780 - ETPRO TROJAN W32.Gamaredon.Variant Checkin (trojan.rules)
2831781 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to FTP 2018-07-16 (current_events.rules)
2831782 - ETPRO TROJAN Win32.Ursu.Variant Checkin (trojan.rules)
2831783 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-07-16 (current_events.rules)
2831784 - ETPRO TROJAN Hawkeye Keylogger SMTP Checkin M3 (trojan.rules)
2831785 - ETPRO CURRENT_EVENTS Successful Chalbhai Phish 2018-07-16 (current_events.rules)
2831786 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M1 2018-07-16 (current_events.rules)
2831787 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M2 2018-07-16 (current_events.rules)
2831788 - ETPRO CURRENT_EVENTS Successful Santander Phish M1 2018-07-16 (current_events.rules)
2831789 - ETPRO CURRENT_EVENTS Successful Santander Phish M2 2018-07-16 (current_events.rules)
2831790 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-07-16 (current_events.rules)
2831791 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-07-16 (current_events.rules)
2831792 - ETPRO CURRENT_EVENTS Successful SFR Phish 2018-07-16 (current_events.rules)
2831793 - ETPRO CURRENT_EVENTS Successful Netflix M1 Phish 2018-07-16 (current_events.rules)
2831794 - ETPRO CURRENT_EVENTS Successful Netflix M2 Phish 2018-07-16 (current_events.rules)
2831795 - ETPRO TROJAN Possible Shrug2 Ransomware Checkin (trojan.rules)
2831796 - ETPRO CURRENT_EVENTS Successful Bank of America M1 Phish 2018-07-16 (current_events.rules)
2831797 - ETPRO CURRENT_EVENTS Successful Bank of America M2 Phish 2018-07-16 (current_events.rules)
2831798 - ETPRO CURRENT_EVENTS Successful Bank of America M3 Phish 2018-07-16 (current_events.rules)
2831799 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2018-07-16 (current_events.rules)
2831800 - ETPRO WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting (web_specific_apps.rules)
2831801 - ETPRO TROJAN W32.Suviapen Checkin M2 (trojan.rules)
2831802 - ETPRO WEB_SPECIFIC_APPS Hadoop YARN ResourceManager Unauthenticated Command Execution (web_specific_apps.rules)
2831803 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-07-16) (current_events.rules)
2831804 - ETPRO CURRENT_EVENTS Bloodlust Redirect JS Inbound Jul 16 (current_events.rules)
2831805 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 1) (trojan.rules)
2831806 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 2) (trojan.rules)
2831807 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 3) (trojan.rules)
2831808 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 4) (trojan.rules)
2831809 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 5) (trojan.rules)
2831810 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 6) (trojan.rules)
2831811 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 7) (trojan.rules)
2831812 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) (trojan.rules)
2831813 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 9) (trojan.rules)
2831814 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 10) (trojan.rules)

[///]     Modified active rules:     [///]

2017128 - ET TROJAN W32.Berbew Check-in (trojan.rules)

Date: Sunday, July 15, 2018 - 22:00