[***]            Summary:            [***]

7 new Open, 39 new Pro (7 + 32). Strongpity, Powershell Empire, Coinminers, Various Phishing.

[+++]          Added rules:          [+++]

Open:

2026657 - ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) (info.rules)
2026658 - ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) (info.rules)
2026659 - ET CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader Domain) (current_events.rules)
2026666 - ET CURRENT_EVENTS Observed Malicious SSL Cert (StrongPity Domain) (current_events.rules)
2026667 - ET CURRENT_EVENTS Observed Malicious SSL Cert (StrongPity Domain) (current_events.rules)
2026668 - ET CURRENT_EVENTS Observed Malicious SSL Cert (StrongPity Domain) (current_events.rules)
2026669 - ET CURRENT_EVENTS Observed Malicious SSL Cert (StrongPity Domain) (current_events.rules)

Pro:

2833651 - ETPRO TROJAN PowerShell/BlasterEgg Checkin (trojan.rules)
2833652 - ETPRO TROJAN Neozhvnc CnC Beacon (trojan.rules)
2833653 - ETPRO POLICY WebDav Auth Request Outbound (Possible NTLM Hash Theft) (policy.rules)
2833654 - ETPRO ATTACK_RESPONSE Responder NTLM Authentication HTTP Response (attack_response.rules)
2833655 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 1) (trojan.rules)
2833656 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 2) (trojan.rules)
2833657 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 3) (trojan.rules)
2833658 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 4) (trojan.rules)
2833659 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 5) (trojan.rules)
2833660 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 6) (trojan.rules)
2833661 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 7) (trojan.rules)
2833662 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 8) (trojan.rules)
2833663 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 9) (trojan.rules)
2833664 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 10) (trojan.rules)
2833665 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 11) (trojan.rules)
2833666 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 12) (trojan.rules)
2833667 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 13) (trojan.rules)
2833668 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 14) (trojan.rules)
2833669 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 15) (trojan.rules)
2833670 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-27 16) (trojan.rules)
2833671 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-11-27) (current_events.rules)
2833672 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-11-27 2) (current_events.rules)
2833673 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-11-27 3) (current_events.rules)
2833674 - ETPRO TROJAN PowerShell Empire Proxy Hop Request (trojan.rules)
2833675 - ETPRO CURRENT_EVENTS Successful USAA Phish 2018-11-27 (current_events.rules)
2833676 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-11-27 (current_events.rules)
2833677 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-11-27 M1 (current_events.rules)
2833678 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-11-27 M2 (current_events.rules)
2833679 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2018-11-27 (current_events.rules)
2833680 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-11-27 (current_events.rules)
2833681 - ETPRO CURRENT_EVENTS Successful Workday Phish 2018-11-27 M1 (current_events.rules)
2833682 - ETPRO CURRENT_EVENTS Successful Workday Phish 2018-11-27 (current_events.rules)

[+++]  Enabled and modified rules:   [+++]

2013490 - ET POLICY NetBIOS nbtstat Type Query Outbound (policy.rules)
2013491 - ET POLICY NetBIOS nbtstat Type Query Inbound (policy.rules)

[///]     Modified active rules:     [///]

2832606 - ETPRO TROJAN Spytector PWS FTP Exfil (trojan.rules)
2832759 - ETPRO CURRENT_EVENTS MalDoc Requesting Ursnif Payload 2018-09-24 (current_events.rules)
2832815 - ETPRO TROJAN Spytector PWS FTP Exfil M2 (trojan.rules)

Date: 
Tuesday, November 27, 2018 - 00:00