[***]            Summary:            [***]

2 new Open, 28 new Pro (2 + 26). Gandcrab, Winnti, WinRM, Various Phishing

Thanks: Kevin Ross

[+++]          Added rules:          [+++]

Open:

2026849 - ET POLICY WinRM wsman Access - Possible Lateral Movement (policy.rules)
2026850 - ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement (user_agents.rules)

Pro:

2834510 - ETPRO POLICY External IP Address Lookup via 7fw .de (policy.rules)
2834511 - ETPRO POLICY External IP Address Lookup via ru .smart-ip .net (policy.rules)
2834512 - ETPRO TROJAN Awad Bot CnC Checkin (trojan.rules)
2834513 - ETPRO TROJAN VBS/Unk.Downloader Activity (trojan.rules)
2834514 - ETPRO TROJAN Win32/Remcos RAT Checkin 84 (trojan.rules)
2834515 - ETPRO TROJAN Observed Malicious SSL Cert (GandCrab CnC) (trojan.rules)
2834516 - ETPRO TROJAN Observed DNS Query to GandCrab CnC Domain (trojan.rules)
2834517 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-01-23) (current_events.rules)
2834518 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-01-23 (current_events.rules)
2834519 - ETPRO CURRENT_EVENTS Successful Generic_Webmail Phish 2019-01-23 (current_events.rules)
2834520 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish 2019-01-23 (current_events.rules)
2834521 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-01-23 (current_events.rules)
2834522 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-01-23 (current_events.rules)
2834523 - ETPRO CURRENT_EVENTS Successful UPS Phish 2019-01-23 (current_events.rules)
2834524 - ETPRO CURRENT_EVENTS Successful Generic View Document Phish 2019-01-23 (current_events.rules)
2834525 - ETPRO CURRENT_EVENTS Successful Generic Webmail Upgrade Phish 2019-01-23 (current_events.rules)
2834526 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online 2019-01-23 (current_events.rules)
2834527 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-01-23 (current_events.rules)
2834528 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2019-01-23 (current_events.rules)
2834529 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-01-23 (current_events.rules)
2834530 - ETPRO CURRENT_EVENTS Successful OTP Bank Phish 2019-01-23 (current_events.rules)
2834531 - ETPRO CURRENT_EVENTS Successful Mailbox Error Report Phish 2019-01-23 (current_events.rules)
2834532 - ETPRO CURRENT_EVENTS Successful Apple iTunes Phish 2019-01-23 (current_events.rules)
2834533 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-01-23 (current_events.rules)
2834534 - ETPRO TROJAN Winnti Umbrella Tool Reporting to CnC (trojan.rules)
2834535 - ETPRO TROJAN Tick Group HomamDownloader CnC Activit (trojan.rules)

[///]     Modified active rules:     [///]

2805993 - ETPRO TROJAN Win32/MirageRAT Client Checkin (trojan.rules)
2805994 - ETPRO TROJAN Win32/MirageRAT Server Response (trojan.rules)

Date: Tuesday, January 22, 2019 - 22:00