[***] Summary: [***]
15 new Open, 34 new Pro (15 + 19). (?:Powershell|Command|WMIC) Over SMB, MSIL.Atilla Stealer, Various Phishing.
Thanks: Kevin Ross
[+++] Added rules: [+++]
Open:
2027168 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2027169 - ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement (policy.rules)
2027170 - ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement (policy.rules)
2027171 - ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement (policy.rules)
2027172 - ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement (policy.rules)
2027173 - ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement (policy.rules)
2027174 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027175 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027176 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027177 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027178 - ET POLICY Command Shell Activity Using Comspec Environment Variable Over SMB - Very Likely Lateral Movement (policy.rules)
2027179 - ET POLICY Command Shell Activity Using Comspec Environment Variable Over SMB - Very Likely Lateral Movement (policy.rules)
2027180 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027181 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027182 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
Pro:
2835793 - ETPRO TROJAN MSIL.Atilla Stealer Checkin (trojan.rules)
2835794 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-10 1) (trojan.rules)
2835795 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-10 2) (trojan.rules)
2835796 - ETPRO TROJAN PS.FrontLine Proxied Checkin (trojan.rules)
2835797 - ETPRO TROJAN PS.FrontLine Checkin (trojan.rules)
2835798 - ETPRO TROJAN PS.FrontLine C2 getCommand (trojan.rules)
2835799 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2835800 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-04-10 (current_events.rules)
2835801 - ETPRO CURRENT_EVENTS Successful WhatsApp Phish 2019-04-10 (current_events.rules)
2835802 - ETPRO CURRENT_EVENTS Successful Nedbank Phish 2019-04-10 (current_events.rules)
2835803 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-04-10 (current_events.rules)
2835804 - ETPRO CURRENT_EVENTS Successful Instagram Verified Badge Phish 2019-04-10 (current_events.rules)
2835805 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish 2019-04-10 (current_events.rules)
2835806 - ETPRO CURRENT_EVENTS Successful Bet365 Phish 2019-04-10 (current_events.rules)
2835807 - ETPRO CURRENT_EVENTS Successful Microsoft Office 365 Phish 2019-04-10 (current_events.rules)
2835808 - ETPRO CURRENT_EVENTS Successful Argos Phish 2019-04-10 (current_events.rules)
2835809 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-04-10 (current_events.rules)
2835810 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2019-04-10 (current_events.rules)
2835811 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2019-04-10 (current_events.rules)
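The Open rules 2027168-2027182 above key on the same handful of PowerShell, cmd.exe and WMIC command-line features (no-profile, hidden window, execution-policy bypass, encoded command, non-interactive, %COMSPEC%, wmic) seen inside SMB traffic. The script below is an added example, not Emerging Threats rule content and not a reproduction of the signatures: it applies the same triage to process command lines (endpoint telemetry, or a command string lifted out of an SMB write) and decodes the -EncodedCommand payload. The tag names and the SAMPLES list are constructed here; the parameter-prefix matching reflects PowerShell's documented behaviour (any unambiguous prefix of a parameter name works, plus the non-prefix aliases -ep and -ec), while accepting abbreviated values such as "-w hid" is an assumption that errs toward alerting.

```python
"""Triage Windows command lines for the PowerShell / cmd.exe / WMIC arguments that the
Open rules 2027168-2027182 describe. Added example, not Emerging Threats rule content."""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name (-nop, -nopro and
# -noprofile are equivalent) plus a few documented aliases that are not prefixes.
# Tuple: (shortest prefix that still selects the parameter, extra aliases).
PS_PARAMS = {
    "noprofile":       ("nop",  set()),
    "noninteractive":  ("noni", set()),
    "windowstyle":     ("w",    set()),
    "executionpolicy": ("ex",   {"ep"}),
    "encodedcommand":  ("e",    {"ec"}),
}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted arguments as one token

EXE_TAGS = {
    "powershell.exe": "powershell", "powershell": "powershell",
    "pwsh.exe": "powershell", "pwsh": "powershell",
    "cmd.exe": "cmd", "cmd": "cmd",
    "wmic.exe": "wmic", "wmic": "wmic",
}

# Constructed sample command lines (hypothetical, not captured from any incident).
# The base64 blob is "whoami" as UTF-16LE, the encoding -EncodedCommand expects.
SAMPLES = [
    r'powershell.exe -nop -w hidden -ep bypass -enc dwBoAG8AYQBtAGkA',
    r'C:\Windows\System32\cmd.exe /c whoami',
    r'%COMSPEC% /Q /c net use \\fileserver\C$',
    r'wmic process call create "calc.exe"',
    r'powershell -NoProfile -NonInteractive -Command Get-Date',
    r'powershell -ExecutionPolicy RemoteSigned -Command Get-Date',
]


def canonical_param(token):
    """Map a -Param / -Abbrev / /Param token to its full PowerShell parameter name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    t = token[1:].lower()
    for name, (min_prefix, aliases) in PS_PARAMS.items():
        if t in aliases or (name.startswith(t) and len(t) >= len(min_prefix)):
            return name
    return None


def basename(token):
    """Lower-cased file name of a (possibly quoted, possibly full-path) token."""
    return token.strip('"').lower().rsplit("\\", 1)[-1]


def powershell_args(tokens):
    """Tokens after the first powershell/pwsh executable, or [] if there is none."""
    for i, tok in enumerate(tokens):
        if EXE_TAGS.get(basename(tok)) == "powershell":
            return tokens[i + 1:]
    return []


def classify(cmdline):
    """Return the set of tags the rule family above cares about for one command line."""
    tokens = TOKEN_RE.findall(cmdline)
    tags = set()
    if "%comspec%" in cmdline.lower():        # %COMSPEC% expands to cmd.exe (2027178/2027179)
        tags.update({"comspec", "cmd"})
    for tok in tokens:
        tag = EXE_TAGS.get(basename(tok))     # also catches nested "cmd /c powershell ..."
        if tag:
            tags.add(tag)
    args = powershell_args(tokens)
    for i, tok in enumerate(args):
        name = canonical_param(tok)
        value = args[i + 1].strip('"').lower() if i + 1 < len(args) else ""
        if name == "noprofile":
            tags.add("noprofile")
        elif name == "noninteractive":
            tags.add("noninteractive")
        elif name == "windowstyle" and value and "hidden".startswith(value):
            tags.add("hidden_window")         # assumption: value prefixes (-w hid) accepted
        elif name == "executionpolicy" and value and "bypass".startswith(value):
            tags.add("exec_bypass")
        elif name == "encodedcommand":
            tags.add("encoded")
    return tags


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    args = powershell_args(TOKEN_RE.findall(cmdline))
    for i in range(len(args) - 1):
        if canonical_param(args[i]) == "encodedcommand":
            try:
                raw = base64.b64decode(args[i + 1].strip('"'), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):   # malformed blob: report nothing
                return None
    return None


if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(classify(line)), decode_encoded_command(line), "<-", line)
```

Run stand-alone it prints one line per sample; the first sample carries every PowerShell tag and decodes to "whoami". Tags are deliberately additive rather than a single verdict: the rule titles grade "Possible", "Likely" and "Very Likely" by which features are present, so the caller decides the score. The -ExecutionPolicy RemoteSigned sample shows why the value is checked and not just the parameter: only Bypass is the interesting case.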
[///] Modified active rules: [///]
2013017 - ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related (malware.rules)
2821945 - ETPRO TROJAN Likely APT29 Retrieving Payload Embedded In PNG (trojan.rules)
2821947 - ETPRO TROJAN Likely APT29 SSL Cert (legitimate website) (trojan.rules)