[***]            Summary:            [***]

12 new Open, 38 new Pro (12 + 26). Banload, DustySky, Various Powershell, Various Phishing.

Thanks: Kevin Ross

[+++]          Added rules:          [+++]

Open:

2027202 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2027203 - ET POLICY Possible Powershell .ps1 Script Use Over SMB (policy.rules)
2027204 - ET POLICY Possible Powershell .ps1 Script Use Over SMB (policy.rules)
2027205 - ET POLICY Possible WMI .mof Managed Object File Use Over SMB (policy.rules)
2027206 - ET POLICY Possible WMI .mof Managed Object File Use Over SMB (policy.rules)
2027207 - ET INFO HTTP Request with Double Cache-Control (info.rules)
2027208 - ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com) (trojan.rules)
2027209 - ET TROJAN DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com) (trojan.rules)
2027210 - ET POLICY Outbound POST Request with ps PowerShell Command Output (policy.rules)
2027211 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M1 (trojan.rules)
2027212 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M2 (trojan.rules)
2027213 - ET TROJAN Outbound POST Request with Base64 ps PowerShell Command Output M3 (trojan.rules)

Pro:

2835886 - ETPRO TROJAN Trojan.Win32.Banload.BIYB Checkin 2 (trojan.rules)
2835887 - ETPRO TROJAN Trojan.Win32.Banload.BIYB Checkin 3 (trojan.rules)
2835888 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 1) (trojan.rules)
2835889 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 2) (trojan.rules)
2835890 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-16 3) (trojan.rules)
2835891 - ETPRO TROJAN Unk.MalDoc Reporting System Information (trojan.rules)
2835892 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-04-16 (current_events.rules)
2835893 - ETPRO CURRENT_EVENTS Successful Bet365 Phish 2019-04-16 (current_events.rules)
2835894 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-04-16 (current_events.rules)
2835895 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-04-16 (current_events.rules)
2835896 - ETPRO CURRENT_EVENTS Successful Pubg Mobile Phish 2019-04-16 (current_events.rules)
2835897 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-04-16 (current_events.rules)
2835898 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2019-04-16 (current_events.rules)
2835899 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-04-16 (current_events.rules)
2835900 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-04-16 (current_events.rules)
2835901 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-04-16 (current_events.rules)
2835902 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-04-16 (current_events.rules)
2835903 - ETPRO CURRENT_EVENTS Successful Adobe Cloud Phish 2019-04-16 (current_events.rules)
2835904 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-16 (current_events.rules)
2835905 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-16 (current_events.rules)
2835906 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-04-16 (current_events.rules)
2835907 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-04-16 (current_events.rules)
2835908 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2019-04-16 (current_events.rules)
2835909 - ETPRO TROJAN Observed Malicious SSL Cert (Maldoc CnC) (trojan.rules)
2835910 - ETPRO TROJAN Observed Malicious SSL Cert (sLoad CnC) (trojan.rules)
2835911 - ETPRO POLICY Inbound PowerShell Checking Geo-Location via Registry (policy.rules)

[///]     Modified active rules:     [///]

2022578 - ET CURRENT_EVENTS JS Obfuscation - Possible Phishing 2016-03-01 (current_events.rules)
2025719 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2025726 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027180 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027181 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027182 - ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement (policy.rules)
2027199 - ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc) (policy.rules)
2027200 - ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc) (policy.rules)
2806834 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.iucz Checkin 1 (trojan.rules)

[---]  Disabled and modified rules:  [---]

2807434 - ETPRO TROJAN Trojan.Win32.Agent.adecj Checkin (trojan.rules)
2833314 - ETPRO TROJAN Win32/Agent.QP Requesting Payload (trojan.rules)
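Added example, not part of the Emerging Threats changelog or the ET ruleset tooling: a small parser for the changelog layout used above (the bracketed section headers, the Open:/Pro: sub-lists, and the "sid - message (file.rules)" entries) that cross-checks the summary line against what is actually listed. It reads "N new Open, M new Pro (a + b)" as "a Open rules plus b Pro-only rules, M in total for ETPRO subscribers", which is how the numbers on this page add up (12 + 26 = 38). The sample changelog inside the block is constructed for the example: it reuses a handful of sids and messages from this page but with its own, smaller summary counts.

```python
"""Parse an Emerging Threats daily changelog and sanity-check its summary line."""
import re

# "2027202 - ET POLICY ... (policy.rules)" -> sid, message, rules file
RULE_RE = re.compile(r"^(\d+) - (.+?) \(([\w.-]+\.rules)\)$")
# "12 new Open, 38 new Pro (12 + 26)"
SUMMARY_RE = re.compile(r"(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")
# "[+++]   Added rules:   [+++]" style section headers
SECTION_RE = re.compile(r"^\[(\*\*\*|\+\+\+|///|---)\]\s+(.+?):\s+\[\1\]$")
SECTION_NAMES = {"+++": "added", "///": "modified", "---": "disabled"}

# Constructed sample input (subset of this page's sids, made-up summary counts).
SAMPLE = """\
[***]            Summary:            [***]

2 new Open, 3 new Pro (2 + 1). Various Powershell.

[+++]          Added rules:          [+++]

Open:

2027202 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
2027207 - ET INFO HTTP Request with Double Cache-Control (info.rules)

Pro:

2835911 - ETPRO POLICY Inbound PowerShell Checking Geo-Location via Registry (policy.rules)

[///]     Modified active rules:     [///]

2025719 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)

[---]  Disabled and modified rules:  [---]

2807434 - ETPRO TROJAN Trojan.Win32.Agent.adecj Checkin (trojan.rules)

Date:
Monday, April 15, 2019 - 22:00
"""


def parse_changelog(text):
    """Return lists of (sid, message, rules_file) per section, in document order."""
    sections = {"added_open": [], "added_pro": [], "modified": [], "disabled": []}
    current = None  # list that rule lines are appended to; None while in Summary/Date
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = SECTION_NAMES.get(m.group(1))
            # Added rules split into Open:/Pro: sub-lists, so wait for those markers.
            current = None if key in (None, "added") else key
            continue
        if line == "Open:":
            current = "added_open"
            continue
        if line == "Pro:":
            current = "added_pro"
            continue
        m = RULE_RE.match(line)
        if m and current:
            sections[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return sections


def summary_counts(text):
    """Parse the summary line into its four numbers, or None if it is missing."""
    m = SUMMARY_RE.search(text)
    if not m:
        return None
    n_open, n_pro, a, b = map(int, m.groups())
    return {"open": n_open, "pro_total": n_pro, "pro_open_part": a, "pro_only": b}


def changed_sids(text):
    """Every sid the changelog touches (added, modified or disabled), sorted."""
    sec = parse_changelog(text)
    return sorted({sid for lst in sec.values() for sid, _, _ in lst})


def check_changelog(text):
    """Return human-readable discrepancies; an empty list means the page is consistent."""
    problems = []
    sec = parse_changelog(text)
    s = summary_counts(text)
    if s is None:
        return ["no summary line found"]
    n_open, n_pro = len(sec["added_open"]), len(sec["added_pro"])
    if s["open"] != n_open:
        problems.append(f"summary says {s['open']} Open, listed {n_open}")
    if s["pro_only"] != n_pro:
        problems.append(f"summary says {s['pro_only']} Pro-only, listed {n_pro}")
    if s["open"] != s["pro_open_part"]:
        problems.append("Open count differs from the Open part of the Pro breakdown")
    if s["pro_open_part"] + s["pro_only"] != s["pro_total"]:
        problems.append("Pro breakdown does not add up to the Pro total")
    # Naming convention visible on the page: Open messages start 'ET ', Pro 'ETPRO '.
    for sid, msg, _ in sec["added_open"]:
        if not msg.startswith("ET "):
            problems.append(f"{sid}: Open rule without 'ET ' prefix")
    for sid, msg, _ in sec["added_pro"]:
        if not msg.startswith("ETPRO "):
            problems.append(f"{sid}: Pro rule without 'ETPRO ' prefix")
    all_sids = [sid for lst in sec.values() for sid, _, _ in lst]
    dupes = sorted({sid for sid in all_sids if all_sids.count(sid) > 1})
    if dupes:
        problems.append(f"sid listed in more than one section: {dupes}")
    return problems


if __name__ == "__main__":
    print(check_changelog(SAMPLE) or "summary consistent")
    print("touched sids:", changed_sids(SAMPLE))
```

The point of running this over a daily update is operational: the sids returned by changed_sids are the ones whose local thresholds, suppressions or tuning need a second look after the ruleset is pulled, and a non-empty result from check_changelog flags a mangled or truncated changelog before anyone acts on it.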

Date: Monday, April 15, 2019 - 22:00