[***]            Summary:            [***]

4 new Open, 12 new Pro (4 + 8). Anyplace Remote Access, CobaltStrike SMB, BlackWater, Various Miners.

Thanks: Kevin Ross, James Lay

[+++]          Added rules:          [+++]

Open:

2027323 - ET INFO Anyplace Remote Access Initial Connection Attempt (005) (info.rules)
2027324 - ET INFO Anyplace Remote Access CnC Checkin (051) (info.rules)
2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction (trojan.rules)
2027326 - ET TROJAN Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction (trojan.rules)

Pro:

2836247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-07 1) (trojan.rules)
2836248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-07 2) (trojan.rules)
2836249 - ETPRO TROJAN BlackWater CnC Init POST (trojan.rules)
2836250 - ETPRO TROJAN BlackWater CnC Checkin (trojan.rules)
2836251 - ETPRO TROJAN BlackWater CnC Keep-Alive (trojan.rules)
2836252 - ETPRO TROJAN Observed Malicious SSL Cert (APT32 CnC) (trojan.rules)
2836253 - ETPRO CURRENT_EVENTS Possible PowerShell CSharp Assembly/Memory Loader Inbound (current_events.rules)
2836254 - ETPRO TROJAN SSL/TLS Certificate Observed (Ursnif) (trojan.rules)

[///]     Modified active rules:     [///]

2828348 - ETPRO TROJAN Orion Logger Sending System Info to CnC (trojan.rules)

Date: Monday, May 6, 2019 - 22:00