[***] Summary: [***]
4 new Open, 12 new Pro (4 + 8). Anyplace Remote Access, CobaltStrike SMB, BlackWater, Various Miners.
Thanks: Kevin Ross, James Lay
[+++] Added rules: [+++]
Open:
2027323 - ET INFO Anyplace Remote Access Initial Connection Attempt (005) (info.rules)
2027324 - ET INFO Anyplace Remote Access CnC Checkin (051) (info.rules)
2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction (trojan.rules)
2027326 - ET TROJAN Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction (trojan.rules)
Pro:
2836247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-07 1) (trojan.rules)
2836248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-07 2) (trojan.rules)
2836249 - ETPRO TROJAN BlackWater CnC Init POST (trojan.rules)
2836250 - ETPRO TROJAN BlackWater CnC Checkin (trojan.rules)
2836251 - ETPRO TROJAN BlackWater CnC Keep-Alive (trojan.rules)
2836252 - ETPRO TROJAN Observed Malicious SSL Cert (APT32 CnC) (trojan.rules)
2836253 - ETPRO CURRENT_EVENTS Possible PowerShell CSharp Assembly/Memory Loader Inbound (current_events.rules)
2836254 - ETPRO TROJAN SSL/TLS Certificate Observed (Ursnif) (trojan.rules)
[///] Modified active rules: [///]
2828348 - ETPRO TROJAN Orion Logger Sending System Info to CnC (trojan.rules)