[***] Summary: [***]
15 new Open, 30 new Pro (15 + 15). Diezen/Sakabota DNS, Various Mimikatz via SMB/HTTP, Various Phish, Win32/Remcos.
Tks: Kevin Ross
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029325 - ET TROJAN Observed Unk.PowerShell Loader CnC Domain in TLS SNI (trojan.rules)
2029326 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (trojan.rules)
2029327 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (trojan.rules)
2029328 - ET TROJAN Hisoka CnC Domain Observed in DNS Query (trojan.rules)
2029329 - ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code (web_client.rules)
2029330 - ET TROJAN Mimikatz x86 Executable Transfer Over SMB (trojan.rules)
2029331 - ET TROJAN Mimikatz x64 Executable Transfer Over SMB (trojan.rules)
2029332 - ET TROJAN Mimikatz x86 Mimidrv.sys File Transfer Over SMB (trojan.rules)
2029333 - ET TROJAN Mimikatz x64 Mimidrv.sys File Transfer Over SMB (trojan.rules)
2029334 - ET TROJAN Mimikatz x86 Executable Download Over HTTP (trojan.rules)
2029335 - ET TROJAN Mimikatz x64 Executable Download Over HTTP (trojan.rules)
2029336 - ET TROJAN Mimikatz x86 Mimidrv.sys Download Over HTTP (trojan.rules)
2029337 - ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP (trojan.rules)
2029338 - ET CURRENT_EVENTS Successful Generic Phish 2020-01-29 (set) (current_events.rules)
2029339 - ET INFO Powershell Downloader with Start-Process Inbound M1 (info.rules)
Pro:
2840727 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-01-29 1) (trojan.rules)
2840728 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-01-29 2) (trojan.rules)
2840729 - ETPRO CURRENT_EVENTS Successful Bancolombia Phish 2020-01-29 (current_events.rules)
2840730 - ETPRO CURRENT_EVENTS Successful Mi Oficina Phish 2020-01-29 (current_events.rules)
2840731 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-01-29 (current_events.rules)
2840732 - ETPRO CURRENT_EVENTS Successful Godaddy Webmail Phish 2020-01-29 (current_events.rules)
2840733 - ETPRO CURRENT_EVENTS Successful Generic View Attachment Phish 2020-01-29 (current_events.rules)
2840734 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-01-29 (current_events.rules)
2840735 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-01-29 (current_events.rules)
2840736 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-01-29 (current_events.rules)
2840737 - ETPRO CURRENT_EVENTS Successful Microsoft Outlook Web App Phish 2020-01-29 (current_events.rules)
2840738 - ETPRO TROJAN Win32/Remcos RAT Checkin 322 (trojan.rules)
2840739 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
2840740 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
[///] Modified active rules: [///]
2820695 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M2 (current_events.rules)
2823399 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M4 (current_events.rules)
2838753 - ETPRO TROJAN Win32/Koadic CnC Checkin (trojan.rules)
2840392 - ETPRO TROJAN ProstoClipper Checkin via Telegram (trojan.rules)