Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/07/22

[***]            Summary:            [***]

7 new OPEN, 32 new PRO (7 + 25). Various SAP NetWeaver CVE-2020-6287, Win32/Fujacks, Likely Evil Powershell Inbound, Jacard Banker, Various Large DNS over TCP Inbound, Win32/Alyak.G, VARIOUS PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030574 - ET CURRENT_EVENTS Possible Successful Phish - Saved Website
Comment Observed (current_events.rules)
  2030575 - ET POLICY EXE File Downloaded from Discord (policy.rules)
  2030576 - ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Probe
(exploit.rules)
  2030577 - ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Vulnerable
Response (exploit.rules)
  2030578 - ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Attempt
(exploit.rules)
  2030579 - ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Success
(exploit.rules)
  2030580 - ET TROJAN Win32/Fujacks Variant CnC Activity (trojan.rules)

Pro:

  2843620 - ETPRO TROJAN Likely Evil Powershell Inbound (.DownloadString)
(trojan.rules)
  2843621 - ETPRO TROJAN Likely Evil Powershell Inbound (Invoke-Expression)
(trojan.rules)
  2843622 - ETPRO TROJAN Likely Evil Powershell Inbound (Invoke-Mimikatz)
(trojan.rules)
  2843623 - ETPRO TROJAN Likely Evil Powershell Inbound
(System.Net.FTPWebRequest) (trojan.rules)
  2843624 - ETPRO TROJAN Likely Evil Powershell Inbound
(.System.Net.NetworkCredential) (trojan.rules)
  2843625 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2020-07-22
(current_events.rules)
  2843626 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-07-22 (current_events.rules)
  2843627 - ETPRO CURRENT_EVENTS Successful Made in China Phish 2020-07-22
(current_events.rules)
  2843628 - ETPRO CURRENT_EVENTS Successful BNP Paribas Phish 2020-07-22
(current_events.rules)
  2843629 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-22
(current_events.rules)
  2843630 - ETPRO CURRENT_EVENTS Successful Office Product Key Phish
2020-07-22 (current_events.rules)
  2843631 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-07-22
(current_events.rules)
  2843632 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-07-22
(current_events.rules)
  2843633 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-07-22 (current_events.rules)
  2843634 - ETPRO TROJAN Jacard Banker Variant CnC Host Checkin
(trojan.rules)
  2843635 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-07-22 1) (trojan.rules)
  2843636 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-07-22 2) (trojan.rules)
  2843637 - ETPRO POLICY Large DNS over TCP Inbound - ELF Header Observed
(policy.rules)
  2843638 - ETPRO POLICY Large DNS over TCP Inbound - DOC Header Observed
(policy.rules)
  2843639 - ETPRO POLICY Large DNS over TCP Inbound - PDF Header Observed
(policy.rules)
  2843640 - ETPRO POLICY Large DNS over TCP Inbound - ZIP Header Observed
(policy.rules)
  2843641 - ETPRO TROJAN Win32/Alyak.G Variant CnC Activity (trojan.rules)
  2843642 - ETPRO TROJAN Win32/Alyak.G Variant CnC Activity (Server
Response) (trojan.rules)
  2843643 - ETPRO TROJAN Observed SocGholish Domain in TLS SNI
(trojan.rules)
  2843644 - ETPRO TROJAN Win32/Remcos RAT Checkin 500 (trojan.rules)

[///]     Modified active rules:     [///]

  2525000 - ET 3CORESec Poor Reputation IP group 1 (3coresec.rules)
  2525001 - ET 3CORESec Poor Reputation IP group 2 (3coresec.rules)
  2525002 - ET 3CORESec Poor Reputation IP group 3 (3coresec.rules)
  2525003 - ET 3CORESec Poor Reputation IP group 4 (3coresec.rules)
  2525004 - ET 3CORESec Poor Reputation IP group 5 (3coresec.rules)
  2525005 - ET 3CORESec Poor Reputation IP group 6 (3coresec.rules)
  2525006 - ET 3CORESec Poor Reputation IP group 7 (3coresec.rules)
  2525007 - ET 3CORESec Poor Reputation IP group 8 (3coresec.rules)
  2525008 - ET 3CORESec Poor Reputation IP group 9 (3coresec.rules)
  2525009 - ET 3CORESec Poor Reputation IP group 10 (3coresec.rules)
  2525010 - ET 3CORESec Poor Reputation IP group 11 (3coresec.rules)
  2525011 - ET 3CORESec Poor Reputation IP group 12 (3coresec.rules)
  2525012 - ET 3CORESec Poor Reputation IP group 13 (3coresec.rules)
  2525013 - ET 3CORESec Poor Reputation IP group 14 (3coresec.rules)
  2525014 - ET 3CORESec Poor Reputation IP group 15 (3coresec.rules)
  2525015 - ET 3CORESec Poor Reputation IP group 16 (3coresec.rules)
  2525016 - ET 3CORESec Poor Reputation IP group 17 (3coresec.rules)
  2828069 - ETPRO TROJAN Oiram CnC Beacon (trojan.rules)
  2830822 - ETPRO TROJAN Observed MalDoc Retrieving EXE Payload 2018-05-14
(trojan.rules)

Date:
Summary title:
7 new OPEN, 32 new PRO (7 + 25). Various SAP NetWeaver CVE-2020-6287, Win32/Fujacks, Likely Evil Powershell Inbound, Jacard Banker, Various Large DNS over TCP Inbound, Win32/Alyak.G, VARIOUS PHISH.