[***] Summary: [***]
14 new OPEN, 82 new PRO (14 + 68). OneDrive/Discord/Google Drive related requests, StrifeWater, CVE-2020-11978, DBatLoader, Cobalt Strike
Thanks @cybereason
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback.
[+++] Added rules: [+++]
Open:
2035024 - ET TROJAN Possible Gamaredon MalDoc CnC Exfil (trojan.rules)
2035025 - ET TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
2035026 - ET INFO SUSPICIOUS .LNK File Inside of Zip (info.rules)
2035027 - ET INFO Double Extension ZIP File Downloaded from Discord (Request) (info.rules)
2035028 - ET INFO Double Extension VBS File Downloaded from Discord (Request) (info.rules)
2035029 - ET INFO Double Extension PIF File Downloaded from Discord (Request) (info.rules)
2035030 - ET INFO Double Extension EXE File Downloaded from Discord (Request) (info.rules)
2035031 - ET TROJAN StrifeWater Rat CnC Activity (trojan.rules)
2035032 - ET USER_AGENTS Suspicious User-Agent (example/1.0) (user_agents.rules)
2035033 - ET CURRENT_EVENTS lordspartner Phish Kit (current_events.rules)
2035034 - ET CURRENT_EVENTS DAWN Comment in Phish Landing Page 2022-02-01 (current_events.rules)
2035035 - ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Create DAG (CVE-2020-11978) (exploit.rules)
2035036 - ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Unpause (CVE-2020-11978) (exploit.rules)
2035037 - ET INFO Possible Apache Airflow Experimental API Authentication Bypass Attempt (CVE-2020-13927) (info.rules)
Pro:
2850976 - ETPRO INFO Double Extension VBS Download from OneDrive (Request) (info.rules)
2850977 - ETPRO INFO Double Extension VBS Download from OneDrive (Response) (info.rules)
2850978 - ETPRO INFO Double Extension PIF Download from OneDrive (Request) (info.rules)
2850979 - ETPRO INFO Double Extension PIF Download from OneDrive (Response) (info.rules)
2850980 - ETPRO INFO Double Extension ZIP Download from OneDrive (Request) (info.rules)
2850981 - ETPRO INFO Double Extension ZIP Download from OneDrive (Response) (info.rules)
2850982 - ETPRO INFO Double Extension EXE Download from OneDrive (Request) (info.rules)
2850983 - ETPRO INFO Double Extension EXE Download from OneDrive (Response) (info.rules)
2850984 - ETPRO INFO Double Extension VBS Download from Google Drive (Response) (info.rules)
2850985 - ETPRO INFO Double Extension PIF Download from Google Drive (Response) (info.rules)
2850986 - ETPRO INFO Double Extension ZIP Download from Google Drive (Response) (info.rules)
2850987 - ETPRO INFO Double Extension EXE Download from Google Drive (Response) (info.rules)
2850988 - ETPRO INFO VBS Download from OneDrive (Request) (info.rules)
2850989 - ETPRO INFO VBS Download from OneDrive (Response) (info.rules)
2850990 - ETPRO INFO Powershell Download from OneDrive (Request) (info.rules)
2850991 - ETPRO INFO Powershell Download from OneDrive (Response) (info.rules)
2850992 - ETPRO INFO Powershell String Observed from OneDrive (Reflection.Assembly) (info.rules)
2850993 - ETPRO INFO Powershell String Observed from OneDrive (New-ScheduledTask*) (info.rules)
2850994 - ETPRO INFO Powershell String Observed from OneDrive (Register-ScheduledTask) (info.rules)
2850995 - ETPRO INFO Powershell String Observed from OneDrive (System.Io.MemoryStream) (info.rules)
2850996 - ETPRO INFO Powershell String Observed from OneDrive (New-Item) (info.rules)
2850997 - ETPRO INFO Powershell String Observed from OneDrive (New-Object) (info.rules)
2850998 - ETPRO INFO Powershell String Observed from OneDrive (Invoke-Command) (info.rules)
2850999 - ETPRO INFO Powershell String Observed from OneDrive (Invoke-WmiMethod) (info.rules)
2851000 - ETPRO INFO Powershell String Observed from OneDrive (Get-WmiObject) (info.rules)
2851001 - ETPRO INFO Powershell String Observed from OneDrive (Stop-Process) (info.rules)
2851002 - ETPRO INFO Powershell String Observed from OneDrive (Start-Process) (info.rules)
2851003 - ETPRO INFO Powershell String Observed from OneDrive (Get-Process) (info.rules)
2851004 - ETPRO INFO Powershell String Observed from OneDrive (Set-Content) (info.rules)
2851005 - ETPRO INFO Powershell String Observed from OneDrive (DownloadString) (info.rules)
2851006 - ETPRO INFO Powershell String Observed from OneDrive (DownloadFile) (info.rules)
2851007 - ETPRO INFO Powershell String Observed from OneDrive (Hidden Window) (info.rules)
2851008 - ETPRO INFO VBS Download from Google Drive (Response) (info.rules)
2851009 - ETPRO INFO Powershell Download from Google Drive (Response) (info.rules)
2851010 - ETPRO INFO Powershell String Observed from Google Drive (Reflection.Assembly) (info.rules)
2851011 - ETPRO INFO Powershell String Observed from Google Drive (New-ScheduledTask*) (info.rules)
2851012 - ETPRO INFO Powershell String Observed from Google Drive (Register-ScheduledTask) (info.rules)
2851013 - ETPRO INFO Powershell String Observed from Google Drive (System.Io.MemoryStream) (info.rules)
2851014 - ETPRO INFO Powershell String Observed from Google Drive (New-Item) (info.rules)
2851015 - ETPRO INFO Powershell String Observed from Google Drive (New-Object) (info.rules)
2851016 - ETPRO INFO Powershell String Observed from Google Drive (Invoke-Command) (info.rules)
2851017 - ETPRO INFO Powershell String Observed from Google Drive (Invoke-WmiMethod) (info.rules)
2851018 - ETPRO INFO Powershell String Observed from Google Drive (Get-WmiObject) (info.rules)
2851019 - ETPRO INFO Powershell String Observed from Google Drive (Stop-Process) (info.rules)
2851020 - ETPRO INFO Powershell String Observed from Google Drive (Start-Process) (info.rules)
2851021 - ETPRO INFO Powershell String Observed from Google Drive (Get-Process) (info.rules)
2851022 - ETPRO INFO Powershell String Observed from Google Drive (Set-Content) (info.rules)
2851023 - ETPRO INFO Powershell String Observed from Google Drive (DownloadString) (info.rules)
2851024 - ETPRO INFO Powershell String Observed from Google Drive (DownloadFile) (info.rules)
2851025 - ETPRO INFO Powershell String Observed from Google Drive (Hidden Window) (info.rules)
2851026 - ETPRO INFO Terse Request for Discord Attachment (info.rules)
2851027 - ETPRO INFO Terse Request for OneDrive File (info.rules)
2851028 - ETPRO TROJAN DBatLoader Payload Request via Discord (set) (trojan.rules)
2851029 - ETPRO TROJAN DBatLoader Payload Response via Discord (trojan.rules)
2851030 - ETPRO TROJAN DBatLoader Payload Response via OneDrive (trojan.rules)
2851031 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-02-01 (current_events.rules)
2851032 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-02-01 (current_events.rules)
2851033 - ETPRO TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2851034 - ETPRO TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2851035 - ETPRO TROJAN Cobalt Strike Related Domain in DNS Lookup (trojan.rules)
2851036 - ETPRO TROJAN Cobalt Strike Related Domain in DNS Lookup (trojan.rules)
2851037 - ETPRO TROJAN Cobalt Strike Related Domain in DNS Lookup (trojan.rules)
2851038 - ETPRO USER_AGENTS Websocket-Sharp User-Agent (websocket-sharp) (user_agents.rules)
2851039 - ETPRO USER_AGENTS Suspicious User-Agent (APK) (user_agents.rules)
2851040 - ETPRO MALWARE AndroidOS/Trojan.OJNF-2 Variant Sending Phone Information (POST) (malware.rules)
2851041 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-02-01 (current_events.rules)
2851042 - ETPRO TROJAN Trojan:Win32/Sabsik Payload Request M2 (trojan.rules)
2851043 - ETPRO TROJAN Trojan:Win32/Sabsik Payload Request M1 (trojan.rules)
[///] Modified active rules: [///]
2850889 - ETPRO TROJAN Possible Win32/Yax.Mole Variant Activity (GET) (trojan.rules)
[---] Removed rules: [---]
2845049 - ETPRO TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
2848229 - ETPRO TROJAN Possible Gamaredon MalDoc CnC Exfil (trojan.rules)
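As an added example (not Emerging Threats/Proofpoint tooling, and not part of the original changelog), the script below parses a daily changelog in the format above, reconciles the "N new OPEN, M new PRO (open + pro)" summary line against the entries actually listed, counts additions per category, and pairs removed ETPRO SIDs with newly added open SIDs that carry the same message text (here 2845049 → 2035025 and 2848229 → 2035024). The pairing is an inference from identical message text, not a field the changelog provides. The embedded input is a constructed, abridged excerpt of this page's changelog with its summary numbers adjusted to the excerpt.

```python
"""Parse an Emerging Threats daily changelog and reconcile it against its summary line.

Added example for this page; not ET/Proofpoint code. The input below is a
constructed, abridged excerpt of the changelog above (summary counts adjusted
to match the excerpt).
"""
import re
from collections import defaultdict

# Constructed excerpt: three open adds, two pro-only adds, one modified, two removed.
CHANGELOG = """\
[***] Summary: [***]
3 new OPEN, 5 new PRO (3 + 2). Gamaredon, Cobalt Strike
[+++] Added rules: [+++]
Open:
2035024 - ET TROJAN Possible Gamaredon MalDoc CnC Exfil (trojan.rules)
2035025 - ET TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
2035026 - ET INFO SUSPICIOUS .LNK File Inside of Zip (info.rules)
Pro:
2850976 - ETPRO INFO Double Extension VBS Download from OneDrive (Request) (info.rules)
2851033 - ETPRO TROJAN Cobalt Strike Activity (GET) (trojan.rules)
[///] Modified active rules: [///]
2850889 - ETPRO TROJAN Possible Win32/Yax.Mole Variant Activity (GET) (trojan.rules)
[---] Removed rules: [---]
2845049 - ETPRO TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
2848229 - ETPRO TROJAN Possible Gamaredon MalDoc CnC Exfil (trojan.rules)
"""

# "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"; the message is
# matched non-greedily so trailing "(Request)"-style tags stay in the message.
ENTRY = re.compile(r"^(\d+) - (ET(?:PRO)? \S+) (.+?) \((\S+\.rules)\)$")
SUMMARY = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")


def parse_changelog(text):
    """Split the changelog into added_open / added_pro / modified / removed entries."""
    sections = {"added_open": [], "added_pro": [], "modified": [], "removed": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[***]") or line.startswith("[+++]"):
            current = None            # summary or "Added" header: wait for Open:/Pro:
        elif line == "Open:":
            current = "added_open"
        elif line == "Pro:":
            current = "added_pro"
        elif line.startswith("[///]"):
            current = "modified"
        elif line.startswith("[---]"):
            current = "removed"
        else:
            m = ENTRY.match(line)
            if m and current:
                sid, prefix, msg, rulefile = m.groups()
                sections[current].append({
                    "sid": int(sid),
                    "pro": prefix.startswith("ETPRO"),
                    "category": prefix.split()[-1],   # TROJAN, INFO, EXPLOIT, ...
                    "msg": msg,
                    "file": rulefile,
                })
    return sections


def check_summary(text, sections):
    """True if the summary line agrees with the listed entries.

    ET's convention: "N new OPEN, M new PRO (a + b)" where a == N is the open
    count and M == a + b is what a PRO subscriber receives in total.
    """
    m = SUMMARY.search(text)
    if not m:
        return False
    n_open, n_pro_total, part_open, part_pro = map(int, m.groups())
    actual_open = len(sections["added_open"])
    actual_pro = len(sections["added_pro"])
    return (n_open == part_open == actual_open
            and part_pro == actual_pro
            and n_pro_total == actual_open + actual_pro)


def promotions(sections):
    """Pair removed ETPRO SIDs with added open SIDs that have identical message text.

    This is an inference (same message, removed from PRO, added to OPEN); the
    changelog itself does not state that a rule was promoted.
    """
    open_by_msg = {r["msg"]: r["sid"] for r in sections["added_open"]}
    return [(r["sid"], open_by_msg[r["msg"]])
            for r in sections["removed"]
            if r["pro"] and r["msg"] in open_by_msg]


def category_counts(sections):
    """Number of added rules (open + pro) per ET category."""
    counts = defaultdict(int)
    for key in ("added_open", "added_pro"):
        for r in sections[key]:
            counts[r["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    s = parse_changelog(CHANGELOG)
    print("summary consistent:", check_summary(CHANGELOG, s))
    print("pro -> open promotions:", promotions(s))
    print("per-category adds:", category_counts(s))
```

Run against the full changelog text on this page, `check_summary` confirms the 14 + 68 = 82 figure in the summary line, and `promotions` reports the two removed ETPRO SIDs that reappear as open rules with the same message.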