The AI-powered contact center, part 1: Create engaging digital experiences

This article is contributed. See the original author and article here.

Today’s customers expect more engaging, personalized service experiences from the brands they choose. They want intelligent self-service that offers always-on digital convenience. And they expect agents, whether human or virtual, to not just know who they are, but to already have an idea why they are reaching out and how to help.

That’s why we launched the Microsoft Digital Contact Center Platform, an open, extensible, and collaborative platform for delivering seamless, omnichannel customer engagement at scale, built with AI at its heart, powered by Nuance technologies.

Bringing the power of AI to the contact center

AI is fast becoming an essential part of every contact center strategy, helping improve customer experiences while reducing costs, and helping contact center leaders accomplish their customer acquisition, retention, and revenue goals.

And now, enterprises have even more ways to optimize their digital experience strategy with AI.

The launch of the Microsoft Digital Contact Center Platform shows our commitment to putting our customers first. It brings together innovation from Nuance and Microsoft to power unmatched self-service experiences, live customer engagements, collaborative agent experiences, business process automation, advanced telephony, and fraud prevention capabilities. In this series of articles, we’ll outline how Nuance solutions enable the Microsoft Digital Contact Center Platform to deliver value across every engagement channel, starting with digital.

Creating standout digital experiences

As we enter a new, AI-powered era for the contact center, we look forward to stories from enterprise customers about how they’ve optimized their digital engagement strategies with the capabilities of Nuance’s intelligent engagement solutions and Microsoft Dynamics 365, Microsoft Teams, Microsoft Power Platform, and Azure.

Flexibility and choice, with an open platform

Many enterprises want to augment their digital capabilities to provide intelligent, omnichannel experiences. But they also need to protect the investments they’ve made in their existing customer engagement solutions, contact center platforms, and back-office systems.

The Microsoft Digital Contact Center Platform uses open, vendor-agnostic Nuance digital engagement solutions to offer complete flexibility and investment protection for organizations that want to:

  • Integrate best-of-breed virtual assistant or live chat solutions with a third-party customer relationship management (CRM) from any vendor.
  • Have a third-party virtual assistant, but need to integrate it with an industry-leading live agent platform.
  • Add powerful new messaging capabilities to a third-party agent desktop.
  • Surface third-party product recommendations, next best actions, knowledgebase information, tech support, or order management systems to their agents on a unified desktop.

And now that Microsoft and Nuance innovations are on a single platform, it’s even simpler for organizations currently using the Nuance Digital Engagement Platform to benefit from everything the Microsoft cloud has to offer, including CRM, knowledge management, case management, collaboration tools, and many other services.

A proven track record of increasing self-service and driving sales

The Nuance solutions on the Microsoft Digital Contact Center Platform have a strong record of enabling intelligent self-service and increasing containment.

For example, the AI-powered targeting engine behind Nuance Virtual Assistant and Live Assist uses customer profiles and purchase history to engage customers with personalized incentives and relevant offers at the right moment in their journey. That creates more valuable upsell and cross-sell opportunities, helping increase sales in digital channels. Esurance, for instance, generated live chat incremental sales of $4.4 million in just one quarter after implementing Nuance Live Assist, and also saw 86 percent increased customer satisfaction with live chat.

Advanced capabilities built on decades of contact center AI experience

The powerful functionality of Nuance digital solutions comes from long experience in delivering AI-powered innovations for all customer engagement channels.

With Nuance AI on the Microsoft Digital Contact Center Platform, organizations can use proactive targeting to deliver the right kind of engagement for each customer, at exactly the right time. They can enhance digital experiences by using rich media widgets in messaging channels. They can reduce the time and cost of ramping up new agents by delivering real-time guidance and recommendations straight to the agent desktop. The list goes on.

Plus, Nuance biometric authentication and intelligent fraud prevention solutions help streamline customer experiences and protect every interaction. And everything is delivered through a highly secure, compliant, and capable web interface that meets the stringent data privacy and security standards that regulators, businesses, and customers demand.

A roadmap for the future of the digital contact center

It’s an exciting time to be working with customer engagement leaders. We’re developing an evergreen roadmap for the Microsoft Digital Contact Center Platform, and while we’ll continuously add new capabilities, we’ll also ensure our customers’ existing investments are protected, enabling them to migrate seamlessly to our combined platform at their own pace.

Together with our trailblazing customers, discover how Nuance and Microsoft can offer limitless flexibility, unmatched operational efficiency, amazing customer and agent experiences, and better business outcomes with the Microsoft Digital Contact Center Platform.

The post The AI-powered contact center, part 1: Create engaging digital experiences appeared first on Microsoft Dynamics 365 Blog.

Ten Azure networking tips that may simplify your life

Hi,

Azure networking can sometimes give headaches. Here are a few tips which may make your life easier.

1. Private link effect – episode 1 – route tables

When enabling Azure Private Link for a given resource, say a Storage Account, you may end up with the following configuration:

[Image: privatelink-effect.png]

where you have routed all traffic to Azure Firewall (or an NVA) and noticed that the VM (or anything else) is connecting directly to the private endpoint, bypassing the firewall. This might come as a surprise, but it is due to the fact that whenever you enable Private Link for a given resource, a direct (more specific) route is propagated to the underlying NICs. In the above example, Azure writes the 10.1.5.4/32 route to the NIC(s) of the VM, pointing directly to the InterfaceEndpoint of the resource. Because this route is more specific than 0.0.0.0/0, the firewall is bypassed. To overcome this, you have to write a /32 route in the subnet’s route table to override the one written by Azure, which can itself be challenging because of the limit of 400 routes per route table. Microsoft has published good guidance on that topic.
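To make the route-selection behaviour behind this tip concrete, here is an added Python simulation (not from the original post and not Azure tooling) of how Azure picks a NIC's effective route: longest matching prefix first, and among equal prefixes a user-defined route beats a BGP route, which beats a system route. The firewall address, the VM subnet and the route set are constructed for the example; the 10.1.5.4 endpoint address is the one from the tip.

```python
"""Azure effective-route selection, simulated for the Private Link tip above.

Azure picks the route with the longest matching prefix; when several routes
share a prefix, a user-defined route (UDR) wins over a BGP route, which wins
over a system route. Route values below are constructed for the example.
"""
import ipaddress

# Precedence among routes with an identical prefix (lower number wins).
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}
MAX_UDRS_PER_TABLE = 400  # the per-route-table limit the tip refers to


def effective_route(routes, destination):
    """Return the route dict Azure would apply to `destination`, or None."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    # Longest prefix first, then UDR > BGP > System.
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                       ORIGIN_RANK[r["origin"]]),
    )


def next_hop(routes, destination):
    """Convenience wrapper: (next_hop_type, next_hop_ip) for `destination`."""
    r = effective_route(routes, destination)
    return (r["next_hop_type"], r.get("next_hop_ip")) if r else None


def udr_budget_ok(routes):
    """True while the number of user-defined routes stays within the limit."""
    return sum(1 for r in routes if r["origin"] == "User") <= MAX_UDRS_PER_TABLE


# Constructed NIC route set matching the tip: VM subnet inside 10.0.0.0/16,
# a default route to the firewall, plus the /32 Azure adds for the endpoint.
FIREWALL_IP = "10.0.1.4"   # assumed Azure Firewall / NVA address
ENDPOINT_IP = "10.1.5.4"   # private endpoint IP used in the tip
NIC_ROUTES = [
    {"prefix": "10.0.0.0/16", "origin": "System", "next_hop_type": "VnetLocal"},
    {"prefix": "0.0.0.0/0", "origin": "User",
     "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_IP},
    {"prefix": ENDPOINT_IP + "/32", "origin": "System",
     "next_hop_type": "InterfaceEndpoint"},
]
# The /32 UDR the tip recommends writing into the subnet's route table.
OVERRIDE_UDR = {"prefix": ENDPOINT_IP + "/32", "origin": "User",
                "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_IP}


def demo():
    """Next hop towards the endpoint before and after the /32 override."""
    before = next_hop(NIC_ROUTES, ENDPOINT_IP)
    after = next_hop(NIC_ROUTES + [OVERRIDE_UDR], ENDPOINT_IP)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without /32 UDR:", before)   # InterfaceEndpoint: firewall bypassed
    print("with /32 UDR:   ", after)    # VirtualAppliance: via the firewall
    print("internet-bound: ", next_hop(NIC_ROUTES, "203.0.113.10"))
    print("UDR budget ok:  ", udr_budget_ok(NIC_ROUTES + [OVERRIDE_UDR]))
```

Run it and the first line shows the system /32 winning over the 0.0.0.0/0 UDR purely on prefix length; the second shows that an equal-length /32 UDR wins on origin precedence, which is exactly the override the tip describes. The `udr_budget_ok` check is where the 400-route limit bites once you do this for many endpoints.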


 


2. Private link effect – episode 2 – route tables

Ok, now you think you understood Private Link routing, right? So what about this?

[Image: privatelink-effect2.png]

You thought Azure was pushing a route to the underlying NICs, but you realize that the VM in VNET 3 does not have such a route. Why is that? Well, it makes sense, but you do not especially think about it. The reason VNET 3’s VM does not get the route is that VNET 3 is not peered with VNET 1. Because peering is non-transitive, writing such a route would lead to a dead end anyway. So, if you had a 0.0.0.0/0 UDR on VNET 3’s subnet, this time the traffic would be correctly routed to the firewall. And as you guessed it, if you put a private endpoint in an intermediate VNET:

[Image: privatelink-effect3.png]

this time, the /32 route is propagated to all peered VNETs. Long story short, putting private endpoints into the hub propagates the route into every spoke, and thus you’d better follow the guidance if you want to route that traffic through the firewall.

3. Private link effect – episode 3 – Network Security Groups

Ok great, that’s for routing, but fortunately we don’t have to worry about NSGs. Well…

[Image: privatelink-effect4.png]

How come VM2 is able to connect to my private endpoint? My deny-all rule should have kicked in. What’s going on here? Well, for the same reason as before: the InterfaceEndpoint is not sensitive to NSGs. So you must make sure to route things correctly so that the InterfaceEndpoint is not used.
4. Private link effect – episode 4 – forget the first 3 episodes?

Well, I’m sorry for you if you read the first 3 episodes, because all of that is *almost* part of the past, but you will surely still see this for quite a while. Microsoft has revamped the way Private Link works, and there is a preview (UDR) and a preview (NSG) available (not in all regions) which let you deal with Private Link traffic like any other type of traffic. Meanwhile, you’d better still understand how it currently works :).

5. Private link and outbound traffic

Repeat after me:

 – Private link is inbound traffic only
 – Private link is inbound traffic only
 – Private…(well you got it, right?)

I still see huge confusion among many folks about Private Link, where people think that enabling Private Link for an App Service, APIM, etc. will give them access to the resources sitting in a given VNET. That is wrong: to gain access to such resources, you have to focus on outbound traffic, not inbound!

6. Private link and public traffic

Remember one rule of thumb: Private Link does not automatically deny public traffic for all services. It does for some, but not for all. So remember to always double-check that public traffic is indeed correctly denied.
7. The propagate gateway routes effect

Whenever you establish private connectivity between your datacenter and Azure, you will use the hub VNET to bridge both worlds. You’re likely going to have (not mandatory) a VPN gateway to establish a site-to-site (S2S) and/or ExpressRoute connection. From there on, each spoke VNET should be able to connect to your on-premises systems and vice versa. You, of course, want to make sure traffic is routed through your firewall. If you encounter a different behavior (traffic flying directly from on-prem to a spoke and vice versa), you likely forgot to deactivate the “propagate gateway routes” property of the spoke’s route table.

[Image: proproutes.png]

So, make sure to turn it off :).
8. The Kubenet effect of NSGs

Many companies struggle to decide whether they want to implement Azure CNI (now BYO CNI is available) or Kubenet for their AKS clusters. The main reason is the shortage of IP addresses. Kubenet is IP-friendly because it only allocates IPs to nodes, while CNI allocates one IP per pod, which results in many more consumed IPs. You can use Kubenet if you’re willing to fully embrace a programmable network approach, such as the use of service meshes and Kubernetes network policies (Calico, for example, which also works with Kubenet). However, if you plan to rely on Azure networking capabilities, such as NSGs and the like, then you’d better switch to CNI. Consider the following scenario:

[Image: kubeneteffect.png]

where you want to share the same cluster for multiple tenants but want to isolate tenants in their own node pool. So, in the above scenario, you only want system to be able to connect to tenants, but tenant 1 and tenant 2 cannot talk together. You do not trust logical isolation (K8s network policies & service meshes) and want to rule this with Network Security Groups instead, or even combine both. Easy, you simply add the following inbound rules to tenant 1 & tenant 2’s NSGs:

 – Priority: 100 – source IP: 10.0.0.0/28 – destination: * – ALLOW (let’s skip the ports for the sake of simplicity)
 – Priority: 110 – source IP: * – destination: * – DENY

So, that way, this should fly. Well, it appears that this won’t fly at all. Why is that? Because Kubenet makes use of network address translation (NAT) and allocates pod CIDRs dynamically, and what the NSGs see are not the subnet ranges but the pod CIDRs, which can change at any time. Indeed, Azure constantly rewrites the route table associated with the subnets to map pod CIDRs to nodes, whenever the cluster restarts or whenever a node gets added to or removed from a node pool. Therefore, you can’t predict how this allocation will be done, which defeats the use of NSGs to rule internal traffic. Of course, you could still use them to rule what comes from outside.
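The following added Python simulation (not from the original post) walks the two NSG rules above through Azure's evaluation order (ascending priority, first match wins, built-in DenyAllInbound last) for the system-to-tenant flow. All addresses are constructed: with Azure CNI the source the NSG sees is a subnet IP and the allow rule matches; with Kubenet it is a pod-CIDR address, so the flow falls through to the deny rule, and allowing the pod CIDR Azure handed out today stops working as soon as the node is mapped to a different one.

```python
"""NSG inbound evaluation for the Kubenet scenario in tip 8.

Azure evaluates NSG rules by ascending priority and applies the first match;
if nothing matches, the built-in DenyAllInbound rule applies. Addresses are
constructed for the example.
"""
import ipaddress


def _in_scope(rule_value, ip):
    """'*' matches anything; otherwise test CIDR membership."""
    if rule_value == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_value, strict=False)


def evaluate(rules, src_ip, dst_ip):
    """Return 'Allow' or 'Deny' for an inbound flow from src_ip to dst_ip."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _in_scope(rule["source"], src_ip) and _in_scope(rule["destination"], dst_ip):
            return rule["access"]
    return "Deny"  # built-in DenyAllInbound (priority 65500)


# The two rules from the tip, attached to the tenant node pools' subnets.
TENANT_NSG = [
    {"priority": 100, "source": "10.0.0.0/28", "destination": "*", "access": "Allow"},
    {"priority": 110, "source": "*", "destination": "*", "access": "Deny"},
]

TENANT1_DST = "10.0.1.5"   # a tenant 1 node (constructed)
TENANT2_SRC = "10.0.2.8"   # a tenant 2 node (constructed)


def demo():
    """Compare what the NSG sees with Azure CNI versus Kubenet."""
    cni_pod_src = "10.0.0.6"        # Azure CNI: the system pod holds a subnet IP
    kubenet_pod_src = "10.244.3.9"  # Kubenet: the NSG sees the pod-CIDR address
    results = {
        "cni_system_to_tenant1": evaluate(TENANT_NSG, cni_pod_src, TENANT1_DST),
        "kubenet_system_to_tenant1": evaluate(TENANT_NSG, kubenet_pod_src, TENANT1_DST),
        "tenant2_to_tenant1": evaluate(TENANT_NSG, TENANT2_SRC, TENANT1_DST),
    }
    # Allowing the pod CIDR Azure mapped to the system node today "fixes" it ...
    patched = [{"priority": 90, "source": "10.244.3.0/24",
                "destination": "*", "access": "Allow"}] + TENANT_NSG
    results["kubenet_patched_today"] = evaluate(patched, kubenet_pod_src, TENANT1_DST)
    # ... until the node is re-mapped to another pod CIDR after a scale event
    # or restart (constructed re-mapping).
    results["kubenet_patched_after_remap"] = evaluate(patched, "10.244.7.9", TENANT1_DST)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

The last two entries are the point of the tip: a rule keyed on a pod CIDR is only as stable as Azure's node-to-CIDR mapping, which you do not control, so NSGs cannot be relied on for intra-cluster isolation under Kubenet.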


 


9. Localhost in APIM policies

Did you know that you can use the keyword localhost in APIM policies? If you have a set of APIs and want APIM to let them call each other without ever leaving the boundaries of APIM itself (no second DNS resolution of the IP), you can use localhost.

10. The troubleshooting tool

Whenever you encounter a network issue in Azure, I recommend using Network Watcher and, more specifically, its next hop feature. It has already helped me a few times to figure out what was misconfigured.

MTC Weekly Roundup – August 5

Hello hello, MTC! The first week of August is in the books, so let’s see what went down in the Community.

MTC Moments of the Week

We had a great AMA in the Community this week that focused on Azure Deployments, featuring @Mark Gray, @adotfrank, @stephanieyen, and @stevenjma, with @Eric Starker moderating. As a quick reminder, an AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit, and there is no audio or video component at this time.

Over on the blogs, @lucyhitz announced the general availability of Microsoft Viva Goals, “a goal-setting and management solution that aligns teams to your organization’s strategic priorities, driving results and a thriving business.” Head over to the post to watch an overview and learn more!

We also want to give a shoutout this week to @ScottLamond, a new MTC’er, for providing several helpful responses in the Excel Community! Welcome and keep being awesome! :)

Unanswered Questions – Can you help them out?

Every week, users come to the MTC seeking guidance or technical support for their Microsoft solutions, and we want to highlight a few of these each week in the hope of getting them answered by our amazing community!

@Jenny_Bruce is seeking advice from the Community about compliance policies and document version history limits in SharePoint Online.

Meanwhile, @JohnHogan20224k is encountering an error in the Microsoft 365 admin center having to do with Teams for Organization, so maybe you can help figure out what’s causing it.

Next Week – Mark your calendars!

Lastly, we have no events next week, but check back soon for updates!

Have a great weekend, everyone!

Share data with Microsoft Purview for Azure storage with private endpoints or VNET restrictions

This is a follow-up to a recently published article on sharing data in near real-time with Microsoft Purview in-place data sharing for Azure Storage. I highly encourage you to read Share data near real-time with Microsoft Purview in-place data sharing for Azure Storage first, before you pore over this article on how to share Azure storage solutions such as Azure Blob Storage and Azure Data Lake Storage Gen2 with VNET traffic restrictions, or even with no public endpoint, i.e. private endpoints only.

Now, using Microsoft Purview in-place data share, you can also create shares that connect to Azure storage PaaS such as Blob Storage and Data Lake Storage with VNET restrictions and, to further up the ante, even to storage accounts with no public endpoint.

This is a critical feature that has been made available only in Microsoft Purview data share and is not part of the standalone Azure Data Share service.

In this article, I will present a few quick pointers and considerations that you have to know before you get started with Purview data sharing using restricted Azure storage accounts.

Premise – Share data with Microsoft Purview for Azure storage with private endpoints or VNET restrictions.

Solution – In a nutshell, with Purview private endpoints, i.e. account, ingestion, and portal (the latter being optional), you can deliver new data shares while connecting to storage accounts with VNET restrictions and/or no public endpoint, i.e. private endpoints only. This assumes that the private endpoints for the storage account and Purview are created in the same VNET, or in a networking landing zone in case you follow the learnings of the enterprise-scale landing zone.

Here’s a quick overview of the key steps which will help you set up a data share with restricted storage accounts:

Step 1 – Create Purview private endpoints, i.e. account, ingestion, and portal (the latter being optional). This is required for private connectivity between Purview and the target storage accounts, regardless of how the storage account is configured, i.e. with VNET restrictions or with no public endpoint.

You can create the private endpoints in the same VNET as the storage account, or in a dedicated VNET which may be part of your networking scaffold in the enterprise-scale landing zone. Make sure the different networks, i.e. the Purview VNET and the storage account VNET, are peered if you follow this topology.

You can also learn more about this configuration here – Connect to your Microsoft Purview to data sources privately and securely

Here’s a quick overview of a typical Purview deployment with private endpoints enabled.

[Images: Purview firewall settings; Purview account and portal private endpoints; Purview ingestion private endpoint]

Step 2 – Depending on the storage account networking configuration, let’s break this section into 2 sub-parts:

#1 Deliver data share from a storage account with VNET restrictions

[Image: Selected VNETs only]

This setup assumes that you have storage accounts with VNET restrictions, where inbound traffic is permitted only from selected VNETs. In this case, you can create the Purview endpoints in the same VNET as the storage account, or in a separate VNET as long as both are peered.

You can read more about this configuration here – Configure Azure Storage firewalls and virtual networks

#2 Deliver data share from a storage account with private endpoints only

[Image: No public endpoint]

This setup assumes that you have storage accounts with no public endpoint, where the only way an application can communicate is via private endpoints. In this case, you will have to create private endpoints for the storage account in a VNET which is reachable by Purview via its ingestion private endpoints. So, this can be done in the same VNET as the Purview ingestion private endpoints, or in a VNET that is accessible from and peered to the Purview private endpoints in the case of an enterprise-scale landing zone.

If you create a private endpoint for the Data Lake Storage Gen2 storage resource, then you should also create one for the Blob storage resource. That’s because operations that target the Data Lake Storage Gen2 endpoint might be redirected to the Blob endpoint. By creating a private endpoint for both resources, you ensure that operations can complete successfully.

You can read more about this configuration here – Use private endpoints – Azure Storage

Step 3 (optional) – I always recommend running nslookup to query the Domain Name System (DNS) records and obtain the mapping between domain name and IP address. The expectation here is that name resolution for the storage account and Purview endpoints returns their respective private IP addresses.
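As an added example for the verification step (not Microsoft's tooling and not part of the original post), the following Python script resolves the storage and Purview endpoint names and reports any that come back with a public address, which is the symptom of the private DNS zones not being linked to the VNET you are resolving from. It assumes, as the post does, that the VNET uses private (RFC 1918) address space; the hostnames are placeholders, and the resolver is injectable so the check can be exercised offline.

```python
"""Check that storage and Purview endpoint names resolve to private IPs.

This is the nslookup step from the post, automated: every hostname should
come back with an address inside the VNET's private range. The resolver is
a parameter so the logic can be tested without network access. Hostnames
below are placeholders, not real accounts.
"""
import ipaddress
import socket


def resolve_endpoints(hostnames, resolve=socket.gethostbyname):
    """Map each hostname to its resolved IP and whether that IP is private."""
    report = {}
    for host in hostnames:
        try:
            ip = resolve(host)
        except OSError as exc:  # NXDOMAIN, timeouts, unreachable resolver
            report[host] = {"ip": None, "private": False, "error": str(exc)}
            continue
        report[host] = {
            "ip": ip,
            "private": ipaddress.ip_address(ip).is_private,
            "error": None,
        }
    return report


def public_resolutions(report):
    """Hostnames that resolved to a public IP: private DNS is not wired up."""
    return sorted(h for h, r in report.items() if r["ip"] and not r["private"])


def unresolved(report):
    """Hostnames that did not resolve at all."""
    return sorted(h for h, r in report.items() if r["ip"] is None)


# Placeholders: replace <storageacct> and <purviewacct> with your own names.
ENDPOINTS = [
    "<storageacct>.blob.core.windows.net",
    "<storageacct>.dfs.core.windows.net",   # Data Lake Storage Gen2 endpoint
    "<purviewacct>.purview.azure.com",
]

if __name__ == "__main__":
    rep = resolve_endpoints(ENDPOINTS)
    for host, r in rep.items():
        print(f"{host}: ip={r['ip']} private={r['private']} error={r['error']}")
    if public_resolutions(rep):
        print("WARNING: public addresses returned for", public_resolutions(rep))
    if unresolved(rep):
        print("WARNING: no answer for", unresolved(rep))
```

Run it from a VM inside the VNET (or over the same resolver path the Purview ingestion endpoint uses); both the blob and dfs names should show `private=True`, matching the advice above to create private endpoints for both resources.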


 


If you have followed these steps, with appropriate permissions on the storage account via RBAC, you can then deliver new data shares to your consumer groups from restricted storage accounts, which earlier was not possible using Azure Data Share.

My objective for this post was to introduce you to how you can connect and deliver shares from storage accounts that have network restrictions, such as VNET restrictions and private endpoints only. Hence, I will not talk about the user journey or customer experience regarding how to create and manage a share. I encourage you to read our post on this subject at How to share data – Microsoft Purview.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.

2021 Top Malware Strains

Agent Tesla

alert tcp any any -> any any (msg:"HTTP GET request /aw/aw.exe"; flow:established,to_server; sid:1; rev:1; content:"GET"; http_method; content:"/aw/aw.exe"; http_uri; reference:url,https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)

AZORult

alert tcp any any -> any any (msg:"HTTP Server Content Data contains 'llehS|2e|tpircSW'"; sid:1; rev:1; flow:established,from_server; file_data; content:"llehS|2e|tpircSW"; nocase; fast_pattern:only; pcre:"/GCM(?:\x20|%20)*\W-O*/i"; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)

AZORult

alert tcp any any -> any any (msg:"HTTP POST Client Body contains 'J/|fb|' and '/|fb|'"; sid:1; rev:1; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"J/|fb|"; http_client_body; fast_pattern; content:"/|fb|"; http_client_body; depth:11; content:!"Referer|3a 20|"; http_header; metadata:service http;)

FormBook

alert tcp any any -> any any (msg:"HTTP URI POST contains '&sql=1' at the end"; sid:1; rev:1; flow:established,to_server; content:"&sql=1"; http_uri; fast_pattern:only; content:"POST"; http_method; pcre:"/(?(DEFINE)(?'b64std'[a-zA-Z0-9+/=]+?))(?(DEFINE)(?'b64url'[a-zA-Z0-9_-]+?))^/[a-z0-9]{3,4}/?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU"; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)

alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/list/hx28/config.php?id='"; sid:1; rev:1; flow:established,to_server; content:"/list/hx28/config.php?id="; http_uri; fast_pattern:only; content:"Connection|3a 20|close|0d 0a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)

Ursnif

alert tcp any any -> any any (msg:"HTTP POST Data contains .bin filename, long URI contains '/images/'"; sid:1; rev:1; flow:established,to_server; urilen:>60,norm; content:"/images/"; http_uri; depth:8; content:"POST"; nocase; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; content:"|2e|bin|22 0d 0a|"; http_client_body; distance:1; within:32; fast_pattern; reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)

alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/images/' plus random sub directories and an Image File (Ursnif)"; sid:1; rev:1; flow:established,to_server; content:"/images/"; http_uri; fast_pattern:only; content:!"Host: www.urlquery.net"; http_header; pcre:"//images(/(?=[a-z0-9_]{0,22}[A-Z][a-z0-9_]{0,22}[A-Z])(?=[A-Z0-9_]{0,22}[a-z])[A-Za-z0-9_]{1,24}){5,20}/[a-zA-Z0-9_]+.(?:gif|jpeg|jpg|bmp)$/U"; metadata:service http;)

LokiBot

alert tcp any any -> any any (msg:"HTTP Client Header contains 'User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|"; http_header; fast_pattern:only; metadata:service http;)

LokiBot

alert tcp any any -> any any (msg:"HTTP URI POST contains '/*/fre.php' post-infection"; sid:1; rev:1; flow:established,to_server; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"//(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre.php$/iU"; metadata:service http;)

LokiBot

alert tcp any any -> any any (msg:"HTTP URI POST contains '/w.php/'"; sid:1; rev:1; flow:established,to_server; content:"/w.php/"; http_uri; fast_pattern:only; content:"POST"; nocase; http_method; pcre:"//\w+/w.php/[a-z]{13}$/iU"; metadata:service http;)

MOUSEISLAND

alert tcp any any -> any any (msg:"HTTP URI GET contains '/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>='"; sid:9206287; rev:1; flow:established,to_server; content:"/assets/"; http_uri; fast_pattern:only; content:"HTTP/1.1|0d 0a|"; depth:256; content:!"|0d 0a|Cookie:"; content:!"|0d 0a|Referer:"; pcre:"//assets/[a-fA-F0-9/]{8,80}/[a-zA-Z0-9]{4,16}\?[a-z0-9]{3,6}=/U"; metadata:service http;)

NanoCore

alert tcp any any -> any 25 (msg:"SMTP Attachment Filename 'Packinglist-Invoice101.pps'"; sid:1; rev:1; flow:established,to_server,only_stream; content:"Content-Disposition|3a 20|attachment|3b|"; content:"Packinglist-Invoice101.pps"; nocase; distance:0; fast_pattern; pcre:"/Content-Disposition\x3a\x20attachment\x3b[\x20\t\r\n]+?(?:file)*?name=\x22*?Packinglist-Invoice101.pps\x22*?/im"; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)

NanoCore

alert tcp any any -> any any (msg:"HTTP Client Header contains 'Host|3a 20|frankief hopto me' (GenericKD/Kazy/NanoCore/Recam)"; sid:1; rev:1; flow:established,to_server; content:"Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|"; http_header; fast_pattern:only; metadata:service http;)

NanoCore

alert tcp any any -> any any (msg:"HTTP GET URI contains 'FAD00979338'"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:"HTTP URI GET /t?v=2&c= (Qakbot)"; sid:1; rev:1; flow:established,to_server; content:"/t?v=2&c="; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)

Qakbot

alert tcp any any -> any 21 (msg:"Possible FTP data exfiltration"; sid:1; rev:1; flow:to_server,established; content:"STOR si_"; content:".cb"; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)

Qakbot

alert tcp any any -> any any (msg:"Malicious executable download attempt"; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:"|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|"; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:"HTTP POST URI contains 'odin/si.php?get&'"; sid:1; rev:1; flow:to_server,established; content:"/odin/si.php?get&"; fast_pattern:only; http_uri; content:"news_slist"; http_uri; content:"comp="; http_uri; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:"HTTP URI contains '/random750x750.jpg?x='"; sid:1; rev:1; flow:to_server,established; content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; content:"Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:"HTTP URI contains '/datacollectionservice.php3'"; sid:1; rev:1; flow:to_server,established; content:"/datacollectionservice.php3"; fast_pattern:only; http_uri; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:"HTTP header contains 'Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|'"; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:"btst="; http_header; content:"snkz="; http_header; content:"Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|"; fast_pattern:only; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)

Qakbot

alert tcp any any -> any 21 (msg:"Possible ps_dump FTP exfil"; sid:1; rev:1; flow:to_server,established; content:"ps_dump"; fast_pattern:only; pcre:"/ps_dump_[^_]+_[a-z]{5}\d{4}\x2Ekcb/smi"; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)

Qakbot

alert tcp any any -> any 21 (msg:"Possible seclog FTP exfil"; sid:1; rev:1; flow:to_server,established; content:"seclog"; fast_pattern:only; pcre:"/seclog_[a-z]{5}\d{4}_\d{10}\x2Ekcb/smi"; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)

Qakbot

alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/jl/jloader.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/jl/jloader.pl”; fast_pattern:only; http_uri;  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/clientinfo3.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/clientinfo3.pl”; fast_pattern:only; http_uri;  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:”HTTP URI contains ‘/u/updates.cb'”; sid:1; rev:1; flow:to_server,established; content:”/u/updates.cb”; fast_pattern:only; http_uri; pcre:”/^Hostx3A[^rn]+((upd+)|(adserv))/Hmi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:”HTTP response content contains ‘|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|'”; sid:1; rev:1; flow:to_client,established; file_data; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|”; fast_pattern:only; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|”; content:”|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|”; content:”|73 7A 46 69 6C 65 50 61 74 68 3D|”; content:”|5C 25 75 2E 65 78 65|”; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;)

Qakbot

alert tcp any any -> any any (msg:”HTTP POST URI contains ‘v=3&c='”; sid:1; rev:1; flow:to_server,established; content:”/t”; http_uri; content:”POST”; http_method; content:”v=3&c=”; depth:6; http_client_body; content:”==”; within:2; distance:66; http_client_body;  reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;)

Qakbot

alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/<alpha>/595265.jpg'”; sid:1; rev:1; flow:established,to_server; content:”/595265.jpg”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/[a-z]{5,15}/595265.jpg$/U”;  reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;)

Remcos

alert tcp any any -> any any (msg:”Non-Std TCP Client Traffic contains ‘|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|’ (Checkin #23)”; sid:1; rev:1; flow:established,to_server; dsize:<700; content:”|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|”; depth:11; fast_pattern; content:”|da b1|”; distance:2; within:2;  reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains ‘host|3a 20|tpsci.com'”; sid:1; rev:1; flow:established,to_server; content:”host|3a 20|tpsci.com”; http_header; fast_pattern:only; metadata:service http;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|*Loader'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|”; http_header; content:”Loader|0d 0a|”; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;)

TrickBot

alert udp any any <> any 53 (msg:”DNS Query/Response onixcellent com (UDP)”; sid:1; rev:1; content:”|0B|onixcellent|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; priority:1; metadata:service dns;)

TrickBot

alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd'”; sid:1; rev:2; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|XX”; nocase; content:”|31 15 30 13 06 03 55 04 07 13 0c|Default City”; nocase; content:”|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd”; nocase; content:!”|31 0c 30 0a 06 03 55 04 03|”;  reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)

TrickBot

alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=AU, ST=Some-State, O=Internet Widgits Pty Ltd'”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|AU”; content:”|31 13 30 11 06 03 55 04 08 13 0a|Some-State”; distance:0; content:”|31 21 30 1f 06 03 55 04 0a 13 18|Internet Widgits Pty Ltd”; distance:0; fast_pattern; content:”|06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff|”;  reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains ‘boundary=Arasfjasu7′”; sid:1; rev:1; flow:established,to_server; content:”boundary=Arasfjasu7|0d 0a|”; http_header; content:”name=|22|proclist|22|”; http_header; content:!”Referer”; content:!”Accept”; content:”POST”; http_method; metadata:service http;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.”; http_header; fast_pattern:only; content:”.png|20|HTTP/1.”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}(?:x3ad{2,5})?$/mH”; content:!”Accept”; http_header; content:!”Referer|3a 20|”; http_header; metadata:service http;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Server Header contains ‘Server|3a 20|Cowboy'”; sid:1; rev:1; flow:established,from_server; content:”200″; http_stat_code; content:”Server|3a 20|Cowboy|0d 0a|”; http_header; fast_pattern; content:”content-length|3a 20|3|0d 0a|”; http_header; file_data; content:”/1/”; depth:3; isdataat:!1,relative; metadata:service http;)

TrickBot

alert tcp any any -> any any (msg:”HTTP URI POST contains C2 Exfil”; sid:1; rev:1; flow:established,to_server; content:”Content-Type|3a 20|multipart/form-data|3b 20|boundary=——Boundary”; http_header; fast_pattern; content:”User-Agent|3a 20|”; http_header; distance:0; content:”Content-Length|3a 20|”; http_header; distance:0; content:”POST”; http_method; pcre:”/^/[a-z]{3}d{3}/.+?.[A-F0-9]{32}/d{1,3}//U”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}$/mH”; content:!”Referer|3a|”; http_header; metadata:service http;)

TrickBot

alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/56evcxv'”; sid:1; rev:1; flow:established,to_server; content:”/56evcxv”; http_uri; fast_pattern:only;  metadata:service http;)

TrickBot

alert icmp any any -> any any (msg:”ICMP traffic conatins ‘hanc'”; sid:1; rev:1; itype:8; icode:0; dsize:22; content:”hanc”; depth:4; fast_pattern; pcre:”/hanc[0-9a-f]{16}../i”;  reference:url,labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data='”; sid:1; rev:1; flow:established,to_server; content:”POST”; nocase; http_method; content:”host|3a 20|”; http_header; content:”.onion.link”; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:”data=”; distance:0; within:5; metadata:service http;)

TrickBot

alert tcp any 80 -> any any (msg:”Non-Std TCP Client Traffic contains PowerView Script Download String”; sid:1; rev:1; flow:established,from_server; content:”PowerView.ps1″; content:”PSReflect/master/PSReflect.psm1″; fast_pattern:only; content:”function New-InMemoryModule”; metadata:service else-ports;)

TrickBot

alert tcp any any -> any 445 (msg:”Non-Std TCP Client SMB Traffic contains ‘44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl'”; sid:1; rev:1; flow:established,to_server; content:”44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl”; fast_pattern:only; metadata:service netbios-ssn,service and-ports;)

TrickBot

alert tcp any any -> any [80,443,8082] (msg:”Non-Std TCP Client Traffic contains ‘–aksgja8s8d8a8s97′”; sid:1; rev:1; flow:established,to_server; content:”–aksgja8s8d8a8s97″; fast_pattern:only; content:”name=|22|proclist|22|”;  metadata:service else-ports;)

TrickBot

alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.0′”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.0|0d 0a|”; http_header; fast_pattern:only; pcre:”//t(?:oler|able).png/U”; metadata:service http;)

TrickBot

alert tcp any any -> any [443,8082] (msg:”Non-Std TCP Client Traffic contains ‘_W<digits>.'”; sid:1; rev:1; flow:established,to_server; content:”_W”; fast_pattern:only; pcre:”/_Wd{6,8}./”; metadata:service else-ports;)

TrickBot

alert tcp any [443,447] -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex)”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|0b|example.com”; fast_pattern:only; content:”Global Security”; content:”IT Department”; pcre:”/(?:x09x00xc0xb9x3bx93x72xa3xf6xd2|x00xe2x08xffxfbx7bx53x76x3d)/”;  metadata:service ssl,service and-ports;)

TrickBot

alert tcp any any -> any any+F57 (msg:”HTTP URI GET contains ‘/anchor'”; sid:1; rev:1; flow:established,to_server; content:”/anchor”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/anchor_?.{3}/[w_-]+.[A-F0-9]+/?$/U”; metadata:service http;)

TrickBot

alert udp any any <> any 53 (msg:”DNS Query/Response kostunivo com (UDP)”; sid:1; rev:1; content:”|09|kostunivo|03|com|00|”; fast_pattern:only;  reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30;  metadata:service dns;)

TrickBot

alert udp any any <> any 53 (msg:”DNS Query/Response chishir com (UDP)”; sid:1; rev:1; content:”|07|chishir|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)

TrickBot

alert udp any any <> any 53 (msg:”DNS Query/Response mangoclone com (UDP)”; sid:1; rev:1; content:”|0A|mangoclone|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)

GootLoader

No signature available.