Community Review - May 31, 2024

Greetings all! We’re back today to talk about the importance of community contributions to ET! Our ET Open ruleset (Proofpoint Emerging Threats Rules) is free to download and is part of Suricata’s default configuration. Your tip-ups to us get turned into rules that are out there helping our infosec community. Here are a few recent shares:

From @0xrb on Twitter, the shared hashes on #CrimsonRAT informed not only an alert against a DNS query for an involved domain (SID 2052908) and the TLS handshake (2052910) but also byte-pattern content matching on enumerated infected host file paths in the outbound exfiltration activity (2052908).

Friend @suyog41 with hash shares on TA450 MuddyWater APT - SID 2052911, crafted from the observed UA string, alerts on the outbound activity from an infected host!

twitter.com/suyog41/status/1793935723961143625

Not only SIDs alerting on lookups against the domain involved (2052802) and the TLS handshake (2052803) but both inbound (2052805) and outbound (2052804) #Winnti activity from these hashes and @hatching_triage and @app_any_run sandbox runs from @naumovax!

Many thanks as always to friend of ET @travisbgreen for his FP tips, particularly one that helped us tighten up SID 2000488. You can help us out too! Give us a shout out on twitter, at support (at) emergingthreats.net, or here on our discourse site: https://community.emergingthreats.net/

ET Contributor @cosmicgumbo helped out with his ETOpen submissions related to OpenTSDB RCEs. Sigs 2052823-2052825 covering different inbound methods attempting command injection #CVE_2023_25826 are now in the ruleset!

Friend of ET @jt42 contributed SID 2052949 - this alerts on observed #Smokeloader outbound Payload activity

SID 2053200 came from these @JAMESWT_MHT and @c_APT_ure tweets - it alerts on the outbound #AgentTesla download activity:

This @malware_traffic writeup cites samples provided by @rerednawyerg for us to detonate and model for SID 2052950, which triggers on the unique URI pattern identified in the GET and the observed UA string in use:

https://www.malware-traffic-analysis.net/2024/03/14/index.html

We love our Discourse community here - it’s not just a place where you can get support; you can submit rules for addition to ETOpen as well. Check out these two submissions from user @kevross33: W32/Badspace.Backdoor. These became outbound alerting SIDs 2052557 (C2 GET) and 2052558 (C2 POST).

We find value in IOC-based signatures as well - and these are powered by researchers and industry partners relaying their findings and laying them bare for all of us to alert against. Here, @karol_paciorek shares multiple Remcos domains. For SIDs 2052849-2052858 we keep an eye on their continued activity and assign a TTR (time-to-review) that ensures our ruleset stays accurate and relevant!

On the homefront, great work by @threatinsight, @infosectimmy and @selenalarson proves that anything, even a ‘free’ piano, can be used to scam victims into falling for #AFF #scams.

And lastly, give a listen to the #Discarded podcast, as it returns to inform and move the state of #infosec knowledge forward!

“Decrypting Cyber Threats: Tactics, Takedowns, and Resilience” by Proofpoint via #spreaker