It’s the end of a great week here at @ET_Labs. Thanks to our friends and contributors to our #Suricata and #Snort ET Open rules, we’ve had 48 new entries. Let’s chat about a few of them, some tweaks we made to the #IDS rules this week, and a few other things we’ve got coming up!
A reminder - these rules can be found here FREE for all our supported engines: Suricata 4, Suricata 5, Suricata 6 (using the 5 ruleset), and Snort 2.9.x: https://rules.emergingthreatspro.com/open/
From @Cryptolaemus1, #Qakbot intel yielding SID 2044920, which alerts on content path literals in a C2 payload request.
https://twitter.com/Cryptolaemus1/status/1645836544580648984
Multiple #ScarCruft #APT alerts came from @RexorVc0’s tweet, allowing us to model several C2 GET methods across SIDs 2044934-2044936 and the corresponding payload reception in SID 2044937. Thanks!
https://twitter.com/RexorVc0/status/1646407684936048640
ET Style Classroom time! What does M(int) mean in an ET Open or ETPRO sig? We use this naming when sigs detect several distinct behaviors of the same malware, numbering each one. Example: “Yowza Ransomware CnC Checkin M1”, “Yowza Ransomware CnC Checkin M2”. And now you know!
We got multiple #Keitaro domain sigs (2044957-2044959) from @500mk500’s tweet here. Remember: Keitaro TDS use within your environment may be legitimate, but you’ll never know if you’re not alerted and don’t investigate!
https://twitter.com/500mk500/status/1646410976839847936
Some @ThreatBookLabs intel gave us SID 2044956, a #DonotGroup DNS alert on a domain from their report - take a look!
Continued great work on #Gamaredon from @StopMalvertisin! SIDs 2044918 and 2044919 came from their tweets on C2 activity:
https://twitter.com/StopMalvertisin/status/1645771054462402560
Our friend @suyog41 has been all over #Telegram as a comms channel for malware. SID 2044925 (#Agartha #Stealer inbound/response) and 2044916 (#KWNClipper Checkin) come from their kind hash shares.
https://twitter.com/suyog41/status/1645694318756220928
SID 2044933 from @TLP_R3D - thanks for the tweet and the @virustotal guidance that let us sig up the admin console push for #Raccoon #Stealer:
https://twitter.com/TLP_R3D/status/1646246721293520898
Keep an eye out for malicious domains being queried by your hosts - SIDs 2044928-2044930 from @C0ryInTheHous3 will alert on lookups for these #TA444 domains.
https://twitter.com/C0ryInTheHous3/status/1646161233458999297
And another #APT domain, for #CloudAtlas, in SID 2044927 thanks to @t3ft3lb sharing intel - thanks!
https://twitter.com/t3ft3lb/status/1645819685370249216
From the industry, @Unit42_Intel provided hashes for #CylanceRansomware, which gave us the detection logic to alert on the #exfil of system information in SID 2044917. Thanks for sharing your intel!
https://twitter.com/Unit42_Intel/status/1641588431221342208
More SIDs from an @ahnlab_secuinfo post: both 2044931 and 2044932 alert on HTTP URI and header content from Tick Group #APT activity!
On the homefront, we take the performance of the rulesets very seriously, and as such we work hard to remove rules which may not be performant. This week, our own @EcOzurie worked hard to cut some fat and keep us fit and trim!
https://twitter.com/EcOzurie/status/1645112610134605824
On our #IDS #infosec community #Discourse site, Tony lays out the steps we’ve taken to prepare our #Snort 2.9 ruleset for #snort2lua conversion to #Snort3. These steps are necessary for our eventual ruleset fork for full #Snort3 support! (date TBD)
That’s it for this week - take care everyone and be well. Have some fun this weekend!