Weekly Community Review - April 14, 2023

It’s the end of a great week here at @ET_Labs. Thanks to our friends and contributors to our #Suricata and #Snort ET Open rules, we’ve had 48 new entries. Let’s chat about a few of them, some tweaks we made to the #IDS rules this week, and a few other things we’ve got coming up!

A reminder - these rules can be found here FREE for all our supported engines: Suricata 4, Suricata 5, Suricata 6 (using the 5 ruleset), and Snort 2.9.x: https://rules.emergingthreatspro.com/open/

From @Cryptolaemus1, #Qakbot intel that rendered SID 2044920, which alerts on path literals in the request content for a C2 payload grab.

Multiple #ScarCruft #APT alerts came from @RexorVc0’s tweet, allowing us to model several C2 GET requests across SIDs 2044934-2044936 and the corresponding payload reception in SID 2044937. Thanks!

ET Style Classroom time! What does M(int) mean in an ET Open or ETPRO sig? We use this suffix when several sigs detect different behaviors of the same malware. Example: “Yowza Ransomware CnC Checkin M1”, “Yowza Ransomware CnC Checkin M2”. And now you know!

We got multiple #Keitaro domain sigs (2044957-2044959) from @500mk500’s tweet here. Remember: Keitaro TDS use within your environment may be legitimate, but you’ll never know if you’re not alerted and don’t investigate!

Some @ThreatBookLabs intel gave us SID 2044956, a #DonotGroup DNS alert on a domain from that report - take a look!

Continued great work on #Gamaredon from @StopMalvertisin! SIDs 2044918 and 2044919 came from their tweets on C2 activity.

Our friend @suyog41 has been all over #Telegram as a comms method for malware. SID 2044925 (#Agartha #Stealer inbound/response) and 2044916 (#KWNClipper Checkin) come from their kind hash shares.

SID 2044933 from @TLP_R3D - thanks for the tweet and the @virustotal guidance to sig up the admin console push for #Raccoon #Stealer.

Keep an eye out for malicious domains being queried by your hosts - SIDs 2044928-2044930 from @C0ryInTheHous3 alert on lookups for these #TA444 domains.

And another #APT domain, this one for #CloudAtlas, in SID 2044927 - thanks to @t3ft3lb for sharing the intel!

From the industry, @Unit42_Intel provided #CylanceRansomware hashes, which gave us the detection logic to alert on the #exfil of system information in SID 2044917. Thanks for sharing your intel!

More SIDs from an @ahnlab_secuinfo post: 2044931 and 2044932 alert on HTTP URI and header content from Tick Group #APT activity!

On the homefront, we take the performance of the rulesets very seriously, and as such we work hard to weed out rules that may not be performant. This week, our own @EcOzurie worked hard to cut some fat and keep us fit and trim!

On our #IDS #infosec community #Discourse site, Tony lays out the steps we’ve taken to prepare our #Snort 2.9 ruleset for #snort2lua conversion to #Snort3 - these steps are necessary for our eventual ruleset fork for full #Snort3 support (date TBD)!

That’s it for this week - take care everyone and be well. Have some fun this weekend!