Weekly Community Review - April 21, 2023

Last week here ended with snow yesterday, and with 271 (!) additional rules for ET Open! Thanks go to the wonderful sharing efforts within our #infosec #Suricata #IDS Community, as the rules were built from that intel and from the move of several PRO rules to Open. Let's chat on a few…

First, let's talk about ET Open: they're free! Free, as in BSD licensed, which allows you to do what you like with them. All we ask is that when you have an idea, a new signature, feedback, or even just a theory, you send it in to benefit everyone.

And how do you do that? On our Twitter, here on Discourse, on our mailing list via support[at]emergingthreats[dot]net, or on our Discord (hit us up via DM for an invite!).

And I mentioned ETPRO rules moving to Open… check out our FAQ for the answer to how that can happen, as well as insight on several other questions you might have. Or ask your own!

Back to the sigs: continued #Gamaredon #APT shares from @Cyber0verload. Thanks for the tags, they're much appreciated, and they led to SIDs 2044994-2044997 (DNS alerts) as well as 2044353, alerting on outbound GET activity.

Friend @Jane_0sint tagged us in on a thread with @crep1x and @James_inthe_box on what we called #LeftHook #Stealer: SIDs 2044999 and 2045002-2045006 on its various C2 activities.

And from that same thread, @crep1x with SID 2045000 on the inbound connection check response: #RedLine #Stealer in our Attack_Response #Suricata category.

For #Suricata "Attack Response", these are sigs that identify responses indicative of intrusion, results of a successful attack, and scripts (including common obfuscation methods) used in the delivery of malware or other malicious payloads.

Back to the action! @ViriBack with a kind tag for 3 #Nemesis domains; these are DNS lookup alerts within SIDs 2045035-2045037. Thanks!

Another great tag to us from @MavericksInt; thanks much for Hunting SIDs 2045046 and 2045047 for potential #Gamaredon activity.

From @Yeti_Sec, a @urlscanio layout allowing us to alert on the incoming push of a #Nemesis admin panel in SID 2045055!

For some housekeeping this week, shout-out to @500mk500, @Gi7w0rm, @StopMalvertisin, @threatinsight's own @greglesnewich, and @TLP_R3D, who all helped us tidy up some mis-attribution and FP'ing signatures. All your feedback helps us do what we do!

On the industry side, this @HuntressLabs post enabled SIDs 2045131-2045139; these are alerts on activity to post-exploit domains from #PaperCut.

From Google TAG, a #Sandworm report on #Russia focusing on #Ukraine rendered DNS alerting on SIDs 2045110-2045120 for the associated IOCs within.

A regular reminder on IOC sigs: since items like domains can be transitory, these rules are created with a Time-To-Review value, and at those review points a rule can be set to be permanent, be deferred for review, or be disabled. Investigate fires responsibly!
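To make the Time-To-Review idea concrete for anyone maintaining a local copy of the ruleset, here is an added example (not Emerging Threats code) that parses a few constructed Suricata DNS IOC rules and sorts them into "active", "review-due", "deferred", "permanent" or "disabled". The SIDs in the 9000000 range and the `.invalid` domains are placeholders; `created_at` is a metadata key ET rules really carry, while `review_ttl_days`, `review_decision` and `review_deferred_to` are hypothetical keys used here to model the review lifecycle described above.

```python
"""Triage Suricata IOC rules by review age (added example, constructed data)."""
import re
from datetime import date, datetime, timedelta

# Constructed sample rules: placeholder SIDs and *.invalid domains, not real IOCs.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain A in DNS Lookup (constructed)"; dns.query; content:"example-ioc-a.invalid"; nocase; classtype:trojan-activity; sid:9000001; rev:1; metadata:created_at 2023_01_10, review_ttl_days 90;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain B in DNS Lookup (constructed)"; dns.query; content:"example-ioc-b.invalid"; nocase; classtype:trojan-activity; sid:9000002; rev:1; metadata:created_at 2023_04_17, review_ttl_days 90;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain C in DNS Lookup (constructed)"; dns.query; content:"example-ioc-c.invalid"; nocase; classtype:trojan-activity; sid:9000003; rev:2; metadata:created_at 2022_06_01, review_ttl_days 90, review_decision permanent;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain D in DNS Lookup (constructed)"; dns.query; content:"example-ioc-d.invalid"; nocase; classtype:trojan-activity; sid:9000004; rev:2; metadata:created_at 2022_09_01, review_ttl_days 90, review_decision disabled;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain E in DNS Lookup (constructed)"; dns.query; content:"example-ioc-e.invalid"; nocase; classtype:trojan-activity; sid:9000005; rev:2; metadata:created_at 2023_01_02, review_ttl_days 90, review_deferred_to 2023_06_01;)
"""

# The date of this review post, used as "today" for the sample run.
REVIEW_DATE = date(2023, 4, 21)

METADATA_RE = re.compile(r"metadata:([^;]*);")
SID_RE = re.compile(r"\bsid:(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)";')


def parse_date(value):
    """ET-style metadata dates look like 2023_04_17."""
    return datetime.strptime(value, "%Y_%m_%d").date()


def parse_rule(line):
    """Return the sid, msg and metadata key/value pairs of one rule line."""
    sid = SID_RE.search(line)
    msg = MSG_RE.search(line)
    meta = {}
    m = METADATA_RE.search(line)
    if m:
        for item in m.group(1).split(","):
            item = item.strip()
            if item:
                key, _, value = item.partition(" ")
                meta[key] = value.strip()
    return {
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
        "metadata": meta,
    }


def review_status(rule, today):
    """Classify a rule against its (hypothetical) review metadata."""
    meta = rule["metadata"]
    decision = meta.get("review_decision")
    if decision in ("permanent", "disabled"):
        return decision
    deferred = meta.get("review_deferred_to")
    if deferred and parse_date(deferred) > today:
        return "deferred"
    if "created_at" not in meta:
        return "unknown"  # nothing to age against; flag for a human
    ttl = int(meta.get("review_ttl_days", "90"))  # 90-day default is an assumption
    due = parse_date(meta["created_at"]) + timedelta(days=ttl)
    return "review-due" if today >= due else "active"


def triage(rules_text, today):
    """Map every sid in the rule text to its review status."""
    result = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            result[rule["sid"]] = review_status(rule, today)
    return result


if __name__ == "__main__":
    for sid, status in sorted(triage(SAMPLE_RULES, REVIEW_DATE).items()):
        print(sid, status)
```

Run against a real rules file, the same loop would list the transitory-indicator rules whose review date has passed, which is exactly the set an analyst should look at before trusting (or silencing) their fires.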

Lastly, from our friends at @nao_sec, further SIDs from their report on compromised sites using fake Chrome errors to push malware, 2045127-2045129.