Weekly Community Review - August 15, 2023

Greetings all - we had over 500 (574!!) rules added to our etopen community ruleset. Again, thanks to all for the contributions on that score, and I want to call out some of those who helped.

And let's remember - these etopen rules are free. Yes, free as in BSD licensed, which allows you to do what you like with them. All we ask is that when you have an idea, a new signature, feedback, or even just a theory, you send it in to benefit everyone.
https://rules.emergingthreatspro.com/open/

Lots of rules added last week, many of them from kind shares. From this intel shared by Cyber0verload we added alerts for #Gamaredon #APT related DNS lookups (SIDs 2047084-2047112) and detections for TLS SNI traffic to the same domains (SIDs 2047126-2047154).

https://twitter.com/Cyber0verload/status/1679757171469307904

And for those DNS alerts and the TLS SNI alerts, when they fire: since malware-related domains can be transitory, these alerts are the beginning of an investigation, not the end. Triage them appropriately, dig in to what you see from the indicated hosts within your network(s), and good luck!
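As an added illustration of that triage advice (example code written for this post, not part of the ET ruleset or any Proofpoint tooling): the script below reads Suricata EVE JSON alert lines, keeps only hits from the two Gamaredon SID ranges named above, and groups them by internal host so that a host which both resolved a flagged name and then sent a TLS ClientHello carrying it as SNI rises to the top of the worklist. The EVE lines are constructed samples with placeholder domains, and the record shape (an `alert` event carrying `dns.query` / `tls.sni` metadata) is assumed to match what your sensor emits; adjust the field paths if yours differs.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# SID ranges named in the review: Gamaredon-related DNS lookup alerts and the
# matching TLS SNI alerts. range() upper bounds are exclusive, hence the +1.
DNS_LOOKUP_SIDS = range(2047084, 2047112 + 1)
TLS_SNI_SIDS = range(2047126, 2047154 + 1)

# Constructed EVE JSON alert lines (not real Suricata output, not real indicators).
# Domains are placeholders; the shape mimics EVE "alert" events with app-layer
# dns/tls metadata. One non-alert event and one junk line are included on purpose.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-08-14T10:01:02.000000+0000","event_type":"alert","src_ip":"10.10.1.25",'
    '"dest_ip":"10.10.0.53","dest_port":53,"proto":"UDP",'
    '"alert":{"signature_id":2047090,"rev":1,"signature":"DNS lookup placeholder"},'
    '"dns":{"query":[{"rrname":"lookup-placeholder-a.invalid","rrtype":"A"}]}}',
    '{"timestamp":"2023-08-14T10:01:03.000000+0000","event_type":"alert","src_ip":"10.10.1.25",'
    '"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"alert":{"signature_id":2047130,"rev":1,"signature":"TLS SNI placeholder"},'
    '"tls":{"sni":"lookup-placeholder-a.invalid"}}',
    '{"timestamp":"2023-08-14T11:15:00.000000+0000","event_type":"alert","src_ip":"10.10.1.77",'
    '"dest_ip":"10.10.0.53","dest_port":53,"proto":"UDP",'
    '"alert":{"signature_id":2047101,"rev":1,"signature":"DNS lookup placeholder"},'
    '"dns":{"query":[{"rrname":"lookup-placeholder-b.invalid","rrtype":"A"}]}}',
    '{"timestamp":"2023-08-14T11:16:00.000000+0000","event_type":"flow","src_ip":"10.10.1.77","dest_ip":"10.10.0.53"}',
    'not json at all',
]


def stage_for_sid(sid: int) -> Optional[str]:
    """Map a signature id to the detection stage it represents, or None if out of scope."""
    if sid in DNS_LOOKUP_SIDS:
        return "dns_lookup"
    if sid in TLS_SNI_SIDS:
        return "tls_sni"
    return None


def parse_alerts(lines: Iterable[str]) -> Iterable[dict]:
    """Yield only well-formed EVE 'alert' records; skip blank, malformed and other event types."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def indicator(rec: dict, stage: str) -> Optional[str]:
    """Pull the domain the alert matched on: first DNS query name, or the TLS SNI."""
    if stage == "dns_lookup":
        queries = rec.get("dns", {}).get("query") or []
        return queries[0].get("rrname") if queries else None
    return rec.get("tls", {}).get("sni")


def build_worklist(lines: Iterable[str]) -> List[Dict]:
    """Group in-scope alerts by source host and rank hosts for investigation."""
    per_host = defaultdict(lambda: {"stages": set(), "domains": set(), "alerts": 0, "first_seen": None})
    for rec in parse_alerts(lines):
        stage = stage_for_sid(int(rec.get("alert", {}).get("signature_id", 0)))
        if stage is None:
            continue
        entry = per_host[rec["src_ip"]]
        entry["alerts"] += 1
        entry["stages"].add(stage)
        dom = indicator(rec, stage)
        if dom:
            entry["domains"].add(dom)
        ts = rec.get("timestamp")
        # EVE timestamps are ISO-8601 with a fixed offset, so string order is time order.
        if ts and (entry["first_seen"] is None or ts < entry["first_seen"]):
            entry["first_seen"] = ts
    # A host that resolved the name AND then presented it as SNI (two stages) ranks above
    # a host that only performed the lookup; ties break on alert volume, then earliest hit.
    return sorted(
        ({"host": h, "priority": len(v["stages"]), **v} for h, v in per_host.items()),
        key=lambda e: (-e["priority"], -e["alerts"], e["first_seen"] or ""),
    )


if __name__ == "__main__":
    for item in build_worklist(SAMPLE_EVE_LINES):
        print(item["host"], item["priority"], sorted(item["stages"]),
              sorted(item["domains"]), item["first_seen"])
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines; the output is a ranked list of hosts and the domains they touched, which is the starting point for the host-side digging the paragraph above recommends rather than a verdict on its own.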

From @MalGamy12, alerts on #Agniane stealer exfil activity (SID 2047124) from shared hashes and intel here:

https://twitter.com/MalGamy12/status/1688984207752663040

And more #Agniane stealer from @ViriBack - another exfil method covered with 2047492:

https://twitter.com/ViriBack/status/1689447082040373249

This domain share from Recorded Future enabled SIDs 2047162-2047251 (DNS alerts) and 2047252-2047341 (TLS SNI activity), thanks!

Thanks to @g0njxa for this share of an @anyrun_app run, allowing us to model the patterns and HTTP body for alerting on this #stealer (SID 2047615):

https://twitter.com/g0njxa/status/1677297278371889153

Turning to our #Discourse - check it out! Such great discussion and wonderful sharing of intel, rule submissions, and FP reports. This @Jane0sint rule submission on #DarkCloud came from their analysis of an external IP check with a custom header, allowing tight alert logic (SID 2047083).

And read this full analysis of #StealC #Stealer, which starts with a coverage hole, proceeds with anyrun forensics, iterates through multiple analytical steps and the resulting pcaps, and ends up with 2047625 (checkin) and multiple payload request methods (2047626-2047627). This is great collaboration, @Jane0sint!

From our own @infosectimmy, dozens of TLS SNI signatures (SIDs 2047479-2047491, 2047493-2047614) and DNS lookup alerts (SIDs 2047344-2047478) covering TOAD domains! Not sure what TOAD is? Check it out here:

Lastly, a shout-out to @attcyber for the macOS/AdLoad sigs: SID 2047628 (C2 beacon), 2047629 & 2047630 (proxy node beacons), and for mentioning us in their blog post "Mac systems turned into proxy exit nodes by AdLoad".

Thanks all!