Greetings! We had a short week last week here at @et_labs, but thanks to the sharing of our #infosec community we were able to add over 100 (105!) rules to our free community etopen ruleset. We’ll share a few neat ones here…
Thanks to @ViriBack (with additional chime-in by @James_inthe_box and @Jane_0sint) here for the hash and sandbox run behind SID 2047004, alerting on an XKeyBot C2 checkin/POST!
Much appreciation to friend @suyog41 for the hash leading to SID 2047021 - #Bitter #APT #C2 activity.
From industry partners, this @cyfirma writeup on #Bahamut #APT mobile malware led to the creation of DNS (2047016) and TLS SNI (2047017) SIDs!
From @SentinelOne, SID 2047005 alerting on C2 traffic for the macOS Realst stealer. The initial check-in traffic contains the buildname and buildversion of the malware along with a UUID.
From @DrWeb_antivirus, SIDs 2046972-2047003 covering both DNS and TLS SNI alerts for the IOCs referenced on their GitHub page (linked at the end):
We release great research as well - this @threatinsight blog on #wikiloader offers great analysis and intelligence and also references etopen signatures 2046966-2046971, alerting on multiple methods of identified activity!
And this tweet thread by our amazing @threatinsight team here shows how we layer protections within our product ecosystem (check out those free community ET Open signatures cited!) to detect and prevent compromise:
And on our #Discourse - it’s not just for signature submissions! You can file FP/FN reports and support questions as well. We’ll address them! Check out this one here: Possible FP - JA3 Hash - [Abuse.ch] Possible Adware
Lastly, from #OISF @oisfoundation, a webinar on using jq to parse and filter Suricata’s EVE JSON logs: Using jq for Suricata Log Parsing - YouTube
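As an added example of the kind of jq filtering the webinar covers (this is not code from the OISF webinar or from ET Labs), the script below runs a few jq filters over constructed Suricata EVE JSON lines. The SIDs in the sample are the ones cited in this post; the timestamps, IPs, hostnames and signature text are made up for illustration, and the script assumes jq is installed.

```shell
#!/bin/sh
# Added example (not from the ET Labs post or the OISF webinar): filtering
# Suricata EVE JSON with jq. Requires jq. EVE_SAMPLE is a constructed log:
# the signature_id values are SIDs cited in the post, everything else
# (timestamps, IPs, hostnames, signature text) is made up.
set -eu

EVE_SAMPLE='{"timestamp":"2023-08-15T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":2047004,"rev":1,"signature":"XKeyBot C2 checkin (constructed sample)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"c2.example","http_method":"POST"}}
{"timestamp":"2023-08-15T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"updates.example","rrtype":"A"}}
{"timestamp":"2023-08-15T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.1","proto":"UDP","alert":{"signature_id":2047016,"rev":1,"signature":"Bahamut DNS lookup (constructed sample)","category":"A Network Trojan was detected","severity":1},"dns":{"query":[{"rrname":"updates.example","rrtype":"A"}]}}
{"timestamp":"2023-08-15T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.20","proto":"TCP","alert":{"signature_id":2047017,"rev":1,"signature":"Bahamut TLS SNI (constructed sample)","category":"A Network Trojan was detected","severity":1},"tls":{"sni":"cdn.example","version":"TLS 1.2"}}
{"timestamp":"2023-08-15T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"state":"closed"}}
{"timestamp":"2023-08-15T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.30","proto":"TCP","alert":{"signature_id":2046966,"rev":1,"signature":"WikiLoader activity (constructed sample)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"loader.example","http_method":"GET"}}
{"timestamp":"2023-08-15T10:00:07.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.31","proto":"TCP","alert":{"signature_id":2046970,"rev":1,"signature":"WikiLoader activity (constructed sample)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"loader2.example","http_method":"POST"}}
{"timestamp":"2023-08-15T10:00:08.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":2047004,"rev":1,"signature":"XKeyBot C2 checkin (constructed sample)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"c2.example","http_method":"POST"}}'

# Alert volume per SID, most frequent first. Output: "<count> <sid>" per line.
# Only event_type=alert lines carry .alert, so select on that first.
alerts_by_sid() {
  printf '%s\n' "$EVE_SAMPLE" \
    | jq -r 'select(.event_type == "alert") | .alert.signature_id' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Alerts whose SID falls in [$1, $2], e.g. the block a single blog post
# covers. --argjson keeps the bounds numeric so the comparison is not
# a string comparison. Output: timestamp, src, dst, signature (TSV).
alerts_in_range() {
  printf '%s\n' "$EVE_SAMPLE" \
    | jq -r --argjson lo "$1" --argjson hi "$2" '
        select(.event_type == "alert"
               and .alert.signature_id >= $lo
               and .alert.signature_id <= $hi)
        | [.timestamp, .src_ip, .dest_ip, .alert.signature] | @tsv'
}

# Number of alerts in a SID range (wc output trimmed for portability).
count_in_range() {
  alerts_in_range "$1" "$2" | wc -l | tr -d ' '
}

# SNI seen on alerts that fired on TLS traffic. ".tls.sni" on an event with
# no .tls key evaluates to null in jq rather than erroring, so the null
# check is enough to skip HTTP/DNS alerts. Output: "<sid> <sni>".
tls_sni_for_alerts() {
  printf '%s\n' "$EVE_SAMPLE" \
    | jq -r 'select(.event_type == "alert" and .tls.sni != null)
             | "\(.alert.signature_id) \(.tls.sni)"'
}

# Stand-alone demo: swap EVE_SAMPLE for "cat /var/log/suricata/eve.json"
# to run the same filters on a real log.
echo "== alerts by SID =="
alerts_by_sid
echo "== WikiLoader SID block 2046966-2046971 =="
alerts_in_range 2046966 2046971
echo "== TLS SNI on alerts =="
tls_sni_for_alerts
```

On a real eve.json the same filters work unchanged; for large files add `--stream` or pre-filter with `grep '"event_type":"alert"'` before handing lines to jq, since jq parses every line it is given.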