Hello again! These past couple weeks have been a busy time here at community.emergingthreats.net, - and we’re very thankful for all the tips, submissions, and shared intelligence that allowed us to share 195 rules into the free community ETOpen ruleset. We wanted to take the time to go over a few of them so we might thank the contributors and show them just how much they’ve helped.
Keep in mind - these ETOpen rules are free. Free, as in BSD licensed, which allows you to do what you like with them. All we ask is that when you have an idea, a new signature, feedback, or even just a theory, that you send it in to benefit everyone. And you can do that here on twitter, right here at our discourse site or by mailing us at support(at)emergingthreats(dot)net.
From @StopMalvertisin, this tweet featuring malicious domains rendered from the provided hash and intelligence allowed SIDs 2049283-2049284 (DNS queries for downloads) and the HTTP GET method and header content for SID 2049285 to alert on the imageres C2 payload request:
This @AhnLab_ASEC writeup discusses their investigation of #Andariel group activity stemming from what’s assumed to be exploitation of Apache ActiveMQ #CVE-2023-46604. SID 2049380 alerts on the Nukesped check-in thanks to the demonstrated potential HTTP header values:
Thanks to @threatinsight’s Josh Miller for the tip-up on this shared intel, SIDs 2049410-2049411 cover SugarGh0st RAT domain lookups and 2049409 the Checkin activity alerting from the consistent heartbeat byte pattern shown here in this @TalosSecurity writeup :
These releases from both @cpresearch and @intezerlabs provided not only SysJoker Domain query alerts (SIDs 2049296-2049298) but allowed us to model observed UA strings (2049303 & 2049304), bot registration (2049302), config requests (2049301), infected host profile exfil (2049299), command exec success (2049300), and bot checkin (2049305).
From this @JAMESWT_MHT tweet and kind @anyrun run RemCosRat domain alert SIDs 2049172-2049177
For those domain alert sigs, and really and disclosed IOC-based signature: these rules are created with a Time-To-Review value and within internal ET guidance a rule can be set to be permanent, be deferred for subsequent review, or be disabled. We don’t expect these domains to be forever viable for escalation. Investigate fires responsibly!
SID 2049408 was born from this @Unit42_Intel share - with an initial email vector, JinxLoader can lead to Formbook or other badness - this SID will fire on identified checkin traffic, as shown here:
Multiple response deviations from the norm present in malicious HTTP servers are showcased in this @foxit blog, and SIDs 2049204-2049211 alerts on the differences documented within. Typos happen, but in these cases they should be investigated.
Lots of activity covered by new SIDs from this @eSentire fake QuickBooks TOAD scam writeup. With a phone session with a bogus “support” person as a vector, successful infections are detailed and allowed SIDs 2049221-2049222 (request for dload locations& response), 2049226 & 2049223 (checkin/response), and 2049224-2049225 (details request/response):
Here, @g0njxa @Jane0sint share vidar #Stealer insights - leading to observation of a new TLS certificate in use and a new alert (SID 2049253) on its presentation:
We love sig submissions! User @kevross33 with this Turla #APT #C2 activity firing on observed malicious HTTP POST content. It’s SID 2049264:
From @g0njxa , a kind tip up on @AnFam17’s #MetaStealer work - this became SID 2049282 - check out the collaboration and citation that happens within this #infosec community - it’s wonderful!
And this site isn’t just for sig submissions - we take FP reports as well! Here, @Jane0sint gives us a kind alert that etpro SID 2825567 is a little too loud - this Lets Encrypt SSL Cert alert is now disabled.
It’s all about helping the community - user @prime69 asks after signature reference content and ET staff and community users spring into action - stop by and be a part of it.
That’s it for us this week all - be well and enjoy the weekend.