Weekly Community Review - December 22, 2023

Greetings all! As we close off 2023 we wanted to talk about some recent contributions to the etopen suricata and Snort rulesets and thank everyone who not only tips us up about new detection possibilities but gives us feedback on those detections we have within the sets already.

You can reach us on twitter of course - but there’s other options too. Here on our Discourse site (community.emergingthreats.net) and mail alias support(at)emergingthreats(dot)net are great options too. We’ve also got a #Discord channel - DM us here for an invite!

It’s been quite a busy year for Exploits and because of that we are challenged to provide #IDS coverage however we can. We don’t do this alone - our APT and Crimeware teams are always hard at work collaborating with us on Intel and identified TTPs. We have over 6,000 rules in the ruleset focused on documented CVE alone!

Here, SIDs 2049617 and 2049618 cover the attempted and subsequently successful exploit of ownCloud CVE-2023-49105 - a vulnerability which when exploited can lead to privilege escalation, and remote code execution! Thanks to this @ambionics blog:

This @anyrun_app post lent the SSL Cert content for #BrushaLoader - SID 2049634 will alert you on the presentation of this malicious cert during the TLS connection!

Speaking of #IOC-based signatures, this @talossecurity #TA430 writeup contains #Andariel network intelligence we were able to craft into DNS (2049652 & 2049654) query and TLS SNI presentation (2049653 & 2049655) as well as technique/activity-based #POST (2049656) coverage as well! Thanks @greglesnewich for the tip!

From the Ukrainian CERT (@_CERT_UA) SIDs 2049743-2049767 (DNS queries) 2049768-2049792 (TLS SNI) for #UAC-0177. Thanks https://twitter.com/bry_campbell!

We mentioned our Discord before, thanks to @viriback for directly sharing the anyrun generated pcaps for BlackRain coverage - both c2 (2049802) and observed UA string (2049803) are from that kind share!

Friend @suyog41 with some Axile Stealer intel shared in this tweet - we’ve got the full outbound chain here! A DNS query (2049687), TLS connection (2049688), then the c2 for exfiltration via telegram (2049689)! If you see these firing in concert within your monitored environments, check it out.

Here on our #Discourse it’s not just a place for rule submissions. We appreciate feedback too! Here, friend @Jane0sint identifies an issue with rule messages - and @ishaughnessy dips in to make it right!

But wait - there’s more! As we work with suricata we use our platforms to educate as well. Here, our own @bingohotdog shares some tips around troubleshooting your #opensource #IDS analysis:

From friend @g0njxa, SID 2049812 alerts on outbound #Lumma #Stealer activity based on identified method (http POST) and content from the provided anyrun and virustotal correlative models for detection!

This @reecdeep #TA577 (and referenced anyrun run) led us to SIDs 2049708-2049713 alerting on the presence of malicious SSL certs during the TLS handshake connection process:

And wrapping up, this recent @threatinsight #Darkgate blog featuring a mail vector, identified TTPs, and RogueRaticate FakeBrowser activity includes etopen Community signatures for WebDAV potentially malicious file grabs, Downloader and Checkin coverage, and NetSupport RAT activity!

Have a joyful holiday all - #EmergingThreats is back with rule releases Tuesday, December 26.