Weekly Community Review - February 24, 2023

Greetings all, we are back with Free Sigs Friday and an overview of the week that was in ourSuricata IDS community - your help got us over the century mark with 102 (!) sigs added to ET Open this week - free for everyone to protect & defend your data. https://rules.emergingthreatspro.com/open/

Lets start with a link to our Discourse FAQ page here and a bit on the differences between ET Open and ETPRO. ETPRO is our paid rule release - purely fed by intel, analysis, & insight from our internal Threat Research team & the great work they do every day.

ET Open is our community ruleset - these are sigs contributed by the community or signatures that are written by ET/Proofpoint based on community research. Feel free to drop us tips and samples runs on twitter, on our Discourse, or ask for a Discord invite!

That said, lets run through a few SIDs that wouldn’t exist without help like that. From @crep1x, SID 2044290, alerting on outbound activity indicating an Atlantida stealer POSTing out system information.

From @suyog41, GurcuStealer aiding detection logic on exfiltration activity via a POST to telegram–SID 2044309 will alert!

Noticing a detection gap,@StopMalvertisin tipping up a hash and @cyb3rops correlating which enabled us to close that gap with SID 2044311, thank you!

And in the same thread,@AzakaSekai_ tipping an associated C2 domain - this enabled SID 2044310 to alert for a DNS query against it.

Thanks to @aRtAGGI and @Myrtus0x0 and the great work they do within the Threat Research team, we got to tighten up detection in our Kumquat sigs, featured here:

From @c7rl4ltd3l and a @urlscanio run, SIDs 2044318-2044322 modeling multiple stages of HiYu phishing activity.

Publicly posted blogs and writeup help too. From @CPResearch 0xtaRAT C2 GET activity, SIDs 2044261 and 2044291:


From this @sekoia_io writeup, SIDs 2044243-2044249 allowing us to alert on multiple Win32/Stealc intostealer activities.

And finally, from @TrendMicroRSRCH, their writeup on a new WhiskerSpy Backdoor allowed us to provide alerts on its activity from Machine Registration to data exfiltration - SIDs 2044250 to 2044256.


One last bit - when possible we push out-of-band to get our detections out into the community ASAP. Tuesday, @James pushed 2044270 to address recently discovered ITW activity of CVE-2022-39952. We do our best to keep on top of active exploits and meet that challenge!

That’s all for this week - enjoy the weekend all!