Weekly Community Review - February 3, 2023

It’s Friday, and this week we’ve had over 100 #suricata signatures contributed to our ET Open rulset from the #infosec community! Lets take a walk through a few…

There are many ways to reach out to us with a tip-up on an interesting hash, article, or detection logic you’ve created - on twitter, here on Discourse, on our mailing list via support[at]emergingthreats[dot]net or on our Discord (hit us up via DM for an invite!).

SID 2044022, a TLS SNI signature alerting on an outbound connection to an identified APT actor-controlled domain, thanks to@h2jazi!

On the same score, SID 2044023 which was aided by@k3yp0d’s follow up observation!

SID 2044044, our friend@jaydinbas posting a sample that allowed us to write a sig alerting on an identified URL and UA string pattern identifying potential Lazarus APT outbound GET activity.

Here on our Discourse site, @cosmicgumbo submitting multiple GCleaner sigs–aided by ET’s @trobinson667 these became SIDs 2044031-2044034 and ETPRO SID 2852925 was moved to ET Open 2044037 Great submission, feedback, and collaboration. Check it out!

Discourse member @NoahWolf with a sig from an@anyrun_app sample & our own @bmurphy providing analysis and feedback: advising to focus on identifying the consistent meat to write detection logic on so the sig will be more resilient. SID 2043206 is born!

Publicly posted information is important to us too - this @WithSecure report allowed us to write SID 2044086 modeling the GET URL path for identified DPRK malware.

A friend of ET passes on this post, listing domains being used by Microsoft for phishing attack simulation training. Detect this, with SIDs 2044087-2044110!

Giving back to the community @threatinsight Josh Miller gave a recorded talk at @SANSInstitute Cyber Threat Intelligence summit on TA453.

This week@OISFoundation released #suricata 6.0.10 and 7.0.0 RC1. ET and other community contributions are thanked in the release notes, and ET support for Suricata 7 is coming soon! https://suricata.io/2023/01/31/suricata-6-0-10-released/

Enjoy the weekend everyone, and thanks again for all the great submissions, collaboration, and feedback!

1 Like