Weekly Community Review - July 24, 2023

Welcome back to our wrap-up threads! While a little delayed, we still wanted to talk about the (last) week that was - through the efforts of the information security community’s researchers and partners we were able to add 60 rules to the etopen ruleset! Again, these are free to download at any time, either directly as a flat download or through a rule management helper like suricata-update (et/open). Have at them.

And we love feedback - you can use the feedback portion of our #Discourse site (Feedback & Support - Emerging Threats), hit us up on Twitter, or mail us at support@emergingthreats[dot]net.

In any case, let's talk about some recent rules and how they came to be.

From friend @StopMalvertisin, SID 2046825 came from this tweet, a sample hash whose detonation allowed us to craft detection logic matching the method around the GET for this #Konni #APT #C2 activity.

From @maddiestone, @_clem1, and @_JohnHammond, this link to a @Zimbra disclosure blog allowed SID 2046829 to alert on an inbound XSS attempt against your Zimbra instance.

Here, @AnFam17 gives a breakdown of #RogueRaticate dropping #NetSupportRAT - SIDs 2046863 & 2046864 alert on #RogueRaticate DNS lookups by clients within your monitored infrastructure, 2046869-2046871 on the TLS SNI for associated domains, and 2046865 on a Keitaro TDS cookie sent to #RogueRaticate.

From Zscaler, this writeup of #BanditStealer, a Golang malware targeting desktop cryptocurrency wallets, aided SID 2046856, which will alert on its exfil via #Telegram.

Forever thanks to friend of ET @travisbgreen for tipping up findings that led to SID 2046861 firing on an identified Kaiten user agent.

And lastly, thanks to @h2jazi and @greglesnewich on two TA430/Andariel check-in methods - SIDs 2046881 & 2046882 reflect alerts on the POST activity observed - much appreciated!

Thanks all - we’ll be back at our regularly scheduled weekly summation time on Friday!