Weekly Community Review - July 29, 2023

Greetings all! We’re back to talk about the week that was - 78 rules were added to the ET Open ruleset in a bunch of different ways. Big thanks to all the contributors! Here’s (some) of how it all happened…

Remember, if you deploy #Snort or suricata within your network(s), you can download etopen for free. These rules are BSD licensed - the only ‘cost’ is the download and a simple request from us: tell us how we’re doing!

How can you do that? You can post something here at our discourse site (https://community.emergingthreats.net/), email us at support[at]emergingthreats[dot]net, or tweet us at @et_labs.

Each of these rules came either from investigating openly-released intelligence, a tip-up on our #Discourse site, or from kind twitter tags from researchers like you.

For this week - great conversations on our Discourse. from @h2jazi, 2 checkins for the conshost.exe process, SIDS (2046881 & 2046882) - but look at the note from @Jane_0sint and see how the nature and naming evolves! Thanks also to @bingohotdog, @jaydinbas, and @greglesnewich!

From @g0njxa on our #Discouse, thanks for the tip on the coverage miss for cryptbot - this allowed 2046886 for cover the new variant!

Thanks go to @0x0v1 for sharing the POST params giving us guiidance to create #Kimsuky #Keylogger exfil (2046892) and pattern to alert on user-agent string used on check-in (2046893).

Friend @suyog41 providing a #RageStealer hash giving us POST URI pattern content to create 2046900 alerting on exfil via #telegram:

This tweet from @ian_kenefick giving us domain intelligence to create 2046894-2046906 for both DNS domain lookups as well as alerts on TLS connections to those domains.

A kind signature contribution on our community #Discourse site - user kevross33 passes along an alert firing on #Gamaredon #C2 activity. See how easy sharing can be? SID 2046949 is born and free for all.

That #Discourse site isn’t just for sig contributions - you can ask us support questions too. Here, user samjenk asks after a perceived severity mismatch w/r/t our documentation - check it out!

In this thread, @Jane_0sint not only contributes a SID, they come back after further investigation and analysis and provide more intel in order to create a more perfect solution - SID 2046950 on an additional method for #Hydrochasma fast reverse proxy is within! Hydrochasma (Fast Reverse Proxy) - #7 by Jane0sint

Another from @g0njxa, #Pennywise #Stealer intel shared (and sandbox runs) allowed for 2046957 to be written and alert on this further method: PennyWise Stealer - Update on rules

And from our industry partners, contained domain IOCs that led to #TraderTraitor DNS and TLS SNI sigs within SIDs 2046922-2046945 for #DPRK #APT.

Pull up a chair and read how our own @bingohotdog learned by doing when it came to writing suricata http.header_name and translating that content to an analagous #Snort signature: Translating Suricata http.header_names content to Snort

And from ET’s JT, a writeup on directionality and its importance with #IDS signatures: Understanding Signature Direction

That’s all from us - thanks all, and enjoy the weekend!