Weekly Community Review - June 9, 2023

Greetings all! It’s the end of the week at @et_labs and it’s been a great one for our ET Open Suricata and #Snort IDS rules. 118 rules were created from contributions from researchers and the industry, and we’ll take this time to review a few…

From @crep1x, SIDs 2046103-2046106 covering the #Redline #Stealer chain from the staging page's inbound presentation through outbound C2 activity.

https://twitter.com/crep1x/status/1666132533912776725

From @StopMalvertisin, request and retrieval sigs for #SharpPanda #APT within 2046146-2046148…

twitter.com/StopMalvertisin/status/1663461621120000010

Kind Twitter tags from friend @Cyber0verload yielding #Gamaredon #APT domain SIDs: 2046080-2046097. Remember, malicious domains found in your DNS alerts and logs are the beginning of an investigation, not the end.

twitter.com/Cyber0verload/status/1665076262191218690

From @kaspersky, network security monitoring of Apple devices within their environment revealed iOS compromise. Details are sparse, but they did publish this report, giving us multiple C2 domains (SIDs 2046131-2046145) observed in the malware’s external connections. If you’re monitoring network traffic smartly, your devices can reveal compromise! Their analysis continues and we await further developments.

We use our #Discourse site to dig a little deeper into the ruleset and the choices we make than we can here on Twitter. Here, our own @James talks about the challenges we face - the pitfalls and possibilities that Suricata and #Snort present, and how we use metadata tags for exploit coverage sigs: Rule Metadata & Exploit Signature Difficulties

And speaking of Discourse - stop by and drop us a line. Friend @Jane0sint posts sigs for ruleset adoption and you can too! Check this thread out - SIDs 2046150-2046155 and 2046169-2046170 on Win32/ObserverStealer (various) activity and response. They’ve posted a tweet thread and a GitHub link with more info - check it out!

Another as well - read how the Medium article from @Gi7w0rm and @tosscoinwitcher inspired the @Jane0sint rule submission (2046187) into ET Open.

And also from @Gi7w0rm, SIDs covering three check-in methods for DarkVision RAT infections: 2045618-2045620

twitter.com/Gi7w0rm/status/1655327430372995075

Lastly, big thanks and continuing best wishes to friend of ET @kk_onstantin for his tip-off on the @nextronsystems & @eclecticiq links here, which led to 2046076 covering Win32/DarkPink KamiKakaBot outbound/exfil, modeling HTTP content literals for alerting!

Dark Pink APT Group Strikes Government Entities in South Asian Countries

Rule Info APT_DarkPink_KamiKakaBot_Mar23 - Valhalla

Take care all, be well!