Weekly Community Review - March 24, 2023

It’s time for our weekly Suricata IDS community update - through tags and tips on twitter, posts here on our Discourse page, & comms to our mail list we had 84 rules for to ET Open this week - free for you to use to protect your networks. Here’s the stories on a few of them.

A reminder - these rules can be found here for all our supported engines: Suricata 4, Suricata 5, Suricata 6 (using the 5 ruleset), and Snort 2.9.x: Proofpoint Emerging Threats Rules

Lots of help from the community this week! Thanks to @ShadowChasing1 for their tweet - hash and URL allowing us to create the detection logic for SID 2044694 - an alert on Konni APT GET activity.

Our friend @James_inthe_box pivoting on a @0xToxin tweet tipped us to Amadey host profile exfiltration traffic - catch these alerts with SIDs 2044695-2044697. Thanks to you both!

Next is @1ZRR4H with some evidence of Keitaro code injection against a compromised site - SIDs 2044703 and 2044704 alert on DNS looks against identified Keitaro TDS domains.

Lets remember - Keitaro is a legitimate commercial tool. Like most things it can be used for positive or negative purposes. But when it comes to detection logic, signatures, and alerts–we’re not here to talk about the “good uses”.

In that same thread,@1ZRR4H points out a #SocGholish infection flow - look at those ET sig fires! They tell the story:

More WinterVivern Domain DNS signatures - thanks to @felixaime for SIDs 2044711 and 2044712.

And @malPileDiver keeping on Gamaredon with a few more domains - these are SIDs 2044709 and 2044710. Thanks for the tag!

A reminder on DNS sigs - since domains can be transitory these rules are created with a Time-To-Review value. We have the ability to set a rule to be reviewed within different time windows. At those points a rule can be set to be permanent, be deferred for review, or be disabled.

Here’s @Yeti_Sec with a @urlscanio run that led us to SID 2044738 - Xaview Stealer Admin Panel Inbound - alerting on the c2panel malicious manipulation of clients within your view!

SID 2044748 is due to @crep1x, alerting on a PennyWise stealer exfiltrating a host’s profile and data. Thank you!

Two SIDs from @suyog41 - thanks for the MuggleStealer hash which allowed us to model exfil activity within the detection logic for 2044752 and 2044753!

Kevin Ross on the mailing list tips up this @pentestmonkey blog showcasing a technique using the Expect *nix language to pull a reverse shell in cases where you don’t have a TTY - SID 2044751 will detect.


And lastly for this week, a couple Gamaredon SIDs from @Cyber0verload - thanks for the tag and thank you for 2044761 (payload request) and 2044762 (DNS query).