Weekly Community Review - March 3, 2023

Hey folks, it was a short week for us with no ruleset release today, but that didn’t keep us from creating almost 90 ET Open rules since Monday (2/27) - with your help! Lets talk about a few of them and the people that helped us make them happen.

From @500mk500, hashes and VT runs modeling user agent and HTTP header content for #Gamaredon APT Maldoc-related activity for an observed POST. Alerting via SID 2035363:

And more Gamaredon APT activity alerts - from@Cyber0verload. Thanks for helping with 2044353 and 2044386!

From @GGGGh0st (with additional sample hashes by @cs0sf), 2 Donot Group APT Related Domain DNS sigs - SID 2044382.

Two SIDs with our thanks to @souiten, SIDs 2044379 and 2044380, tipping C2 checking traffic for ReverseRat.

From@0xToxin, who tipped a @hatching_io run where analysis revealed meaty literals for content matches that rendered 2044430, ET ATTACK_RESPONSE VBS/TrojanDownloader.Agent.YLH Payload Inbound.

On the industry side,@mandiantblog was full of indicators, and SIDs: 2044423-2044429.

Back on the home front, part 2 of @ex_raritas’ wonderful @threatinsight #TA569 writeup is out. SocGholish and Beyond!

And related, on our own #Suricata #Discourse community site, guidance on how you can interpret #SocGholish alerts in your networks, and what you might do going forward:ET SocGholish Rules Response Guidance

We love to hear feedback on our signatures! Here, take a look at how a user’s question on our Confidence metadata tag led to us sharing our thought process behind it! Confidence metadata tag and its impact & meaning

On the housekeeping side, we’re always working to populate more metadata in our ruleset. We try to do this carefully–and cherish accuracy over completeness. This week, we populated over 3,000 Dynamic DNS rules with their@MITREattack Tactic (TA0011) and Technique (1568) tags!

Thanks all - we really value the collaboration! Take care!