Greetings! Last week here at Emerging Threats we kept moving forward, with 71 new entries in ET Open, our free and open IDS ruleset.
We had talked previously about #Cisco #IOSXE #CVE-2023-20198 and the exploit coverage we were able to release - thanks to additional pcap data released by @SI_FalconTeam, we were able to tighten our alerts and confirm they are accurate!
Thanks to @James_inthe_box for their tweet, which allowed us to alert on DNS queries (SIDs 2049172-2049174) and TLS connectivity (SIDs 2049175-2049177) for #RemCosRat connections out of your monitored environments.
Remember, signatures created from burnt intel like this (indicators that are already public, which the operators can rotate away from) may have short useful lifespans. For ET, each rule is created with a TTR (Time-To-Review) value, which schedules it for regular review!
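As an added example (not ET Open's rules or tooling), the Python below parses two constructed Suricata rules in the shape of a DNS-query and a TLS-SNI domain signature, checks looked-up names against them the way dotprefix/nocase/endswith would (so a lookalike like notc2-example.invalid does not fire), and reports which rules have reached their review date. The domain c2-example.invalid, SIDs 9000001-9000002 and the `ttr` metadata key standing in for a Time-To-Review value are assumptions for illustration; ET's real metadata schema is not shown on this page.

```python
"""Added example, not ET Open's rules or tooling: parse constructed Suricata
domain signatures (DNS query and TLS SNI) and schedule them for review."""
import re
from datetime import date

# Constructed sample rules. The domain c2-example.invalid, SIDs 9000001 and
# 9000002 and the 'ttr' metadata key are assumptions for illustration only.
SAMPLE_RULES = r'''
# DNS lookup of the C2 domain (or any subdomain of it)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE RAT Domain in DNS Lookup (c2-example .invalid)"; dns.query; dotprefix; content:".c2-example.invalid"; nocase; endswith; classtype:trojan-activity; sid:9000001; rev:1; metadata:created_at 2023_11_13, ttr 2024_02_13;)
# TLS handshake naming the C2 domain in the SNI extension
alert tls $HOME_NET any -> any any (msg:"EXAMPLE RAT Domain in TLS SNI (c2-example .invalid)"; flow:established,to_server; tls.sni; dotprefix; content:".c2-example.invalid"; nocase; endswith; classtype:trojan-activity; sid:9000002; rev:1; metadata:created_at 2023_11_13, ttr 2024_02_13;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$')

STICKY_BUFFERS = ('dns.query', 'tls.sni')


def _split_options(body):
    """Split the rule body on ';' while ignoring ';' inside quoted values."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def _parse_date(value):
    """Dates inside the metadata are written YYYY_MM_DD."""
    y, m, d = (int(x) for x in value.split('_'))
    return date(y, m, d)


def parse_rule(line):
    """Return a dict describing one rule, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('unparseable rule: ' + line)
    rule = {'action': m.group('action'), 'proto': m.group('proto'),
            'buffer': None, 'content': None, 'dotprefix': False,
            'nocase': False, 'endswith': False, 'metadata': {}}
    for opt in _split_options(m.group('opts')):
        key, _, value = opt.partition(':')
        key, value = key.strip(), value.strip()
        if key in STICKY_BUFFERS:
            rule['buffer'] = key
        elif key == 'content' and rule['content'] is None:
            rule['content'] = value.strip('"')   # first content match only
        elif key in ('dotprefix', 'nocase', 'endswith'):
            rule[key] = True
        elif key == 'sid':
            rule['sid'] = int(value)
        elif key == 'msg':
            rule['msg'] = value.strip('"')
        elif key == 'metadata':
            for item in value.split(','):
                mkey, _, mval = item.strip().partition(' ')
                rule['metadata'][mkey] = mval.strip()
    return rule


def parse_rules(text):
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]


def domain_matches(rule, name):
    """Emulate dotprefix/nocase/endswith against a queried name or SNI value."""
    haystack, needle = name, rule['content']
    if rule['dotprefix']:          # buffer becomes ".name", so ".c2" cannot match "notc2"
        haystack = '.' + haystack
    if rule['nocase']:
        haystack, needle = haystack.lower(), needle.lower()
    return haystack.endswith(needle) if rule['endswith'] else needle in haystack


def rules_due_for_review(rules, today):
    """SIDs whose 'ttr' review date is today or earlier (today may be a date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(r['sid'] for r in rules
                  if 'ttr' in r['metadata'] and _parse_date(r['metadata']['ttr']) <= today)


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(r['sid'], r['buffer'], domain_matches(r, 'update.C2-EXAMPLE.invalid'))
    print('due for review:', rules_due_for_review(rules, date.today()))
```

Running the review check on a schedule (or in CI over the whole ruleset) is the practical counterpart to the TTR idea above: a rule built on a single disclosed domain should be re-validated or retired once the indicator is likely to have been rotated, rather than left to fire on nothing.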
This @zscaler #BanditStealer blog provided the research behind SID 2049122 (inbound config) and SID 2049123 (exfiltration of infected-host details):
Shout out to @g0njxa (and @Jane0sint for the follow-up) for this post on our #Discourse - we want to make it a platform for #infosec #community discussions around the detection choices we all make, and this is a great contribution!
Check out this #TA402 @threatinsight blog - read about the #IronWind initial access downloader, the campaign details, and the mitigating detections (including ET Open rules!) within:
And speaking of great @threatinsight content, check out our own @dumiller talking about his adventures detecting #FakeBrowser updates:
That’s it from us, take care all!