Weekly Community Review - November 15, 2023

Greetings! Last week here at Emerging Threats we kept moving forward with 71 entries into our ET Open IDS free and open ruleset.

We had talked previously about #Cisco #IOSXE #CVE-2023-20198 and the exploit coverage we were able to release - thanks to more pcap information released by @SI_FalconTeam we were able to make sure our alerts were tightened and accurate!

Thanks to @James_inthe_box for their tweet allowing us to alert off of DNS queries (SIDs 2049172-2049174) and TLS connectivity (SIDs 2049175-2049177) for #RemCosRat connections out of your monitored environments.

Remember, these sigs created from this burnt intel may have short lifespans w/r/t efficacy. For ET, each rule is created with a TTR (Time-To-Review) value which enables us to set the rule to be up for regular review!

This @zscaler #BanditStealer blog provided research for SID 2049122 (inbound config) and 2049123 (exfiltration of infected host details):

Shout out to @g0njxa (and @Jane0sint follow-up) for this post to our #Discourse - we want to make this a platform for #infosec #community discussions around the detection choices we all make, and this is a great contribution!

Check out this #TA402 @threatinsight blog - read about the #IronWind initial access downloader and the campaign details and mitigating detections (including ET Open rules!) within:

And speaking of great @threatinsight content, check out our own @dumiller talking about his adventures detecting #FakeBrowser updates:

That’s it from us, take care all!