Weekly Community Review - November 2, 2023

Greetings all! We’re here to talk about a few sigs from last week’s batch. Thanks to some great contributions to our #infosec community we were able to add 207 (!) rules into our free suricata and snort offerings as part of ETOpen.

Over 200 free detections went out into ETOpen this week - and the bulk of those are from the great work of our friend @infosectimmy and his battle against TOAD (Telephone-Oriented Attack Delivery). Tim bats #TOAD actors around like a cat and its ball of yarn! Read more here:

We had other help too! Here, @naumovax kindly posts sandbox runs we used to sig an exfiltration method for PovertyStealer. SID 2048736 is born!

From friend @suyog41, hashes for NewsRAT allowing us to alert on an inbound C2 response in SID 2048924:

The ETOpen ruleset is built upon community sharing. Intel, tips, pcaps, sandbox runs, or direct sig submissions help us put these free protections out for your use - for everyone’s use! Get in touch with us at support(at)emergingthreats(dot)net, feedback.emergingthreats.net, or at our #Discourse site!

You’re here, so check out this thread! The collective work of @Jane0sint, @James_inthe_box, and @Racco42 becomes SIDs 2048900-2048902, covering two #PureLogs connection methods and an exfiltration attempt - follow the thread, check out the bytes, and see how those sigs were worked out!

Last wrap-up thread we talked about the new @nsacyber ELITEWOLF signatures added to open - in this post, ET’s @trobinson667 talks about his analysis process and the trials and tribulations of alert intake!

We’ve worked hard on CVE-2023-20198 last week and continued to do so - many thanks to those that’ve shared their observations, experiences, & analysis to help make our protections better, including @foxit, @greynoiseIO, @SI_FalconTeam , and @Horizon3ai!

From other industry sharing - two SIDs on Golang EasyStealer POST methods (2048896-2048897) went out, based on byte patterns identified from this @bridewellsec post:

And from our @CISAgov friends, a Volt Typhoon user agent identified in their write-up of the PRC state-sponsored actor is what alerts in SID 2048899 - thanks for sharing:

Listen to ET’s own @dumiller on the @threatinsight DISCARDED podcast - Dusty talks about SocGholish, RogueRaticate, SmartApeSG, and ClearFake, covering the world of fake browser updates and the sigs he’s written to protect us all:

That’s it for us and last week’s additions - take care and be well!