Greetings all! We had another great week here at Emerging Threats - the #IDS suricata and #Snort community gave tips, intel, and straight-up rule submission to power our etopen ruleset to 123 new rules last week. Thank you all for that! We’ll dive in and discuss a few here…
SIDs 2048374-2048376 come from this @naumovax tweet and the included hatching_io run - they’ll alert on #Agniane #Stealer outbound #C2 activity.
https://twitter.com/naumovax/status/1708855368292434374
From this longform @1ZRR4H #404TDS → #Lumma #Stealer tweet, SID 2048391 now alerts on the data exfil activity which encodes that precious data in its destination URI!
https://twitter.com/1ZRR4H/status/1709421805880877346
Both @PRODAFT and @banthisguy9349’s great sharing helped our own @bingohotdog with #BlackDolphin #Ransomware builder tips for SIDs 2048392-2048396 covering observed landing pages.
https://twitter.com/PRODAFT/status/1706304496517697865
SIDs 2048484 (DNS query alert), 2048485 (Payload Downloader Inbound), 2048486 (DNS Query), and 2048487 (TLS SNI alert) came from this @reecdeep tweet on #Ursnif - if a host is doing a query against these #Ursnif domains, look for 2048485 to fire as well to indicate infection!
https://twitter.com/reecdeep/status/1709916341539320019
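The pairing described above, as an added example that is not Emerging Threats code: it reads EVE JSON alerts (constructed sample lines) and marks a host as infected only when the inbound payload downloader alert (2048485) follows its Ursnif DNS-query alert (2048484/2048486) within a window; the window length is an assumption.

```python
"""Correlate Ursnif DNS-query alerts with the inbound payload downloader
alert. Added example, not Emerging Threats code; SIDs come from the
roundup, the EVE JSON records below are constructed."""
import json
from datetime import datetime, timedelta

DNS_SIDS = {2048484, 2048486}   # Ursnif domain lookups (from the roundup)
PAYLOAD_SID = 2048485           # Ursnif payload downloader, inbound
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed EVE JSON alert records, minimal fields only
SAMPLE_EVE = """
{"timestamp":"2023-10-09T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","alert":{"signature_id":2048484}}
{"timestamp":"2023-10-09T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":2048485}}
{"timestamp":"2023-10-09T10:05:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","alert":{"signature_id":2048486}}
{"timestamp":"2023-10-09T11:30:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.7","alert":{"signature_id":2048485}}
{"timestamp":"2023-10-09T10:06:00.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.53","alert":{"signature_id":2048484}}
{"timestamp":"2023-10-09T10:07:00.000000+0000","event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.53"}
"""

def parse_ts(ts):
    # Suricata EVE timestamps look like 2023-10-09T10:00:01.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def correlate(eve_text, window=WINDOW):
    """Return {host: verdict} for every host with an Ursnif DNS alert:
    'infected' when SID 2048485 fired toward that host within `window`
    after its DNS alert, otherwise 'lookup-only'."""
    dns_hits, payload_hits = {}, {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sid, ts = ev["alert"]["signature_id"], parse_ts(ev["timestamp"])
        if sid in DNS_SIDS:
            dns_hits.setdefault(ev["src_ip"], []).append(ts)
        elif sid == PAYLOAD_SID:
            # inbound rule: the victim host is the destination
            payload_hits.setdefault(ev["dest_ip"], []).append(ts)
    verdicts = {}
    for host, dns_times in dns_hits.items():
        infected = any(timedelta(0) <= (p - d) <= window
                       for d in dns_times for p in payload_hits.get(host, []))
        verdicts[host] = "infected" if infected else "lookup-only"
    return verdicts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVE))  # {'10.0.0.5': 'infected', '10.0.0.7': 'lookup-only', '10.0.0.8': 'lookup-only'}
```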
Now these are all etopen signatures - meaning they’re BSD licensed and free for your use! But what about ETPRO sigs? Those are created as a result of Proofpoint internal research and are available via paid license. We do move Open sigs to Pro in some situations - but why? And what happens then?
That’s our #Discourse site. And check this out: here, friend @Jane0sint submits a couple new #Gh0stRat sigs - investigate the rule logic and the any.run link!
The site is a great tool not only for the community and our customers to post up support questions and rule queries - but it’s our shared documentation site as well. Here, ET’s JT focuses on how @OISFoundation has updated keywords between suricata 5 → 6 and 6 → 7. Look for our full Suricata 7 release in Q4 this year!
From industry contributors, this @IBMSecurity #NetScaler #CVE_2023_3519 blog included IOCs as reference that fed DNS lookup alerting SIDs 2048471-2048475.
Those are IOC sigs based on disclosed intelligence. As such, they might not be viable for very long - for ET, each rule is created with a TTR (Time-To-Review) value. In that process, a rule writer, when creating their rule, can set the rule to come up for review in 30/60/90-day increments. We do this to make sure the ruleset is performant and up-to-date!
On the homefront, check out the Proofpoint Five-Minute Forecast this week! In this episode, ET’s @trobinson667 discusses his recent #ZenRAT blog: Five-Minute Forecast for the Week of 10/09/2023
That’s it for us this week - take care all, and be safe and well.