Greetings all - we had a short week last week here at @et_labs - but thanks to shared intel and a treasure trove of shared ICS rules we converted we were able to add 157 (!) rules into our etopen shared #IDS suricata and #snort ruleset! That’s amazing. And it’s all free to you!
Thanks to @nsacyber for making #ELITEWOLF #snort rules available. We’ve converted them to suricata syntaxes across our supported engines. Be warned - these signatures aren’t necessarily alerting on malicious activity within a #SCADA #ICS network. The overall goal is to help analysts detect anomalous activity originating from unexpected sources. This isn’t about a silver bullet.
After observing alerts firing in your environment, analysts will need to invest time to determine whether these rules represent anomalous activity. To get more value out of these rules, #IDS #IPS #NSM operators may need to reduce alerts on legitimate Industrial Control System traffic using Suppressions, Thresholds, or pass rules, and by modifying the rule header so that it more accurately reflects “external” hosts attempting to access ICS assets. Alerts are the beginning of an investigation - not the end!
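As an added illustration (not part of the ET post, the ET Open ruleset, or the ELITEWOLF rules), here is what each of those tuning methods looks like in Suricata syntax. Every SID, message, network and IP below is a constructed placeholder, and $ICS_NET is an assumed address-group variable you would define in suricata.yaml.

```suricata
# Added example: all SIDs, networks and messages are constructed placeholders,
# not rules from the ET Open or ELITEWOLF rule sets.

# --- 1. Original-style rule: fires on any Modbus/TCP session, whatever the source ---
alert tcp any any -> any 502 (msg:"EXAMPLE ICS Modbus/TCP session"; flow:to_server,established; sid:1000001; rev:1;)

# --- 2. Modified header: only hosts OUTSIDE the control network reaching ICS assets ---
# $ICS_NET is assumed to be defined under vars: address-groups: in suricata.yaml,
# e.g. ICS_NET: "[10.10.0.0/16]" (constructed value)
alert tcp !$ICS_NET any -> $ICS_NET 502 (msg:"EXAMPLE Modbus/TCP from outside ICS network"; flow:to_server,established; sid:1000002; rev:1;)

# --- 3. Pass rule: known engineering workstations are allowed before alert rules run ---
# (Suricata's default action order evaluates pass before drop, reject and alert)
pass tcp 10.10.1.0/24 any -> $ICS_NET 502 (msg:"EXAMPLE approved engineering workstations to PLCs"; sid:1000003; rev:1;)

# --- 4. threshold.config entries (the file named by threshold-file in suricata.yaml) ---
# Suppress sid 1000001 entirely for the historian, which polls every PLC continuously:
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.10.1.50
# Keep sid 1000002, but log at most once per source per hour, so the first hit
# still opens an investigation without flooding the console:
threshold gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 3600
```

Rules 1 to 3 belong in a .rules file listed under rule-files, the suppress and threshold lines in threshold.config; after editing, `suricata -T -c suricata.yaml` validates both before you reload. Prefer the header change and pass rules over blanket suppression: a suppressed SID never tells you when a new, unexpected host starts talking to a PLC, which is exactly the anomaly these rules are meant to surface.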
Thanks go to @g0njxa for their #FakeUpdate landing pages - SIDs 2048570-2048576 cover the landing page DNS queries and TLS SNI connections.
Speaking of #FakeBrowserUpdates - check out our own @dumiller here on the Five-Minute Forecast. He talks about the malicious URL lures and the malicious payload download!
A couple of #RAT SIDs, 2048661 (C2 activity) and 2048662 (host checkin), come from this @reecdeep tweet, which gave us the GET strings needed for accurate alerting!
This @TalosSecurity technical writeup of their #CVE-2023-20198 disclosure aided two SIDs we created for detection of the interactive implants (2048583-2048584) left behind on compromised devices for later malicious activity. In total, we’ve got multiple detections in place - including inbound and outbound implant checks and implant responses.
This @RecordedFuture tweet and the linked report contained multiple #IOC that led to SIDs 2048695-2048702, #TA401 DNS query and TLS connection detections!
That’s it for us all - be safe and well this week!