Weekly Community Review - September 21, 2023

Greetings all! We had a great week of research and community collaboration last week - over 100 (109!) rules were added to our free etopen ruleset thanks to these efforts, and we wanted to spend some time going over how we were helped and what came from that sharing.

Thanks to @tiresearch1 and our own @greglesnewich for the sharing and intel tip-off that became DNS and TLS SNI SIDs 2047995-2048032!

That’s a lot of intel, and it translates into a lot of sigs and potentially a lot of alerts! To what end? We’ve talked about DNS query alerts before - these fires can indicate that hosts within your visibility are making queries for domains for purposes that may be malicious - but they’re not a silver bullet for infection. They should be correlated with other activities and alerts, and they are the beginning of a DFIR investigation, not the end.
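As an added illustration of that correlation step (example code, not from the original post or the ET team): a small pass over constructed Suricata eve.json alert lines that escalates a DNS query alert only when the same host follows it with a TLS SNI alert for the same domain inside a short window. The SIDs, field layout, hosts and domains below are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed eve.json alert lines (not real ET output). Host 10.0.0.5 has a
# DNS query alert followed by a TLS SNI alert for the same domain; host
# 10.0.0.7 only has a DNS query alert and should stay as a lead, not a finding.
SAMPLE_EVE = """
{"timestamp":"2023-09-14T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","alert":{"signature_id":2047995,"signature":"ET MALWARE Example DNS Lookup (example-c2 .test)"},"dns":{"query":[{"rrname":"example-c2.test"}]}}
{"timestamp":"2023-09-14T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature_id":2048010,"signature":"ET MALWARE Example TLS SNI (example-c2 .test)"},"tls":{"sni":"example-c2.test"}}
{"timestamp":"2023-09-14T10:05:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","alert":{"signature_id":2047996,"signature":"ET MALWARE Example DNS Lookup (other-c2 .test)"},"dns":{"query":[{"rrname":"other-c2.test"}]}}
"""


def correlate(eve_text, window=timedelta(minutes=5)):
    """Map (src_ip, domain) -> 'escalate' when a DNS query alert is followed,
    within `window`, by a TLS SNI alert for the same domain from the same host;
    'dns-only' or 'tls-only' when only one side of the pair was seen."""
    dns_seen = {}  # (src_ip, domain) -> time of first DNS query alert
    status = {}
    for line in eve_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        src = ev["src_ip"]
        if "dns" in ev:
            # Alert carrying DNS metadata: remember the queried name per host.
            for q in ev["dns"].get("query", []):
                key = (src, q["rrname"].lower())
                dns_seen.setdefault(key, ts)
                status.setdefault(key, "dns-only")
        elif ev.get("tls", {}).get("sni"):
            # Alert carrying TLS metadata: does it close a recent DNS lead?
            key = (src, ev["tls"]["sni"].lower())
            first = dns_seen.get(key)
            if first is not None and timedelta(0) <= ts - first <= window:
                status[key] = "escalate"
            else:
                status.setdefault(key, "tls-only")
    return status


if __name__ == "__main__":
    for (host, domain), verdict in sorted(correlate(SAMPLE_EVE).items()):
        print(f"{host:<12} {domain:<20} {verdict}")
```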

So why do we write sigs like that? Well, sometimes it’s because some of the more involved traffic is encrypted, and that’s hard for us to dig into. In this post, ET’s own Brandon Murphy talks about our challenges with IOC-based rules and TLS encryption - within you’ll see what our options are and why we make some of the detection logic and naming choices we do:

Friend @Jane0sint provides some bytes and siggable args along with some @virustotal intel, which guided us to SID 2048043 - alerting on Chifrax.a exfil to a C2:

Here on our Discourse, user @j0hnb3r00t shares an updated #ScreenConnect check-in packet byte pattern via a linked @anyrun analysis - this became SID 2048051, another method to alert on ScreenConnect-ConnectWise activity which may be against policy within your environs:

We say policy there distinctly - those rule fires may mean everything to you, or nothing at all. The category exists for filtering like that! It’s distinctly for signatures that may indicate violations of an organization’s policy. This can include protocols prone to abuse and other application-level transactions which may be of interest.

From @twinwavesec’s friendly sharing, SIDs 2048044-2048048, all observed phishing domain alerts - be on the lookout!

From @Jane0sint on our #Discourse, referencing a @James_inthe_box tweet on #darkcrystal #rat, comes a submitted rule built on the observed byte patterns in the check-in network traffic. Off to etopen, where it becomes SID 2048095!

Great sigs off industry intel shares last week as well! From @symantec, SID 2048088 for the referenced #ShadowPad #Trojan #C2 domain lookup:

And from @TrendMicro, SIDs 2048084-2048086 with a wonderful writeup full of analysis & guidance by ET’s @trobinson667: