Weekly Community Review - September 6, 2023

Greetings from ET! It was a full week last week for us, and thanks to the collaborative efforts of the #InfosecCommunity and shared industry research we were able to add 130 rules to our ETOPEN Suricata and #snort #IDS rulesets. We’ll shout-out a few of those in this thread.

Thanks to @rmceoin’s writeup on what they’re calling #ClearFake malware, we were able to release SIDs 2047858-2047861 for both DNS alerts and TLS communication to identified domains!

Friend @suyog41 with the hashes that led to two #IOC-based (#TA409 #APT37) SIDs: 2047881 (DNS lookup alert) and 2047882 (TLS SNI identification):

This from @fr0s7_ (with supplemental information from @JAMESWT_MHT): a hash and C2 share, together with an any.run sandbox run, powered SID 2047883. That research allowed us to model and alert on the outbound check-in behavior for #Konni #APT:

Looking at those rules, notice the MITRE ATT&CK Framework metadata tags. C2 check-in activity (Tactic TA0011, Technique T1071) is labeled here, and MITRE tagging is available within ETPRO and ETOPEN signatures where possible. Take a look at our other tags: Signature Metadata
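To show how those metadata tags can be put to work on the defender's side, here is an added example (not ET's code and not the real signatures above) that parses the `metadata:` keyword out of Suricata rules and groups SIDs by MITRE tactic. The three rules and their SIDs are constructed, and the key names `mitre_tactic_id` / `mitre_technique_id` are assumed to follow the ET Signature Metadata convention.

```python
import re
from typing import Dict, List

# Constructed sample rules (not real ET signatures); the metadata keys are an
# assumption based on the ET Signature Metadata convention.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Constructed DNS lookup example"; dns.query; content:"example-c2.invalid"; sid:9000001; rev:1; metadata:attack_target Client_Endpoint, malware_family Example, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Constructed SNI example"; tls.sni; content:"example-c2.invalid"; sid:9000002; rev:1; metadata:mitre_tactic_id TA0011, mitre_technique_id T1071;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Constructed POST example"; sid:9000003; rev:1;)
"""

META_RE = re.compile(r"metadata:([^;]*);")
SID_RE = re.compile(r"\bsid:(\d+);")


def parse_metadata(rule: str) -> Dict[str, List[str]]:
    """Return key -> values from a rule's metadata keyword (empty dict if none)."""
    meta: Dict[str, List[str]] = {}
    m = META_RE.search(rule)
    if not m:
        return meta
    # metadata is a comma-separated list of "key value" pairs; keys may repeat
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(" ")
        meta.setdefault(key, []).append(value.strip())
    return meta


def rules_by_tactic(ruleset: str) -> Dict[str, List[int]]:
    """Group SIDs by MITRE tactic id; rules without a tactic tag go under 'untagged'."""
    groups: Dict[str, List[int]] = {}
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # not a rule line
        sid = int(sid_m.group(1))
        tactics = parse_metadata(line).get("mitre_tactic_id") or ["untagged"]
        for tactic in tactics:
            groups.setdefault(tactic, []).append(sid)
    return groups


if __name__ == "__main__":
    for tactic, sids in rules_by_tactic(SAMPLE_RULES).items():
        print(tactic, sids)
```

Running this over a full ruleset gives a quick view of which SIDs a triage playbook keyed on a tactic (for example TA0011) would actually cover, and which rules still lack tagging.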

Speaking of our #Discourse site (which we love to do) friends @Jane0sint and @James_inthe_box collaborated on this #BoxClipper research leading to @Jane0sint’s submission of 3 new SIDs (2047821-2047823) - read their analysis here!

We post our own research and guidance there on #Discourse. In this post ET’s own @ishaughnessy talks about ntopng and integrating Suricata #IDS alerts into its processing and visualizations: How To: Integrate Suricata Events and Ntopng

From @kevross33, a kind rule submission alerting on #APT28 #Sandworm data exfiltration became SID 2047880:

Old friend of ET @tgreen posted to our #Discord (hit us up for an invite!) and wrote a rule to provide coverage on CVE-2023-32315 #Openfire in SID 2047862.

On the partner and community research and intelligence sharing side, our friends at @TheDFIRReport published this investigation on HTML Smuggling and their observations of ISO -> IcedID -> CobaltStrike -> Nokoyawa @Ransomware. Check out the ETOPEN signatures referenced at the end, which can aid detection of IcedID, Cobalt Strike use, lateral movement, and file transfer:

Lastly, from @watchtowrcyber (thanks @alizthehax0r!), their writeup on #Juniper #JunOS vulnerabilities provided intelligence for coverage of multiple steps of the associated chain: unauthenticated arbitrary file upload attempt (2047867), success (2047868), and PHPRC environment variable modification (2047869-2047870), covering CVE-2023-36846/CVE-2023-36847: