Share this page!

ET Labs Profile picture
Twitter logo
Jan 21 8 tweets 4 min read
Happy Friday! Powered by #FreeSigFriday today, we've had 120 (!) new #suricata #IDS rules which were added to our ET Open (rules.emergingthreatspro.com/open) ruleset this week. Lets take a look at what was shared with us this week to make this happen...
Sigs to enumerate and detection payload requests from the Pyramid framework (SIDs 204307-204315) github.com/naksyn/Pyramid
Vector Stealer Data Exfil via Telegram, SID 2043289 via @suyog42...
Kimsuky C2 activity, SIDs 2043369 and 2043370 created from public post by @ahnlab: asec.ahnlab.com/en/45658/
SID 2043333, a Qakbot C2 POST activity alert, from @EclecticIQ blog.eclecticiq.com/qakbot-malware…
Nighthawk server response activity, SID 2043331, from a tip-up from @1ZRR4H...
And also a great post on our Discourse, "Vidar Stealer Picks Up Steam!" by our own Isaac Shaughnessy!
community.emergingthreats.net/t/vidar-steale…
Thanks for the great week of collab, community! Enjoy the weekend!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ET Labs

ET Labs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ET_Labs

ET Labs Profile picture
Mar 12, 2022
A quick thread examining the network artifacts of the HermeticWizard spreading. Found an inaccuracy? Plz let us know!
1⃣ WMI Spreading supports SMB1 and SMB2, copies HermeticWizard as a .dll file in the C:\Windows directory via the ADMIN$ share in the format of c[A-F0-9]{12}.dll A screenshot of Wireshark s...Image
After it copies the file, HermeticWizard creates a remote service with the same c[A-F0-9]{12} service/display name.The exact process varies between SMB1 & SMB2. The WMI spreader uses the service command line, documented by @welivesecurity to execute the binary on the endpoint.
When connecting via SMB1 the SVCCTL DCERPC interface was used to invoke RCreateServiceWOW64W (OpNum 45) to create the service. docs.microsoft.com/en-us/openspec… After creating the service, it then starts the service, checks the status, and then deletes the service. ImageA screenshot of wireshark h...
Read 11 tweets
ET Labs Profile picture
Dec 14, 2021
If you're looking for network indicators of #log4j exploitation - this thread is for you. Every detection in this thread is freely available for use RIGHT NOW.
#snort #suricata #CVE202144228
We have tons of inbound rules that'll hit on scanners and we've tried to cover ITW obfuscation methods, but let's be real, there are more ways to obfuscate these attacks than we can cover.
For outbound traffic (generated by a successful "landing" of the attack strings) there are some good rules now.
1) 2014474 and 2014475
These existing sigs alert on java (as determined by the UA) downloading a class file. Today we tweaked flowbits (2013035) for better coverage.
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(