ET Labs
ET Labs is the research team of Emerging Threats - Bionic threat intelligence specialists from Fantasia.
Jan 21, 2023 8 tweets 4 min read
Happy Friday! Powered by #FreeSigFriday today, we've had 120 (!) new #suricata #IDS rules which were added to our ET Open (rules.emergingthreatspro.com/open) ruleset this week. Let's take a look at what was shared with us this week to make this happen... Sigs to enumerate and detection payload requests from the Pyramid framework (SIDs 204307-204315) github.com/naksyn/Pyramid
Mar 12, 2022 11 tweets 6 min read
A quick thread examining the network artifacts of the HermeticWizard spreading. Found an inaccuracy? Plz let us know!
1⃣ WMI Spreading supports SMB1 and SMB2, copies HermeticWizard as a .dll file in the C:\Windows directory via the ADMIN$ share in the format of c[A-F0-9]{12}.dll After it copies the file, HermeticWizard creates a remote service with the same c[A-F0-9]{12} service/display name. The exact process varies between SMB1 & SMB2. The WMI spreader uses the service command line, documented by @welivesecurity to execute the binary on the endpoint.
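The two-stage artifact above (a c[A-F0-9]{12}.dll written over ADMIN$, then a service of the same name created on the same host) can be correlated from SMB and service-creation logs. The following is an added example, not ET Labs' rules or code; the event shape (type/src/dst/share/path/service dicts) and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Name pattern quoted in the thread: "c" followed by 12 uppercase hex characters.
NAME_RE = re.compile(r"^c[A-F0-9]{12}$")
# The dropped file is <name>.dll; accept either path separator since loggers differ.
DLL_RE = re.compile(r"(?:^|[\\/])(c[A-F0-9]{12})\.dll$")


def dropped_name(share: str, path: str):
    """Return the c[A-F0-9]{12} stem if this SMB write matches the drop, else None."""
    if share.upper() != "ADMIN$":      # the thread ties the drop to ADMIN$ (C:\Windows)
        return None
    m = DLL_RE.search(path)
    return m.group(1) if m else None


def correlate(events):
    """Pair an ADMIN$ drop with a later same-named service on the same src->dst pair.

    events: constructed, chronologically ordered dicts (assumed schema, not a real log
    format). Returns (confirmed, drop_only): confirmed holds (src, dst, name) where both
    stages were seen; drop_only holds drops never followed by the matching service.
    """
    pending = defaultdict(set)          # (src, dst) -> names dropped but not yet executed
    confirmed, drop_only = [], []
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["type"] == "smb_write":
            name = dropped_name(ev["share"], ev["path"])
            if name:
                pending[key].add(name)
        elif ev["type"] == "svc_create" and NAME_RE.match(ev["service"]):
            if ev["service"] in pending[key]:
                pending[key].discard(ev["service"])
                confirmed.append((ev["src"], ev["dst"], ev["service"]))
    for (src, dst), names in pending.items():
        drop_only.extend((src, dst, n) for n in sorted(names))
    return confirmed, drop_only


SAMPLE_EVENTS = [  # constructed sample events, not captured traffic
    {"type": "smb_write", "src": "10.0.0.5", "dst": "10.0.0.7", "share": "ADMIN$", "path": "\\cA1B2C3D4E5F6.dll"},
    {"type": "svc_create", "src": "10.0.0.5", "dst": "10.0.0.7", "service": "cA1B2C3D4E5F6"},
    {"type": "smb_write", "src": "10.0.0.5", "dst": "10.0.0.8", "share": "C$", "path": "\\tmp\\cA1B2C3D4E5F6.dll"},
    {"type": "svc_create", "src": "10.0.0.5", "dst": "10.0.0.8", "service": "Spooler"},
    {"type": "smb_write", "src": "10.0.0.5", "dst": "10.0.0.9", "share": "ADMIN$", "path": "\\cDEADBEEF0001.dll"},
]
```

The name regex is taken verbatim from the thread, so it is case-sensitive on the hex digits; a drop with no matching service is reported separately because it may still be the first stage of a spread in progress.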
Dec 14, 2021 7 tweets 5 min read
If you're looking for network indicators of #log4j exploitation - this thread is for you. Every detection in this thread is freely available for use RIGHT NOW.
#snort #suricata #CVE202144228 We have tons of inbound rules that'll hit on scanners and we've tried to cover ITW obfuscation methods, but let's be real, there are more ways to obfuscate these attacks than we can cover.