This digest includes rules from both members of the Threat Bounty Program and the SOC Prime Team. Let’s start with rules by Arunkumar Krishna which will debut in our Rule Digest with CVE-2020-0932: A Remote Code Execution Bug in Microsoft SharePoint. CVE-2020-0932 was patched in April, it allows authenticated users to execute arbitrary code on […]
This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware which emerged last summer as a public affiliate program. It looks like NEMTY forked into two […]
Remcos RAT was first spotted in 2016. Now it hat purports to be a legitimate remote access tool but it was used in multiple global hacking campaigns. On various sites and forums, cybercriminals advertise, sell, and offer the cracked version of this malware. Since the end of February, security researchers have discovered several campaigns that […]
Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems […]
We continue to draw your attention to rules whose capabilities are beyond the more common detection content analyzing Sysmon logs. Today in our digest there are two rules for detecting attacks on Web Servers, a continuation of a series of rules (1, 2) for discovering traces of Outlaw hacking group attacks, and detection content that […]
Most of the rules published on the Threat Detection Marketplace are aimed at detecting attacks on Windows systems. This is not surprising since most of the threats specifically targeted at the Microsoft operating system, as it is the most popular. But there are serious threats for other operating systems, so today we will tell you […]
A recently published article “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer demonstrates the benefits of threat hunting Sigma rules over IOCs-based content. Although we can’t brush off IOC Sigma rules, since they can help identify a fact of compromise, in addition, not all adversaries quickly make changes to their malware, […]
Purpose The purpose of this post is to highlight the benefits of using SIGMA vs IOC based detections. Introduction Indicators of Compromise (IOCs) – ips, domains, hashes, filenames, etc as reported by security researchers are queried against systems and SIEMs to find intrusions. These indicators work against known attacks and have short useful lifespans and […]
New Sigma rule by Osman Demir helps to detect COVID-19 related phishing attacks targeted at medical suppliers. https://tdm.socprime.com/tdm/info/IkntTJirsLUZ/uowd33EB1-hfOQirsQZO/ The campaign became known at the end of last week, and researchers believe that it is associated with 419 scammers who exploit the COVID-19 pandemic for Business Email Compromise attacks. Adversaries send highly targeted phishing emails with […]
SOC Prime Team released a new Sigma rule based on IOCs that can detect the known indicators of the Outlaw hacking group. Check the link to view the available translations on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/yyiW6rvv5a00/JiEBzHEBjwDfaYjKqEwv/ Also, you can use Uncoder to convert Sigma rule to a number of supported platforms without access to your SIEM environment. […]