Tag: Sigma

Threat Hunting Content: Remcos RAT COVID19 Campaigns
Threat Hunting Content: Remcos RAT COVID19 Campaigns

Remcos RAT was first spotted in 2016. Now it hat purports to be a legitimate remote access tool but it was used in multiple global hacking campaigns. On various sites and forums, cybercriminals advertise, sell, and offer the cracked version of this malware. Since the end of February, security researchers have discovered several campaigns that […]

Read More
Detection Content: Floxif Trojan
Detection Content: Floxif Trojan

Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems […]

Read More
Rule Digest: Web Server Security and Trojan Detection
Rule Digest: Web Server Security and Trojan Detection

We continue to draw your attention to rules whose capabilities are beyond the more common detection content analyzing Sysmon logs. Today in our digest there are two rules for detecting attacks on Web Servers, a continuation of a series of rules (1, 2) for discovering traces of Outlaw hacking group attacks, and detection content that […]

Read More
Threat Hunting Content: Suspicious Execution Place
Threat Hunting Content: Suspicious Execution Place

Most of the rules published on the Threat Detection Marketplace are aimed at detecting attacks on Windows systems. This is not surprising since most of the threats specifically targeted at the Microsoft operating system, as it is the most popular. But there are serious threats for other operating systems, so today we will tell you […]

Read More
IOC Rule: Banking Trojan Grandoreiro
IOC Rule: Banking Trojan Grandoreiro

A recently published article “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer demonstrates the benefits of threat hunting Sigma rules over IOCs-based content. Although we can’t brush off IOC Sigma rules, since they can help identify a fact of compromise, in addition, not all adversaries quickly make changes to their malware, […]

Read More
SIGMA vs Indicators of Compromise
SIGMA vs Indicators of Compromise

Purpose The purpose of this post is to highlight the benefits of using SIGMA vs IOC based detections. Introduction Indicators of Compromise (IOCs) – ips, domains, hashes, filenames, etc as reported by security researchers are queried against systems and SIEMs to find intrusions. These indicators work against known attacks and have short useful lifespans and […]

Read More
Detection Content: COVID-19 Related Attack at Medical Suppliers
Detection Content: COVID-19 Related Attack at Medical Suppliers

New Sigma rule by Osman Demir helps to detect COVID-19 related phishing attacks targeted at medical suppliers. https://tdm.socprime.com/tdm/info/IkntTJirsLUZ/uowd33EB1-hfOQirsQZO/ The campaign became known at the end of last week, and researchers believe that it is associated with 419 scammers who exploit the COVID-19 pandemic for Business Email Compromise attacks. Adversaries send highly targeted phishing emails with […]

Read More
Sigma Rule: Outlaw Hacking Group
Sigma Rule: Outlaw Hacking Group

SOC Prime Team released a new Sigma rule based on IOCs that can detect the known indicators of the Outlaw hacking group. Check the link to view the available translations on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/yyiW6rvv5a00/JiEBzHEBjwDfaYjKqEwv/ Also, you can use Uncoder to convert Sigma rule to a number of supported platforms without access to your SIEM environment. […]

Read More
Rule Digest. APT & Malware: Content Released This Week
Rule Digest. APT & Malware: Content Released This Week

This week, the rules to detect malware and APT activity from both our team and the participants of the SOC Prime Threat Bounty Program got into the spotlight. In digests, we try to draw your attention to interesting rules published over the past week.   APT StrongPity by Ariel Millahuel https://tdm.socprime.com/tdm/info/lC2OEeruDxdg/fos3nHEB1-hfOQir9NI-/?p=1 StrongPity APT (aka Promethium) […]

Read More
Rule of the Week: Possible Malicious File Double Extension
Rule of the Week: Possible Malicious File Double Extension

Adversaries can mask malicious executables as images, documents or archives, replacing file icons and adding fake extensions to the file names. Such “crafted” files are often used as attachments in phishing emails, and this is a fairly effective way to infect Windows systems due to “Hide known file types extensions” option enabled by default for […]

Read More