Tag: Sigma

IOC Rule: Banking Trojan Grandoreiro
IOC Rule: Banking Trojan Grandoreiro

A recently published article “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer demonstrates the benefits of threat hunting Sigma rules over IOCs-based content. Although we can’t brush off IOC Sigma rules, since they can help identify a fact of compromise, in addition, not all adversaries quickly make changes to their malware, […]

Read More
SIGMA vs Indicators of Compromise
SIGMA vs Indicators of Compromise

Purpose The purpose of this post is to highlight the benefits of using SIGMA vs IOC based detections. Introduction Indicators of Compromise (IOCs) – ips, domains, hashes, filenames, etc as reported by security researchers are queried against systems and SIEMs to find intrusions. These indicators work against known attacks and have short useful lifespans and […]

Read More
Detection Content: COVID-19 Related Attack at Medical Suppliers
Detection Content: COVID-19 Related Attack at Medical Suppliers

New Sigma rule by Osman Demir helps to detect COVID-19 related phishing attacks targeted at medical suppliers. https://tdm.socprime.com/tdm/info/IkntTJirsLUZ/uowd33EB1-hfOQirsQZO/ The campaign became known at the end of last week, and researchers believe that it is associated with 419 scammers who exploit the COVID-19 pandemic for Business Email Compromise attacks. Adversaries send highly targeted phishing emails with […]

Read More
Sigma Rule: Outlaw Hacking Group
Sigma Rule: Outlaw Hacking Group

SOC Prime Team released a new Sigma rule based on IOCs that can detect the known indicators of the Outlaw hacking group. Check the link to view the available translations on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/yyiW6rvv5a00/JiEBzHEBjwDfaYjKqEwv/ Also, you can use Uncoder to convert Sigma rule to a number of supported platforms without access to your SIEM environment. […]

Read More
Rule Digest. APT & Malware: Content Released This Week
Rule Digest. APT & Malware: Content Released This Week

This week, the rules to detect malware and APT activity from both our team and the participants of the SOC Prime Threat Bounty Program got into the spotlight. In digests, we try to draw your attention to interesting rules published over the past week.   APT StrongPity by Ariel Millahuel https://tdm.socprime.com/tdm/info/lC2OEeruDxdg/fos3nHEB1-hfOQir9NI-/?p=1 StrongPity APT (aka Promethium) […]

Read More
Rule of the Week: Possible Malicious File Double Extension
Rule of the Week: Possible Malicious File Double Extension

Adversaries can mask malicious executables as images, documents or archives, replacing file icons and adding fake extensions to the file names. Such “crafted” files are often used as attachments in phishing emails, and this is a fairly effective way to infect Windows systems due to “Hide known file types extensions” option enabled by default for […]

Read More
Threat Hunting Content: Uncover Bladabindi Backdoor
Threat Hunting Content: Uncover Bladabindi Backdoor

Bladabindi backdoor has been known since at least 2013, its authors monitor cybersecurity trends and improve backdoor to prevent its detection: they recompile, refresh, and rehash it, so IOCs-based detection content is almost useless. In 2018, the Bladabindi backdoor became fileless and was used as a secondary payload delivered by njRAT / Njw0rm malware. The […]

Read More
Sigma Rule: Sophos Firewall Asnarok Malware Campaign
Sigma Rule: Sophos Firewall Asnarok Malware Campaign

An emergency security update for Sophos XG Firewall was released this Saturday. The update patches a zero-day SQL injection remote code execution vulnerability that is actively exploited in the wild. It allows cybercriminals to compromise Sophos firewalls via their management interface and deploy Asnarok malware. The Trojan steals the firewall’s license and serial number, user […]

Read More
Detection Content: Finding Ursnif Trojan Activity
Detection Content: Finding Ursnif Trojan Activity

The ‘Process Injection by Ursnif (Dreambot Malware)’ exclusive rule by Emir Erdogan is released on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/IIfltgwf9Tqh/piHTv3EBjwDfaYjKDztK/  Ursnif banking Trojan has been used by adversaries in various modifications for about 13 years, constantly gaining new features and acquiring new tricks to avoid security solutions. Its source code was leaked in 2014, and since […]

Read More
Threat Hunting Content to Spot Traces of Buer Loader
Threat Hunting Content to Spot Traces of Buer Loader

New community rule by Ariel Millahuel that enables detection of Buer loader is available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/5F93tXFdZmx9/ Buer is a modular loader that was first spotted at the end of last summer and since then this malware has been actively promoted on the underground marketplaces. Proofpoint researchers tracked multiple campaigns spreading Buer loader, […]

Read More