Summary: NVISO has released detection and hunting rules to help identify and combat the BRICKSTORM espionage backdoor and its command-and-control mechanisms. These rules include YARA detection rules, Suricata rules for monitoring active command-and-control servers, and KQL queries for monitoring suspicious process activity. The report is aimed at strengthening defenses against BRICKSTORM.
Affected: Organizations utilizing Windows systems and cloud services
Key points:
- YARA rule detects BRICKSTORM’s Windows backdoor executables using specific strings and conditions.
- Suricata rule alerts on traffic to domains associated with BRICKSTORM’s command-and-control servers.
- KQL hunting rules identify rare long-running unsigned processes and those interacting with Cloudflare IP ranges.
Source: https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor