
[pawpatrules.fr] Wineloader (Nobelium / MidnightBlizzard / APT29): detection with Suricata IDS/NSM

PAW Patrules [pawpatrules.fr]

On June 19, the French national CERT (CERT-FR) published a report and IOCs on the Nobelium / MidnightBlizzard group (also known as APT29), known for its intrusions, most likely for espionage purposes, into the information systems of European and American administrations, and this week into those of major IT companies such as SolarWinds, Microsoft and TeamViewer.
An interesting point in the indicators of compromise published by CERT-FR is the use of Wineloader. From a sample, I was able to observe that Wineloader, like many legitimate applications, relies on the Microsoft HTML Application system binary, in this case to download its payload. Detecting a TLS connection established by Microsoft HTML Application to a server that does not correspond to a known application seems to be an interesting weak signal for the early detection of an attack of this type.
cert.ssi.gouv....
cert.ssi.gouv....
To download the PAW Patrules rules collection for Suricata: pawpatrules.fr/
SELKS solution is used in this video: www.stamus-net...
EveBox is used in this video: evebox.org/
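The weak signal described above (a TLS session from the Microsoft HTML Application host to a server that no known application explains) can be triaged from Suricata's EVE JSON output once the alert has fired. The script below is an added example, not the PAW Patrules rule or anything from the video: it assumes JA3 fingerprinting is enabled in Suricata so that tls events carry a tls.ja3.hash, it uses an obviously placeholder JA3 value for the mshta.exe client hello (measure the real one in your own environment), and the allowlist of known application domains and the EVE records are constructed for the example.

```python
import json

# PLACEHOLDER (assumption, not from the video): JA3 hash of the TLS client
# hello produced by mshta.exe on the monitored hosts. Suricata writes
# tls.ja3.hash into EVE tls events when JA3 fingerprinting is enabled.
MSHTA_JA3_PLACEHOLDER = "00000000000000000000000000000000"

# Constructed allowlist: domains that legitimate HTA-based applications in
# this environment are expected to contact (exact match or any subdomain).
KNOWN_APP_DOMAINS = ("update.example-app.internal", "cdn.example-app.com")

# Constructed EVE JSON records shaped like Suricata tls/dns events.
SAMPLE_EVE = """
{"timestamp":"2024-06-19T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn.example-app.com","ja3":{"hash":"00000000000000000000000000000000"}}}
{"timestamp":"2024-06-19T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"tls":{"sni":"files.example-unknown.net","ja3":{"hash":"00000000000000000000000000000000"}}}
{"timestamp":"2024-06-19T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"198.51.100.9","dest_port":443,"tls":{"ja3":{"hash":"00000000000000000000000000000000"}}}
{"timestamp":"2024-06-19T10:00:04.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.7","dest_port":443,"tls":{"sni":"files.example-unknown.net","ja3":{"hash":"ffffffffffffffffffffffffffffffff"}}}
{"timestamp":"2024-06-19T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"files.example-unknown.net"}}
"""


def is_known_destination(sni, known_domains=KNOWN_APP_DOMAINS):
    """True when the SNI is an allowlisted domain or a subdomain of one."""
    sni = sni.lower().rstrip(".")
    return any(sni == d or sni.endswith("." + d) for d in known_domains)


def find_weak_signals(eve_lines, mshta_ja3=MSHTA_JA3_PLACEHOLDER,
                      known_domains=KNOWN_APP_DOMAINS):
    """Return tls events whose client fingerprint matches the mshta.exe
    placeholder and whose destination is not explained by a known app."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated line in a live log tail
        if event.get("event_type") != "tls":
            continue
        tls = event.get("tls", {})
        if tls.get("ja3", {}).get("hash") != mshta_ja3:
            continue
        sni = tls.get("sni")
        if sni is None:
            reason = "no sni"  # no name to justify the session at all
        elif not is_known_destination(sni, known_domains):
            reason = "sni not in allowlist"
        else:
            continue  # a known application domain: not a weak signal
        hits.append({
            "timestamp": event.get("timestamp"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "dest_port": event.get("dest_port"),
            "sni": sni,
            "reason": reason,
        })
    return hits


def hosts_to_review(hits):
    """Group flagged sessions by internal source host for triage."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["src_ip"], []).append(h)
    return by_host


if __name__ == "__main__":
    for src, sessions in hosts_to_review(
            find_weak_signals(SAMPLE_EVE.splitlines())).items():
        print(src)
        for s in sessions:
            print("  ", s["timestamp"], s["dest_ip"], s["sni"], "-", s["reason"])
```

The allowlist is what turns the fingerprint match into a weak signal rather than noise: a session to a known application domain is dropped, while a session with an unknown SNI, or with no SNI at all, is kept and grouped by source host so the analyst can pivot into EveBox on that host's surrounding flows.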

Published: 16 Oct 2024
