Det. Eng. Weekly #103 - Chiefs Lose, America Wins
And I'm still mad about the Bills' 1-yard spot on 4th down.
Welcome to Issue #103 of Detection Engineering Weekly!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Detection engineering at scale: one step closer (part two) by Guillaume C., Erwan Chevalier and Sekoia TDR
This blog post is Part 2 of Sekoia’s “Detection Engineering at Scale” series. Part 1 is an interesting read, so go check it out if you can, but I thought this Part 2 post was much more technical and helpful. If you’ve ever been in a situation where you want to set up a detection engineering function, this post can serve as a super useful reference tool for setting up guardrails in your detection-as-code strategy.
Maturity matrices are excellent, and I’ve linked several of them in the past, but explaining how you’ve built out parts of the matrix is a great way to communicate the maturity of your organization. Here’s an example of how Sekoia sets up their detection-as-code pipeline:
There are two particular parts in the four boxes underneath “Documentation” that I rarely see people write about, and I’m glad Sekoia covers them. Tests with collected events after re-parsing and tests with collected events are the most important things you can do to check for rule AND telemetry drift. It’s the Acceptance Test part of detection rules.
The documentation-building pipeline is also excellent. You can see the example they link here, and it’s extensive. I love seeing posts about the actual DevOps part of detection-as-code!
🔬 State of the Art
CopyObjection: Fending off ransomware in AWS by Jesse Griggs
Cloud object storage ransomware was a theoretical attack for several years but has been observed in the wild in the last few years. Griggs describes the attack, which involves doing an in-place CopyObject with Customer Provided Keys that the attacker controls. What I love about this post is that Griggs asked a simple question: How can someone stop this when detected?
Griggs explored two ways to respond to this attack: revoke the compromised keys, or apply an RCP that denies any further API actions. The bummer about this attack is Amazon’s CloudTrail log delay, which takes 5-10 minutes to deliver.
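As an added example (not Griggs' code, and not part of the original newsletter), here is a minimal detection over constructed CloudTrail S3 data events that flags the in-place CopyObject-with-customer-provided-key pattern described above. The requestParameters field names (x-amz-copy-source, x-amz-server-side-encryption-customer-algorithm) are assumed from the S3 data-event schema; verify them against your own logs before deploying.

```python
from urllib.parse import unquote

# Constructed sample CloudTrail S3 data events (not real logs).
# Field names are an assumption about the S3 data-event schema.
SAMPLE_EVENTS = [
    # Benign: copy to a different key, bucket-managed encryption.
    {"eventName": "CopyObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup"},
     "requestParameters": {"bucketName": "corp-data", "key": "archive/report.pdf",
                           "x-amz-copy-source": "corp-data/report.pdf",
                           "x-amz-server-side-encryption": "AES256"}},
    # Suspicious: source == destination, re-encrypted with a customer-provided key (SSE-C).
    {"eventName": "CopyObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "requestParameters": {"bucketName": "corp-data", "key": "report.pdf",
                           "x-amz-copy-source": "/corp-data/report.pdf?versionId=abc",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    # Unrelated API call that must not match.
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "requestParameters": {"bucketName": "corp-data", "key": "report.pdf"}},
]

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def is_inplace_ssec_copy(event):
    """True when a CopyObject rewrites an object onto itself using a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "CopyObject":
        return False
    params = event.get("requestParameters") or {}
    if SSEC_HEADER not in params:
        return False
    # x-amz-copy-source is "bucket/key"; it may be URL-encoded, carry a leading
    # slash, or have a "?versionId=" suffix, so normalise before comparing.
    source = unquote(params.get("x-amz-copy-source", "")).lstrip("/").split("?")[0]
    dest = f"{params.get('bucketName', '')}/{params.get('key', '')}"
    return source == dest


def find_ssec_rewrites(events):
    """Return (principal ARN, bucket/key) for every in-place SSE-C copy. One principal
    doing this across many keys in a short window is the ransomware pattern to alert on."""
    hits = []
    for ev in events:
        if is_inplace_ssec_copy(ev):
            p = ev["requestParameters"]
            hits.append((ev["userIdentity"]["arn"], f"{p['bucketName']}/{p['key']}"))
    return hits


if __name__ == "__main__":
    for arn, obj in find_ssec_rewrites(SAMPLE_EVENTS):
        print(f"ALERT: in-place SSE-C rewrite of {obj} by {arn}")
```

Given the 5-10 minute CloudTrail delay the post mentions, the alert is a trigger for key revocation or an RCP deny, not a way to block the first copies.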
Breaking AMSI: How Malware Avoids Windows Script Scanning by Andrew Petrus
The Antimalware Scan Interface (AMSI) is a Windows-native security feature with a producer/consumer architecture for monitoring and blocking potential security events. In this post, Petrus dives into AMSI to target each part of its architecture to evade detection. Some examples include targeting the DLL via patching or intercepting the call to AMSI processes altogether. For example, products send telemetry to amsi.dll, so if you patch the DLL, you can evade logging altogether. The post includes an in-the-wild implementation of intercepting the call altogether and provides all the code for you to try yourself.
Linux Detection Engineering - A Continuation on Persistence Mechanisms by Ruben Groenewoud
Continuing Groenewoud’s Linux Persistence Mechanism series [1] [2], he provides a super in-depth post on how different persistence techniques work, how to do them yourself, and how to detect and hunt for them. I particularly enjoyed Groenewoud's details on how the underlying OS mechanisms work alongside the techniques, and it reads almost like an Operating Systems book (any Tanenbaum or T. Rex book fans that read this newsletter?).
Seeing the telemetry come into Kibana after the attack setup is a great visual tool for people wanting to try this live. I can confidently say I’ve used these techniques in engagements and red team exercises, so it’s cool to see how far detection tooling has come to help replicate these scenarios.
The Art of Linux Kernel Rootkits by Matheuz and Humzak11
This is an excellent follow-up post for Linux Rootkits after you read Groenewoud’s section on detecting them. With another Operating Systems focus, you can explore different types of rootkits using modern hooking functions. Lots of these new rootkit mechanisms spawn from the development of tracing and observability toolsets being leveraged by developers. So, naturally, where you see developers making progress, you can make progress from the red team front.
I love the eBPF focus in some of these sections because many new rootkits seen on GitHub and in the wild leverage tracing capabilities in eBPF programs to persist.
nt-load-order Part 2: More than you ever wanted to know by Colin Finck
This is a continuation of Finck’s WinDbg blog, which I posted in Issue 101. The idea behind the series was to rewrite the Windows bootloader from scratch. Since there’s little technical documentation, Finck developed many ways to investigate and try to replicate the bootloader. In “A trip to the registry”, you can see how much Microsoft invested into making their Windows ecosystem as forward-compatible as possible with hardware profiles and legacy drivers.
Trying to replicate the boot order gets weird once you enumerate all the different boot drivers in the Windows Registry. The cool security tidbit here is around Early-Launch Anti-Malware drivers. This is where security vendors can inject themselves early into the boot process to monitor for any maliciousness in the boot order.
For a good reason, Microsoft gatekeeps access to developing and deploying these drivers via its Microsoft Virus Initiative. But if you can write a bootloader like Finck from scratch, you can probably circumvent these altogether!
☣️ Threat Landscape
No need to RSVP: a closer look at the Tria stealer campaign by Securelist/Kaspersky
At first, I thought this title was random, but it’s cheeky considering how Kaspersky researchers uncovered this Android-based infostealer. According to the researchers, Tria stealer is an Android stealer framework sold on Telegram and targets users in SE Asia, disguising itself inside Wedding Invitation Android apps. Unlike other pure infostealers on endpoints, this one hijacks SMS to perform account takeover and blast the malware to the victim’s contact list.
CISA Adds Four Known Exploited Vulnerabilities to Catalog by CISA
Two Zyxel and two Microsoft vulnerabilities were added to CISA’s KEV list. Firms like GreyNoise observed the Zyxel vulnerabilities being exploited in the wild and tied the exploitation attempts directly to Mirai. It looks like the Microsoft vulnerabilities shipped on Patch Tuesday were confirmed by Microsoft as exploited in the wild, but I couldn’t find any stories or research posts discussing them.
Babuk Ransomware: A Victim of Indodax Hack by Rakesh Krishnan
A thief who robs a thief gets 100 years of pardon.
This is a fun little investigation where Krish found wallets tied to Babuk and analyzed how they attempted to launder the funds via INDODAX, an Indonesian exchange. According to Krish, this wallet had its funds drained by a breach at the exchange in 2024.
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks by Peter Girnus
This is a neat vulnerability writeup where Girnus and Trend Micro researchers found a 0-day exploited in the wild by actors deploying SmokeLoader. The homoglyph word in the title refers to an old method of bypassing character validation logic that is also used in social engineering attacks. In this case, a double-encapsulated 7-Zip archive wouldn’t preserve Mark of the Web protections in Windows. The actors exploited this vulnerability and leveraged homoglyphs to spoof a Microsoft login phishing page.
The only thing I’m confused about in this scenario is that browsers treat homoglyphs as Punycode. So, if you see one in a domain, it should translate to an ASCII representation. The screenshots say otherwise.
🔗 Open Source
tuxtape by Geico
TuxTape is a toolkit for creating and deploying livepatches for Linux kernels. According to the README, livepatching is typically sold by the Linux enterprise behemoths (Canonical, Red Hat or Oracle, for example).
Stifle by logangoins
Post-exploitation tool that provides an easy way for operators to perform ADCS abuse techniques. This follows a blog post by SpecterOps researchers, who described different techniques to abuse Active Directory’s altSecurityIdentities attribute for account takeover.
sharem by Bw3ll
SHAREM is a Windows emulator that boasts emulation of over 20,000 Windows APIs and user-mode Windows syscalls. It looks like it can allow encoded shellcode to deobfuscate itself so you can see inside the decoded payload in a disassembler.
ArgFuscator.net by wietze
Website codebase for https://argfuscator.net/, which is a neat way to obfuscate command line binaries and arguments. You can host it offline if you don’t want to use the site, and it looks like a cool tool for testing your detections against various obfuscation methods.
raccoon by nettitude
Fun Windows-based tool where you specify a PID, and it’ll open minimized windows on the desktop and take a screenshot.