Det. Eng. Weekly #104 - I need you to email me your top 5..
cat and dog pics from ur furry frendz ok thx
Welcome to Issue #104 of Detection Engineering Weekly!
It feels good to be back and somewhat functional! I usually NEVER take unannounced breaks, but oh my god the flu sucked every ounce of energy out of me.
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
2025 State of Detection Engineering Report by Anvilogic and SANS
The State of Detection Engineering Report is a comprehensive survey of hundreds of detection engineers on how their threat detection programs function at their jobs. My friends at Anvilogic partnered with SANS to ask all kinds of detection questions, collate the responses, and get some great insights from them. It’s a free survey, so you don't have to sign up for access. It’s super easy to read and comprehend, and it looks great, too.
One thing you’ll notice is the sheer number of quotes from Detection Engineers in the field, many of whom have been featured in this newsletter (by the way, I’m in there, too). The two spots I had a quote listed revolve around detection-as-code and behavioral detections.
I’m sure, at this point, all of you are sick of me talking about these two topics, but it’s important to emphasize resiliency in finding badness and getting your code into a production system. It was cool to see these themes come to the surface, and I hope you all take some time to read through this and participate next time so we can get even better data!
🔬 State of the Art
What is Event Sourcing? by Sid
In this detection engineering adjacent post, Sid describes the concept of event-sourcing from a pure software architecture point of view. I hope as y’all read this, you can see how applicable it is to our work in detection engineering, but let me break it down for you.
Sid starts by describing event sourcing architectures with an example drawn from an e-commerce site. The site has customers, each assumed to be a repeat customer. At any time, a customer can enter the site, fill a shopping cart, remove items, apply coupons, and eventually check out. The point of an architecture like this is understanding and rebuilding state, that is, the e-commerce customer’s history and journey on your platform, from the sequence of events themselves.
The building state graphic and section are what caught my eye:
This is super useful if you need to rebuild the system or understand how a customer arrived at their current state. Do you see how this applies to security? I think most about UEBA or RBA when considering an entity's state. This can be a human identity from an IdP or a newly deployed host in your environment. If you can track the state of an entity, you should be able to reconstruct how it reached a known malicious state, and working backward can help you find out how it got hacked in the first place!
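To make the security analogy concrete, here is an added example (my own code, not from Sid's post or the newsletter) that treats a host the way the post treats a shopping cart: an append-only event log, a fold that rebuilds the entity's state from it, and a helper that replays the log until the state first matches a condition such as "compromised" so you can see exactly which events got it there. The event kinds, state fields and sample log are constructed for illustration.

```python
"""Event-sourced entity state, applied to a host instead of a shopping cart.

Added example, not code from Sid's post or the newsletter. The event kinds,
state fields and sample log are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    seq: int      # position in the append-only log
    ts: str       # timestamp (constructed, ISO 8601)
    entity: str   # entity the event belongs to, e.g. a hostname
    kind: str     # event type
    data: dict    # payload


@dataclass
class HostState:
    exposed_ports: set = field(default_factory=set)
    admin_logons: set = field(default_factory=set)
    patches: set = field(default_factory=set)
    compromised: bool = False
    # field name -> seqs of the events that changed it, for walking backward
    provenance: dict = field(default_factory=dict)


def apply(state: HostState, ev: Event) -> HostState:
    """Pure transition function: returns a new state, never mutates the log."""
    new = copy.deepcopy(state)
    if ev.kind == "port_exposed":
        new.exposed_ports.add(ev.data["port"])
        touched = "exposed_ports"
    elif ev.kind == "port_closed":
        new.exposed_ports.discard(ev.data["port"])
        touched = "exposed_ports"
    elif ev.kind == "patch_applied":
        new.patches.add(ev.data["patch"])
        touched = "patches"
    elif ev.kind == "admin_logon":
        new.admin_logons.add((ev.data["user"], ev.data["src"]))
        touched = "admin_logons"
    elif ev.kind == "malware_detected":
        new.compromised = True
        touched = "compromised"
    else:
        raise ValueError(f"unknown event kind {ev.kind!r}")
    new.provenance.setdefault(touched, []).append(ev.seq)
    return new


def rebuild(events, upto: Optional[int] = None) -> HostState:
    """Fold the log into state; `upto` replays only up to that seq (point-in-time view)."""
    state = HostState()
    for ev in sorted(events, key=lambda e: e.seq):
        if upto is not None and ev.seq > upto:
            break
        state = apply(state, ev)
    return state


def path_to(events, predicate: Callable[[HostState], bool]):
    """Replay until the state first satisfies `predicate`; return the events that got it there."""
    state = HostState()
    prefix = []
    for ev in sorted(events, key=lambda e: e.seq):
        state = apply(state, ev)
        prefix.append(ev)
        if predicate(state):
            return prefix
    return None


def trace(events, field_name: str):
    """Only the events that changed `field_name`, in log order."""
    seqs = set(rebuild(events).provenance.get(field_name, []))
    return [e for e in sorted(events, key=lambda e: e.seq) if e.seq in seqs]


# Constructed sample log for one host (RFC 5737 documentation address as source).
SAMPLE_EVENTS = [
    Event(1, "2025-02-20T08:00:00Z", "web01", "port_exposed", {"port": 3389}),
    Event(2, "2025-02-20T08:05:00Z", "web01", "patch_applied", {"patch": "KB-constructed-1"}),
    Event(3, "2025-02-21T02:13:00Z", "web01", "admin_logon", {"user": "svc_backup", "src": "203.0.113.7"}),
    Event(4, "2025-02-21T02:20:00Z", "web01", "malware_detected", {"name": "constructed.loader"}),
    Event(5, "2025-02-21T03:00:00Z", "web01", "port_closed", {"port": 3389}),
]

if __name__ == "__main__":
    print("current state:", rebuild(SAMPLE_EVENTS))
    print("state before the logon:", rebuild(SAMPLE_EVENTS, upto=2))
    for ev in path_to(SAMPLE_EVENTS, lambda s: s.compromised):
        print(f"{ev.seq:>2} {ev.ts} {ev.kind} {ev.data}")
```

The `upto` argument gives the point-in-time view (what did the host look like before the suspicious logon?), `path_to` gives the forward story up to the first bad state, and `trace` answers the narrower question of which events ever touched one attribute. Because `apply` is pure and the log is never mutated, any of these views can be recomputed from the same events later, which is the property that makes event sourcing useful for an investigation.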
Investigating Anonymous VPS services used by Ransomware Gangs by Will Thomas
Threat research GOAT Will Thomas explains the evolution of “bullet-proof” hosting services and studies how BitLaunch differs from them. Bullet-proof hosters help cybercriminals and nation-states host malicious content, such as command-and-control servers, because they typically don’t respond to takedown requests from researchers or law enforcement.
BitLaunch is a nuanced story: it has an “Anonymous VPS” feature where you pay in cryptocurrency and rent a VPS on their network, no questions asked. Does that make it a bullet-proof hoster? Will tries to answer this question with some excellent threat research analysis of known C2s hosted by the company over the years, the groups who’ve abused the service, and some commentary on how the company has responded.
Cerbos Game by Cerbos
This was a fun and clever way to visualize how policy enforcement works from a programmatic perspective. Policy can mean many things in the infosec world, but the example I relate to the most is policy enforcement in cloud environments. Is your user allowed to spin up a resource, a piece of blob storage, or obtain a critical key?
You are given a set of rules corresponding to shapes and colors and made to “think fast” as incoming shapes match the policy. This is how far I got. Can you beat me?
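The game makes you evaluate rules in your head; here is what the same logic looks like written down, as an added example of my own (not Cerbos code). It is a deny-by-default evaluator for the cloud question above: rules match on resource kind, action and principal role, can carry an extra condition on the request, an explicit deny beats any allow, and no matching rule means deny. The rule shape, the sample policy and the principals are all constructed.

```python
"""Deny-by-default policy evaluation, the idea the Cerbos game makes you do in your head.

Added example, not Cerbos code: the rule shape, the sample policy and the
requests are constructed. Explicit deny beats allow; no match means deny.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    resource: str                 # resource kind: "vm", "bucket", "kms_key"
    actions: frozenset            # actions this rule covers
    roles: frozenset              # principal roles it applies to
    effect: str                   # "allow" or "deny"
    condition: Optional[Callable[[dict, dict], bool]] = None  # extra check on (principal, resource)


def matches(rule: Rule, principal: dict, resource: dict, action: str) -> bool:
    return (rule.resource == resource["kind"]
            and action in rule.actions
            and bool(principal["roles"] & rule.roles)
            and (rule.condition is None or rule.condition(principal, resource)))


def decide(policy, principal: dict, resource: dict, action: str) -> str:
    """Return "allow" or "deny". Any matching deny wins; otherwise a matching allow is needed."""
    hits = [r for r in policy if matches(r, principal, resource, action)]
    if any(r.effect == "deny" for r in hits):
        return "deny"
    if any(r.effect == "allow" for r in hits):
        return "allow"
    return "deny"   # nothing matched: default deny


# Constructed sample policy.
POLICY = [
    Rule("vm", frozenset({"create", "delete", "read"}), frozenset({"admin"}), "allow"),
    # developers may create VMs, but only outside production
    Rule("vm", frozenset({"create", "read"}), frozenset({"developer"}), "allow",
         condition=lambda p, r: r["env"] != "prod"),
    Rule("bucket", frozenset({"read"}), frozenset({"admin", "developer", "auditor"}), "allow"),
    Rule("bucket", frozenset({"write"}), frozenset({"admin", "developer"}), "allow"),
    # key export needs a kms_admin who authenticated with MFA ...
    Rule("kms_key", frozenset({"export"}), frozenset({"kms_admin"}), "allow",
         condition=lambda p, r: p.get("mfa") is True),
    # ... and is explicitly denied to every other role
    Rule("kms_key", frozenset({"export"}), frozenset({"admin", "developer", "auditor"}), "deny",
         condition=lambda p, r: "kms_admin" not in p["roles"]),
]

# Constructed principals.
ALICE = {"id": "alice", "roles": {"developer"}, "mfa": True}
BOB = {"id": "bob", "roles": {"admin", "kms_admin"}, "mfa": False}
CAROL = {"id": "carol", "roles": {"auditor"}, "mfa": True}

if __name__ == "__main__":
    for who, res, act in [(ALICE, {"kind": "vm", "env": "dev"}, "create"),
                          (ALICE, {"kind": "vm", "env": "prod"}, "create"),
                          (BOB, {"kind": "kms_key", "env": "prod"}, "export"),
                          (CAROL, {"kind": "bucket", "env": "prod"}, "write")]:
        print(who["id"], act, res["kind"], "->", decide(POLICY, who, res, act))
```

Two details are worth noticing: Bob holds the right role for key export but has no MFA, so the allow rule's condition fails and, with nothing else matching, the default deny applies; and Carol's bucket write is denied not by any rule but by the absence of one, which is the posture you want from a policy engine.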
See Evil, Thrunt Evil – Modelling Behaviors is a Critical Thrunting Prerequisite by Jamie Williams
Like detection engineering, threat hunting goes hand-in-hand with creating resilient hunts and detections. Thrunting rests on an extraordinary assumption: that your detection strategy failed and there is an intrusion in your network. Many of the thought processes after this assumption follow the same mantras as detection engineering: focus on behaviors as much as you can! In this post, Williams outlines how behavior hunting can help in a hunting session and discusses some of the pitfalls of focusing too much on a single behavior. He links to Katie Nickels’ talk at ShmooCon, which outlines how over-prioritizing specific events, such as the exploitation of a vulnerability, can weaken other detection and mitigation mechanisms later on.
Hierarchy of Needs - Predefender Threat Hunt Book by Roger Johnsen
We love triangles in threat detection and intelligence, don’t we? This cool e-book by Johnsen tries to give readers a sound basis for setting up a threat-hunting program, starting from a basic hierarchy of needs. Johnsen describes an “Incident Response Hierarchy of Needs” from Swannman, which looks more like Maslow’s than Bianco’s Pyramid of Pain.
Basically, incident response is impossible without data; once you have the data, you need to understand behaviors and threats, and only then can you start kicking the adversary out. Johnsen interleaves his own “plateau” of maturity, from basic awareness up to proactive threat hunting, so it’s pretty easy for readers to lay out a comprehensive plan for building a program like this.
☣️ Threat Landscape
BlackBasta Chat Logs Leak Analysis by Thomas Roccia
Internal chats from BlackBasta leaked over the weekend, and the research community has been ALL over them. This is the most significant ransomware gang chat-log leak since Conti, and you’ll notice many of the same actors intersect both communities. Thomas put together a thorough analysis of the logs, outlining the times when the chat is most active, the chattiest users, and a neat IoC extractor for additional intelligence gathering.
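The three things Thomas pulls out of the dump (busiest hours, chattiest users, indicators) are a good first-pass triage for any leaked chat corpus, so here is an added example of my own showing that pass on a constructed log. It is not Thomas Roccia's tooling: the line format (timestamp, user, message separated by tabs), every handle, address and hash, and the small TLD list used to keep filenames out of the domain matcher are all assumptions made for the example.

```python
"""Quick triage of a leaked chat dump: activity by hour, chattiest users, IoC extraction.

Added example, not Thomas Roccia's tooling. The log format (ts<TAB>user<TAB>message)
and every line, handle, address and hash below are constructed; the IoC regexes
are deliberately simple and the TLD list is a small assumption, not a real allowlist.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (RFC 5737 addresses, reserved example domains, made-up hash).
SAMPLE_LOG = """\
2025-02-15T09:14:02Z\talpha\tnew panel up at 203.0.113.45, creds later
2025-02-15T09:20:11Z\tbravo\tloader: http://update-check.example/upd.exe
2025-02-15T09:41:55Z\talpha\tsha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2025-02-15T14:03:09Z\tcharlie\tbackup relay relay.example.net also 203.0.113.45
2025-02-15T14:05:40Z\talpha\tok
2025-02-16T09:10:00Z\tbravo\tmirror 198.51.100.7
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
MD5 = re.compile(r"\b[0-9a-f]{32}\b")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+")
# assumption: a tiny TLD list keeps filenames like upd.exe from matching as domains
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|example)\b")


def parse(text):
    """Return [(datetime, user, message)] per well-formed line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        ts, user, msg = parts
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, msg))
    return rows


def activity_by_hour(rows):
    """Message count per hour of day (UTC in the sample)."""
    return Counter(ts.hour for ts, _, _ in rows)


def top_talkers(rows, n=3):
    """The n most active handles with their message counts."""
    return Counter(user for _, user, _ in rows).most_common(n)


def extract_iocs(rows):
    """Collect indicators by type across all messages."""
    iocs = {"ipv4": set(), "url": set(), "domain": set(), "sha256": set(), "md5": set()}
    for _, _, msg in rows:
        lower = msg.lower()
        iocs["ipv4"].update(IPV4.findall(msg))
        iocs["url"].update(URL.findall(msg))
        iocs["domain"].update(DOMAIN.findall(lower))
        iocs["sha256"].update(SHA256.findall(lower))
        # the tail of a sha256 also looks like an md5, so drop substrings of sha256 hits
        iocs["md5"].update(h for h in MD5.findall(lower)
                           if not any(h in s for s in iocs["sha256"]))
    return iocs


def defang(value):
    """Make an indicator safe to paste into a ticket or report."""
    return value.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("busiest hours:", activity_by_hour(rows).most_common(2))
    print("top talkers:", top_talkers(rows))
    for kind, values in extract_iocs(rows).items():
        for v in sorted(values):
            print(f"{kind:7} {defang(v)}")
```

On a real dump you would swap `SAMPLE_LOG` for the file contents and the regexes for a proper IoC library; the structure (parse once, then fold the rows into whatever counters and extractors you need) stays the same. The md5 filter is there because a naive 32-hex-character match fires on the back half of every sha256, which is a common source of junk indicators.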
Leveraging Transparency for Collaboration in the Wake of Record-Breaking Bybit Theft by Chainalysis
The largest cryptocurrency heist to date happened this week: suspected DPRK actors stole nearly $1.5 billion in Ethereum from the Bybit cryptocurrency exchange. The in-product screenshot of DPRK’s laundering process is impressive, and I hope the company publishes a more thorough analysis to show how intricate this process can be.
Confluence Exploit Leads to LockBit Ransomware by The DFIR Report
New DFIR Report! This time, the team follows an intrusion that ends in LockBit. The actors achieved an impressive time to ransomware deployment: 2 hours and 6 minutes from initial exploitation to deploying LockBit. The intrusion offers all sorts of detection opportunities, from an n-day exploit to the use of Metasploit and installing AnyDesk (failing once) on the beachhead host.
CISA Adds Two Known Exploited Vulnerabilities to Catalog by CISA
CISA added another two vulnerabilities, CVE-2017-3066 and CVE-2024-20953, to its Known Exploited Vulnerabilities catalog. One I cannot believe I’m reading is an exploit affecting Adobe ColdFusion. I found one notebook and vulnerable-by-design environment to check out on GitHub; it’s a classic Java deserialization vulnerability.
🔗 Open Source
captaincredz by synacktiv
A modular password-spraying framework written in Python. You supply wordlists, a target, and some configuration options such as the delay between requests, then run it and wait for a successful login.
JonMon by jsecurity101
JonMon is an open-source EDR for Windows and just got its 2.0 release. If you haven’t tried it out yet, or read Jonathan Johnson’s excellent Medium articles on the space, go check it out.
PurpleLab by Krood9d
A purple-teaming toolkit that spins up a full detection simulation pipeline for testing Windows. It has some beefier requirements (8 CPU cores, 13 GB of RAM) but might work on lab machines you have lying around the house. The frontend is pretty cool, and you can simulate everything from malware executions to MITRE ATT&CK techniques.
implant.js by captainGeech42
A JavaScript V8-based implant framework. You write your implant in JavaScript and ship it inside the client, which executes it in the V8 engine on the target host.
StreetCred by RITRedTeam
A fun Golang binary that you preload with a set of credentials and post-exploitation scripts to autopwn a bunch of target hosts. I found these tools useful in attack/defend competitions where you know the default credentials ahead of time.