Welcome to Issue #105 of Detection Engineering Weekly!
It’s been yet another wild week in security, but I thought the byline this week required some explanation. You’ll see some more Bybit hack news under threat landscape, but they launched a bug bounty program to pay out 10% of their frozen assets to various exchanges. What a world we live in!
💎 Detection Engineering Gem 💎
DIY — Evaluating AWS Native Approaches for Detecting Suspicious API Calls by Adan Alvarez
I don’t think I’ve ever read a detection engineering blog of this type before. I enjoy survey-type blogs, not surveys like the ones you send out for people to fill in, but studies of methodologies. In this post, Alvarez investigates different ways to set up alerting pipelines in AWS and compares and contrasts the various detection strategies. For each strategy he investigates, he documents Ease of Use, Time to Alert, and Pricing. There are things you can expect, such as CloudTrail, but you quickly start to see the complexity of scaling out an AWS environment with multi-org and multi-availability-zone logging strategies.
This strategy was pretty interesting:
Basically, you can convert CloudTrail logs to Metrics using AWS’s native observability technology, CloudWatch. Imagine converting 100 separate CloudTrail logs to a counter of just “100”, and you can see a line graph moving up and down based on time. This is a great way to alert on spikes in logs, for example, someone getting access to your AWS account and spamming API calls to see what they have access to. You set a threshold, like 50, and receive an alert whenever that threshold is met.
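To make the log-to-metric idea concrete, here is an added example (not code from the original post or from Alvarez’s blog) that emulates, in plain Python, what a CloudWatch metric filter plus a static-threshold alarm do with CloudTrail: each matching record becomes a count of 1, counts are summed per period and per calling identity, and any period at or above the threshold trips the alarm. The records, principals, period length and threshold are all constructed for illustration.

```python
"""Emulate the CloudTrail -> CloudWatch metric -> alarm pipeline offline.

Added example, not code from the original post or from Alvarez's blog.
Every matching record becomes a count of 1, counts are summed per period
and principal, and a period at or above the threshold trips the alarm.
The records, principals, period length and threshold are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def make_sample_records():
    """Constructed CloudTrail-style records, not real log data.

    One access key fires 70 discovery-style calls inside a single minute,
    most of them denied; a second principal makes five routine calls in
    the same window.
    """
    base = datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    discovery = ["ListBuckets", "DescribeInstances", "ListUsers",
                 "GetCallerIdentity", "ListSecrets", "DescribeDBInstances"]
    records = []
    for i in range(70):
        rec = {
            "eventTime": (base + timedelta(milliseconds=700 * i)).strftime(TIME_FMT),
            "eventName": discovery[i % len(discovery)],
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-key"},
        }
        if i % 3:  # two out of three calls are denied: the key has little access
            rec["errorCode"] = "AccessDenied"
        records.append(rec)
    for i in range(5):
        records.append({
            "eventTime": (base + timedelta(seconds=10 * i)).strftime(TIME_FMT),
            "eventName": "GetObject",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-server"},
        })
    return records


def matches_filter(record, only_errors=False):
    """The metric filter. With only_errors=False every record counts, which is
    the 'turn 100 logs into the number 100' case from the post; with
    only_errors=True it behaves like a filter on errorCode being present."""
    return ("errorCode" in record) if only_errors else True


def cloudtrail_to_metric(records, period_seconds=60, only_errors=False):
    """Sum matching records per (period start, principal), like a metric
    carrying a dimension on the calling identity."""
    counts = Counter()
    for rec in records:
        if not matches_filter(rec, only_errors):
            continue
        ts = datetime.strptime(rec["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        period_start = ts - timedelta(seconds=ts.timestamp() % period_seconds)
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        counts[(period_start.strftime(TIME_FMT), principal)] += 1
    return counts


def evaluate_alarm(counts, threshold=50):
    """Static-threshold alarm: any datapoint >= threshold is a breach.
    Returns (period, principal, count) tuples, earliest and largest first."""
    breaches = [(period, principal, n)
                for (period, principal), n in counts.items() if n >= threshold]
    return sorted(breaches, key=lambda b: (b[0], -b[2]))


if __name__ == "__main__":
    metric = cloudtrail_to_metric(make_sample_records())
    for period, principal, n in evaluate_alarm(metric, threshold=50):
        print(f"ALARM {period} {principal}: {n} API calls in one period")
```

Splitting the count by principal is the part worth copying into a real metric: a flat "all API calls" counter will be dominated by your busiest automation role, while a per-identity datapoint lets a single noisy key cross the threshold on its own.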
🔬 State of the Art
macOS Extended Attributes: Case Study by Stephan Berger
I love reading macOS detection and incident response content. It’s close enough to Linux systems where you get to see binaries, file structures, and a shell that you are familiar with, but different enough where you need pieces like this one to help fill knowledge gaps. Extended attributes are, from what I can tell, key/value items on a file that the operating system and developers use for additional context. Berger does a great job describing how this works with a goodware binary he downloaded and then goes into much more detail on how this can be used in incident response.
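As an added example (not code from Berger’s case study), the decoder below takes a mapping of attribute name to raw bytes, as you would collect from a file on macOS, and decodes the two attributes that usually matter when tracing where a binary came from: com.apple.quarantine (flags, download time as hex epoch seconds, downloading agent, optional UUID) and com.apple.metadata:kMDItemWhereFroms (a property list holding the download URLs). The sample attribute set is constructed inline so it runs anywhere; which attributes Berger’s sample actually carried is not assumed.

```python
"""Decode download-provenance extended attributes for incident response.

Added example, not code from Berger's case study. The attribute values
below are constructed; real ones are read from the file on macOS.
"""
import plistlib
from datetime import datetime, timezone

QUARANTINE = "com.apple.quarantine"
WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"


def make_sample_xattrs():
    """Constructed attribute set, not data from a real file."""
    # flags;hex epoch seconds (2025-03-01T12:00:00Z);agent;uuid
    quarantine = b"0083;67c2f6c0;Safari;0C1C4B6E-2E3B-4F1D-9B0A-3C4D5E6F7A8B"
    where_froms = plistlib.dumps(
        ["https://downloads.example.invalid/tool.zip", "https://www.example.invalid/"],
        fmt=plistlib.FMT_BINARY)
    return {
        QUARANTINE: quarantine,
        WHERE_FROMS: where_froms,
        "com.example.custom": b"opaque",  # something the decoder does not know
    }


def decode_quarantine(raw):
    """Parse 'flags;hex-epoch-seconds;agent[;uuid]'. Flags are kept numeric;
    their individual bit meanings are not interpreted here."""
    parts = raw.decode("utf-8", "replace").split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags, ts_hex, agent = parts[0], parts[1], parts[2]
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def decode_where_froms(raw):
    """The value is a property list (binary on disk) holding a list of URLs."""
    value = plistlib.loads(raw)
    if not isinstance(value, list):
        raise ValueError("kMDItemWhereFroms is expected to hold a list of URLs")
    return [str(u) for u in value]


def summarize(xattrs):
    """Decode what we know and list the rest by name so nothing is silently dropped."""
    out = {"quarantine": None, "where_froms": None, "other": []}
    for name, raw in xattrs.items():
        if name == QUARANTINE:
            out["quarantine"] = decode_quarantine(raw)
        elif name == WHERE_FROMS:
            out["where_froms"] = decode_where_froms(raw)
        else:
            out["other"].append(name)
    return out


if __name__ == "__main__":
    for key, value in summarize(make_sample_xattrs()).items():
        print(f"{key}: {value}")
```

Keeping the unknown attribute names in the output matters in IR: an attribute you cannot decode is still a lead, and dropping it would hide exactly the kind of gap Berger’s write-up helps fill.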
Leveraging Metrics in Google SecOps SIEM by Daniel Koifman
Aggregate and window metrics are great tools for threat hunting and detection. Koifman gives a quick tl;dr on how YARA-L performs these detections in Google’s SIEM and then dives into some hunting scenarios with live rules. You can even play around with these rules in their demo environment. It seems like YARA-L is pretty configurable from a querying perspective: you set an initial query via the events field with various matching, then the outcome field is where you do your metrics aggregation and set an output variable. Lastly, you compare the events to the outcome variable with your standard YARA-esque boolean operators.
Abusing VS Code’s Bootstrapping Functionality To Quietly Load Malicious Extensions by Cas van Cooten
VS Code extensions are like the npm and PyPI of IDEs. You can search a marketplace and install all kinds of plugins on top of your VS Code for functionality, or for... pets?
Anyways, Microsoft has invested a lot into protecting the ecosystem from abuse. For example, giving you a prompt when you install an extension from an untrusted developer. But, according to van Cooten, there are still ways to load extensions if you know where to look. The best part? He gives detection opportunities at the end of the blog!
Visualizing process trees with marimo and anywidget by Kyrre Wahl Kongsgård and Anja Olsen
This is a super interesting implementation-style blog for creating and visualizing process trees. Kongsgård and Olsen collate several DeviceProcessEvents from Microsoft Defender for Endpoint and begin extracting, transforming, and loading those events into a pipeline to generate an interactive front-end for exploring process trees. They convert the events into a common information model ported from KQL, send the events to process on an Apache Spark cluster, and then build the process tree.
I think the cool part here is using a marimo (Jupyter-style) notebook to create and maintain the state of the process tree, and using anywidget to pass that state back and forth so it’s easy to use and manipulate in the frontend.
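To show the core of the pipeline without Spark, marimo or anywidget, here is an added example (not code from Kongsgård and Olsen’s post) that builds a process tree from a handful of constructed rows using the column names of the Defender for Endpoint DeviceProcessEvents table. It keys each process on (device, ProcessId, ProcessCreationTime) rather than on the PID alone, so that a reused PID does not splice an unrelated process into an older lineage, and it synthesizes parent nodes that only appear in the Initiating* columns.

```python
"""Build a process tree from DeviceProcessEvents-shaped rows.

Added example, not code from the post. Rows are constructed; the column
names follow Microsoft Defender for Endpoint's DeviceProcessEvents table.
"""
from collections import defaultdict

# Constructed rows: Word spawns cmd, cmd spawns PowerShell, and later PID
# 5200 is reused by an unrelated notepad.exe started from Explorer.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ProcessId": 4120, "ProcessCreationTime": "2025-03-01T09:00:01Z",
     "FileName": "winword.exe", "ProcessCommandLine": "winword.exe invoice.docx",
     "InitiatingProcessId": 812, "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCreationTime": "2025-03-01T08:00:00Z"},
    {"DeviceName": "ws01", "ProcessId": 5200, "ProcessCreationTime": "2025-03-01T09:00:05Z",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c powershell.exe -NoProfile",
     "InitiatingProcessId": 4120, "InitiatingProcessFileName": "winword.exe",
     "InitiatingProcessCreationTime": "2025-03-01T09:00:01Z"},
    {"DeviceName": "ws01", "ProcessId": 6100, "ProcessCreationTime": "2025-03-01T09:00:06Z",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -NoProfile",
     "InitiatingProcessId": 5200, "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCreationTime": "2025-03-01T09:00:05Z"},
    {"DeviceName": "ws01", "ProcessId": 5200, "ProcessCreationTime": "2025-03-01T10:30:00Z",
     "FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe notes.txt",
     "InitiatingProcessId": 812, "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCreationTime": "2025-03-01T08:00:00Z"},
]


def _key(device, pid, created):
    """PID plus creation time is the stable identity; PIDs alone get reused."""
    return (device, int(pid), created)


def build_tree(events):
    """Return (nodes, children, roots). Parents seen only in the Initiating*
    columns are synthesized so every child has a node to hang from."""
    nodes = {}
    children = defaultdict(list)
    for e in events:
        child = _key(e["DeviceName"], e["ProcessId"], e["ProcessCreationTime"])
        parent = _key(e["DeviceName"], e["InitiatingProcessId"],
                      e["InitiatingProcessCreationTime"])
        nodes[child] = {"name": e["FileName"], "cmdline": e.get("ProcessCommandLine", ""),
                        "created": e["ProcessCreationTime"], "parent": parent}
        if parent not in nodes:  # parent has no row of its own (yet)
            nodes[parent] = {"name": e["InitiatingProcessFileName"], "cmdline": "",
                             "created": e["InitiatingProcessCreationTime"], "parent": None}
        children[parent].append(child)
    for kids in children.values():
        kids.sort(key=lambda k: nodes[k]["created"])
    roots = sorted((k for k, n in nodes.items() if n["parent"] is None),
                   key=lambda k: nodes[k]["created"])
    return nodes, children, roots


def lineage(nodes, key):
    """Names from the root down to the given process."""
    chain = []
    while key is not None:
        chain.append(nodes[key]["name"])
        key = nodes[key]["parent"]
    return list(reversed(chain))


def find(nodes, name):
    """All keys whose image name matches (a name may occur more than once)."""
    return [k for k, n in nodes.items() if n["name"].lower() == name.lower()]


def render(nodes, children, roots, indent="  "):
    """Indented text tree, children in creation order."""
    lines = []

    def walk(key, depth):
        n = nodes[key]
        lines.append(f"{indent * depth}{n['name']} (pid {key[1]}, created {n['created']})")
        for c in children.get(key, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(SAMPLE_EVENTS)))
```

The PID-reuse row is the edge case worth keeping in any test data for a tree builder: with a PID-only key, notepad.exe would silently inherit cmd.exe’s PowerShell child and the rendered tree would tell an analyst a story that never happened.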
☣️ Threat Landscape
BlackBasta Leaks: Lessons from the Ascension Health attack by Will Thomas
This is another BlackBasta leak analysis, but with the context of Will’s expertise in the cybercrime space. Specifically, Will looks at the operational tempo of BlackBasta during the Ascension Health incident and gleans some new insights on how ransomware actors view healthcare as a target. It was wild seeing how someone from BlackBasta volunteers to negotiate, understands that Mandiant will be on the other side of the negotiation table, and how they attempt to calculate loss by looking at ransomware breaches at other healthcare companies.
Bybit Incident Investigation Preliminary Report by Thanh Nguyen
Following the news of the Bybit hack last week, it was cool to see this investigation report get published and/or leaked. It goes into much more detail on what happened and how clever the DPRK is getting with its cryptocurrency targeting operations. DPRK compromised a dev laptop of a hosted multi-signature wallet service and waited for Bybit developers to log in to perform a multi-signature transaction. Once they knew they were conducting a transaction, DPRK switched out static Javascript resources with malicious ones, replaced the destination wallets in the front end, and were off to the races.
Phishing Email Attacks by the Larva-24005 Group Targeting Japan by AhnLab
More North Korea news? In this post, AhnLab researchers dissect a phishing campaign targeting South Korean and Japanese victims who are associated with researching the North Korean regime. They are still (!) using BlueKeep for initial access and installing an XAMPP server afterward to send spear-phishing emails.
how to gain code execution on millions of people and hundreds of popular apps by xyzeva
This is a cool vulnerability write-up that starts with looking at an Electron app and moving to taking over the backend cloud infrastructure. To me, it showcases the complexity of the software supply chain and how sifting through many layers (literally) of indirection can lead to the keys of the kingdom.
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 by Yurren Wan
SharePoint as a C2: is anyone surprised? Jokes aside, this threat analysis by Wan covers how a phishing campaign leveraged ClickFix social engineering techniques and hid malware behind an attacker-controlled SharePoint. After installing Havoc, the victim machine uses the Microsoft Graph API to initialize C2 callbacks to the attackers’ SharePoint site.
🔗 Open Source
twilio-security-scanner by relayhawk
Open-source posture management toolset focused on finding insecure configurations in your Twilio deployment. It checks configurations on several of Twilio’s product suite, everything from securing Webhooks to API key security. I can tell you firsthand that threat actors LOVE going after Twilio environments to abuse it during the resource development phase of phishing infrastructure.
SysmonCommunityGuide by trustedsec
This repo is over 4 years old, and I can’t believe this is the first time I’ve seen it! This is an e-book on Sysmon for threat detection. It gives you a rundown of how the Sysmon driver works and what kind of events the tool generates, and it brings receipts with rich examples.
XenonRecomp by hedge-dev
Have you ever wanted to play Xbox games on your native OS without using an emulator? Well, the gaming and cracking community strikes again with a tool to convert Xbox 360 games into C++ code so you can compile them for any OS platform of your choice. It’s not completely finished, but impressive nonetheless.
FIR by certsocietegenerale
Fast Incident Response is a security incident management platform. It uses Django with a MySQL backend and a basic Bootstrap frontend. You can even extend it with plugins for additional functionality.
baby-naptime by faizann24
Open-source (re)implementation of Google Project Zero’s Project Naptime. You connect your LLMs, run the tool, load a binary and it leverages the LLM to reason through reverse engineering the binary to find vulnerabilities. It’ll even generate and test exploit payloads for you!