Welcome to Issue #107 of Detection Engineering Weekly!
📣 SANS Livestream Alert 📣
I’m excited to announce that I’m joining Katie Nickels for the SANS Threat Analysis Rundown. We’ll discuss detection engineering, cloud security, and the latest trends in the threat landscape.
It’s TODAY, 1pm-2pm US Eastern time. The LinkedIn event link is below:
LinkedIn event link: https://www.linkedin.com/events/7305253848619618306/
💎 Detection Engineering Gem 💎
Measuring the Success of Your Adversary Simulations by Jason Lang
This blog outlines a fantastic, modern, and applicable approach to Adversary Simulation. Lang describes the differences between a pure pentest and a more collaborative red team engagement, and you can see that detection validation and gap analysis are front-and-center. To me, an adversary simulation exercise is akin to a threat-hunting exercise. You start with a hypothesis, in this case, a technical control you want to test, and then you have the red team work backward to find weaknesses and attack paths that can test that technical control.
I love the defensive enlightenment section. The red team should never be positioned as “us versus defenders” because it doesn’t drive outcomes other than who was right and who was wrong. Instead, a productive engagement, as Lang puts it, should result in testing the controls and detection and providing expertise to ensure the organization fills in the gaps found in controls and detections.
Honestly, red teamers make some of the best detection engineers.
🔬 State of the Art
How threat actors get their names by Ryan Dewhurst
This was a funny title in the same vein as an explainlikeimfive post, but in security terms. Listen, attribution is hard, and it matters, but market-y names can undermine the seriousness of some of these operations if done in poor taste.
My take here, and what Dewhurst alludes to at the end of this post, is that threat intel companies have to assign names, or they can’t talk about what they see. And what they see is the important factor here: you may think you have Charming Kitten in your network, but does CrowdStrike have all of the telemetry you do? It could be a subset of Charming Kitten or a completely new group, so drawing lines in the sand does help.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats by David Burkett
Have you ever done research for a paper or blog and referenced background material? I hope so. But, have you ever done the research for a paper or blog in security referencing an academic paper from 1953? David gets the award for this one, but it’s a SUPER relevant paper to threat detection. According to Burkett, we can learn from this methodology, which was originally intended for radars, and apply it to modern threat detection practices.
I love it when detection blogs give massive props to statistics and its application to our field. Burkett outlines some of the statistics methodologies from the paper, including likelihood ratios and Gaussian noise, to help tune out false positives. He then ends the blog with some potential applications of this science for a SecOps team: risk-based alerting frameworks, false positive management via error costs, and queue prioritization.
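The likelihood-ratio and error-cost ideas mentioned above, worked through as an added Python example (this is my illustration of the radar-style decision rule, not code from Burkett's post). It assumes a detection score that is Gaussian with the same variance under "noise only" and "threat present", and that the analyst can state a prior probability of a threat plus relative costs for a false alarm and a miss; all the numbers in `__main__` are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class GaussianDetector:
    """Signal-in-noise model borrowed from radar detection theory.

    A detection score x is assumed to be N(0, sigma^2) when only benign
    'noise' is present and N(mu, sigma^2) when a real threat shifts it.
    Both parameters are assumptions you would estimate from labelled data.
    """
    mu: float     # mean shift produced by a genuine threat
    sigma: float  # standard deviation of the background noise

    def likelihood_ratio(self, x: float) -> float:
        """LR(x) = p(x | threat) / p(x | noise).

        For two equal-variance Gaussians the ratio of densities simplifies to
        exp((2*mu*x - mu^2) / (2*sigma^2)).
        """
        return math.exp((2 * self.mu * x - self.mu ** 2) / (2 * self.sigma ** 2))

    def score_cutoff(self, lr_threshold: float) -> float:
        """Raw score x* at which LR(x*) == lr_threshold (the formula inverted)."""
        return (2 * self.sigma ** 2 * math.log(lr_threshold) + self.mu ** 2) / (2 * self.mu)


def bayes_lr_threshold(p_threat: float, cost_false_alarm: float, cost_miss: float) -> float:
    """Bayes-risk-minimising likelihood-ratio threshold.

    Alert when LR(x) >= C_FA * P(noise) / (C_miss * P(threat)).  A cheap false
    alarm or an expensive miss lowers the bar; a rare threat raises it.
    """
    p_noise = 1.0 - p_threat
    return (cost_false_alarm * p_noise) / (cost_miss * p_threat)


def prioritise_queue(model: GaussianDetector, lr_threshold: float, scores):
    """Risk-based alerting: keep scores above the threshold, highest LR first."""
    scored = [(x, model.likelihood_ratio(x)) for x in scores]
    kept = [(x, lr) for x, lr in scored if lr >= lr_threshold]
    return sorted(kept, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    model = GaussianDetector(mu=3.0, sigma=1.0)
    # constructed assumptions: 1% of events are real, a miss costs 50x a false alarm
    lam = bayes_lr_threshold(p_threat=0.01, cost_false_alarm=1.0, cost_miss=50.0)
    print(f"LR threshold {lam:.2f} -> alert on raw score >= {model.score_cutoff(lam):.3f}")
    for x, lr in prioritise_queue(model, lam, [0.5, 1.0, 2.0, 2.6, 3.4]):  # constructed scores
        print(f"score={x:.1f} LR={lr:.2f}")
```

The useful property for a SecOps team is that the cutoff is no longer a magic number: raising the cost you assign to a miss (or the prior) moves the raw-score cutoff in a predictable direction, and the queue is ordered by how much more likely "threat" is than "noise" for each event rather than by arrival time.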
C2 Beaconing Detection with MDE Aggregated Report Telemetry by Mehmet Ergene
In this post, Ergene does some digging and detection ideation around Microsoft Defender for Endpoint’s newest aggregated reports feature. The feature provides a NetFlow-style report of connection flows seen by MDE, which can surface interesting and potentially malicious traffic. In Ergene’s example, he detects beaconing activity by taking advantage of the regular beacon intervals used in some post-exploitation frameworks (Sliver, Cobalt Strike). The idea is to find similar connection counts from endpoints across several days of data and pick up on consistent outgoing beacon connections.
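The "consistent connection counts across days" idea, as an added Python example that is mine rather than Ergene's query. It assumes you have already reduced the aggregated report to one row per device, remote address, port and day with a connection count (the tuple layout and all hosts, addresses and counts below are constructed); it flags pairs whose daily counts stay nearly constant, which is what a fixed-interval beacon looks like in such a report.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-day aggregated outbound connection counts:
# (device, remote_ip, remote_port, day, connection_count).  Addresses come from
# the documentation ranges; nothing here is real telemetry.
SAMPLE_ROWS = [
    ("ws01", "203.0.113.10", 443, "2025-03-10", 1440),   # ~60 s beacon
    ("ws01", "203.0.113.10", 443, "2025-03-11", 1438),
    ("ws01", "203.0.113.10", 443, "2025-03-12", 1441),
    ("ws01", "203.0.113.10", 443, "2025-03-13", 1440),
    ("ws01", "203.0.113.10", 443, "2025-03-14", 1439),
    ("ws01", "198.51.100.5", 443, "2025-03-10", 12),     # bursty, human-driven
    ("ws01", "198.51.100.5", 443, "2025-03-11", 340),
    ("ws01", "198.51.100.5", 443, "2025-03-12", 2),
    ("ws01", "198.51.100.5", 443, "2025-03-13", 87),
    ("ws01", "198.51.100.5", 443, "2025-03-14", 501),
    ("ws02", "203.0.113.10", 443, "2025-03-13", 1440),   # too few days to judge
    ("ws02", "203.0.113.10", 443, "2025-03-14", 1440),
    ("ws03", "192.0.2.77", 8443, "2025-03-08", 96),      # ~15 min beacon
    ("ws03", "192.0.2.77", 8443, "2025-03-09", 96),
    ("ws03", "192.0.2.77", 8443, "2025-03-10", 95),
    ("ws03", "192.0.2.77", 8443, "2025-03-11", 96),
    ("ws03", "192.0.2.77", 8443, "2025-03-12", 97),
    ("ws03", "192.0.2.77", 8443, "2025-03-13", 96),
    ("ws03", "192.0.2.77", 8443, "2025-03-14", 96),
]

SECONDS_PER_DAY = 86_400


def find_beacon_candidates(rows, min_days=4, max_cv=0.05):
    """Return (device, ip, port) pairs whose daily connection counts are stable.

    Stability is measured by the coefficient of variation (stdev / mean) of
    the per-day counts; a fixed-interval beacon produces nearly identical
    counts every day, so its CV is close to zero.  Pairs seen on fewer than
    min_days days are skipped because a short run is not evidence either way.
    """
    per_pair = defaultdict(lambda: defaultdict(int))
    for device, ip, port, day, count in rows:
        per_pair[(device, ip, port)][day] += count  # merge duplicate rows per day

    candidates = []
    for (device, ip, port), by_day in per_pair.items():
        if len(by_day) < min_days:
            continue
        counts = list(by_day.values())
        avg = mean(counts)
        if avg == 0:
            continue
        cv = pstdev(counts) / avg
        if cv <= max_cv:
            candidates.append({
                "device": device,
                "remote": f"{ip}:{port}",
                "days": len(by_day),
                "mean_per_day": avg,
                "cv": cv,
                # rough sleep interval implied by the daily count
                "approx_interval_s": SECONDS_PER_DAY / avg,
            })
    return sorted(candidates, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in find_beacon_candidates(SAMPLE_ROWS):
        print(f"{c['device']} -> {c['remote']}: {c['days']} days, "
              f"~{c['mean_per_day']:.0f}/day, cv={c['cv']:.4f}, "
              f"interval ~{c['approx_interval_s']:.0f}s")
```

Expect false positives from anything else that polls on a timer (update checks, monitoring agents, chat clients), so the output is a hunting lead to enrich with destination reputation and process context, not an alert on its own; Ergene's post approaches it the same way.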
AMSI Bypass: In-memory patching by drop_tables
This is a fun foray into evading Microsoft’s Antimalware Scan Interface (AMSI). This system detects and blocks malicious VBS, JavaScript, or PowerShell scripts. They target amsi.dll and hook the exported functions in the DLL to return an error on every call to AmsiScanBuffer(), which allows malicious scripts to run. At the end of the post, they give lots of detection and prevention opportunities.
detection.studio by northsh
This is an incredible open-source detection workbench. You can choose from a library of Sigma rules, import them into the rule editor, and select transforms through pySigma backends. Out pops a rule you can test on your SIEM of choice.
How to Streamline Data Access With Valet Key Pattern? by Sid
I’ve enjoyed reading Sid’s newsletter, The Scalable Thread, to understand data engineering problems and design patterns. Many of these patterns apply to detection engineering because it is data engineering at its core! In this deep dive on Valet Key patterns, Sid describes a client/server access pattern where an application server doesn’t serve as a proxy between the client and the backend storage but rather as a resource that delivers “valet keys” so clients can access storage directly.
By generating pre-signed keys, you can simplify storage access (think of pre-signed URLs in Amazon S3) without scaling the application. Some issues you have to account for are key security, expiration, and key revocation mechanisms, so you aren’t handing out keys willy-nilly.
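The valet key pattern with the three concerns named above (key security, expiration, revocation), as an added Python example; this is my sketch of an HMAC-signed grant, not code from Sid's article or any cloud provider's pre-signed URL format. It assumes the application server and the storage front end share the signing secrets, that a grant is bound to one object path and one HTTP method, and that revocation is done per signing-key id (kid); the hostname, paths and secrets are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse


class ValetKeyIssuer:
    """Issues and checks short-lived, HMAC-signed grants for direct storage access.

    The application server calls issue(); the storage front end calls verify()
    before serving the object.  The client never sees the signing secret, only
    a URL that is useless after 'expires' or once its kid is revoked.
    """

    def __init__(self, signing_keys, active_kid):
        self.signing_keys = dict(signing_keys)  # kid -> secret bytes (several, for rotation)
        self.active_kid = active_kid            # key used to mint new grants
        self.revoked_kids = set()               # grants under these kids stop working

    @staticmethod
    def _message(method, path, expires, kid):
        # everything the storage side enforces is covered by the MAC, so a client
        # cannot swap the path, method, expiry or key id without breaking it
        return f"{method}\n{path}\n{expires}\n{kid}".encode()

    def issue(self, base_url, path, method, ttl_seconds, now=None):
        now = int(time.time()) if now is None else int(now)
        expires = now + ttl_seconds
        secret = self.signing_keys[self.active_kid]
        sig = hmac.new(secret, self._message(method, path, expires, self.active_kid),
                       hashlib.sha256).hexdigest()
        query = urlencode({"method": method, "expires": expires,
                           "kid": self.active_kid, "sig": sig})
        return f"{base_url}{path}?{query}"

    def revoke(self, kid):
        """Invalidate every grant minted under this key id at once."""
        self.revoked_kids.add(kid)

    def verify(self, url, request_method, now=None):
        """Return (ok, reason); the cheap checks run before the MAC is computed."""
        now = int(time.time()) if now is None else int(now)
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        try:
            method = params["method"]
            expires = int(params["expires"])
            kid, sig = params["kid"], params["sig"]
        except (KeyError, ValueError):
            return False, "malformed grant"
        if kid not in self.signing_keys:
            return False, "unknown key id"
        if kid in self.revoked_kids:
            return False, "key revoked"
        if now >= expires:
            return False, "expired"
        if method != request_method:
            return False, "method not granted"
        expected = hmac.new(self.signing_keys[kid],
                            self._message(method, parsed.path, expires, kid),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"


if __name__ == "__main__":
    issuer = ValetKeyIssuer({"k1": b"constructed-secret-1", "k2": b"constructed-secret-2"}, "k1")
    url = issuer.issue("https://storage.example", "/bucket/report.csv", "GET", ttl_seconds=300)
    print(url)
    print(issuer.verify(url, "GET"))
```

Keep the TTL short (minutes, not days), because the grant is a bearer credential: anyone holding the URL can use it until it expires. Per-kid revocation is coarse, which is the trade-off for not having to keep a database of every grant ever issued; if you need to pull one client's access, issue under a dedicated kid for that client.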
☣️ Threat Landscape
Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack by James Berthoty
If you were paged over the weekend for the tj-actions/changed-files supply chain attack, this might be a good post to read as a recap. GitHub action runners are a super popular CI/CD remote-code-execution-as-a-service feature for developer teams. Think of it like Jenkins on steroids. These actions download stuff, build code, and ship it to production and other environments.
Since many people use these actions, compromising a popular GitHub action can have some downstream effects, such as stealing credentials or sensitive source code. The maintainer says a long-lived GitHub PAT token was compromised, and malicious code was in their main repository.
Death to long-lived access tokens!
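One check worth running after an incident like this is whether your own workflows reference actions by a mutable tag or branch instead of a full commit SHA, since a compromised maintainer token can move tags but cannot change what a pinned SHA resolves to. The script below is an added example of mine, not something from Berthoty's post or the tj-actions project; it walks a workflow file with a regex rather than a YAML parser so it runs without dependencies, and the sample workflow, the 40-hex placeholder SHA and the tag/branch names in it are constructed.

```python
import re

# Constructed workflow for the example; the 40-hex SHA is a placeholder, not a
# real commit, and the tag/branch names are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v99
        id: changed
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# matches "uses: owner/repo@ref" whether or not it opens a list item
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text):
    """Return (line_no, action, ref, reason) for every non-SHA-pinned action.

    Local composite actions (./...) and docker:// images are skipped: the
    former live in your own repo and the latter need image-digest pinning,
    which is a separate check.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith(("./", "docker://")):
            continue
        action, _, ref = ref_spec.partition("@")
        if not ref:
            findings.append((lineno, action, ref, "no ref at all (floats to the default branch)"))
        elif not SHA_RE.match(ref):
            findings.append((lineno, action, ref, "mutable tag or branch; pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref or '<none>'}: {reason}")
```

Pinning to a SHA only fixes the "tag was moved" problem; a pinned SHA still runs whatever that commit contained, so pair it with review of what the action does and with short-lived, least-privilege workflow tokens rather than a maintainer's long-lived PAT.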
This post is CINEMA.
According to this post by Rippling, a competitor allegedly used a spy (?!?!) to get a job at Rippling to do corporate espionage. Here’s a crazy quote:
According to the lawsuit, Deel’s spy spent over four months obsessively and systematically accessing Slack channels where he had no legitimate business interest. He searched Slack more than 6,000 times – allegedly swiping confidential sales pipeline data and internal customer interactions.
You’d think they’d have more operational security, but this shows you should collect Slack audit logs :).
Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape ESXicape by Kevin Beaumont
Broadcom published three vulnerabilities earlier this month, and oh boy, they are juicy. According to the security advisory they published on their GitHub, these are classified as a VM escape. Basically, if a VM is compromised, you can jump through the hypervisor into the host system. Beaumont also found threat actors advertising an ESXi escape before the release, so it looks like it was being peddled on the criminal underground before Microsoft found it.
Lazarus Group Bybit Heist: C2 forensics by Kenneth Kinion
This is a cool external threat-hunting post looking at public IOCs from the Bybit hack using Validin’s platform. I typically don’t post product blogs unless, like Validin, they have a community offering where you can try this on your own.
They start with domains and IPs shared by Mandiant/SlowMist and uncover additional infrastructure through DNS history, banner and host header hashes, and some good old-fashioned PTR records.
🔗 Open Source
triage.zip by Digital-Defense-Institute
This is an out-of-the-box triage collector for the Velociraptor project. Once you collect all the forensics, you can pass them through timeline frameworks like Plaso. A one-click download is available at https://triage.zip
NullGate by 0xsch1zo
Yet another EDR-style bypass mechanism using indirect syscalls. It uses some C++ trickery with consteval (link for the sadistic who enjoy reading cppreference). It generates a hash instead of the syscall function name, hopefully bypassing EDR detections.
detection.studio by northsh
Source code for the detection studio I linked above in State of the Art.
SSH-Steal by DarkSpaceSecurity
I linked DarkSpaceSecurity’s RunAs-Stealer in a previous issue, and seeing this stealer in C++ rather than PowerShell was a neat find. It looks for ssh.exe and tries to hook into it like a keylogger to steal passwords and private keys.
glance by glanceapp
This is a cool dashboard news aggregator that reminds me of Feedly.