Welcome to Issue #109 of Detection Engineering Weekly!

📢 I’m going to RSA! Wanna hang out? 📢

I’ll be speaking at RSA this year, and Datadog is hosting a big booth with lots of networking events! We’ll have our own booth, “Meet the Research Team”, and we are gonna have security researchers run the booth showing everything we are working on, as well as talking shop about the latest in security research.

If you want to come see what we are up to, or to grab some Detection Engineering Weekly stickers, sign up here: https://www.datadoghq.com/event/rsa2025/

⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:

Det. Eng. Weekly #108 - Can any1 in the IC add me to their Signal group?

Zack 'techy' Allen

·

Apr 2

Read full story

The Security Research Product Function

Zack 'techy' Allen

·

Mar 26

Read full story

💎 Detection Engineering Gem 💎

Detecting C2-Jittered Beacons with Frequency Analysis by Diego Valero Marco

Heck yes, a detection blog using mathematics! In Issue 107, I listed a blog by Mehmet Ergene using a bucketing technique with MDE to detect C2 callouts. The assumption behind C2 callbacks is that infected machines check in with the C2 server to help the attacker know that the infection is still active. Using Window techniques helps catch "bins" of time, where you can possibly find spikes in traffic. Diego builds on top of Mehmet's technique by using Fourier analysis.

The basic foundation of Fourier analysis rests in decomposing a Signal, in this example C2 flow log traffic, and finding "spikes" in that Signal that could indicate something unusual. The above picture (stolen from Diego's blog) represents what they are trying to find. Blue indicates network traffic, red indicates the C2 beacon, and green means the combined traffic. Using a Fourier transform over the three datasets helped him find a C2 beacon traffic calling out.

They go into much more detail on using bucketed time Windows, similar to Mehmet's work, on top of many FFT's to detect spikes. It's definitely worth the read!

🔬 State of the Art

UEBA - A Key Detection Ingredient by Adam Barnett

I feel like UEBA is a dirty word in security. It had a ton of promise in its beginnings (starting in 2015, according to Barnett). Companies who delivered a product for it were way ahead of their time. First, Identity Providers (IdPs) took off but were not part of the best practices of the security fabric until several years later. Secondly, the cloud didn't exist in the same capacity as it does today, and the federation of IDps to SaaS and Cloud products wasn't as connected as it is now.

So, we learned a ton, but we now have data sources with a much more reduced Attack surface for a User. We aren't purely on-prem anymore, and a set of APIs against a SaaS product is much easier to track with Audit logs than setting up Windows event logs across a massive on-prem fleet with thousands of APIs.

This is what Barnett demonstrates in this blog. They highlight a straightforward Detection rule, several login failures against Azure followed by a login success. The hypothesis states that many login failures followed by success can mean password brute forcing. But there's a strong confirmation bias this hypothesis produces.

Before you read Barnett's solution in the blog, can you spot the problems here?

events:
    $blocked_login.metadata.vendor_name = "Microsoft"
    $blocked_login.metadata.log_type = "AZURE_AD"
    $blocked_login.metadata.event_type = "USER_LOGIN"
    $blocked_login.security_result.action = "BLOCK"
    $blocked_login.security_result.summary = "Failed login occurred"
//Error 50140 - This error occurrs due to "Keep me signed in" interrupt when the user was signing-in.This can occur conjunction with succesful logins
    $blocked_login.security_result.rule_id != "50140" 
    $allowed_login.metadata.vendor_name = "Microsoft"
    $allowed_login.metadata.log_type = "AZURE_AD"
    $allowed_login.metadata.event_type = "USER_LOGIN"
    $allowed_login.security_result.action = "ALLOW"
    (
      $allowed_login.target.application = "Microsoft Azure PowerShell" or
      $allowed_login.target.application = "Microsoft Azure CLI" or
      $allowed_login.target.application = "Azure Active Directory PowerShell"
    )
    $targetAccountId = $blocked_login.target.user.userid
    $targetAccountId = $allowed_login.target.user.userid
    $blocked_login.metadata.event_timestamp.seconds < $allowed_login.metadata.event_timestamp.seconds

  match:
    $targetAccountId over 4h 

  outcome:
    $failed_logins_count = count_distinct($blocked_login.metadata.id)
    $victim_name = array_distinct($blocked_login.target.user.userid)
    $failed_logins_count_threshold = 9

  condition:
    $blocked_login and $allowed_login and $failed_logins_count >= 9

Understanding Latency in Distributed Systems by Sid

I'm sure most of us know the command line and swear by tools like ping and traceroute (or tracert for Windows friends). Latency is a foundational concept for security engineers since we focus so much on the network. But what else causes higher or lower latency, regardless of the network topology you traverse? This is where modern Software Engineering and Architecture come into play.

Sid lists five reasons for latency increases, only one of which is the result of pure networking delays. He then describes two networking and three data strategies to reduce latency, which is genuinely "full-stack."

This is super relevant to Detection Engineering. The "software engineering" part of our field requires timely and consistent delivery of telemetry. If, for example, high latency from a logging endpoint results from a distant geographic location, and the logs arrive outside a rule detection window, you are blind.

Combining Dll Sideloading and Syscalls for Evasion by Lain Kusanagi

This was a nice overview blog post on weaponing DLL Sideloading to evade EDR and other security tooling. The basic idea behind DLL sideloading is leveraging a "trusted" executable (signed by Microsoft), and through this trust chain, you can find one or many DLLs loaded by the executable.

You can use a malicious DLL that the trusted executable calls in a folder that the attacker owns to evade security protections. There's a cool project called Hijack Libs, where, much like lolbins, you can find all sorts of candidate DLLs to leverage this technique.

The cool part of this blog is seeing how Kusanagi uses Defender and Elastic's YARA ruleset to check for positive detections. My only question for this post is whether or not Direct Syscalls DO get detected by EDRs. Based on my knowledge, Windows tends to avoid direct syscalls (unlike Linux) for backward compatibility reasons and prefers indirect syscalls via ntdll.

Hijack Libs by Wietze Beukema

I referenced this project in Kusanagi's blog analysis above, but I think it deserves its own callout. This is a great compendium of publicly disclosed Windows libraries that serve as great candidates for DLL sideloading. There are other DLL candidates outside of sideloading ones, including phantom DLLs, search order hijacking DLLs, and an attacker-controlled environment variable of a trusted executable.

We found the atop bug everyone is going crazy about by Bismuth

This is a fun vulnerability breakdown from this cryptic blog about a vulnerability in atop. According to the vulnerability writeup on openwall, atop tries to connect to a server on a local port to collect GPU statistics. This in itself is fine, except that the parsing logic behind that parsing can result in a heap overflow, and that local server may not always run, so you can spawn a malicious one. Bismuth reproduced this bug, exploited it, and responsibly disclosed it.

They provided helpful commentary about the cryptic blog and how responsible disclosure helps prevent speculation and panic. However, I think the blog referenced isn't helpful at all and can do more harm from a fire drill perspective than good.

☣️ Threat Landscape

Tracking Adversaries: EvilCorp, the RansomHub affiliate by Will Thomas a.k.a. BushidoToken

This is an excellent survey behind the messy affiliate ecosystem of ransomware gangs. Evil Corp has been around the crimeware scene since at least 2015, and has moved between affiliations and malware families since then. They are responsible for creating several ransomware strains and are sanctioned by the U.S. Government.

Will, of course, goes into much more detail than my analysis, but what you should take away from posts like these is that these operations don't exist in a silo and typically have a lineage going back decades in some scenarios.

DPRK IT Workers Expanding in Scope and Scale by Jamie Collier

According to researchers from Google's Threat Intelligence Group, DPRK IT workers have expanded operations to Europe. According to Collier, DPRK has recruited facilitators in Europe, and now the IT workers are making headwinds into IT companies across the continent. The more concerning disclosure in the blog is the increase in the number of extortion cases by IT workers. It suggests in the blog that since the stakes are higher for IT workers, they tend to get employment and expect to get caught. So they focus on stealing data while they are in as leverage for payments.

Ivanti Releases Security Updates for Connect Secure, Policy Secure & ZTA Gateways Vulnerability (CVE-2025-22457) by CISA

From the CVE writeup:

“A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.”

Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs by Subhajeet Singha

APT writeups of groups against Russian targets are few and far between, but it's nice to read them to compare and contrast what others see and report on. It's a multi-stage infection with your usual suspects: malicious RAR archive, an executable stored in a PDF's resource section, and ending in Cobalt Strike. Even Western APTs use Cobalt Strike!

🔗 Open Source

awesome-mcp-servers by appcypher

If you haven’t read about Model Context Protocol (MCP) servers, it’s probably one of the more exciting developments in LLM technology I’ve read in the last 6 months. MCP servers allow you to map LLM prompts locally to other LLMs in remote servers, and can help build integrations with LLMs. I think there’s going to be some exciting security use cases for this, so my hope is this list has security MCP servers.

SysCall_ShellcodeLoad_Csharp by Kara-4search

Shellcall loader written in CSharp. Leverages direct syscalls to bypass EDR hooks.

markitdown by microsoft

Python utility that converts all kinds of documents into pure Markdown. The idea behind this is to build analysis pipelines of blogs, PDFs, docs, send it to markdown, and then use LLMs over it. Also has it’s own MCP!

falsecho by BEND0US

This repository is advertised as an advanced phishing framework, but it’s a little different than the likes of evilginx. It pulls data from webcams, microphones and clipboard content, so it’s more like a stealer but you can also load phishing pages.

peeko by b3rito

peeko is an XSS-based C2 framework that you can inject on victim pages. It’s a post-exploitation framework kind of like Cobalt Strike. It has a surprising amount of functionality: local LAN scanning, file delivery and running arbitrary javascript.