Welcome to Issue #44 of Detection Engineering Weekly!
You’ve probably noticed a few changes in the style of the newsletter. I worked closely with the amazing folks at Miscreants to give Detection Engineering Weekly a more professional look. Some of the subtle changes include the colors, the logo (featuring Pasha, the Detection Engineering logo and my dog), and some of the typefaces. I am going to get stickers and t-shirts printed, along with some limited-edition coins to give out at conferences and to folks who are featured in my newsletter.
This week’s recap:
💎: Jared Atkinson's latest entry in his “On Detection” series, on scrutinizing telemetry and our perception of attacks to conceive new detections
Invictus Incident Response gives us the skinny on Microsoft Graph logs, Demystifying Threat Intel by Archetypes and Objectives, Anton Chuvakin on using intel for Detection Engineers, SSO detection gotchas by Martin Connarty and lastly GCP SSO detection ideation by Peter Solagna
A new Detection Podcasts series, featuring my favorite or recently listened to Detection episodes. Ran Levi on game theory in ransomware, Lima Charlie’s Christopher Luft & Nas Bencherchali talk about Sigma’s latest releases and detection engineering, and Sherrod Degrippo on Empathy in Incident Response
Yet Another Okta Breach (YAOB), bring your own Munchkin VM by Unit 42, government actors use a WinRAR vuln, Jabber gets pwned and macOS malware trends
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
On Detection: Tactical to Functional Part 9: Perception vs. Conception by Jared Atkinson
Continuing his "On Detection" series, Atkinson brings all of the concepts from the previous posts together into a Detection Engineering process. He builds an "Operation Chain" for a classic remote thread injection attack and scrutinizes the Microsoft Defender for Endpoint (MDE) documentation to map MDE event types to the 4-step general process for the attack.
Atkinson finds limitations in how MDE's event types map to this attack, showing how hard the technique is to catch even in Microsoft's flagship EDR. He then pivots to Sysmon as a counter-example and compares and contrasts the two telemetry sources.
The lessons learned across these series fall into Atkinson's two mantras:
We cannot detect that which we do not understand
We must align our conception with our perception
State of the Art
Everything you need to know about the MicrosoftGraphActivityLogs by Invictus Incident Response
The good folks at Invictus IR give readers the skinny on Microsoft's latest audit log source: the Microsoft Graph Activity Log. Microsoft learned a thing or two from recent incidents and bestowed upon us plebeians the ability to monitor our Azure environments. Invictus gives a quick tutorial on enabling the feature, details what fields were made available, and provides three detection examples on how you'd query the new data source.
Fargate and Cribl (Stream): How We Got It Working by Page Glave
A great follow-up to last week's 💎, "Is log centralization dead?", specifically on how technologies like Cribl emerged from the graveyard known as our log stores and how we can use them to shape logs and reduce costs. In this post, Glave shows readers how to use cloud-native technologies like AWS Fargate to deploy Cribl and forward logs into Panther. This gives you more control over how you extract, transform, and load security logs before they hit that expensive SIEM.
Demystifying Threat Intelligence: The Top 3 Misunderstood Aspects by Archetypes and Objectives
Cyber threat intelligence is one of the most misunderstood and misused disciplines inside cybersecurity. Perhaps my bias here comes from working at a threat intelligence firm for years, but how I see folks try to implement threat intelligence practices makes me a bit sad. This is one of the areas of cybersecurity where you are supposed to be pedantic, so stick with me.
A good intelligence program doesn't start with a CTI tool like a Threat Intelligence Platform; it ends with one. A good intelligence program starts with Intelligence requirements and the intelligence lifecycle. The author reviews these concepts and tries to frame the objective of threat intelligence by beginning with the human element first (the most critical part).
Focus Threat Intel Capabilities at Detection Engineering (Part 4) by Anton Chuvakin
I hope you read the post above by Archetypes and Objectives, because these two posts are like peas in a pod. Hopefully, readers of this newsletter have read posts I've linked that talk about the Detection Engineering backlog and how threat intelligence is a crucial ingredient to keep it healthy and up-to-date. Chuvakin frames the misconceptions behind threat intelligence as a pseudo-intelligence requirements list for intel teams to deliver high-quality intel to the detection team.
Sheep in Wolves’ Clothing: How our IP based authentication rules need to change by Martin Connarty
This excellent post details the intricacies and gotchas behind IP-based classification in detection rules. Threat actors have gotten REALLY good at making sure they appear as legitimate as possible when interacting with a service. For example, sellers would list the victim's geolocation on popular "stealer" marketplaces like Russia Market and Genesis Market (RIP), and a buyer could use a specialized browser to log in and impersonate the victim, too.
Free and commercial VPN detection can help with low-level abuse, but baddies use far more valuable tools. Connarty summarizes these toolsets, like residential proxies, and argues for better detection criteria than IP alone.
Detection of Inbound SSO persistence techniques in GCP by Peter Solagna
Speaking of Sheep in Wolves’ Clothing: Solagna details how SSO works on GCP and the various persistence mechanisms an attacker can use to stay in a target environment. This is especially spicy this week after the Okta news (more below). There is no Just-in-Time provisioning that allows impersonation of GCP tenants, but there are plenty of other ways for a malicious user to gain a foothold in an environment. These mostly involve identity pools for resources and SSO profiles, which Solagna describes in detail.
Detection Engineering Podcasts
The social media section from previous issues has gotten tough on Substack, mainly because Elon is ruining the embedding and cross-linking of Substack posts on Twitter. Some of the takes and tweets were fun, but I want folks to have access to content that makes them a lot smarter, not just memes.
So, I'm going to link Detection Engineering-related podcasts or adjacent from now on. It looks much better, and you get a better experience, too!
These are the latest episodes I've listened to in a week. For a complete list of my favorite episodes and past episodes, check my playlist on Spotify here:
Threat Landscape
Tracking Unauthorized Access to Okta's Support System by David Bradbury
Okta CSO Bradbury disclosed an incident where actors gained access to Okta's support system portal. These actors downloaded customer-uploaded HTTP Archive (HAR) files, which Okta recommends customers upload for troubleshooting issues. These HAR files can contain session tokens and other sensitive information. Hence, during the incident, the threat actors used the HAR files to pivot into customer tenants.
How Cloudflare mitigated yet another Okta compromise by Sourov Zaman, Lucas Ferreira, Kimberly Hall and Grant Bourzikas
Not a good look for Okta. Cloudflare was aware of the compromise days before Okta was, and Cloudflare semi-accuses Okta of not responding promptly to reports about it. Cloudflare had enough defense in depth to prevent the compromise from having any material impact, but it sounds like they were frustrated with Okta, especially after learning that BeyondTrust reported it 16 days before Okta published their report.
BlackCat Climbs the Summit With a New Tactic by Unit 42
BlackCat ransomware operators developed a utility called Munchkin, and Unit 42 incident responders got a copy. Munchkin is an Alpine-based virtual machine that lets operators and affiliates deploy the ransomware strain to victims. It's impressive how much tooling Munchkin provides operators: Unit 42 got hold of a ton of Python files built for operators to perform all kinds of tactics in victim environments.
Government-backed actors exploiting WinRAR vulnerability by Kate Morgan
CVE-2023-38831, affecting WinRAR, has moved from cybercrime use to government-backed actor use, according to Kate Morgan of Google's Threat Analysis Group. After describing the WinRAR vulnerability in detail, Morgan highlights several government-backed campaigns that targeted users in Ukraine and Papua New Guinea. The post ends with a great conclusion:
The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available.
This is a wild story. Basically, the biggest XMPP-based service in Russia, jabber[.]ru, was allegedly "wiretapped", with traffic intercepted on two VPS servers at Hetzner and Linode. It's a great breakdown of a network forensic investigation, which I last saw quite some time ago, especially since the detection space focuses primarily on endpoints.
macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques by Phil Stokes
It might be recency bias, but I’ve seen a lot more news about malware targeting macOS since starting this newsletter. The detection opportunities differ greatly between this target set and other endpoints like Windows. According to Stokes, some actors forgo persistence mechanisms since they can typically get everything they need once the malware executes. Companies and security engineers should also worry more about supply chain attacks against macOS than against other platforms, since we’ve seen more campaigns targeting legitimate software itself, such as 3CX.
Open Source
GraphRunner by dafthack
A PowerShell-based M365 post-exploitation toolkit. With Microsoft releasing Graph audit logs, this is a great tool for blue teams to write detections against. The corresponding blog post is massive and has a lot of information for users.
WolfPack by RoseSecurity-Research
A wrapper around Terraform and Packer for red team tool deployment. You can set up redirectors, a common red-team technique, to increase OPSEC on any C2 servers you have running in the wild. Let's hope the bad guys commit their User-Agent "secret" so we can see that code in the wild :).
har-sanitizer by Google
I was searching for ways to scrub or find secrets in HAR files and stumbled upon this 6-year-old repo from Google. It hasn’t been updated in a while, but maybe my Google-fu stinks. Trufflehog and other secrets scanners had nothing on scrubbing HAR files, so can we really blame Okta?
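Since HAR files are exactly where the Okta session tokens leaked from (see the Okta story above), here is an added example of the kind of scrubbing described here, written for this issue rather than taken from Google's har-sanitizer: it deep-copies a parsed HAR, redacts every cookie, the Authorization/Cookie/Set-Cookie headers, and token-like query and form parameters (including the copy of the query string that lives inside the raw request URL), and reports how many values it touched. The header and parameter name lists and the sample HAR are constructed assumptions, not anything from the repo or from Okta.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Names that carry session material in a HAR; assumed for this example, not har-sanitizer's config.
SENSITIVE_HEADER_RE = re.compile(r"^(authorization|cookie|set-cookie|x-api-key)$", re.I)
SENSITIVE_PARAM_RE = re.compile(r"token|session|sid|password|secret|key", re.I)  # over-redacts on purpose
ANY_NAME = re.compile("")  # matches every name: every cookie value is a credential
REDACTED = "[REDACTED]"

def _redact_pairs(pairs, name_re):
    """Replace the value of every HAR name/value pair whose name matches name_re."""
    count = 0
    for pair in pairs:
        if pair.get("value") and name_re.search(pair.get("name", "")):
            pair["value"] = REDACTED
            count += 1
    return count

def _redact_url(url):
    """The raw request URL repeats the query string, so scrub it there as well."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAM_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted) for a parsed HAR dict."""
    har, count = json.loads(json.dumps(har)), 0  # copy so the caller's object is untouched
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for section in (req, resp):  # headers and cookies appear on both sides
            count += _redact_pairs(section.get("headers", []), SENSITIVE_HEADER_RE)
            count += _redact_pairs(section.get("cookies", []), ANY_NAME)
        count += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAM_RE)
        count += _redact_pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAM_RE)
        if "url" in req:
            req["url"] = _redact_url(req["url"])
    return har, count

# Constructed sample: one Okta-style API call captured with a live session (fake values).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.com/api/v1/sessions?sessionToken=abc123",
        "headers": [{"name": "Cookie", "value": "sid=1234"}, {"name": "Accept", "value": "*/*"}],
        "cookies": [{"name": "sid", "value": "1234"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}],
        "postData": {"params": [{"name": "password", "value": "hunter2"}]}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=5678; HttpOnly"}]}}]}}

if __name__ == "__main__":
    print(sanitize_har(SAMPLE_HAR)[1], "values redacted")
```

Run it against a real `json.load`-ed HAR before attaching it to a support ticket; the redaction count is a quick sanity check that the capture actually carried something worth scrubbing.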
CVE-2023-22515 module for Metasploit by rapid7
PR for Confluence CVE-2023-22515 now shipped into Metasploit. Now all the hackerz will use it and we are doomed!1
cisco-ios-xe-implant-detection by fox-it
Repo with Python code to check for implants from the latest CVE-2023-20198 vulnerability in Cisco IOS XE web portals. Interestingly, it doesn’t check whether a device is vulnerable, but whether a device is compromised.
Looks great, thanks for all the work!