Welcome to Issue #46 of Detection Engineering Weekly!
This week’s recap:
Sean Hutchinson 💎 on benign positives and filtering via enrichments
Simone Kraus gives a masterclass on CTI-driven detection opportunities
Luke Jennings on threat actor opportunities when compromising Slack workspaces
I get confused by the CVSS 4.0 calculator, Raj Patel on using legacy features in Excel to move laterally, Invictus Incident Response’s detection opportunities on GraphRunner, and Nasreddine Bencherchali launches Sigma Rule Creation GUI
On podcasts: “Hunt Forward” teams in Ukraine, Allison Nixon on the not-so-nice parts of the cybercriminal underground, and Microsoft gives a detailed view into Octo Tempest
Apache ActiveMQ exploitation, a taxi scam, ZDI drops some Exchange 0-days, Mozi dies, and cloud threat reports by Google
plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me at techy@detectionengineering.net
📣 Issue #46 Sponsor: Miscreants
If you don't know about Miscreants already, let me put you on. They are a hacker-led creative company designing for the cybersecurity space (they did the new DEW branding). Their design team also makes the coolest shirts in cybersecurity and their most popular shirts just restocked (I have the Eternal Blue one, naturally).
Link: Shop Miscreants
💎 Detection Engineering Gem 💎
Dealing with Noisy Behavioral Analytics in Detection Engineering by Sean Hutchinson
In this blog by CMU researcher Sean Hutchinson, he offers prescriptive guidance on tuning alerts and introduces the concept of "benign positives". When you try to balance precision and recall, it's hard to place security alerts into just two buckets, true positives and false positives. The reason is that some alerts need more context and enrichment than others before a decision can be made, and you may be willing to triage and investigate false positive alerts as long as the cost of doing so is kept low.
By learning the patterns of true positives and identifying the patterns that are benign, you can layer filtering logic that suppresses the benign activity while leaving the rest for triage. Hutchinson offers a table of context types you can use when building these filters to reduce cost in the overall tuning strategy.
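To make the layering concrete, here is an added example (not code from Hutchinson's blog) of an alert pipeline that enriches each alert with context, applies benign-positive filters in order, and refuses to auto-suppress anything on tier-0 assets; the enrichment sources, field names and sample alerts are all constructed.

```python
# Layered benign-positive filtering over enriched alerts. Added example for this
# issue, not code from Sean Hutchinson's blog; field names, enrichment sources
# and sample alerts are all constructed.
from dataclasses import dataclass, field
# Constructed enrichment sources standing in for a CMDB, change tickets, identity.
ASSET_ROLE = {"build-01": "ci-runner", "ws-042": "workstation", "dc-01": "domain-controller"}
ACTIVE_CHANGE_TICKETS = {("build-01", "admin.ci"), ("ws-042", "svc-backup")}
PRIVILEGED_USERS = {"admin.ci", "svc-backup"}
KNOWN_ADMIN_TOOLS = {"psexec.exe", "powershell.exe"}
TIER0_ROLES = {"domain-controller"}  # never auto-suppress alerts from these

@dataclass
class Alert:
    host: str
    user: str
    process: str
    context: dict = field(default_factory=dict)

def enrich(alert: Alert) -> Alert:
    """Attach the context types the benign filters key on."""
    alert.context["asset_role"] = ASSET_ROLE.get(alert.host, "unknown")
    alert.context["change_ticket"] = (alert.host, alert.user) in ACTIVE_CHANGE_TICKETS
    alert.context["privileged_user"] = alert.user in PRIVILEGED_USERS
    return alert

# Benign-positive filters, cheapest context first. Each encodes a specific
# benign pattern, not a blanket "ignore this host" exception.
BENIGN_FILTERS = [
    ("ci_runner_admin_tooling",
     lambda a: a.context["asset_role"] == "ci-runner" and a.process in KNOWN_ADMIN_TOOLS),
    ("approved_change_window",
     lambda a: a.context["change_ticket"] and a.context["privileged_user"]),
]

def classify(alert: Alert):
    """Return ('benign_positive', filter_name) or ('investigate', None)."""
    enrich(alert)
    if alert.context["asset_role"] in TIER0_ROLES:
        return "investigate", None  # tier-0 assets bypass every benign filter
    for name, predicate in BENIGN_FILTERS:
        if predicate(alert):
            return "benign_positive", name
    return "investigate", None

def triage(alerts, minutes_per_investigation=30):
    """Classify a batch; return (verdicts, analyst minutes still required)."""
    verdicts = [classify(a) for a in alerts]
    todo = sum(1 for verdict, _ in verdicts if verdict == "investigate")
    return verdicts, todo * minutes_per_investigation
```

Each suppression carries the name of the filter that fired, so a benign positive stays auditable instead of silently disappearing.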
State of the Art
Ransomware & Data Extortion Landscape by Simone Kraus
This article is an excellent application of CTI-informed detection engineering. Kraus uses TidalCyber's Community Edition to overlap public ransomware reporting and turn it into a heatmap on MITRE ATT&CK. Kraus then overlaps MITRE Engenuity's post on Summiting the Pyramid, a gem from a previous issue, to study how LockBit performs T1562.001 (Impair Defenses: Disable or Modify Tools) to find detection opportunities.
Phishing through Slack for initial access by Luke Jennings
If you are unfamiliar with the SaaS Attack Matrix, this is an excellent post implementing ideas from the matrix. It also happens to feature the company that created it. Jennings goes into detail on two techniques involving Instant Messaging attacks. Besides Instant Messenger being a blast from the past for me (AIM anyone?), it's interesting to see how you can phish users who are external to an internal Slack and how someone can abuse features of Slack to make it seem like they are being contacted by a trusted user. Jennings proposes an interesting "Chameleon attack" that has a threat actor change their Slack profile over time.
CVSS 4.0 by FIRST
CVSS 4.0 was released by FIRST at their annual conference in Montreal this year, but the blog posts and user guides went up last week. You can read the linked user guide or play with the calculator here. My initial feedback is that there's much more specificity, but the calculator is challenging to use. Qualys has an informative visual diagram of the changes in their blog here.
Lateral Movement: Abuse the Power of DCOM Excel Application by Raj Patel
DCOM is Microsoft's solution for letting Windows processes load remote software components. So, wherever Microsoft builds features, attack techniques lurk! Patel and the team found a peculiar API method, ActivateMicrosoftApp(), present in Microsoft Excel applications that attackers can use to initiate malicious DCOM connections. You'll need a few things, like local admin on the remote host and the ability to write a file into specific directories. Still, it allows attackers to launch malicious executables as child processes of Excel.
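From the defender's side, the durable signal in this technique is Excel spawning an executable it never normally spawns, with no user having opened Excel. Here is an added detection example (not code from Patel's post) run over constructed Sysmon-style process-creation events; the field names and the small allowlist of expected Excel children are assumptions, and the rule weights a finding higher when Excel's own parent is svchost.exe, which is how a DCOM-activated process is launched rather than from a user's explorer.exe.

```python
# Detection over constructed process-creation events: flag executables spawned
# by Excel, scoring higher when Excel itself was started by the DCOM launcher
# (svchost.exe hosting DcomLaunch) instead of by a user's explorer.exe. Added
# example, not code from Raj Patel's post; the Sysmon-style field names and the
# helper allowlist are assumptions.
def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

# Children Excel legitimately spawns (assumed allowlist; tune per environment).
EXPECTED_EXCEL_CHILDREN = {"splwow64.exe", "werfault.exe"}

def excel_child_findings(events):
    """events: dicts with pid, ppid, image, parent_image, cmdline.
    Returns one finding per unexpected child of excel.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["parent_image"]) != "excel.exe":
            continue
        child = _basename(e["image"])
        if child in EXPECTED_EXCEL_CHILDREN:
            continue
        excel = by_pid.get(e["ppid"])
        launcher = _basename(excel["parent_image"]) if excel else "unknown"
        # DCOM activation means no user opened Excel; a non-Office child there is
        # the pattern described in the post, so weight it higher.
        severity = "high" if launcher == "svchost.exe" else "medium"
        findings.append({"pid": e["pid"], "child": child,
                         "excel_launcher": launcher, "severity": severity,
                         "cmdline": e["cmdline"]})
    return findings

# Constructed sample: one DCOM-activated Excel, one interactive Excel.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 5200, "ppid": 400, "image": EXCEL,
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "EXCEL.EXE -Embedding"},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Users\Public\update.exe",
     "parent_image": EXCEL, "cmdline": "update.exe"},
    {"pid": 6000, "ppid": 1200, "image": EXCEL,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "EXCEL.EXE report.xlsx"},
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\splwow64.exe",
     "parent_image": EXCEL, "cmdline": "splwow64.exe"},
    {"pid": 6200, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": EXCEL, "cmdline": "cmd.exe /c ipconfig"},
]
```

The allowlist is deliberately short; a real deployment should be tuned from a baseline of what Excel spawns in that environment rather than copied as-is.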
A Defender's Guide to GraphRunner — Part I by Invictus Incident Response
What better way to provide research and detection opportunities on red team tools than an Incident Response firm like Invictus IR? The firm reviews everything GraphRunner does, from authentication and permission enumeration to reconnaissance and other post-exploitation activities. And like good Internet citizens, Invictus updated their GitHub with useful KQL queries.
Introducing SigmaHQ Rule Creation GUI by Nasreddine Bencherchali
If you ask me what open source project contributes the most brain power and does the best for the detection community, hands down, it would be Sigma. The project hit 7k stars on GitHub and launched its own GUI for building, testing, and generating rules. Make sure to go check it out and give feedback to Nas and the team, as this will evolve a ton over the following months!
Detection Engineering Podcasts
Do you ever think threat hunting could reduce wartime effectiveness? I didn't think so until I listened to this podcast where a Ukrainian official talks about working with U.S. "hunt-forward" teams to neutralize some Russian badness before the ground invasion.
I've been following Allison's research for years, and she's one of the best in the field for tracking threat actors and improving people's lives with threat intelligence. I enjoyed her analogy of cyber threat research as a "drama" you follow, almost like a trash T.V. show. If you want more insight into the origins of "The Comm" A.K.A. Scattered Spider, you should listen to this episode.
Speaking of "The Comm" and "Scattered Spider," Octo Tempest is Microsoft's designation for this loose association of threat actors from Western countries. These researchers and responders have first-hand experience with incidents involving this group, including listening to the social engineering phone calls the group performs.
Threat Landscape
Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 by Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young
HelloKitty ransomware group quickly pounced on this RCE vulnerability in Apache ActiveMQ and successfully exploited it within two customer environments, according to Rapid7 researchers. The operators moved straight to ransoming the server rather than running the usual ransomware playbook: initial access, privilege escalation, lateral movement to a domain controller, then malware deployment.
New Microsoft Exchange zero-days allow RCE, data theft attacks by Bill Toulas
TrendMicro researchers, under their Zero Day Initiative Program, dropped four Microsoft Exchange vulnerabilities last Friday. According to Microsoft, these vulnerabilities did not necessarily meet their severity classification guidelines for a vulnerability due to the prerequisite of authentication on systems to perform the attacks. I don't know how someone could look at an RCE vulnerability, even if authenticated, and think: 'yah, not severe enough', but here's a quote Microsoft gave Toulas:
Regarding ZDI-23-1578: Customers who have applied the August Security Updates are already protected.
Regarding ZDI-23-1581: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege.
Regarding ZDI-23-1579: The technique described requires an attacker to have prior access to email credentials.
Regarding ZDI-23-1580: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information.
Two Russian Nationals Charged For Conspiring To Hack The Taxi Dispatch System At JFK Airport by US Department of Justice
Have you ever sat back and wondered if you could be a great criminal? You've read all about different intrusions, schemes, and personalities that perform these things, right? What's your perfect crime? This announcement by the US DoJ is my perfect crime. It reads like a mix between an It's Always Sunny and a Law & Order episode. The gang gets involved with some local mobsters to help taxis skip the line as long as they pay a fee.
Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to ALPHV/BlackCat Ransomware by eSentire Threat Response Unit
eSentire's IR unit traced a compromise that started with a Nitrogen infection on a customer's unmanaged device and led to ALPHV. eSentire has been tracking Nitrogen since June of this year, and the malware strain relies heavily on drive-by downloads from malicious ads. This was a unique infection chain since it relied heavily on Sliver obfuscated with Python.
Threat Horizons Q3 2023 Threat Horizons Report by Google
Google's "Cybersecurity Action Team" Quarterly report is out. It's good to see how Google tracks threats across its environment and within customers who use Google Cloud. A key finding that aligns with some of the news around SCATTERED SPIDER/Octo Tempest is a threat actor's ability to adapt and target several SaaS-connected products to pivot in, out, and between cloud environments.
Who killed Mozi? Finally putting the IoT zombie botnet in its grave by Ivan Bešina, Michal Škuta and Miloš Čermák
ESET researchers note a peculiar stop to the Mozi botnet, and they go down the rabbit hole of observing "kill switch" commands sent to Mozi in the wild. I've always read takedowns through the lens of law enforcement reports or indictments, but I liked this report because you can see how it was taken down from the perspective of an outside observer with access to some of the Mozi infrastructure. According to the researchers, the likely scenario is that either the creators or Chinese law enforcement took the botnet down.
Open Source
Active_Directory_Advanced_Threat_Hunting by tomwechsler
Informative repository of threat hunting scenarios across Active Directory environments. I like how you can follow tomwechsler’s methodology throughout each individual markdown and follow along on the hunts. Lots of detection opportunities in here!
kubernetes-for-soc by abdullahgarcia
SOC teams need to understand emerging technologies, especially as threat actors pivot to them to compromise victims. This repo has two directories: one describing getting the right amount of observability to do Kubernetes threat detection, and the other deep diving the threat model behind Kubernetes environments.
macho_similarity by g-les
Cleverly conceived, this cluster tool (Greg Lesnewich) is a cunning conveyor that coalesces Mach-O binaries with categorical clarity. I don’t know why I wanted to describe this as an alliteration, maybe it’s because when I think about researchers who are excellent at clustering threat actor activity, I think of Greg? Anyways, see this in action with the latest KANDYKORN sample.
FARA by bartblaze
One of the best ways to learn a technology is trying to implement it, screwing up royally, then digging yourself out of a perpetuating hole of despair. It’s the adage of pulling something apart and putting it back together. Well, bartblaze did the pulling apart for us, and you can practice your YARA debugging skills by fixing these YARA rules. It covers all sorts of errors and edge cases.
honeypots-detection by UnaPibaGeek
As much as I love honeypots, I imagine it can be annoying trying to interpret Internet scans to determine the impact of a vulnerability, misconfiguration or botnet when a large percentage of the results are honeypots. UnaPibaGeek released this tool after presenting it at Ekoparty. It can focus our analysis on genuinely exposed resources, but also help make honeypots harder for the baddies to spot.