Det. Eng. Weekly #47 - My GPT is hallucinating again
How would I know it'd eat the whole mushroom chocolate bar?!
Welcome to Issue #47 of Detection Engineering Weekly!
This week’s recap:
💎 by Jon Hencinski on capacity modeling for a SOC - it’s a great view into how SOC leaders think about triaging alerts, and how we as detection engineers can help move that needle
mthcht on hunting suspicious TLDs in your telemetry
Ian Cooper on the pain of telemetry collection and detection in the cloud, and he brings receipts
Olaf Hartong debuts FalconHound
Shaun Vlassis on the importance of enrichment for detection, Zachary Reichert and Joel Uckelman rip out and study a malicious and sneaky web server module from Confluence, Diego Perez on threat-informed defense gotchas
The Darknet Diaries, Cybersecurity Defender’s Podcast and DISCARDED podcast episodes
Sandworm takes out a power grid, LockBit in the news (again), Dockerized DDoS botnets, wipers targeting Israeli institutions and a deep dive on SystemBC
plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Capacity Modeling: Enhancing Analyst Well-being & SOC Efficiency by Jon Hencinski
Whether you are an aspiring or experienced detection engineer who delivers alerts to a SOC, this post is for you! Hencinski is one of the best minds when it comes to building and scaling a security operations program. In this post, he reviews a Twitter poll that asked users whether they use a capacity model in their SOC program. Since SOC analysts are the end customers of our alerts, we, as detection engineers, must plug into that model and drive down the time it takes to work an alert via automation, enrichment, and, of course, accurate alerts!
State of the Art
Threat Hunting - Suspicious TLDs by mthcht
We all know suspicious TLDs exist, but are they worth adding as an alerting scenario for your SIEM? In this post, mthcht uses several sources of malware and suspect-TLD research to curate a list of these TLDs to hunt for within your SIEM environment. I like how prescriptive the advice here is: use this research for threat hunting or low-signal alerts only; don’t ever try to do this with alerts you send to a SOC!
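To make the "hunt, don't alert" point concrete, here is an added example (mine, not mthcht's code or list) that runs a suspect-TLD hunt over constructed DNS log lines: it normalises queried names, extracts the rightmost label, groups hits under each suspect TLD with the hosts that asked, and reports TLD prevalence so the analyst can judge how rare a hit actually is. The TLD set and the log format are assumptions for illustration; the real hunt should use the curated list from the post and your own telemetry schema.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed suspect-TLD list for illustration only; swap in a curated list
# such as the one mthcht assembled before running this against real telemetry.
SUSPECT_TLDS = {"top", "xyz", "zip", "mov", "click", "gq", "cf", "tk", "ml", "ga"}

# Constructed sample DNS telemetry: "<timestamp> <source_host> <qtype> <queried_name>".
SAMPLE_LOG = """\
2023-11-13T10:01:02Z ws-0412 A updates.example.com
2023-11-13T10:01:03Z ws-0412 A cdn.example.net.
2023-11-13T10:02:10Z ws-0899 A login-portal-secure.top
2023-11-13T10:02:11Z ws-0899 A LOGIN-PORTAL-SECURE.TOP
2023-11-13T10:03:45Z srv-db01 A metrics.example.org
2023-11-13T10:04:00Z ws-1201 A invoice-2023.zip
2023-11-13T10:04:30Z ws-1201 TXT _dmarc.example.com
2023-11-13T10:05:01Z ws-0077 A xn--80ak6aa92e.tk
2023-11-13T10:05:02Z ws-0077 PTR 10.0.0.5
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def normalise(name: str) -> str:
    """Lower-case and drop the trailing root dot so case/dot variants collapse."""
    return name.rstrip(".").lower()


def tld_of(name: str) -> str:
    """Rightmost label of a DNS name. This is the IANA TLD, not the registrable
    suffix (co.uk -> uk), which is exactly what a TLD hunt needs."""
    return normalise(name).rsplit(".", 1)[-1]


def parse_lines(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (source_host, queried_name) per well-formed line, skipping bare IPs
    (reverse lookups) and single-label names, which have no TLD to speak of."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, host, _, name = parts
        name = normalise(name)
        if IPV4.match(name) or "." not in name:
            continue
        yield host, name


def tld_prevalence(log: str) -> Counter:
    """How often each TLD appears in the window; context for judging rarity."""
    return Counter(tld_of(name) for _, name in parse_lines(log))


def hunt_suspect_tlds(log: str, suspect=SUSPECT_TLDS) -> Dict[str, Dict[str, List[str]]]:
    """Group queried names under each suspect TLD with the hosts that asked for them.
    The output is a lead list for an analyst to review, not a SOC alert."""
    hits: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for host, name in parse_lines(log):
        tld = tld_of(name)
        if tld in suspect:
            hits[tld][name].add(host)
    return {t: {n: sorted(h) for n, h in sorted(names.items())}
            for t, names in sorted(hits.items())}


if __name__ == "__main__":
    prev = tld_prevalence(SAMPLE_LOG)
    total = sum(prev.values())
    for tld, names in hunt_suspect_tlds(SAMPLE_LOG).items():
        print(f".{tld}: {len(names)} name(s), {prev[tld] / total:.0%} of queries")
        for name, hosts in names.items():
            print(f"  {name}  <- {', '.join(hosts)}")
```

Note that the two case/dot variants of the `.top` lookup collapse into one lead, and the PTR lookup for a bare IP is skipped rather than being mis-read as a `.5` TLD.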
FalconHound, attack path management for blue teams by Olaf Hartong
Do you think red teamers would get mad if we used their tools to build detections? Heck no! In fact, I think they’d be delighted. This is where FalconHound comes in. FalconHound aims to supplement SharpHound, AzureHound, and BloodHound (how many hounds can there be?) data to set up real-time alerting on attack paths using data from your Entra/Active Directory environment. It’s an integration layer with several security tools beyond BloodHound. I like the enrichments it offers via Sentinel, the Azure Graph API, and some M365 goodies.
Fog in the sky: logging & visibility issues in the cloud by Ian Cooper
You would think that the three hyperscalers, Amazon, Microsoft, and Google, would all have logging figured out, so you don’t have to worry (or pay a lot) when you turn it on. According to Cooper, that’s not always the case. Log format, availability, control-plane accuracy, and coverage of security-relevant data vary wildly within and between services. Cooper gives three examples from Azure, GCP, and AWS, and I got progressively more frustrated as I read each one.
The importance of reference data for effective threat detection by Shaun Vlassis
This blog post plugs in nicely as a complement to last week’s gem by Sean Hutchinson. Context is vital with alerts because it removes manual tasks for analysts and investigators, making decision-making “more automated” than trying to chase something down via email or another Chrome tab. It’s a bit more of a checklist blog post than Hutchinson’s in-depth blog, but validating these theories across posts and researchers is nice.
Detecting “Effluence”, An Unauthenticated Confluence Web Shell by Zachary Reichert and Joel Uckelman
Confluence and vulnerabilities go together like butter on rice. Or butter on bread, wait.. how about butter on waffles? Erm, this is a super interesting post about a Confluence incident. The responders found a web shell on a Confluence server, loaded as a Confluence plugin. Loading a plugin most likely requires authentication, but this web shell hooked into the underlying Tomcat web server so that it could be reached without authenticating to Confluence at all. The crazy part is that, despite being unauthenticated, it still interacts with the underlying Confluence internals, making it a powerful backdoor on unpatched servers.
The Problem of Why: Threat-Informed Prioritization in Security Operations. Part 1. by Diego Perez
Have you ever heard of organic problem-solving? The idea is that you simply solve whichever problem is in front of you next. You may feel like you are making progress, but you stray so far from addressing systemic issues or executing a strategy that you fail at the larger task. I see the same pattern in threat-informed defense: many people talk about this defensive style, but few take the time to think about how to actually operationalize it.
Perez gives a cautionary tale on this very topic. I quite like the analogy of the SecOps “Rube Goldberg Machine” he uses in this post. I LOVE the questions Perez asks towards the end even more: basically, what processes do you have to help you arrive at your security decisions? If you can’t effectively answer, you are probably solving problems organically.
Detection Engineering Podcasts
Threat Landscape
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology by Ken Proksa, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan and Chris Sistrunk
I, and many others in the security industry, held our breath during the initial days and weeks of Russia’s invasion of Ukraine. Since many of us consider Russia a cyber powerhouse, morbid curiosity took over as we waited for the first “big” cyber-to-physical attack. Well, it never really happened at the scale we imagined, but it did happen.
In this post, Mandiant researchers and responders document an engagement in which they helped a Ukrainian critical infrastructure organization respond to Sandworm. The attackers caused a power outage that coincided with missile strikes in the same timeframe, then deployed a wiper on the IT network to disrupt operations further and hamper the victim’s response to the incident.
LockBit ransomware group assemble strike team to breach banks, law firms and governments by Kevin Beaumont
LockBit has been dominating ransomware headlines lately. Beaumont gives the scoop on how they do it with “Citrix strike teams”. These teams of initial access brokers exploit CitrixBleed (CVE-2023-4966) to get onto Citrix remote desktops, from which they pivot into victim networks. The catch with this exploit is that it knocks the legitimate logged-in user off the session, and when that user logs back in, the actors get knocked off in turn, so the teams drop an RMM tool to keep their foothold. Beaumont includes Shodan screenshots showing the likely initial access point for several recent victims, including Boeing, ICBC, and DP World.
SumoLogic Security Notice - Nov 8 2023 by Sumo Logic
On or around Nov 3, 2023, Sumo Logic identified a compromised credential that had been used to access their AWS account. According to the firm, no impact to their networks or systems was found, and customer data remains protected. I like to look at these incidents from security companies because they should show what a transparent and straightforward response looks like, and that was the case with Sumo Logic.
OracleIV - A Dockerised DDoS Botnet by Nate Bill and Matt Muir
Interesting writeup of a Docker-delivered DDoS botnet by the Cado Research team. This one is particularly novel because the payload is Python compiled with Cython. It’s cool (to me, maybe?) to see Docker Hub being used as a staging environment. I’m waiting for the day a much more sophisticated actor folds Docker Hub into their TTPs.
Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors by Or Chechik, Tom Fakterman, Daniel Frank and Assaf Dahan
Another blog about wipers deployed by nation states, this time from Unit 42 researchers. According to them, since January 2023 an Iranian-backed APT they dub “Agonizing Serpens” (Pink Sandstorm for you Microsoft weirdos) has been targeting education and technology firms in Israel. The actor gets initial access via vulnerable public-facing web servers, then moves to databases and other servers to pilfer data and wipe everything off the network. Apparently, their attempts to load vulnerable drivers onto target machines to kill EDR processes failed.
THE SWISS KNIFE - SYSTEMBC | COROXY by Aaron Jornet
A great writeup of SystemBC, a.k.a. “Coroxy,” a post-infection tool observed in use by several major ransomware players and botnet operators. It’s typically seen after the loader stage, though it can come earlier or later, much like everything in the initial access broker world. The malware turns infected machines into SOCKS5 proxies, so operators can tunnel traffic through victims (or sell that access), and it can also act as a loader to stage follow-on payloads.
Open Source
machofile by pstirparo
A self-contained Python module that parses Mach-O binary files. Inspired by pefile, it’s handy for macOS malware analysis.
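For readers who have not looked inside a Mach-O before, here is an added example (my own code, not machofile's) of what such a parser has to deal with: it distinguishes thin from universal ("fat") binaries, handles both byte orders, reads the mach_header, and walks the load commands to pull out the triage facts an analyst wants first: imported dylibs, the LC_MAIN entry offset, and whether an LC_CODE_SIGNATURE command exists at all. The sample binary is constructed in-block with struct.pack rather than read from disk; the constants are the public Mach-O values from mach-o/loader.h.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Magic values as they read when the first 4 bytes are unpacked little-endian.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit: file is LE / file is BE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit: file is LE / file is BE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # universal container (always BE on disk)
LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x0C, 0x1D
LC_MAIN = 0x28 | 0x80000000                        # LC_REQ_DYLD bit is set on LC_MAIN
CPU_TYPES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64"}
FILETYPES = {1: "object", 2: "execute", 6: "dylib", 8: "bundle", 0xB: "kext"}


@dataclass
class MachOSlice:
    arch: str
    filetype: str
    ncmds: int
    dylibs: List[str] = field(default_factory=list)
    signed: bool = False                # an LC_CODE_SIGNATURE command is present
    entry_offset: Optional[int] = None  # LC_MAIN entryoff, if present


def parse_macho(data: bytes) -> List[MachOSlice]:
    """Parse a thin or fat Mach-O and return one MachOSlice per architecture."""
    if len(data) < 4:
        raise ValueError("too short for a Mach-O magic")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        nfat = struct.unpack_from(">II", data, 0)[1]
        if len(data) < 8 + 20 * nfat:
            raise ValueError("truncated fat_arch table")
        slices = []
        for i in range(nfat):   # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            if off + size > len(data):
                raise ValueError("fat slice extends past end of file")
            slices.extend(parse_macho(data[off:off + size]))
        return slices
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError(f"not a Mach-O: magic {magic:#x}")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = end + ("IiiIIIII" if is64 else "IiiIIII")   # 64-bit header adds a reserved field
    hdr_size = struct.calcsize(hdr_fmt)
    if len(data) < hdr_size:
        raise ValueError("truncated mach_header")
    _, cputype, _, filetype, ncmds, sizeofcmds, _ = struct.unpack_from(hdr_fmt, data, 0)[:7]
    out = MachOSlice(CPU_TYPES.get(cputype, f"{cputype:#x}"), FILETYPES.get(filetype, str(filetype)), ncmds)
    off, limit = hdr_size, min(hdr_size + sizeofcmds, len(data))
    for _ in range(ncmds):   # every load command starts with (cmd, cmdsize)
        if off + 8 > limit:
            raise ValueError("load command table runs past its declared size")
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError(f"bad cmdsize {cmdsize} at {off:#x}")
        if cmd == LC_LOAD_DYLIB and cmdsize >= 24:
            name_off = struct.unpack_from(end + "I", data, off + 8)[0]   # lc_str offset, relative to cmd
            raw = data[off + name_off:off + cmdsize]
            out.dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_MAIN and cmdsize >= 24:
            out.entry_offset = struct.unpack_from(end + "Q", data, off + 8)[0]
        elif cmd == LC_CODE_SIGNATURE:
            out.signed = True
        off += cmdsize
    return [out]


def build_sample() -> bytes:
    """Constructed minimal x86_64 executable: one LC_LOAD_DYLIB, one LC_MAIN, no signature."""
    name = b"/usr/lib/libSystem.B.dylib\0"
    size = 24 + len(name)
    size += (-size) % 8   # load commands are 8-byte aligned
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x05010000, 0x00010000)
    dylib += name.ljust(size - 24, b"\0")
    main_cmd = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)   # entryoff, stacksize
    cmds = dylib + main_cmd
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0x00200085, 0) + cmds


def wrap_fat(slices: List[bytes]) -> bytes:
    """Constructed universal container around little-endian thin slices."""
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        cputype, cpusubtype = struct.unpack_from("<ii", s, 4)
        archs += struct.pack(">iiIII", cputype, cpusubtype, off, len(s), 0)
        body, off = body + s, off + len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    print(parse_macho(wrap_fat([build_sample()])))
```

The `signed` flag is the quick triage check: a Mach-O with no LC_CODE_SIGNATURE command at all is worth a second look on a modern Mac, where legitimate software is almost always signed.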
Awesome-GPT-Agents by fr0gger
OpenAI released their custom GPT feature, which lets you basically configure a ChatGPT instance with your own instructions and reference material and hand it to others for prompting. The obvious use case here is cybersecurity, and there’s already a ton of custom agents out there! Luckily, fr0gger collected a bunch of them and is continuously updating this awesome-* list with new ones.
MDE-DFIR-Resources by cyb3rmik3
A short-but-sweet Microsoft Defender resources repo, containing all kinds of DFIR-related knowledge bases for the Microsoft security ecosystem.
WhoamiAlternatives by ricardojoserf
The whoami memes keep coming, and I’m all about it. I hope this list keeps growing and we can use it for detection opportunities. Only threat actors use whoami on the command line. We got to catch those pesky red teamers!
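Half-joking or not, the detection opportunity is real, so here is an added example (mine, not code from the WhoamiAlternatives repo) of what a rule built from such a list looks like: a handful of command-line patterns for whoami and common substitutes run over constructed Sysmon-style process-creation events, with a per-host correlation step so a single stray whoami does not page anyone. The pattern set is my own assumption of a few well-known alternatives, not the repo's full list, and the events are made up.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the fields used).
EVENTS = [
    {"host": "ws-0412", "user": "CORP\\jdoe", "cmdline": "cmd.exe /c whoami /all"},
    {"host": "ws-0412", "user": "CORP\\jdoe", "cmdline": 'cmd.exe /c "echo %USERNAME%"'},
    {"host": "ws-0899", "user": "CORP\\svc_build",
     "cmdline": "powershell -nop -c $env:USERNAME; $env:USERDOMAIN"},
    {"host": "ws-0899", "user": "CORP\\svc_build",
     "cmdline": "powershell -c [System.Security.Principal.WindowsIdentity]::GetCurrent().Name"},
    {"host": "srv-db01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic useraccount where name='%username%' get sid"},
    {"host": "ws-1201", "user": "CORP\\asmith", "cmdline": "notepad.exe whoami_notes.txt"},  # benign
    {"host": "ws-1201", "user": "CORP\\asmith", "cmdline": "query user"},
]

# Illustrative whoami substitutes (the author's assumptions, not the repo's full list).
# Lookarounds keep "whoami" from matching inside filenames such as whoami_notes.txt.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "whoami_binary":   re.compile(r"(?<![\w.-])whoami(\.exe)?(?![\w.-])", re.I),
    "env_username":    re.compile(r"%username%|\$env:username|\$env:userdomain", re.I),
    "dotnet_identity": re.compile(r"WindowsIdentity\]::GetCurrent", re.I),
    "query_user":      re.compile(r"(?<![\w.-])query(\.exe)?\s+user(?![\w-])", re.I),
}


def classify(event: Dict[str, str]) -> List[str]:
    """Names of every pattern that fires on this event's command line."""
    cmd = event["cmdline"]
    return sorted(name for name, rx in PATTERNS.items() if rx.search(cmd))


def detect(events: List[Dict[str, str]]) -> List[Dict]:
    """Return each event that matched, annotated with the technique names that fired."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({**ev, "techniques": hits})
    return findings


def hosts_with_burst(findings: List[Dict], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` identity-discovery commands in the batch.
    Correlating per host is what makes this alertable rather than a hunt."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f['host']:9} {f['user']:22} {f['techniques']}  {f['cmdline']}")
    print("burst hosts:", hosts_with_burst(found))
```

In a real deployment the batch would be a sliding time window per host, and the benign-baseline work (help desk scripts, build agents) is where most of the tuning effort goes.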
Adversary Emulation Plans/2022_Top35_Mitre by Sam0x90
A CTI-driven purple team / adversary emulation plan built from 2022’s top 35 MITRE ATT&CK techniques. What’s cool about this is that it’s laid out as a full infection chain, and Sam0x90 gives links to samples and step-by-step instructions to execute each exact technique or procedure.