Welcome to Issue #49 of Detection Engineering Weekly!
This week’s recap:
💎 by Yazid Benjamaa on their DIY EDR and bypassing it with various techniques, for fun and profit
Daniel Miessler helps readers get over their fear of public speaking, Phil Moore finds useful logs for his RULER project, Augusto Barros on SIEM alternatives, Omer Singer helps us dive into security data lakes, Ron Marom on Entra ID detection opportunities, and Mohit Gupta launches IceKube
Podcast episodes by Google’s Cloud Security podcast on Canned Detection Content, Cybersecurity Defenders Podcast guest reimagines the cyber killchain and the Naked Pravda on USSR hegemony
Ransomware takedown, DarkGate as the new hotness, Owncloud’s phpinfo is a CVSS 10, Intezer finds a new threat cluster, and Cows get pwned
plus so much more!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
🌐 Newsletter Network:
Return on Security by Mike Privette
My good friend, Mike, just rebranded his newsletter with our friends at Miscreants and it looks amazing! If you want a weekly newsletter dedicated to research around the cybersecurity market, look no further. Mike puts a ton of his time and expertise into building this, and I’ve definitely stolen, er, been inspired by his newsletter format and marketing to help build mine!
💎 Detection Engineering Gem 💎
Best EDR Of The Market by Yazid Benjamaa
I linked the open-source repo for this project last week, found the associated blog afterward, and knew quickly that this should be a gem. One of the best ways to learn a technology, IMHO, is to try to build your own "bad" version. You quickly become oriented around the trade-offs, techniques, and problems with rolling something out with minimal expertise.
"BEOTM" aims to do this for EDRs using function-level hooking, and it does a great job of surfacing the attack techniques it catches and unwinding the call stack so you can see every piece of information traveling through the various Windows API calls.
🔬 State of the Art
How to Permanently Remove Your Fear of Public Speaking by Daniel Miessler
This post is adjacent to security and threat-detection but is an important one. Note that Public Speaking doesn't mean main stage DEFCON, but also presenting your work to peers and your organization. Miessler uses inspiration from a Jocko Willink book and creates a "slider" framing system, speaking from a big, unattainable goal (such as perfection) to something more realistic, like being enthusiastic about the topic.
Really Useful Logging and Event Repository (RULER) Project by Phil Moore
Not all logging is the same, and if you read the gem from last week, it gets worse if you need forensic data after an incident. I'm a big fan of knowledge bases like RULER, which aims to document numerous security and remote management logging sources and gives investigators a cheat sheet of the best logging data to collect. This is just as useful to detection engineers for logging and alerting opportunities.
The SIEM Alternatives Fallacies by Augusto Barros
Interesting take on how marketing teams can finagle themselves into your search results by claiming their SIEM is not a SIEM, although it can replace your toolset. It's a clever sleight-of-hand that can help bolster your product's search results, especially if you try to claim something "next-gen" or "cloud-first." As Barros puts it:
..it walks like a SIEM, it quacks like a SIEM, so it must be a SIEM
This is a security data lake by Omer Singer
This post by Singer is an excellent follow-up to Barros' abovementioned post. A security data lake is sometimes marketed as a SIEM alternative, and it definitely "is not a SIEM," but it sure does some SIEM "stuff". I like how Singer breaks down the idea of a data lake using cloud-native examples and focuses on technologies like object storage and separation of compute and storage. The conclusion gives a great, succinct answer to the interview question: "What's the difference between a traditional SIEM and a data lake?" Answer: traditional SIEM tightly couples compute and storage, whereas data lakes separate them.
Defending Azure Active Directory (Entra ID) by Ron Marom
This is an excellent introduction to Azure AD threat detection. Marom breaks down the types of logs that Azure AD (ugh, Entra) produces, where to enable them AND find them, then gives ten (!) different detection opportunities you can use to find badness inside your Azure AD environment.
IceKube: Finding complex attack paths in Kubernetes clusters by Mohit Gupta
IceKube is a Hound-like open-source tool for identifying attack paths in Kubernetes deployments. The WithSecure team has a ton of experience in client engagements where they needed a tool like this to help pentest their client's environments, and the initial release has 25 attack paths for users. The examples Gupta gives in the blog were real-world examples the team faced on client engagements, so it's nice to know it finds interesting things.
🎙️ Detection Engineering Podcasts
Great episode on Canned Detections, or "Out of the Box" detection rules, from the Google Security team. There's a bit of a philosophy behind buying a threat detection vendor: if you don't trust the content the vendor gives you, how can you trust the platform itself? (Hint: you shouldn't!) The team here goes over this in detail and provides a sweet shoutout to this newsletter at the end!
This is a follow-up podcast episode to Burkett's talk at MSSN CTRL. A good way for detection engineers to frame building our content is through frameworks like ATT&CK and the Cyber Kill Chain. Burkett describes retrofitting the Cyber Kill Chain to be a bit more modern and less military-focused to help show listeners that you don't need to be so rigid and follow these frameworks without changing things to work for you.
I'm fascinated by nation-state history because it allows me to understand the background of their cyber operations, either in government or through organized crime. Hegemony is a massive topic for "superpower" countries, and understanding the struggle for hegemony for Russia will help you understand how their various cyber arms emerged into the world scene.
☣️ Threat Landscape
International collaboration leads to dismantlement of ransomware group in Ukraine amidst ongoing war by Europol
We always have to celebrate wins in security, especially when it comes to those who caused harm to others. A ransomware "ringleader" and four accomplices were arrested in Ukraine by a joint task force from several countries. Europol claims this group operated several ransomware strains, including LockerGoga, MegaCortex, HIVE, and Dharma. They also leveraged the Trickbot botnet for initial access.
DarkGate Internals by Pierre Le Bourhis
DarkGate is the new hotness and loader-du-jour for initial access in malware circles. It is sold as a malware-as-a-service on several crime forums and developed using Delphi. The evolution of loaders has led to multi-functional families, so although this is used for initial access, there are several features of RATs (reverse shells, execute PowerShell scripts) and stealer functionality, like stealing Discord tokens.
Disclosure of sensitive credentials and configuration in containerized deployments by Owncloud
It's been a bit since I've seen a vulnerability with a CVSS Base Score of 10, but here we are. And it's about as bad as you think. Owncloud, an open-source file-sharing tool (among a few other SaaS-like collaboration capabilities), has a third-party dependency that exposes several endpoints. One of those endpoints is *drumroll*, a file that calls phpinfo and leaks all kinds of sensitive data! GreyNoise recorded internet scanning activity for the vulnerability, so hold on to your butts.
WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel by Nicole Fishbein
Fishbein, a threat researcher at Intezer, exposes and attributes a new APT and threat cluster targeting Israeli critical sectors. WildCard (the name of the cluster from Intezer) allegedly operates several malware families, the most notable being SysJoker. Fishbein compares several samples from the actor, noting similarities such as a (somewhat hilarious) "custom" alphabet missing "jk" and cloud-hosted dead drop resolvers.
The Internet of Insecure Cows - A Security Analysis of Wireless Smart Devices Used for Dairy Farming by Samuel Barnes-Thornton, Joseph Gardiner, and Awais Rashid
A bit more of a deep-dive on an area of cybersecurity I’m sure you’ve never seen: agritech cybersecurity. The research in this paper explores how devices used for health monitoring of livestock (in this case, cows) aren’t that secure. It reminds me a lot of early medical technology research: insecure protocols with weak encryption, and ease of attack via an SDR and a bit of time.
🔗 Open Source
awskillswitch by secengjeff
A "kill switch" setup for AWS that gives security engineers privileged access to lock down specific accounts by deleting IAM roles or applying restrictive SCPs. This is super interesting because you can set up a dedicated "Security" account and then deploy SCPs to allow an AssumeRole from that account. That said, it's probably rendered ineffective if an actor deletes the AssumeRole relationship.
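The security-account pattern above, and the worry that an actor could just delete the AssumeRole relationship, are easy to reason about once the policies are written down. The following is an added example (not the awskillswitch project's code): it builds the trust policy for a break-glass role in the locked-down account, an SCP that both protects that role from being deleted or re-trusted and (when the switch is pulled) denies everything to every other principal, and a small evaluator that simulates the SCP before you attach it. Account ids, the role name `SecurityBreakGlass` and the admin user are constructed; the evaluator models only the slice of IAM grammar the policies use.

```python
import fnmatch
import json

# Constructed account ids and role names; substitute your own.
SECURITY_ACCOUNT = "111111111111"   # dedicated security account that holds the responders
MEMBER_ACCOUNT = "222222222222"     # account being locked down
BREAK_GLASS_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/SecurityBreakGlass"


def build_break_glass_trust_policy(security_account: str) -> dict:
    """Trust policy on the member-account role: only the security account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_scp(exempt_role_arn: str, lockdown: bool = False) -> dict:
    """SCP for the member account.

    The standing statement denies every principal except the break-glass role from
    deleting or re-trusting that role, so an actor with admin in the account cannot
    simply remove the AssumeRole relationship. With lockdown=True a second statement
    denies every action for everyone but the break-glass role.
    """
    exempt = {"ArnNotLike": {"aws:PrincipalArn": [exempt_role_arn]}}
    statements = [{
        "Sid": "ProtectBreakGlassRole",
        "Effect": "Deny",
        "Action": ["iam:DeleteRole", "iam:UpdateAssumeRolePolicy",
                   "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:PutRolePolicy"],
        "Resource": exempt_role_arn,
        "Condition": exempt,
    }]
    if lockdown:
        statements.append({
            "Sid": "LockdownAllExceptBreakGlass",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": exempt,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_like(value: str, patterns) -> bool:
    # IAM ARN matching uses * and ? wildcards, the same ones fnmatch understands
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Does this statement match the request? Only the subset of IAM grammar used above
    (Action/Resource wildcards and an ArnNotLike on aws:PrincipalArn) is modelled."""
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    if not _arn_like(resource, stmt["Resource"]):
        return False
    for key, patterns in stmt.get("Condition", {}).get("ArnNotLike", {}).items():
        if key == "aws:PrincipalArn" and _arn_like(principal_arn, patterns):
            return False
    return True


def scp_denies(scp: dict, principal_arn: str, action: str, resource: str = "*") -> bool:
    """True if a Deny statement in the SCP blocks the request. SCPs only ever restrict:
    'not denied' means the SCP does not block it, not that IAM would allow it."""
    return any(stmt["Effect"] == "Deny" and statement_applies(stmt, principal_arn, action, resource)
               for stmt in scp["Statement"])


if __name__ == "__main__":
    admin = f"arn:aws:iam::{MEMBER_ACCOUNT}:user/admin"   # constructed compromised admin
    guardrail = build_scp(BREAK_GLASS_ROLE_ARN)
    print("admin can re-trust break-glass role:",
          not scp_denies(guardrail, admin, "iam:UpdateAssumeRolePolicy", BREAK_GLASS_ROLE_ARN))
    print(json.dumps(build_scp(BREAK_GLASS_ROLE_ARN, lockdown=True), indent=2))
```

Two things the simulation makes visible: the break-glass role and the protective SCP have to exist before the incident, since once an admin has removed the trust relationship there is nothing left to assume; and `aws:PrincipalArn` resolves to the role ARN for an assumed-role session, which is why the exemption keys on the member-account role rather than on the individual responder. SCPs do not apply to the organization's management account, so the locked-down account must be a member account.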
ruler-project by Ruler-Project
Mkdocs repo to the RULER project listed above in “State of the Art.”
AD-Canaries by AirbusProtect
Windows-native AD canary project. It's based on a talk and a 3-part blog series, but the premise is you can use this to detect enumeration or reconnaissance techniques in an AD environment. Tools like BloodHound et al. are noisy with resource enumeration during the recon phase, so this can serve as a tripwire to find infections using these tools and techniques.
IMDSpoof by grahamhelton
Lots of canary tools for this issue! You can deploy this fake AWS IMDS service on machines and workloads to find active infections that try to use the IMDS service to pivot to cloud accounts. You can combine these with Thinkst's AWS honeytoken to alert not only on the IMDS token request but also on any use of the AWS canary.
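To show what such a canary actually has to speak, here is an added example (not grahamhelton's IMDSpoof) of a minimal fake IMDS: the protocol logic handles the IMDSv2 token handshake and the credential paths an SDK walks, returns placeholder canary credentials, and records an alert for every request, with a thin http.server wrapper for deployment. The role name, the credential values and the client addresses are constructed; in practice the credentials would be a real honeytoken so that their later use alerts as well.

```python
import json
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: the role name and credentials are placeholders. In practice the
# credentials would be a real canary token (for example a Thinkst AWS honeytoken) so that
# any later use of them also alerts.
CANARY_ROLE = "canary-app-role"
CANARY_CREDS = {
    "AccessKeyId": "AKIACANARYPLACEHOLDER",
    "SecretAccessKey": "canary-secret-placeholder",
    "Token": "canary-session-token-placeholder",
}
TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
CREDS_PREFIX = "/latest/meta-data/iam/security-credentials/"


class CanaryImds:
    """Protocol logic for a fake IMDS. Every request is an alert, because on a host that is
    not an EC2 instance nothing legitimate should ever talk to 169.254.169.254."""

    def __init__(self, sink=None):
        self.tokens = {}          # IMDSv2 token -> expiry epoch
        self.alerts = []
        self.sink = sink or (lambda alert: print(json.dumps(alert)))

    def _alert(self, client, kind, path, severity):
        alert = {"ts": time.time(), "client": client, "kind": kind,
                 "path": path, "severity": severity}
        self.alerts.append(alert)
        self.sink(alert)
        return alert

    def handle(self, method, path, headers, client):
        """Return (status, body, alert). Mimics enough of IMDSv2 that real SDKs get past the
        token handshake and go on to pull the canary credentials."""
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == TOKEN_PATH:
            try:
                ttl = int(headers[TTL_HEADER])
            except (KeyError, ValueError):
                return 400, "", None
            token = secrets.token_urlsafe(32)
            self.tokens[token] = time.time() + ttl
            return 200, token, self._alert(client, "imdsv2-token", path, "low")
        if method != "GET":
            return 405, "", None
        token = headers.get(TOKEN_HEADER)
        valid = token in self.tokens and self.tokens[token] > time.time()
        version = "imdsv2" if valid else "imdsv1"   # v1-style GETs are served too, and labelled
        if path == CREDS_PREFIX:
            return 200, CANARY_ROLE, self._alert(client, f"{version}-role-listing", path, "medium")
        if path == CREDS_PREFIX + CANARY_ROLE:
            body = json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                               "Expiration": "2099-01-01T00:00:00Z", **CANARY_CREDS})
            return 200, body, self._alert(client, f"{version}-credential-fetch", path, "high")
        return 404, "", self._alert(client, f"{version}-probe", path, "low")


def make_handler(canary: CanaryImds):
    """Wrap the protocol logic in http.server for actual deployment."""
    class Handler(BaseHTTPRequestHandler):
        def _serve(self):
            status, body, _ = canary.handle(self.command, self.path,
                                            dict(self.headers), self.client_address[0])
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_PUT = _serve

        def log_message(self, *args):   # alerts go through CanaryImds.sink instead
            pass
    return Handler


if __name__ == "__main__":
    # Assumption: 169.254.169.254 is bound to a local interface on a non-EC2 host.
    HTTPServer(("169.254.169.254", 80), make_handler(CanaryImds())).serve_forever()
```

The severity levels give an analyst something to triage on: a token request or a 404 probe says something is looking for cloud metadata, a role listing says it found the "role", and a credential fetch means the placeholder keys are now in the attacker's hands, which is exactly the moment a paired honeytoken earns its keep. Feed `sink` with whatever ships the alert to your SIEM.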