Det. Eng. Weekly #53 - 🏃 Run it back
Let's do this newsletter thing for another year and see what happens!
Welcome to Issue #53 of Detection Engineering Weekly!
I’m back and ready to get this year started with fresh content. I missed you all!
This week’s recap:
💎 by Marcus Hutchins: an introduction to Windows internals and bypassing user-mode EDR hooks. Honestly, it's one of the best explanations I've seen of this topic, and I'm excited it's a multi-part series
Daniel Wyleczuk-Stern on iterating on detection suppressions and making your detections resilient; Regan Carey gives the 101 on building an effective detection engineering capability; Luke Jennings is back with more Okta shenanigans via poisoned tenants; Ondra Rojčík demystifies threat intelligence reporting and common gotchas in these reports; Joe Slowik drops some threat intel truth bombs on aligning intel with business requirements
Podcasts: Detection: Challenging Paradigms with MITRE Engenuity folks talking about their Summiting the Pyramid project; Security Conversations talks with CISO-turned-founder Allison Miller; and Hacker History with friend of the newsletter Christopher Luft on the Colonial Pipeline hack
A Dutchman was responsible for deploying Stuxnet? Kevin Beaumont unveils the BGP hijack shenanigans at Orange Spain; a CVE Year 2023 in Review by Jerry Gamblin; Brian Krebs is back and finds a long-lost spammer; and a single-character argument creates an auth bypass for OFBiz
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
📣 DEW @ Shmoocon in Washington D.C.:
I'll be in Washington, D.C., at Shmoocon this week! If you are attending, I'll drop stickers off around the con and give them away to people I talk to. I also have some t-shirts to give out on Saturday, so if you see me with a Detection Engineering Weekly shirt, come say hi and grab some swag!
💎 Detection Engineering Gem 💎
An Introduction to Bypassing User Mode EDR Hooks by Marcus Hutchins
This is Part 1 of a multi-part series on bypassing EDR hooks. Hutchins reviews Windows system calls and how they are reached through a chain of user-mode calls, similar to Jared Atkinson's research on function call stacks. Windows is a fascinating ecosystem in that it relies heavily on applications going through user-mode library functions to proxy into the kernel. In contrast, on Linux, you expect programs to perform syscalls directly.
According to Hutchins, EDRs hook functions in user space within ntdll.dll, trampoline to the EDR's own code for evaluation, and then return to the ntdll.dll call that proxies into the kernel. He gives examples of how to bypass these hooks, plus some background on why direct syscalls are bad news bears on Windows:
Well, on systems like linux it’s completely normal for applications to initiate system calls directly. But remember that I mentioned system call ids change between Windows versions? As a result it’s highly impractical to write Windows software that relies on direct system calls. Due to the fact that ntdll already implements every system call for you, there’s almost no reason to do a manual syscall. Unless, of course, you’re writing malware to bypass EDR hooks. Are you writing malware to bypass EDR hooks?
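To make the ntdll.dll part concrete, here is a small added example (mine, not code from Hutchins' post): it models the shape of an x64 Nt* stub the post describes, a few bytes that load a system-call id and execute syscall, beside the same stub after an EDR has overwritten its first instruction with a jmp to its trampoline. The classifier is the kind of integrity check an EDR self-test or a forensic triage script runs against a mapped ntdll. Every byte string is constructed by hand, the syscall id 0x18 is a placeholder rather than a real id for any Windows build, and nothing here touches a live process.

```python
"""Tell a pristine x64 ntdll syscall stub from an inline-hooked one.

Added example, not code from the post: the stub bytes are constructed,
the syscall id 0x18 is a placeholder, and the function names are mine.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Canonical x64 stub prologue: 4c 8b d1 = mov r10, rcx ; b8 = mov eax, imm32
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8"
JMP_REL32 = 0xE9  # e9 <rel32>: the usual first byte of an inline hook


def classify_stub(stub: bytes, stub_va: int = 0) -> Tuple[str, Optional[int]]:
    """Return ("clean", syscall_id), ("hooked", jmp_target_va) or ("unknown", None).

    stub_va is the virtual address the stub lives at; it is only needed to
    resolve the relative jump target of a hook.
    """
    if len(stub) >= 8 and stub.startswith(CLEAN_PROLOGUE):
        syscall_id = struct.unpack_from("<I", stub, 4)[0]
        return "clean", syscall_id
    if len(stub) >= 5 and stub[0] == JMP_REL32:
        rel = struct.unpack_from("<i", stub, 1)[0]
        # rel32 is relative to the instruction after the 5-byte jmp
        return "hooked", stub_va + 5 + rel
    return "unknown", None


def find_hooked_exports(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes]) -> List[str]:
    """Export names whose in-memory prologue differs from the on-disk copy.

    This is the integrity check a defender's triage script performs: the
    mapped ntdll should match the file on disk byte for byte at each export.
    """
    return sorted(name for name, mem in in_memory.items()
                  if mem[:8] != on_disk.get(name, b"")[:8])


# Constructed sample stub, a simplified version of a modern x64 Nt* export.
CLEAN_STUB = (
    b"\x4c\x8b\xd1"          # mov r10, rcx
    b"\xb8\x18\x00\x00\x00"  # mov eax, 0x18   (placeholder syscall id)
    b"\x0f\x05"              # syscall
    b"\xc3"                  # ret
)
# Same stub after an inline hook: first five bytes replaced by jmp +0x1000.
HOOKED_STUB = b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_STUB[5:]

if __name__ == "__main__":
    print(classify_stub(CLEAN_STUB))                    # ('clean', 24)
    print(classify_stub(HOOKED_STUB, stub_va=0x1000))   # ('hooked', 8197)
    mapped = {"NtAllocateVirtualMemory": HOOKED_STUB, "NtClose": CLEAN_STUB}
    disk = {"NtAllocateVirtualMemory": CLEAN_STUB, "NtClose": CLEAN_STUB}
    print(find_hooked_exports(mapped, disk))            # ['NtAllocateVirtualMemory']
```

The clean branch also shows why Hutchins calls direct syscalls impractical: the id sitting in that mov eax is what changes between Windows versions, so anything that hard-codes it breaks on the next build, while the hooked branch is exactly the trampoline an EDR expects to find intact.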
🔬 State of the Art
Building Resilient Detection Suppressions by Daniel Wyleczuk-Stern
I've been thinking about detection drift lately, and it's an infosec way to describe the Law of Large Numbers. You write a rule, test it, deploy it, and keep seeing new data that introduces false positives you didn't account for before. If you accept that this will happen and build processes around dealing with it, you start building "resilient" rules.
In this blog, Wyleczuk-Stern takes us on a journey of tuning a rule several times with different suppression strategies. It takes a village to understand alerting scenarios, especially if you are dealing with end-users (or, in this case, software engineers).
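As an added illustration (my code, not from Wyleczuk-Stern's post, and not the specific suppression strategies it walks through), here is one way to keep a rule resilient as new false positives show up: instead of loosening the detection logic, suppress a tightly scoped pattern with a written reason and an expiry date, so the exception gets reviewed instead of living forever. The rule, events, hosts, users and dates are all constructed for the demo.

```python
"""Scoped, expiring suppressions in front of a detection rule.

Added example: the rule, the telemetry and the ticket references are
constructed; none of this is from the post being summarized.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]


@dataclass
class Suppression:
    reason: str                     # who asked for it and why (audit trail)
    match: Dict[str, str]           # every listed field must match exactly
    expires: Optional[date] = None  # None = permanent; dated is the default

    def applies(self, event: Event, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False  # expired: the alert comes back so someone re-reviews it
        return all(event.get(field) == value for field, value in self.match.items())


def office_spawns_script_host(event: Event) -> bool:
    """Detection logic: an Office process launching a scripting host."""
    return (event.get("parent") in {"winword.exe", "excel.exe", "outlook.exe"}
            and event.get("child") in {"powershell.exe", "cmd.exe", "wscript.exe"})


def evaluate(rule: Callable[[Event], bool], events: List[Event],
             suppressions: List[Suppression], today: date) -> Tuple[List[Event], List[Event]]:
    """Split rule matches into (alerts, suppressed)."""
    alerts, suppressed = [], []
    for event in events:
        if not rule(event):
            continue
        if any(s.applies(event, today) for s in suppressions):
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed


# Constructed telemetry: a known-good build job and a user opening a macro doc.
EVENTS: List[Event] = [
    {"host": "fin-build01", "user": "svc_build", "parent": "excel.exe", "child": "powershell.exe"},
    {"host": "ws-jdoe", "user": "jdoe", "parent": "winword.exe", "child": "powershell.exe"},
]

# A broad suppression silences the second event too: the rule is now blind.
BROAD = Suppression(reason="TICKET-1 (placeholder) powershell is noisy",
                    match={"child": "powershell.exe"})
# A scoped one covers only the known build job, and only until the next review.
SCOPED = Suppression(
    reason="TICKET-2 (placeholder) finance export job, owner: build team",
    match={"user": "svc_build", "parent": "excel.exe", "child": "powershell.exe"},
    expires=date(2024, 3, 31),
)


def alert_users(suppressions: List[Suppression], today: date) -> List[str]:
    """Users whose events still alert under the given suppressions."""
    alerts, _ = evaluate(office_spawns_script_host, EVENTS, suppressions, today)
    return [e["user"] for e in alerts]


if __name__ == "__main__":
    print(alert_users([BROAD], date(2024, 1, 8)))    # []
    print(alert_users([SCOPED], date(2024, 1, 8)))   # ['jdoe']
    print(alert_users([SCOPED], date(2024, 4, 1)))   # ['svc_build', 'jdoe']
```

The last call is the resilience part: when the dated exception lapses, the build job alerts again, which forces a conversation with its owner about whether the suppression is still justified rather than letting drift silently accumulate.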
An introduction to building an effective Detection Engineering Capability by Regan Carey
This is a great introductory blog post for maturing a detection engineering capability for any team. Carey works at an MSSP and has written several posts on different problems within the space. It is always good to hear from a practitioner how they would advise a team to boot up a new program.
At a technical level, Carey does an excellent job of detailing a solid scaffolding for a detection program: where to store your backlog, how to test your environment, where to store your code, how to deploy, and how to measure. My favorite part is that they tell the reader this is a similar process to the SDLC, but with a security twist!
Oktajacking by Luke Jennings
Posts like this remind me that identity security should be at the forefront of most detection strategies, or at least in the top 3 things a detection team should prioritize while building rules. Like any technology in the market, identity providers (Okta, Microsoft) rushed to build integrations so customers could get onto their products. Those integrations leave implementation details unexamined until an actor or researcher discovers how they can be abused.
Jennings describes Oktajacking and the concept of "poisoned tenants" in this post. The way the Okta <> Active Directory integration works basically means Okta is shepherding credentials to and from AD, so if you control a malicious tenant, you can sniff credentials out from the victims!
Communicating Uncertainties: A Guide to Estimative Language and Confidence Levels in CTI Reporting by Ondra Rojčík
Orienting Intelligence Requirements to the Small Business Space by Joe Slowik
CTI left to its own devices remains aloof.
Mic drop. No, but seriously, Slowik is an expert in cyber threat intelligence implementations and is starting to use it as a bridge to prioritizing the detection backlog. In this post, he notes that without business requirements turned into intelligence requirements, CTI teams typically waste a lot of time and energy, imposing costs on themselves and their firm for little payoff. If you are considering building a CTI function in your detection organization, you should read this post.
🎙️ Detection Engineering Podcasts
Great episode by the DCP team, who interviewed MITRE CTID engineers, Luke and Daszczuszak, both of whom helped create the “Summiting the Pyramid” research. It’s a modern way to apply the Pyramid of Pain to detections, grading them by telemetry efficacy and the presence of other indicators.
I enjoyed this Security Conversations episode because it’s rare to hear an executive/former CISO who is as technical as Allison Miller is. I thought she had some interesting viewpoints on where detection is heading inside the fraud space as well.
I like this “Hacker History” format that Christopher is doing on his podcast. If you weren’t reading the news during the Colonial Pipeline hack, or weren’t located anywhere on the US East Coast during this ransomware event, then give it a listen! As a community, we’ve come a long way in going after ransomware crews, and with the help of the US intelligence and law enforcement apparatus, we are imposing a ton of cost on these gangs.
☣️ Threat Landscape
Dutch man sabotaged Iranian nuclear program without Dutch government's knowledge: report by NL times
I remember first learning about Stuxnet in undergrad and its fascinating story of turning “cyber” impact into “real-world” physical impact. The big story of this week is that according to the Volkskrant (and several syndications, like this NL Times piece), a Dutch man was responsible for sneaking USB sticks into Natanz to deploy the malware.
How 50% of telco Orange Spain’s traffic got hijacked — a weak password by Kevin Beaumont
I used to work for Fastly, one of the major content delivery network companies (like Cloudflare & Akamai). I thought I knew networking until I saw how the CDNs and Internet backbone providers do networking. The other crazy thing I learned is how the operation is both resilient and brittle. A single BGP misconfiguration or an anchor dropping on a sea cable can take down parts of the Internet (I've witnessed both at Fastly).
The scarier part is how Internet providers manage BGP, the Internet's routing protocol, and how we inherently trust BGP configs pushed out from providers. Well, this story goes into how one weak password let an actor deploy a BGP config that hijacked Orange Spain's traffic.
2023 CVE Data Review by Jerry Gamblin
A VC firm should fund CVE disclosure because its growth curve looks like a hockey stick :). It's nice to have someone run the numbers on CVE data. It gives you a good idea of what to expect in the years ahead. Gamblin comes with receipts (aka ipython notebooks). The most exciting finding for me is the 36 "perfect 10.0" CVSS CVEs, so about 3 a month that we have to drop everything to analyze to make sure our environments aren't vulnerable.
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell by Brian Krebs
There's nothing like a fresh KrebsOnSecurity investigation to start the year with a bang. In this post, Krebs details close to 20 years of investigation into a massive spam operation and how it interconnects with some of the most notorious botnets and spam operations of the 2000s. My favorite "pivot" Krebs used was a unique password, "19871987gr", to move from one known perpetrator's e-mail address to another.
SonicWall Discovers Critical Apache OFBiz Zero-day - AuthBiz by Hasib Vhora
Published right after Christmas Day, SonicWall researcher Vhora details an authentication bypass in Apache OFBiz. GreyNoise has yet to see much exploitation, but this story is interesting to me because OFBiz is used as an add-on to major knowledge-based technologies, such as Atlassian Jira. The vulnerable code path involves a parsing error between the password-reset flag, a username, and a password: if you _did not_ supply a username and password combination but did supply the password reset flag, you get authed in!
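To show the shape of that bug, here is an added vulnerable-versus-fixed sketch (my code, not OFBiz's: OFBiz is Java, and its real login handling is not reproduced here). The Python model only follows the logic the write-up summarizes, no username and password but the reset flag set, and the request is treated as logged in. The function names, the request_password_reset parameter, the placeholder query-parameter names, and the constructed user table are all assumptions for the illustration, not OFBiz identifiers.

```python
"""Vulnerable-vs-fixed model of the login check the write-up describes.

Added example, not OFBiz code: every name and credential here is made up.
"""
from typing import Dict, Optional

USERS: Dict[str, str] = {"admin": "correct horse battery staple"}  # constructed


def _credentials_valid(username: Optional[str], password: Optional[str]) -> bool:
    return username is not None and USERS.get(username) == password


def check_login_vulnerable(username: Optional[str], password: Optional[str],
                           request_password_reset: bool) -> str:
    """Flawed flow: the reset flag short-circuits the credential check."""
    if request_password_reset and not username and not password:
        # Intended as "skip the login form, the user is here to reset",
        # but nothing on this path ever verifies who the caller is.
        return "success"
    return "success" if _credentials_valid(username, password) else "error"


def check_login_fixed(username: Optional[str], password: Optional[str],
                      request_password_reset: bool) -> str:
    """One fix: the reset flag never substitutes for authentication.

    Credentials are checked first on every path; the flag only decides what
    happens after a successful login.
    """
    if not _credentials_valid(username, password):
        return "error"
    return "password_reset_required" if request_password_reset else "success"


def looks_like_bypass_attempt(params: Dict[str, str]) -> bool:
    """Triage helper for web-server or proxy logs: a login request that
    carries the reset flag but neither a username nor a password.
    The parameter names "reset", "username" and "password" are placeholders."""
    return (params.get("reset") == "Y"
            and not params.get("username")
            and not params.get("password"))


if __name__ == "__main__":
    print(check_login_vulnerable(None, None, True))   # success  (the bug)
    print(check_login_fixed(None, None, True))        # error
    print(looks_like_bypass_attempt({"reset": "Y"}))  # True
```

The triage helper is the defender-side takeaway: while you wait on the patch, login requests that carry the reset flag with empty credentials are a cheap thing to hunt for in access logs.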
🔗 Open Source
HTTP-Shell by JoelGMSec
Microsoft Dev Tunnel reverse-shell-as-a-service. Whoever said Microsoft isn’t customer focused?
AuthLogParser by YosfanEilay
Powershell-based Linux auth.log parser for quick digital forensic investigations. Lots of valuable group-bys and summaries for all kinds of events, such as account modifications, successful logins, and root activity.
Linux-Incident-Response by vm32
Great resource for performing incident response on Linux hosts. Use the above AuthLogParser to look at authentication events. Go through this runbook to find other interesting events when looking at a compromised server.
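Since both of these entries revolve around auth.log, here is an added example (my Python, not code from AuthLogParser or the Linux-Incident-Response runbook) that reimplements the kind of group-by summaries those tools give you: successful logins, failed logins by source, sudo to root, and account creation. The log lines are constructed, and the hostnames, users and addresses are not real.

```python
"""Parse a Linux auth.log and summarize the events an IR triage looks for.

Added example, not from either project: the sample log is constructed.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Jan  8 09:14:02 web01 sshd[2211]: Accepted password for deploy from 10.0.0.5 port 51234 ssh2
Jan  8 09:14:02 web01 sshd[2211]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Jan  8 09:15:40 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan  8 09:15:43 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2
Jan  8 09:15:50 web01 sshd[2291]: Failed password for deploy from 203.0.113.7 port 40030 ssh2
Jan  8 09:16:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  8 09:16:01 web01 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=1001)
Jan  8 09:20:13 web01 useradd[2401]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash
Jan  8 09:21:00 web01 sshd[2455]: Accepted publickey for root from 198.51.100.9 port 33000 ssh2
"""

# Syslog envelope: timestamp, host, then the program-specific message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Ordered: the first pattern that matches a message decides its kind.
PATTERNS = [
    ("login_success", re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")),
    ("login_failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("sudo", re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("session_opened", re.compile(r"session opened for user (?P<user>\S+) by")),
]


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn raw lines into event dicts; unknown lines are skipped, not fatal."""
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        for kind, pattern in PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append({"kind": kind, "ts": m.group("ts"),
                               "host": m.group("host"), **hit.groupdict()})
                break
    return events


def summarize(events: List[Dict[str, str]]) -> Counter:
    """Event counts by kind, the first thing to eyeball on a suspect host."""
    return Counter(e["kind"] for e in events)


def failed_logins_by_source(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Group failed logins by source address to spot brute forcing."""
    return dict(Counter(e["src"] for e in events if e["kind"] == "login_failed"))


def root_activity(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Direct root logins plus sudo commands executed as root."""
    return [e for e in events
            if (e["kind"] == "login_success" and e["user"] == "root")
            or (e["kind"] == "sudo" and e.get("target") == "root")]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print(dict(summarize(evs)))
    print(failed_logins_by_source(evs))
    for e in root_activity(evs):
        print(e["ts"], e["kind"], e.get("cmd") or f"{e['method']} login from {e['src']}")
```

On the sample above, the summaries surface the three things a responder would chase first: repeated failures from one external address, a new local account, and a key-based root login from a second external address.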
honeydet by referefref
Honeypot detection framework written in Golang. According to referefref (on their Reddit post, where I found this), honeypot detection tools typically rely on finding one type of honeypot. This framework creates a way to write signatures for detecting honeypots so the underlying code stays the same.
galah by 0x4D31
OpenAI-powered honeypot. It takes in a web request, derives the technology the request tries to access, and dynamically returns a response. Fun payloads include: /are-you-a-honeypot/ and /i-mean-are-you-a-fake-server/.