Det. Eng. Weekly #55 - Don't delete my test tenant, bro
I promise it's just for testing, it won't give you unfettered access to everything!
Welcome to Issue #55 of Detection Engineering Weekly!
This week’s recap:
💎 by hexacorn on the motivations and shortfalls of security research
afx_IDE gives a crash course on thread hijacking, Daniel Feichter uses vectored exception handling for indirect syscall invocation, Invictus Incident Response makes sure we get the right logs from Azure during an investigation, Nathan Eades on the structure of Azure control plane logs and the nuances behind them, Nihad Hassan on using OSINT to uncover cybercriminals, and intel471 gives us a crash course on bulletproof hosters
Podcasts: Detection at Scale interviews Remitly’s Head of D&R, Risky Biz special edition and Cyberwire interviews Bishop Fox on their research into SonicWall
Microsoft gets owned, Datadog on new action on objective techniques from actors accessing AWS tenants, Greynoise studies Ivanti Connect n-days that lead to cryptominers, pompompurin is out? and Dave Truman gives us the skinny on SYSTEMBC
Plus so much more!
💎 Detection Engineering Gem 💎
How to become/continue to be a security researcher? by hexacorn
This short but concise blog post encapsulates what motivated me to get into security and what continues to motivate me every time I work on something new or exciting. Security research, to me, embodies the "spirit of the tinkerer" and, unlike any other field in tech, doesn't necessitate academic rigor to contribute something unique to the ecosystem.
That being said, that's what a lot of research is: thoughtful tinkering. So, according to Hexacorn, we tend to overcorrect on research and assume that whoever publishes something on a topic means they've explored everything in that topic. This is a false assumption, and whether you are a researcher in the pure sense or do research in detection, red team, or threat intelligence, you should assume there's more to uncover than what's published.
🔬 State of the Art
An Introduction to Local Thread Hijacking by afx_IDE
Thread hijacking is an execution technique that hijacks a thread belonging to a target process to execute malicious code. It relies on the fact that processes want to be concurrent, so they can have many threads, and using one of these threads in a legitimate process may help evade detection. afx_IDE does a great job of explaining this technique in detail, and it is a must-read for folks doing detection on Windows systems.
Syscalls via Vectored Exception Handling by Daniel Feichter
I've enjoyed diving deep into Windows internals in the threat detection context for the past year. EDR implementation and EDR evasion techniques go hand in hand. In this post, Feichter shows how to execute indirect syscalls via Vectored Exception Handling (VEH). The basic premise behind VEH is abusing how Windows handles access violations: a registered handler gets control whenever one is raised. You can copy shellcode and other indirect syscall addresses onto the stack so the handler doesn't need to worry about assembly code.
Do not use the Get-MgAuditLogSignIn for your investigations! by Invictus Incident Response
What happens when you rely on a cloud service provider to give you APIs and tools to do your job, but those APIs and tools don't provide you with everything you need? This is especially scary for something critical, like a security incident. Invictus IR identified a well-known and widely used cmdlet for Azure AD/Entra response that doesn't return some fields necessary to do just that. Luckily, there are workarounds in KQL and a beta cmdlet. Still, it shows that you can't assume CSPs will get everything right in security. You should always explore other detection opportunities and/or forensic acquisition techniques, just in case.
Azure Logs: Breaking Through the Cloud Cover by Nathan Eades
If you are familiar with AWS and not Azure, or just want to start your journey into Azure control plane logging, this is the post you should read! I cut my teeth on AWS logging and threat detection early on, and seeing Azure evolve into what it is today seems like a tall mountain to climb. Eades does a great job of showing the importance of each field within the control plane (and a separate data plane log too), and the underlying complexities and gotchas with the structure. The important part here is that Microsoft logs attempts via the status field, and those attempts may succeed or fail, so you need efficient group-bys to see the whole picture.
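To make the group-by point concrete, here is an added example (mine, not from Eades' post) that collapses constructed Azure Activity Log records into one outcome per operation. It assumes the real schema's correlationId, operationName, status and caller fields, flattened here into a plain dict; the events themselves are made up.

```python
from collections import defaultdict

# Constructed sample records, modelled on Azure Activity Log fields
# (correlationId, operationName, status, caller) but flattened: in the
# real log operationName and status are objects with a "value" key.
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
SAMPLE_EVENTS = [
    {"time": "2024-01-20T10:00:00Z", "correlationId": "c-1", "caller": "alice@example.com",
     "operationName": ROLE_WRITE, "status": "Started"},
    {"time": "2024-01-20T10:00:02Z", "correlationId": "c-1", "caller": "alice@example.com",
     "operationName": ROLE_WRITE, "status": "Succeeded"},
    {"time": "2024-01-20T10:05:00Z", "correlationId": "c-2", "caller": "bob@example.com",
     "operationName": ROLE_WRITE, "status": "Started"},
    {"time": "2024-01-20T10:05:01Z", "correlationId": "c-2", "caller": "bob@example.com",
     "operationName": ROLE_WRITE, "status": "Failed"},
    {"time": "2024-01-20T10:07:00Z", "correlationId": "c-3", "caller": "bob@example.com",
     "operationName": ROLE_WRITE, "status": "Started"},  # no terminal record (yet)
]

TERMINAL = {"Succeeded", "Failed"}


def count_by_status(events):
    """Naive view: one row per record, which counts attempts, not operations."""
    counts = defaultdict(int)
    for e in events:
        counts[e["status"]] += 1
    return dict(counts)


def summarize_operations(events):
    """Collapse the per-attempt records into one entry per correlationId,
    keeping the last terminal status (or InProgress if none was logged)."""
    groups = defaultdict(list)
    for e in events:
        groups[e["correlationId"]].append(e)
    summary = {}
    for cid, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        statuses = [r["status"] for r in recs]
        outcome = next((s for s in reversed(statuses) if s in TERMINAL), "InProgress")
        summary[cid] = {"caller": recs[0]["caller"], "operation": recs[0]["operationName"],
                        "attempts": statuses, "outcome": outcome}
    return summary


def succeeded(events, operation):
    """Correlation IDs of operations of the given type that actually completed."""
    return sorted(cid for cid, s in summarize_operations(events).items()
                  if s["operation"] == operation and s["outcome"] == "Succeeded")
```

Alerting on the "Started" rows alone would fire three times here; grouping on correlationId shows one role assignment actually landed, one failed, and one never reached a terminal state.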
Uncovering individual backgrounds in financial crime investigations with OSINT by Nihad A. Hassan
This post highlights the importance of OSINT when investigating actors who perform various financial crimes. Following the criminal enterprise behind a phishing operation is a good application of this approach. By learning who the actors are, where they operate, and their history of abuse, you can build better defensive strategies rather than just focusing on the technical components.
Bulletproof Hosting: A Critical Cybercriminal Service by intel471
Enriching a specific IP address with as much information as possible when writing detections for your perimeter or identity services can make or break a detection opportunity. Bulletproof hosting providers really throw a wrench into this for several reasons. Whether rotating and buying new IP space or creating a network of infected proxies, these networks have operated for over a decade and have been tied to some of the most prolific crime operations. The intel471 team here describes the potential impact of these types of networks and gives examples of how they are leveraged.
🎙️ Detection Engineering Podcasts
Great conversation between Remitly’s Head of D&R Jason Craig and Jack Naglieri, with a particular focus on detection opportunities and peculiarities surrounding LAPSUS$/”The Com”.
This was a surprise episode by the Risky Biz crew. This time, they dived deep into a few more news topics since they counted it as a "bonus" episode. My favorite story was the AirDrop news from China, where the country's government uses rainbow tables to crack AirDrop logs to capture dissenters spreading propaganda.
This podcast by the folks at Cyberwire Daily dives deep into Bishop Fox’s SonicWall vulnerability research. I think it shows the importance of generalizing detection opportunities in a unique way. The researchers “piggybacked” on vulnerabilities disclosed against SonicWall and found additional, almost identical vulnerabilities in separate URI paths on the device that eventually led to RCE. Links nicely to the gem post above about removing your assumptions about security research.
☣️ Threat Landscape
Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard by MSRC
Midnight Blizzard, AKA Nobelium, is a Russian-state aligned threat actor group that targeted Microsoft and managed to get access to, and I quote:
a legacy non-production test tenant account and gain a foothold
It shouldn't seem too bad, right? Well, according to the tech giant, the actor pivoted from there into Microsoft employee email accounts. I'd love to see the post-mortem on this because it seems crazy that a test tenant account had that much access.
Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining by Martin McCloskey & Christophe Tafani-Dereeper
*Note that my employer is Datadog and Martin & Christophe are my colleagues*
The security research team at Datadog uncovered some interesting post-compromise attack techniques in Amazon tenants. Many cloud incidents end with cryptomining, but the two interesting questions that came to mind were: what else did they do, and how did they do cryptomining?
Our extremely-diabolically-low-confidence assumption is that these actors are signing up for those pesky AWS training classes on which we all get served ads. (Kidding)
Ivanti Connect Secure Exploited to Install Cryptominers by Ron Bowes
Speaking of cryptominers, the Greynoise team observed an actor exploiting the latest Ivanti CVEs to gain access to their honeypots and try to install cryptominers. This shows how essential detection opportunities are for N-day or "emerging" vulnerabilities like this because actors quickly copy these exploits from code hosting services and start blasting the internet.
BreachForums Founder Sentenced to 20 Years of Supervised Release, No Jail Time by The Hacker News
pompompurin, the notorious Breached Forums admin, was finally sentenced! A lot of time and energy was put into this takedown. Still, I find it interesting they got no jail time, especially with their additional CSAM charges.
Inside the SYSTEMBC Command-and-Control Server by Dave Truman
In this post, Truman does a deep dive into the SYSTEMBC C2 service that you can grab on the dark web and deploy to your infected machines. SYSTEMBC uses a clever SOCKS5 proxy technique to establish outbound connections to the C2 panel. Still, you can push commands through this panel back through the connection. According to Truman, RHYSIDA ransomware uses SYSTEMBC extensively, and the malware can be used for everything from the backdoor via the proxy to loader functionality and managing initial access.
🔗 Open Source
etwunhook by Meowmycks
Lots of Windows internals for this issue! This “PoC” unhooks ETW event generation, so it literally turns off logging on an infected host.
GraphStrike by RedSiege
Fun way to leverage Microsoft Graph API to hide Cobalt Strike beacon traffic. The goal (I hope) is to emulate several APT campaigns using the Graph API. Red teamers and defenders can see how a commercial C2 can interact with this API for detection opportunities.
pulse-meter by rxwx
Python script that leverages YARA to sweep Ivanti devices for potential IoCs related to recent Ivanti n-day campaigns.