Det. Eng. Weekly #56 - We are all one team here
So just accept this chat request and click this link!
Welcome to Issue #56 of Detection Engineering Weekly!
This week’s recap:
💎 Alex Stamos critiques Microsoft’s late-stage capitalistic response to their Midnight Blizzard compromise
David French helps us get started with detection-as-code on Google Chronicle, and has the code to help too! Luke Jennings shows us how to fool Microsoft Teams effectively, Brendan O’Leary launches cvemap, assume-breach shares their lessons learned breaking into security and pentesting, and William Burgess squashes Cobalt Strike detection opportunities using LLVM and some sleep mask shenanigans
Podcasts by the good folks at Mandiant and Microsoft on the CTI lifecycle and the North Korea threat landscape
MSTIC drops its Midnight Blizzard guidance (the one that Stamos criticizes), Cyberteam pivots on Vidar infrastructure to uncover even more, Yaniv Nizry drops some Jenkins vulns, Peter Boyle on DarkGate being delivered via Teams, and a good ol’ fashioned CVE writeup from Qualys on Openwall targeting... syslog?
plus so much more!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Microsoft's Dangerous Addiction To Security Revenue by Alex Stamos
The Midnight Blizzard Microsoft story gets spicier and spicier. In this LinkedIn post, Stamos analyzes Microsoft Threat Intelligence's post on defending against this style of attack (linked below in Threat Landscape). The way I read this post, it felt like several stakeholders with potentially different desired outcomes tried to come together and do the right thing, but left a bad taste in my mouth (and Stamos' too).
The frustration stems from gatekeeping security features behind expensive licenses while simultaneously acknowledging that those very features are what protect against sophisticated actors. What happened to the shared responsibility model here? I understand the lines drawn between on-prem and cloud. Still, I imagine victims of this attack (other than Microsoft) will be upset when they receive the disclosure e-mail and then realize that the only way to protect themselves is to... buy more product.
Again, I think several stakeholders wrote the MSTIC report, and it smells like an identity issue (and not Entra identity) that the 3 trillion dollar company needs to figure out soon.
🔬 State of the Art
Getting Started with Detection-as-Code and Chronicle Security Operations (Part 1 of 2) by David French
This is a short but sweet post on how to leverage Google Chronicle to build a detection-as-code pipeline. French summarizes how detection-as-code generally works, citing his experience building this type of content at prior companies and now at Google. I like the call-out of auditability of code: we may overlook it as a community, but big companies like Google have auditing requirements and need to show change management even for their threat detection capabilities.
Phishing Microsoft Teams for initial access by Luke Jennings
Security research is like time; it's circular! As technologies emerge and fall into everyday use, I keep seeing the same abusive patterns that can confuse the end user. In this post, Luke explores how Microsoft Teams handles external invites and message previews and how an attacker can leverage both "features" to confuse an end user and phish them for external access or link to malware.
Announcing cvemap from ProjectDiscovery by Brendan O’Leary
Exciting (free) tool release from the ProjectDiscovery team. In 2023, "an astounding 24,804 new CVE entries" (ProjectDiscovery) were released into the National Vulnerability Database. So, which ones matter? The golden path forward to CVE prioritization is enrichment with other data sources. This is what cvemap tries to accomplish: by combining CVE data with several sources, such as CISA's KEV, FIRST's EPSS, and five others, you can start building your vulnerability prioritization strategy.
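To make the "enrichment, then prioritize" idea concrete, here is a small triage scorer written for this issue. It is an added example, not cvemap's code or output: the records are constructed (the identifiers are placeholders, not real CVEs), and the field names are my own assumptions rather than cvemap's JSON schema. The one thing it adds on top of KEV and EPSS is an inventory check, because a critical CVE in a product you do not run is still noise.

```python
"""Added example: rank CVE records by enrichment signals (KEV, EPSS, PoC, inventory).

The records and field names below are constructed for illustration and are NOT
cvemap's schema. Identifiers are placeholders, not real CVE IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float          # base score, 0.0-10.0
    epss: float          # FIRST EPSS probability (0.0-1.0) of exploitation in the next 30 days
    in_kev: bool         # listed in CISA Known Exploited Vulnerabilities
    has_poc: bool        # public proof-of-concept available
    in_inventory: bool   # affected product exists in our asset inventory (assumed field)


TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def tier(rec: CveRecord) -> str:
    """Assign a patch-priority tier from enrichment data.

    P1: actively exploited (KEV) and present in our environment.
    P2: high exploitation likelihood (EPSS) or weaponized critical (PoC + CVSS >= 9).
    P3: high/critical severity with no exploitation evidence yet.
    P4: everything else, including anything we do not run at all.
    """
    if not rec.in_inventory:
        return "P4"
    if rec.in_kev:
        return "P1"
    if rec.epss >= 0.5 or (rec.has_poc and rec.cvss >= 9.0):
        return "P2"
    if rec.cvss >= 7.0:
        return "P3"
    return "P4"


def prioritize(records: list[CveRecord]) -> list[tuple[str, str]]:
    """Return (cve_id, tier) pairs ordered by tier, then EPSS, then CVSS, highest first."""
    ranked = sorted(
        records,
        key=lambda r: (TIER_ORDER[tier(r)], -r.epss, -r.cvss, r.cve_id),
    )
    return [(r.cve_id, tier(r)) for r in ranked]


# Constructed sample feed: a mix of scary-looking and actually-dangerous entries.
SAMPLE_FEED = [
    CveRecord("SAMPLE-0001", cvss=9.8, epss=0.02, in_kev=False, has_poc=False, in_inventory=True),
    CveRecord("SAMPLE-0002", cvss=7.5, epss=0.91, in_kev=True,  has_poc=True,  in_inventory=True),
    CveRecord("SAMPLE-0003", cvss=9.1, epss=0.12, in_kev=False, has_poc=True,  in_inventory=True),
    CveRecord("SAMPLE-0004", cvss=10.0, epss=0.88, in_kev=True, has_poc=True,  in_inventory=False),
    CveRecord("SAMPLE-0005", cvss=5.3, epss=0.67, in_kev=False, has_poc=False, in_inventory=True),
    CveRecord("SAMPLE-0006", cvss=6.5, epss=0.01, in_kev=False, has_poc=False, in_inventory=True),
]


if __name__ == "__main__":
    for cve_id, t in prioritize(SAMPLE_FEED):
        print(f"{t} {cve_id}")
```

Note that SAMPLE-0001, the CVSS 9.8 with no exploitation evidence, lands below SAMPLE-0005, a medium-severity bug with a high EPSS score. That inversion is the whole point of enrichment: CVSS alone would have had you patching in the wrong order.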
I’m Not A Pentester (And You Might Not Want To Be One Either) by assume-breach
The blog-o-sphere and Twitter/LinkedIn passed this story around all last weekend and this week. It's sparked much debate on what it means to be a pentester, or what it means to break into cybersecurity in general. It offers a somewhat bleak view of entry-level jobs, pivoting into security as an entry-level person and consulting. Although I may not agree with everything in here, as we all have biases in these situations, it's a good discussion point regarding what you want to get out of being in this field.
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM by William Burgess
Every detection opportunity for blue teams is also an evasion opportunity for red and purple teamers. Burgess explores this concept in Cobalt Strike's sleep mask capability. There are high-fidelity YARA rules that can find binaries containing Cobalt Strike's distinctive sleep mask code. This is a problem if you look at this "at scale," running YARA over many memory regions and files to find infections. Classic precision and recall problem :). So, Burgess attacks the recall side of this detection by obfuscating the sleep mask object file with LLVM passes, forcing the hand of detection engineers to look at different ways to find Cobalt Strike.
🎙️ Detection Engineering Podcasts
Renze Jongman (Mandiant Intelligence) joins The Defender's Advantage Podcast to discuss the pitfalls of the CTI lifecycle and how it needs a facelift. On the show and their blog, they propose a "hyperloop" that splits the lifecycle into several tactical and strategic production and dissemination phases.
According to Greg Schloemer and Matthew Kennedy, North Korea puts the "P" (Persistent) in APT. Check out this episode if you want a crash course on DPRK cyber activity. What fascinates me about everything about North Korea and security is that it's a nation-state that is performing Ocean's 11-style heists on firms as a policy objective.
☣️ Threat Landscape
Midnight Blizzard: Guidance for responders on nation-state attack by Microsoft Threat Intelligence
MSTIC published more details on Microsoft's recent Midnight Blizzard compromise. I would read this, then go read the gem (if you still need to read the gem above) to see what Stamos was talking about regarding their incentive structure as a security company.
Identifying Vidar Infrastructure using Shodan by Cyberteam
Attacker infrastructure mapping is still one of my favorite things to do with free Shodan, Censys & BinaryEdge accounts :). The pivot points section, which moves from known C2s to other hosts via attributes such as JARM/JA3S fingerprints, can help uncover more infrastructure even if you never get your hands on all the samples associated with Vidar.
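The pivot logic itself is simple enough to script, and the thing worth getting right is not matching on JARM alone: JARM fingerprints are derived from a TLS stack's handshake behaviour, so a C2 built on a common web server or Go library shares its JARM with plenty of legitimate hosts. The example below is written for this issue (not Cyberteam's tooling) and runs over constructed host records that loosely imitate Shodan results. All IPs are RFC 5737 documentation addresses and the fingerprint strings are placeholders; the helper requires a JARM match plus at least one corroborating attribute before it reports a host.

```python
"""Added example: pivot from known C2 hosts to candidate infrastructure.

Records are constructed to resemble a search-engine host listing; IPs are
RFC 5737 documentation addresses and fingerprints are placeholder strings.
"""

# Attributes used to corroborate a JARM match. JARM alone is low fidelity.
PIVOT_ATTRS = ("server", "cert_cn", "asn")

HOSTS = [
    # Two known-bad hosts (seeds) with the same JARM, banner, and self-signed cert CN.
    {"ip": "192.0.2.10",   "port": 443, "jarm": "jarm_x", "server": "nginx/1.18.0", "cert_cn": "localhost",   "asn": "AS64496"},
    {"ip": "192.0.2.11",   "port": 443, "jarm": "jarm_x", "server": "nginx/1.18.0", "cert_cn": "localhost",   "asn": "AS64496"},
    # Strong candidate: same JARM, same banner, same cert CN, different ASN.
    {"ip": "198.51.100.5", "port": 443, "jarm": "jarm_x", "server": "nginx/1.18.0", "cert_cn": "localhost",   "asn": "AS64497"},
    # JARM collision only: a legitimate-looking shop with an unrelated stack.
    {"ip": "198.51.100.6", "port": 443, "jarm": "jarm_x", "server": "Apache/2.4",   "cert_cn": "shop.example", "asn": "AS64500"},
    # Different JARM entirely; never considered even though the banner matches.
    {"ip": "203.0.113.7",  "port": 443, "jarm": "jarm_y", "server": "nginx/1.18.0", "cert_cn": "localhost",   "asn": "AS64496"},
    # Weaker candidate: JARM plus banner, but a real-looking cert.
    {"ip": "198.51.100.8", "port": 443, "jarm": "jarm_x", "server": "nginx/1.18.0", "cert_cn": "www.example", "asn": "AS64497"},
]

SEED_C2 = {"192.0.2.10", "192.0.2.11"}


def seed_profile(hosts, seeds):
    """Collect the set of values each pivot attribute takes across the seed hosts."""
    seed_hosts = [h for h in hosts if h["ip"] in seeds]
    profile = {"jarm": {h["jarm"] for h in seed_hosts}}
    for attr in PIVOT_ATTRS:
        profile[attr] = {h[attr] for h in seed_hosts}
    return profile


def pivot(hosts, seeds, min_extra=1):
    """Return (ip, matched_attributes) for non-seed hosts that share a seed JARM
    plus at least `min_extra` corroborating attributes, strongest matches first."""
    profile = seed_profile(hosts, seeds)
    hits = []
    for h in hosts:
        if h["ip"] in seeds or h["jarm"] not in profile["jarm"]:
            continue  # JARM is the required first gate
        extra = [a for a in PIVOT_ATTRS if h[a] in profile[a]]
        if len(extra) >= min_extra:
            hits.append((h["ip"], ["jarm"] + extra))
    hits.sort(key=lambda t: (-len(t[1]), t[0]))
    return hits


if __name__ == "__main__":
    for ip, matched in pivot(HOSTS, SEED_C2):
        print(ip, "+".join(matched))
```

Raising `min_extra` trades recall for precision; on a real search-engine result set you would usually start strict, confirm a few candidates by hand (cert reuse, shared hosting provider, passive DNS), then loosen the threshold to catch the rest of the cluster.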
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins by Yaniv Nizry
What would you do if someone wanted to expose a remote-code-execution-as-a-service technology to the Internet? Close it down, right? Well, have no fear, Jenkins is here, and much of it is exposed on the Internet :(. The team at SonarSource found a vulnerability in Jenkins that lets attackers read sensitive files on a Jenkins server. This isn't a full remote code execution on its own, as how much of each file an unauthenticated user can read is limited. However, a user with read-only permissions could read any file on the filesystem.
DarkGate malware delivered via Microsoft Teams - detection and response by Peter Boyle
This post was timed perfectly with Luke Jennings' post about Microsoft Teams phishing. Luke reviewed the attack scenario from the offensive, theoretical perspective. In contrast, Boyle and the AT&T team reviewed a real delivery of DarkGate through Teams from the MDR and investigative perspective.
CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() by Qualys Security Advisory
A heap-based buffer overflow in the syslog() function of the most widely deployed C library in the world; what could go wrong if this were exploitable remotely? Luckily, it isn't, but it made the hair on my neck stand up for a bit! This is an excellent post by the Qualys team on the investigation flow of finding crashes via fuzzers and building exploits. This could turn into a local privilege escalation given a motivated actor, since setuid binaries log through syslog() too. Still, unlike other hilarious LPEs in the Linux kernel over the last few years, it requires more work.
🔗 Open Source
Fairplay by Hackcraft-Labs
Maybe Twitter/X sees I am more interested in red team drama so it serves me more red team drama, but I saw a post a few days ago about how it’s unfair that blue teamers upload red teamer binaries to online repositories. Cost aside, I thought it was neat that this repo queries several of these online IOC collections for implants that red teamers create so they know if they’ve been burned.
DefaultCreds-cheat-sheet by ihebski
Aggregation of default credentials by product, username and password. It would be interesting to see hashes next to this data as well, since that is the form most of these credentials turn up in during an engagement.
kunai by kunai-project
Kunai is a “Sysmon equivalent for Linux”. It leverages Rust and eBPF to collect kernel and syscall telemetry from a Linux host so you can hunt for badness.
PurpleLab by Krook9d
Yet another purple team lab, but this one seems bespoke in the sense that you can use its web app to test detections and attack scenarios.
TeamsBreaker by ASOT-LABS
Lots of Microsoft Teams research this issue! TeamsBreaker helps automate the phishing of users in Teams, and tries to bypass or mitigate some of the warning messages that Luke Jennings' post above references.
Micro$oft's corporate greed is unmatched, followed by some of the worst technical management I've seen in my 43-year career. I do like some of what they've done, but withholding security features like this is tantamount to hostage taking.