Welcome to Issue #58 of Detection Engineering Weekly!
This week’s recap:
💎 by Omer Singer on the emergence of two-SIEM deployments
Justin Ibarra adds false positives to the lolol farm, James Forshaw reverse-engineers Windows' new sudo feature, KarmaX on evading YARA rules and the cat & mouse game of threat detection, Matthew Brennan gives readers a crash course on malware infrastructure tracking, Regan Carey offers a warning on using the Azure Monitor Agent to send telemetry from non-Azure-joined devices to Azure
Podcasts by Srsly Risky Biz, the Darknet Diaries & Microsoft Threat Intelligence
LockBit gets got via a forum dispute, Chainalysis records over $1 billion in ransom payments in 2023, CISA warns of Volt Typhoon lurking in critical infrastructure, Drainer-as-a-service targets crypto holders, and Orange Cyberdefense shares details on Ivanti compromises and a perl webshell
plus so much more!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
The Two-Headed SIEM Monster by Omer Singer
Since SIEM and Detection Engineering go hand in hand, this post offered a unique view of the idea of multiple SIEMs being deployed at an organization. I've heard these called several things: cloud SIEM, side-SIEM (what), and pre-SIEM (a SIEM before you send it to your... SIEM?), so it's definitely a change in the market that we should, as defenders, pay attention to.
Singer calls out the opportunity of Splunk getting Cisco'd (lol), and that several competitors to "pure-SIEM" are trying to eat up everything that Splunk will probably start to lose in the next few years. I post a lot of content here related to Sentinel (Microsoft's Azure SIEM) and Chronicle (Google's Cloud SIEM), so the question is: do you try to put it all into one place, or do you split it up? How do you address change management of rules and log pipelines across two behemoths? What about automation for enrichment and response? All great questions that Singer brings up.
🔬 State of the Art
Living off the False Positive by Justin Ibarra
🤠 the lolol farm just got its latest addition: false positives! I love love love this approach to detection ideation and sharing. We (the detection and infosec community) focus so heavily on 1 of the 4 labels of statistics: true positives. What about the other 3? Knowing how false positives can affect your detection strategy means you can create robust detections and then build in automation (code) and capacity (humans) to compensate, ensuring you have the right balance.
Sudo On Windows a Quick Rundown by James Forshaw
Sudo on Windows is a headscratcher for me. The Linux kernel & Windows have very different security models, and adding it seemed to be primarily an ergonomic feature, according to Jordi Adoumie from Microsoft:
It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console.
In this post, Forshaw dives into the new feature and explains that it is primarily an elevation-of-privilege feature with few of sudo's own features, such as SUID. According to Forshaw, much of this functionality is just a wrapper around already existing mechanisms for privilege escalation in Windows. After digging a bit deeper, Forshaw finds some concerning design decisions around how the elevated sudo process keeps an RPC server open for others to connect to.
The Problem With YARA: Evading Elastic Security EDR with a NOP instruction by KarmaX
Is adversarial Detection Engineering a term I can make up? Alright, I've coined it; send royalties to the newsletter anytime you use it. It's great to see red teamers publicly disclose how they evade detection rules. It makes us better defenders in the long run, as it can highlight how we need to adjust the scale of what we need to catch to find a true positive. In this post, KarmaX takes several YARA Elastic rules detecting Havoc and shows their process on how to defeat the
A Beginner’s Guide to Tracking Malware Infrastructure by Matthew Brennan
Guest blog post by Brennan (embeeresearch) on using Censys for infrastructure hunting. Threat actors automate just as much as we do, so making sure you can abuse the fact that they want to work smarter via automation can help identify infrastructure as it's being instantiated. I'm a big fan of using Censys for TLS certificate hunting and HTTP Response (Headers & Title) hunting.
Why you shouldn’t deploy the Azure Monitor Agent on Client Devices, and the Cost of Closing Detection Gaps by Regan Carey
This post by Carey is an excellent companion to Singer's gem listed previously. Running a full Microsoft shop in Azure seems fabulous until you start hitting transfer costs of telemetry. And sometimes, that telemetry is already ingested elsewhere in another product and can fit all your use cases. Carey explores the case of non-Azure-joined devices needing to send security events, like Sysmon, to Azure. From a change management perspective, it's a mess, and he notes the costs may not be worth the benefit.
Carey offers arguments for doing this, for not doing it, and an in-between solution for critical endpoints.
🎙️ Detection Engineering Podcasts
Listen to this, then read the CISA disclosure about Volt Typhoon below. Or maybe the reverse, or maybe at the same time? I've enjoyed these short and to-the-point episodes from Srsly Risky Biz on significant threat developments. This one is inspired by the CISA disclosure on the subject.
It is not necessarily Detection-related, but Darknet Diaries offers much insight into criminal networks, which I think helps frame our approach to threat detection. This wild episode follows a call center worker in Pakistan selling fake degrees from fake universities to victims worldwide.
Awesome update from the DPRK-focused researchers at Microsoft Threat Intelligence. It's cool to see how they approach studying APTs, and why DPRK has a unique twist compared to any other APT in the world. They take a modern-day/real Ocean's 11-style approach to nation-state ops: crypto heists.
☣️ Threat Landscape
“This Forum is a Bunch of Communists and They Set Me Up”, LockBit Spills the Tea Regarding Their Recent Ban on Russian-Speaking Forums by Anastasia Sentsova and Jon DiMaggio
Following crime actors is like watching Trash TV: It's funny when they fight, and you get addicted to the ridiculousness of their exchanges. But, unlike Trash TV, infighting shows a lot of intelligence value since these actors air dirty laundry on each other.
LockBit/LockBitSupp, one of the strain's main admins, was banned from two long-standing "underground" forums, Exploit and XSS, due to a dispute about payouts. Sentsova and DiMaggio discuss the implications of this ban, the Russian cybercrime ecosystem, and the "honor" system used by CIS-based cybercriminals, and why it played a huge role in the ban.
Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline by Chainalysis
538 new ransomware variants in 2023. Like VC-funded startups, ransomware groups are spinning up their own operations using everything from leaked builds to lessons learned from other groups. One of the best ways to study large-scale attacks is to follow the money, and Chainalysis has the data to let us follow along.
Chainalysis provided insights into payment size, frequency, and trends in "big game hunter" groups and small splinter groups. The picture below shows the interesting network and community effects of Ransomware-as-a-Service.
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure by CISA
This is a great companion post to the Risky Biz news segment above about Volt Typhoon. It's a harrowing finding from the U.S. intel community that the APT group is targeting U.S. critical infrastructure in CONUS and OCONUS (in the U.S. and outside of the U.S.). Though the report says nothing about actions on objectives, they talk about "potential impact" via strategic network prepositioning, just in case they need it.
Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS Program by CYFIRMA
It's hard for me to empathize with crypto bros, but I'm amazed at how much work goes into targeting crypto holders. By leveraging several TTPs from the phishing industry, Infostealer ecosystems, and straight-up spam networks, these networks of "wallet-drainers" target victims on popular websites like X to connect their wallet to a malicious service and have it drained of funds.
Ivanti Connect Secure: Journey to the core of the DSLog backdoor by Orange Cyberdefense
(pdf warning)
Ivanti exploitation continues, and Orange reports on a novel backdoor used by an actor abusing CVE-2024-21893, an SSRF in Ivanti Connect Secure. It's a clever payload - an SSRF exploit is sent to the device, partially overwriting a core logging script used by Ivanti to inject a webshell. It also shows how one singular investigation can give enough intel to find more compromised hosts. Starting from one victim, the team at Orange identified close to 700 other compromised hosts.
🔗 Open Source
DetectRaptor by mgreen27
Open-source Detection content, baby! This repository takes several practical Windows-based forensics artifacts and packages them into a Velociraptor-compatible pack. It combines several resources, from loldrivers to Sigma rules.
vger by JosephTLucas
Jupyter post-exploitation toolkit. The author listed user stories at the beginning of the README, which shows who might find this tool useful. "A.I. Red Teamer" is new to me, but if you compromise a Jupyter instance belonging to an AI/ML team, you can do some fun stuff to poison models before they go out to production.
mindns by sammwyy
Mini DNS server implemented in Rust. Seems like a dnsmasq/PowerDNS replacement, and has a TOML-based rule language for filtering and proxying.
lolcerts by WithSecureLabs
Are lolcerts being added to the lolfarm? I hope so! It's crazy to think that we have to store stolen / legally acquired certificates as an indicator of compromise, but it should be a high-fidelity detection nonetheless.
ROADtools by dirkjanm
ROAD stands for "Rogue Office 365 and Azure (active) Directory tools". I guess it sounds better than ROENTRA. It contains 3 separate tools: a library, an enumeration/reconnaissance module and a token exchange module. Seems like a great toolset to build red team/emulation efforts against Azure to test your detections against.