Det. Eng. Weekly #60: ScreenConnect: factory-reset-as-a-service
You don't need a paperclip to reset this device!
Welcome to Issue #60 of Detection Engineering Weekly!
This week’s recap:
💎 by Matthew O’Brien on deploying metrics to score your detection program, and not just your MITRE ATT&CK coverage
Andrew VanVleet splits the detection ideation process into two necessary (or sufficient) parts, Dave Addison uncovers Havoc C2s with just 1 header, Mark Lester Dampios compares and contrasts anti-cheat with EDR bypass techniques, NIST releases Version 2.0 of their cybersecurity framework
Podcasts by Microsoft Threat Intelligence and Risky Biz, both on information and cyber operations (or the lack thereof) from two different countries
Huntress with a banger of a post on the latest ScreenConnect vulnerabilities, CISA and the gang shed light on SVR operations in the cloud, LockBit’s unhinged return, and an incredible deep dive on the Chinese cybercrime ecosystem by SpyCloud researchers Kyla Cardona and Ashley Allocca
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
📣 Issue #60 Sponsor: Intel-ops
I've been working my way through Intel-ops' (Michael Koczwara, a regular author I link in this newsletter) "Hunting Adversary Infrastructure" course. I've reiterated in my writing that proactive infrastructure hunting will be a staple in a mature threat detection and intelligence team. Michael was kind enough to approve my access to it, and I thought I knew how to do this until I started taking his class.
It's updated frequently, and there are all kinds of techniques here that you can use with community tool access and open-source tools. Please check it out and let me know what y'all think!
💎 Detection Engineering Gem 💎
Detection Engineering Metric Scoring Framework by Matthew O’Brien
This gem is probably the most comprehensive exploration into detection metrics I've ever read in my 60 newsletter issues. O'Brien graciously discloses his organization's detection scoring framework, which is a combination of Palantir's Alerting and Detection Strategy Framework, Roberto Rodriguez's Scoring System on "How Hot is your Hunt Team?" post, and of course, MITRE ATT&CK.
Their team measures detection metrics via several factors, such as data quality, detection coverage, confidence levels, and validation scores. The product of the values yields a general score, the "magic number," between 0 and 100. This number helps their detection and analyst teams
"...answer the fundamental question of 'how well is our organization able to detect a particular technique?'"
I'd love to see concrete examples of different detection scenarios because they sound comprehensive enough to answer these tough questions.
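To make the "product of factors" idea concrete, here is an added worked example (my own code, not O'Brien's framework or any of the frameworks it builds on). It assumes four factors, each rated on a 0 to 1 scale, multiplies them, and scales the result to 0 to 100; a technique's score is the score of its best rule. The sample rules and ratings are constructed. One property worth seeing is that a product is unforgiving: a rule that has never been validated scores zero no matter how good its telemetry is.

```python
"""Product-of-factors detection scoring (added illustration, not O'Brien's code).
Assumptions: factors are in [0, 1]; technique score = product * 100; a
technique's score is the best of its rules."""
from dataclasses import dataclass

FACTORS = ("data_quality", "coverage", "confidence", "validation")


@dataclass
class Detection:
    name: str
    technique: str       # ATT&CK technique ID the rule targets
    data_quality: float  # completeness/fidelity of the source telemetry
    coverage: float      # share of known procedures the rule can see
    confidence: float    # analyst trust that a hit is a true positive
    validation: float    # how recently and successfully the rule was tested


def score(d: Detection) -> float:
    """Multiply the factors; any weak factor drags the whole score down."""
    product = 1.0
    for f in FACTORS:
        v = getattr(d, f)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{d.name}: {f} must be in [0, 1], got {v}")
        product *= v
    return round(product * 100, 1)


def weakest_factor(d: Detection) -> str:
    """The factor to invest in next for this rule."""
    return min(FACTORS, key=lambda f: getattr(d, f))


def technique_scores(detections):
    """Best score per technique, with the rule that earned it and its weakest factor."""
    best = {}
    for d in detections:
        s = score(d)
        if d.technique not in best or s > best[d.technique]["score"]:
            best[d.technique] = {"score": s, "rule": d.name, "weakest": weakest_factor(d)}
    return best


# Constructed sample rules and ratings (not real organisational data)
SAMPLE = [
    Detection("wmi_binding_sysmon21", "T1546.003", 0.9, 0.8, 0.9, 1.0),
    Detection("wmi_cmdline_keywords", "T1546.003", 0.9, 0.4, 0.7, 0.5),
    Detection("lsass_handle_access", "T1003.001", 1.0, 0.6, 0.5, 0.0),  # never validated
]

if __name__ == "__main__":
    for tech, info in technique_scores(SAMPLE).items():
        print(tech, info)
```

Because the best rule wins per technique, the report shows where a single strong rule masks a weak sibling; the weakest-factor field is what turns the number into a work item.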
🔬 State of the Art
Identifying and Classifying Attack Techniques by Andrew VanVleet
VanVleet is on fire with some fantastic detection content as of late! In this blog, he approaches the general concept of building a detection with two asks: finding an event that is necessary to log or investigate when generated and the classification of events into benign or malicious label categories. Imagine a population of events that a system logs when a potential attack technique occurs. A rule is basically lines drawn within that population window where the rule labels one side benign and the other malicious.
Jared Atkinson calls this information "necessary" or "sufficient" telemetry, where you want to work towards necessary as much as possible before relying on sufficient telemetry. You can see this in VanVleet's Event Subscription example, where relying on CLI arguments to find event subscriptions is sufficient information to find this technique. Still, Sysmon event 21 is necessary to show that a WMI binding occurred.
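The necessary-versus-sufficient distinction is easiest to see with two rules run over the same events. The following is an added example (not VanVleet's or Atkinson's code) over constructed, simplified Sysmon records: event ID 1 carries a process command line, and event ID 21 (WmiEvent, consumer-to-filter binding) fires whenever a binding is created, whatever tool created it. The command lines and object names are made up and elided.

```python
"""Sufficient vs necessary telemetry for WMI event subscription persistence
(T1546.003). Added illustration; events are constructed, simplified Sysmon records."""
import re

# Rule A: keyword match on process command lines. Sufficient: a hit is a strong
# signal, but an actor can reach the same outcome without these strings appearing.
CMDLINE_KEYWORDS = re.compile(
    r"__EventFilter|__FilterToConsumerBinding|CommandLineEventConsumer", re.I)


def rule_cmdline(event):
    return event["EventID"] == 1 and bool(
        CMDLINE_KEYWORDS.search(event.get("CommandLine", "")))


# Rule B: the binding event itself. Necessary: the technique cannot succeed
# without producing it (assumption: Sysmon's WmiEvent logging is enabled).
def rule_binding(event):
    return event["EventID"] == 21 and event.get("Operation") == "Created"


SAMPLE_EVENTS = [
    # Case A: subscription created with wmic; the command line carries the class names
    {"EventID": 1, "case": "A", "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /namespace:\\\\root\\subscription path __EventFilter create <args elided>"},
    {"EventID": 21, "case": "A", "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="updater"', "Filter": '__EventFilter.Name="updater"'},
    # Case B: same persistence from an encoded PowerShell script; nothing on the command line
    {"EventID": 1, "case": "B", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand <base64 elided>"},
    {"EventID": 21, "case": "B", "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="svc"', "Filter": '__EventFilter.Name="svc"'},
    # Benign noise
    {"EventID": 1, "case": None, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def evaluate(events, rules):
    """Per rule, the set of attack cases it caught (benign events have case=None)."""
    caught = {r.__name__: set() for r in rules}
    for e in events:
        for r in rules:
            if r(e) and e.get("case"):
                caught[r.__name__].add(e["case"])
    return caught


def gaps(caught):
    """Cases some rule saw that a given rule missed: the cost of relying on sufficient data."""
    seen = set().union(*caught.values())
    return {name: seen - cases for name, cases in caught.items()}


if __name__ == "__main__":
    c = evaluate(SAMPLE_EVENTS, [rule_cmdline, rule_binding])
    print(c, gaps(c))
```

The command-line rule misses case B entirely, while the binding rule sees both cases with no extra logic. That is the argument for driving toward necessary telemetry first and layering sufficient rules on top for context.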
Hunting For Havoc C2s by Dave Addison
Who said open-source OSTs aren't good for threat detection? While you read this post by Addison, you'll notice a ton of static signatures within Havoc C2 that detection engineers and threat researchers can use to identify Havoc C2s even before their first infection. That being said, a competent operator can change these static values, but several sophisticated threat actor groups run default settings on many of these OSTs, so your threat actor OPSEC may vary.
A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass by Mark Lester Dampios
Are game cheat developers APTs in the making? Or are they the heroes we need but don't deserve? If it weren't for cheating in games like Counter-Strike, Diablo II, or Starcraft, I wonder if I would have developed an interest in cybersecurity later in life.
I like this blog post because it compares how similar the anti-cheat and EDR ecosystems are, and many techniques for EDR bypasses came from the anti-cheat community. Dampios builds a table of common Windows API functions that both communities abuse, but they diverge quickly as soon as process execution is achieved. Basically, cheaters don't need to evade base OS defenses or perform privilege escalation.
NIST Releases Version 2.0 of Landmark Cybersecurity Framework by NIST
NIST released the 2.0 version of their cybersecurity framework with the intention of making it applicable to any organization or firm rather than just critical infrastructure, as CSF 1.0 was. NIST published CSF 1.0 in 2014 (10 years ago!). Just like Version 1.0, 2.0 has sections for detection (DE) and response (RS), which would be relevant to readers of this newsletter. For example, the 2.0 version of detection splits into two subsections: continuous monitoring (CM) and adverse event analysis (AE). CM was in the 1.0 version, but AE replaced "anomalies and events" from 1.0. There's a lot more emphasis on information correlation from multiple sources, though it could be more explicit about whether that means separate telemetry, cyber threat intelligence, or both.
Unlike its predecessor, NIST also added a new category: governance, which showcases organizational maturity and the importance of cybersecurity within a board environment.
Microsoft identity platform app types and authentication flows by Microsoft
I pulled this documentation page for Microsoft identity from the blueteamsec subreddit and laughed while reading it. I kept adding "and red teamers/threat actors" to the end of any sentence containing "app." Basically, if you want to access a "protected API or App" within a Microsoft tenant, you need to retrieve a token to access the app. This token can be on behalf of users or other "daemon apps" without users. This is an excellent article for red and blue teamers to look for ways to get into a customer environment.
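For a responder, the practical question about one of those tokens is whether a user or a daemon app was behind a call. Below is an added example (my own code, not Microsoft's documentation or SDK) that classifies a Microsoft identity platform access token by its claims: delegated tokens carry an `scp` claim with user scopes, app-only tokens issued through client credentials carry `roles`. It only parses claims and does not validate the signature, which is assumed to happen elsewhere; the two tokens it builds are constructed with a dummy signature for the demo.

```python
"""Classify an access token as delegated (user) or app-only (daemon) from its claims.
Added illustration; parsing only, no signature validation. Tokens below are constructed."""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_demo_token(claims: dict) -> str:
    """Builds an unsigned JWT with a dummy signature, for the demo only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}.dummy"


def classify_token(token: str) -> dict:
    """Return who/what is behind the token. Assumes validation was already done upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if "scp" in claims:
        kind, perms = "delegated", claims["scp"].split()   # user context, delegated scopes
    elif "roles" in claims:
        kind, perms = "app-only", list(claims["roles"])   # daemon app, application permissions
    else:
        kind, perms = "unknown", []
    return {
        "kind": kind,
        "app": claims.get("appid") or claims.get("azp"),
        "user": claims.get("upn") or claims.get("preferred_username"),
        "tenant": claims.get("tid"),
        "permissions": perms,
    }


# Constructed sample tokens (placeholder IDs, not real tenants or apps)
USER_TOKEN = make_demo_token({"tid": "TENANT-PLACEHOLDER", "appid": "APP-PLACEHOLDER",
                              "upn": "alice@example.com", "scp": "Mail.Read User.Read"})
DAEMON_TOKEN = make_demo_token({"tid": "TENANT-PLACEHOLDER", "appid": "DAEMON-PLACEHOLDER",
                                "roles": ["Mail.Read"]})

if __name__ == "__main__":
    print(classify_token(USER_TOKEN))
    print(classify_token(DAEMON_TOKEN))
```

A daemon token with broad application permissions and no user attached is exactly the case where an over-permissioned app registration quietly becomes the path into a tenant, so it is worth surfacing the kind explicitly in investigations.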
🎙️ Detection Engineering Podcasts
Influence & information operations are a fascinating field of study that emerged especially in the 2016 US presidential campaign. In this podcast, Sherrod Degrippo interviews two researchers from Microsoft’s Threat Analysis Center who focus on Iranian influence operations. This is especially interesting when you consider that influence operations occur all over the world, and in Iran’s case (according to Microsoft), they target Israeli news and topics.
Speaking of information operations, The grugq and Tom Uren go into the (lack of) Russian cyber doctrine. The team announces a mea culpa of misattributing some previous quotes for Russian Cyber doctrine, so they deep dive into this phenomenon of studying Russian warfare. They explore, compare, and contrast assumed Russian cyber doctrine to the Gerasimov doctrine.
Basically, through the fault of our own analysis biases and the rush to frame opponents' military strategies, US analysts and policy wonks attributed a document titled the "Gerasimov doctrine" as the de facto standard for Russian warfare, which is disinformation and not part of Russian warfare doctrine.
☣️ Threat Landscape
A Catastrophe For Control: Understanding the ScreenConnect Authentication Bypass (CVE-2024-1709 & CVE-2024-1708) by Team Huntress
In this week's dumpster fire N-day vulnerability, ScreenConnect rises to the top as a contender for the largest fire of the week. The good folks at Huntress published a blog detailing the vulnerability and a PoC for the exploit, while noting that they wouldn't publish the PoC until folks patched.
Unfortunately, other firms rushed to publish one without detection opportunities. The PoC is about as bad as you think: the "SetupWizard" inside vulnerable ScreenConnect versions is never removed, so actors can connect to a fully configured ScreenConnect instance and perform an unauthenticated setup.
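Since the setup wizard has no business being requested on an instance that has already completed setup, the simplest detection opportunity is in the web access logs. The following is an added example (my own code, not Huntress's or ConnectWise's) that scans constructed Common Log Format lines for requests to the setup wizard, normalising case and percent-encoding so trivial variants of the path still match, and rates a successful POST higher than a GET. It assumes the operator has access logs in front of the instance and knows setup is complete.

```python
"""Flag setup-wizard requests against an already-configured ScreenConnect instance.
Added illustration; log lines are constructed in Common Log Format."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')


def is_setup_wizard_request(target: str) -> bool:
    """Normalise the path so case and percent-encoding tricks do not hide the request."""
    path = unquote(urlsplit(target).path).lower()
    return "setupwizard" in path


def find_setup_wizard_hits(lines, setup_complete=True):
    """Return alert records; during a legitimate first-run setup nothing is flagged."""
    if not setup_complete:
        return []
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_setup_wizard_request(m["target"]):
            continue
        # A 200 on a POST means the server accepted setup input post-install
        high = m["method"].upper() == "POST" and m["status"] == "200"
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "target": m["target"], "status": m["status"],
                     "severity": "high" if high else "medium"})
    return hits


def summarize_by_source(hits):
    """Requests per source IP, to spot one client walking the wizard end to end."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Feb/2024:10:00:01 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2024:10:00:02 +0000] "GET /Login HTTP/1.1" 200 2048',
    '203.0.113.10 - - [21/Feb/2024:10:00:04 +0000] "POST /SetupWizard.aspx HTTP/1.1" 200 310',
    '203.0.113.10 - - [21/Feb/2024:10:00:09 +0000] "GET /Setup%57izard.aspx HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2024:10:01:00 +0000] "GET /App_Extensions/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    hits = find_setup_wizard_hits(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize_by_source(hits))
```

On a patched build the same query is still worth keeping: any hit is either a misconfigured instance or someone probing it.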
SVR Cyber Actors Adapt Tactics for Initial Cloud Access by CISA
CISA, alongside several law enforcement and spy agencies, published a joint report on Russian SVR tactics, techniques, and procedures targeting cloud infrastructure. This is especially relevant to my day job focusing on the cloud security threat landscape. Still, it's nice to see government entities recognize this pivot and provide TTPs upfront rather than try to sell us more products (cough Microsoft). Many of these points appeared in previous articles by Microsoft Threat Intel on Midnight Blizzard: valid accounts via token authentication, adding secondary MFA devices, and using residential proxies are all part of the latest threat capabilities for the SVR.
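Two of those TTPs, registering an extra MFA device and sourcing the session from a residential proxy, chain into one correlation rule. Here is an added example (my own code, not from the advisory or any vendor) over constructed, simplified sign-in and audit records: it flags a security-info registration that follows, within a window, a successful sign-in from an ASN the user has never used before, and adds weight when that ASN is on a residential-proxy list. The baseline, the ASN list, the "Register security info" label, and all records are constructed placeholders.

```python
"""Correlate new-MFA-device registration with an unusual sign-in origin.
Added illustration; all records, baselines and ASN lists are constructed."""
from datetime import datetime, timedelta


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Per-user ASNs seen over a trailing baseline period (constructed)
BASELINE_ASNS = {"alice": {"AS64496"}, "bob": {"AS64496", "AS64497"}}
# Placeholder list standing in for a residential-ISP/proxy ASN feed (constructed)
RESIDENTIAL_PROXY_ASNS = {"AS64500"}

SIGNINS = [
    {"user": "alice", "ip": "203.0.113.20", "asn": "AS64500", "time": t("2024-02-26T09:00:00"), "result": "success"},
    {"user": "bob", "ip": "198.51.100.5", "asn": "AS64496", "time": t("2024-02-26T10:00:00"), "result": "success"},
    {"user": "alice", "ip": "203.0.113.21", "asn": "AS64500", "time": t("2024-02-26T22:00:00"), "result": "failure"},
]
AUDITS = [
    {"user": "alice", "action": "Register security info", "time": t("2024-02-26T09:40:00")},
    {"user": "bob", "action": "Register security info", "time": t("2024-02-26T10:10:00")},
    {"user": "alice", "action": "Register security info", "time": t("2024-02-26T23:00:00")},
]


def correlate(signins, audits, baseline, proxy_asns, window_hours=6):
    """One alert per registration that follows a suspicious successful sign-in within the window."""
    alerts = []
    window = timedelta(hours=window_hours)
    for a in audits:
        if a["action"] != "Register security info":
            continue
        for s in signins:
            if s["user"] != a["user"] or s["result"] != "success":
                continue
            delta = a["time"] - s["time"]
            if not (timedelta(0) <= delta <= window):
                continue  # registration must come after the sign-in, and soon after
            reasons = []
            if s["asn"] not in baseline.get(s["user"], set()):
                reasons.append("asn_not_in_baseline")
            if s["asn"] in proxy_asns:
                reasons.append("residential_proxy_asn")
            if reasons:
                alerts.append({"user": s["user"], "signin_ip": s["ip"], "asn": s["asn"],
                               "signin_time": s["time"], "registration_time": a["time"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDITS, BASELINE_ASNS, RESIDENTIAL_PROXY_ASNS):
        print(alert)
```

Bob's registration from his usual network is left alone, and Alice's late-night registration is ignored because the only nearby sign-in failed; only the morning sequence fires, with both reasons attached so the analyst sees why.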
LockBit ransomware returns, restores servers after police disruption by Ionut Ilascu
If I had to describe LockBitSupp's reaction to law enforcement in one word, the word would be "unhinged." I'd love to see a language analysis expert look at the actor's response, but according to LockBitSupp, they did not patch their PHP servers:
"...because for 5 years of swimming in money I became very lazy."
Unhinged.
“Pantsless Data”: Decoding Chinese Cybercrime TTPs by Kyla Cardona and Ashley Allocca
Cardona and Allocca provide a fascinating deep dive into the Chinese cybercrime ecosystem. When I think of cybercriminal actors, my mind immediately goes to CIS countries and a smattering of cybercriminals in "the West" (think The Comm). The translations of slang into English, as well as the meaning of this slang, present a deep ecosystem of sophisticated actors that do what everyone else does in the world: steal stuff!
The usual suspects of criminal activity, such as data breaches, exploits, and stealing credentials, are all present in these communities. Still, I was surprised by the unique application of targeting SMS messages via rogue base stations.
🔗 Open Source
lotp by boostsecurityio
Another addition to the lolol farm, this time abusing CI/CD pipelines. I had a laugh at their description of some “features” in these build systems, including footguns.
go-epss by KaanSK
Golang-based SDK to interact with FIRST's EPSS API. Great for writing enrichment services when you are triaging your 100s of CVEs a day to see which ones may actually turn into a ScreenConnect, no, Fortinet, no, Ivanti emerging vulnerability.
Embedder by naksyn
This repo is an amalgamation of languages using Python embedders. It sounded like a malicious technique at first, but if you click the previous link, you’ll notice it goes right into the official Python documentation 🫠.
PEASS-ng (LINPEAS) by carlospolop
LINPEAS reared its ugly head in some documentation related to SCATTERED SPIDER activity, so I thought it'd be good to link it here again. It's a very noisy tool, so there are plenty of detection opportunities for defenders who want to find LINPEAS execution in their environment.