Welcome to Issue #61 of Detection Engineering Weekly!
This week’s recap:
💎 by Vince Andino on finding the right telemetry to detect techniques, especially before they happen
Marcus Hutchins drops a new EDR bypass technique on Windows, Adan Álvarez publishes a database of CloudTrail events used for badness, Itay Angi open sources Cirrus to help responders collect forensic evidence from Google Cloud, Dakota Riley spelunks the GitHub Advisory Database to get vulnerability intelligence, Mr_Architekt shows how auditd may not be as clear-cut for monitoring as you think (especially across Linux distros)
Podcasts: ClickHere on Operation Dying Ember, and Detection at Scale interviews Justin Anderson from Meta
AlphV/BlackCat Ransomware group lies and everyone is like 😱😱😱, JPCert drops an analysis on DPRK-linked PyPI malware, Martin Zugec unveils two Cactus ransomware incidents linked through everyone’s favorite service, Active Directory, NCSC recommends buyers steer clear of perimeter devices and 0ALABS Research finds actors targeting video game cheat downloaders
plus so much more!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Life After SOC - The Bad Guys Use Sticky Keys Too by Vince Andino
I'm a big fan of practical applications of threat detection. As a community, we are privileged to be in a field where someone can provably showcase a concept, feature, or truth. This blog and lab, which you can do at home, demonstrate the balance of necessary versus sufficient information to decide on malicious activity. The StickyKeys backdoor has been around for as long as I've been in the industry, and I've seen it successfully used for years in red teaming competitions, especially by the one and only mubix.
Andino begins the lab by looking at a Sigma rule that helps detect sticky keys backdooring (T1546.008 for you ATT&CK geeks). Although the rule looks for command line information to copy cmd.exe to the sethc.exe binary, much more work goes into making this operation possible, specifically around Windows permissions. By the end of the lab, you will have new rules that detect the necessary (copy) and sufficient (permissions) operations.
I like Andino's premise of this newsletter/blog series, so you should subscribe and help them launch another content platform!
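To make the "necessary versus sufficient" split concrete, here is an added example (my own code, not from Andino's lab or the Sigma rule it discusses) that runs both checks over constructed process-creation events in Sysmon Event ID 1 style. It generalizes from sethc.exe to the other accessibility binaries covered by T1546.008; the field names, the sample events and the tool lists are assumptions.

```python
import re
from dataclasses import dataclass

# Accessibility binaries commonly abused under ATT&CK T1546.008; sethc.exe is Sticky Keys.
ACCESSIBILITY_BINS = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                      "magnify.exe", "displayswitch.exe", "atbroker.exe")
PERMISSION_TOOLS = ("takeown.exe", "icacls.exe", "cacls.exe")
COPY_PATTERN = re.compile(r"\b(copy|xcopy|move|copy-item)\b", re.IGNORECASE)

@dataclass
class Finding:
    stage: str        # "permission" (sufficient condition) or "copy" (necessary condition)
    image: str
    command_line: str

def classify(event: dict):
    """Classify one process-creation event (Sysmon Event ID 1 style fields, assumed)."""
    exe = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if not any(b in cmd.lower() for b in ACCESSIBILITY_BINS):
        return None
    # Sufficient stage: taking ownership of, or re-ACLing, a protected System32 binary.
    if exe in PERMISSION_TOOLS:
        return Finding("permission", exe, cmd)
    # Necessary stage: the copy that overwrites the accessibility binary.
    if exe in ("cmd.exe", "xcopy.exe", "powershell.exe") and COPY_PATTERN.search(cmd):
        return Finding("copy", exe, cmd)
    return None

def verdict(events):
    """Score a host's events: both stages present is a strong Sticky Keys backdoor signal."""
    findings = [f for f in map(classify, events) if f is not None]
    stages = {f.stage for f in findings}
    if {"permission", "copy"} <= stages:
        return "backdoor-likely", findings
    if stages:
        return "suspicious", findings
    return "clean", findings

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r"takeown.exe /f C:\Windows\System32\sethc.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls.exe C:\Windows\System32\sethc.exe /grant Administrators:F"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy report.docx D:\backup\report.docx"},  # benign copy
]

if __name__ == "__main__":
    label, hits = verdict(SAMPLE_EVENTS)
    print(label)
    for hit in hits:
        print(f"  [{hit.stage}] {hit.image}: {hit.command_line}")
```

A copy alone fires as "suspicious" so that you keep the lower-fidelity signal, while the permission change plus the copy on the same host is what the lab treats as sufficient.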
🔬 State of the Art
Bypassing EDRs With EDR-Preloading by Marcus Hutchins
Hutchins continues his EDR evasion research with a technique that helps run malicious code before the EDR injects itself into the target process. While reading this, I couldn't stop thinking about the classic Halting problem in Computer Science. EDR vendors experience the halting problem when trying to load themselves into processes: they must not interfere with user experience, so they must start as late as possible but not too late, or malicious code can run before the EDR can inspect it.
Hutchins shows the Windows call stack for loading a new process and compares and contrasts techniques used by early EDR bypasses to avoid inspection altogether. Many of these are now caught by the vendors, so his next objective was to find a different hook that EDRs aren't monitoring. I will let you guess if he was successful, so read this post :).
Introducing TrailDiscover: Simplifying Access to Security Insights about CloudTrail Events by Adan Álvarez
Excellent post by Álvarez that introduces a new resource, TrailDiscover, for AWS-focused detection engineers and researchers. The premise is to track CloudTrail event types publicly linked to security incidents so folks can quickly orient around a detection strategy and use real-world examples to prioritize it in their detection backlog. You can filter by Tactics and "Used in the Wild" on the website.
Announcing ‘Cirrus’ – New Opensource Tool to Combat Google Cloud Incident Response Challenges by Itay Angi
It's nice to see releases of Google Cloud forensic tooling! The team behind Cirrus published several blogs before releasing the tool, helping readers understand Google Cloud Infrastructure and Google Cloud Forensic Artifacts. Angi details the difficulty of interacting with Google Cloud, whether it's knowledge, access, or forensic collection, and then goes into technical detail about their tool. There's also the nuance behind Google Workspace & Identity working with Google Cloud (kind of like M365 and Azure). It can also be used for threat hunting, and I'm surmising detection engineering as well :).
Exploring the GitHub Advisory Database for fun and (no) profit by Dakota Riley
I feel like we are in the golden age of security data - I couldn't imagine getting access to something like this when I started in security 10+ years ago. This blog is an excellent example of the "golden age" - Dakota Riley explores GitHub's vulnerability advisory database and asks questions of several thousand vulnerabilities across several languages. They also combine additional enrichments, such as FIRST's EPSS and CISA's KEV, to derive intelligence around them. For example, which language has the most entries in CISA KEV? Or, of the vulnerabilities present in these libraries or packages, what is the most common CWE? IMHO, the most interesting are vulnerabilities in packages without CVEs.
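Two of the questions above (most common CWE per ecosystem, and advisories with no CVE at all) as an added example in Python; this is my own code, not Riley's, and it assumes the OSV-style record shape the GitHub Advisory Database publishes (id, aliases, affected[].package.ecosystem, database_specific.cwe_ids) with constructed placeholder records.

```python
from collections import Counter

# Constructed records shaped like GitHub Advisory Database JSON (assumed field layout);
# IDs are obvious placeholders, not real advisories.
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-0001"],
     "affected": [{"package": {"ecosystem": "npm", "name": "pkg-a"}}],
     "database_specific": {"cwe_ids": ["CWE-79"]}},
    {"id": "GHSA-EXAMPLE-0002", "aliases": [],
     "affected": [{"package": {"ecosystem": "npm", "name": "pkg-b"}}],
     "database_specific": {"cwe_ids": ["CWE-79", "CWE-1321"]}},
    {"id": "GHSA-EXAMPLE-0003", "aliases": ["CVE-0000-0003"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-c"}}],
     "database_specific": {"cwe_ids": ["CWE-502"]}},
    {"id": "GHSA-EXAMPLE-0004", "aliases": [],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-d"}},
                  {"package": {"ecosystem": "npm", "name": "pkg-d"}}],
     "database_specific": {"cwe_ids": ["CWE-502"]}},
]

def cwe_counts_by_ecosystem(advisories):
    """Count CWE ids per ecosystem; a multi-ecosystem advisory counts once per ecosystem."""
    counts = {}
    for adv in advisories:
        ecosystems = {a["package"]["ecosystem"] for a in adv.get("affected", [])}
        cwes = adv.get("database_specific", {}).get("cwe_ids", [])
        for eco in ecosystems:
            counts.setdefault(eco, Counter()).update(cwes)
    return counts

def most_common_cwe(advisories, ecosystem):
    counter = cwe_counts_by_ecosystem(advisories).get(ecosystem)
    return counter.most_common(1)[0][0] if counter else None

def without_cve(advisories):
    """GHSA ids with no CVE alias: vulnerabilities a CVE-only feed would never show you."""
    return [adv["id"] for adv in advisories
            if not any(alias.startswith("CVE-") for alias in adv.get("aliases", []))]

if __name__ == "__main__":
    for eco, counter in cwe_counts_by_ecosystem(ADVISORIES).items():
        print(eco, counter.most_common(3))
    print("no CVE:", without_cve(ADVISORIES))
```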
Linux Firewall Audit and Detection with auditctl and iptables. by Mr_Architekt
This is another great example of the "necessary" vs. "sufficient" detection opportunities introduced by this week's gem, this time in Linux! Different Linux flavors wrap familiar system binaries like iptables in different ways. So, in this blog, Mr_Architekt explores how CentOS does this, leverages auditd to monitor changes to iptables, and finds that the obvious detection for iptables changes isn't as obvious as you'd think.
🎙️ Detection Engineering Podcasts
Cool interview with FBI Director Wray on "Operation Dying Ember," where the FBI legally patched a bunch of routers being exploited by the Russian GRU. Lots of his answers are polished and "publicly consumable", so nothing too exciting, but great to listen to as this is such a new face of the Justice Department.
Justin Anderson from Meta joins the Detection at Scale podcast to discuss how Meta/Facebook deploys its detection engineering efforts across the massive company. Anderson plugs TTPForge as one of their main purple-teaming style tools for detection ideation and opportunities, which I've linked before in this newsletter. I like TTPForge more than Atomic testing tools (like ART) because it focuses on simulation and is a bit more red-teamer heavy.
☣️ Threat Landscape
Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment by Andy Greenberg
According to Greenberg and a few others studying and tracking AlphV's movements, AlphV/Blackcat received a ransom payment from Change Healthcare and ran away with the money. The best intel on criminals typically comes from disputes and trash-talking, and according to the alleged initial access broker for Change, who posted on RAMP, they handed AlphV the keys to the kingdom and lost out on a $22 million payday.
New Malicious PyPI Packages used by Lazarus by 朝長 秀誠 (Shusei Tomonaga)
JPCert uncovered several malicious PyPI packages and attributed them to Lazarus, a DPRK-aligned APT. Lazarus pushed out 4 packages, each carrying an XOR-encoded DLL that the package decoded during installation to run the Comebacker toolset.
CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks by Martin Zugec
Bitdefender uncovered two Cactus Ransomware attacks simultaneously executed on two victims. Basically, Cactus got in via Ivanti's CVE-2023-38035 vulnerability, and the actors pivoted into a separate victim that was domain joined with the initial victim.
Products on your perimeter considered harmful (until proven otherwise) by David C
Speaking of perimeter products like Ivanti, NCSC researcher David C. calls it like they see it: you should consider devices like this harmful and open to your network, especially if they are physical appliances. It's hard from a government and policy standpoint: does a school system or a local government have the technical expertise to demand a cloud appliance of the product, or do they even know how to use the cloud? Probably not, but seeing how badly your Fortinet/Ivanti/Barracuda devices are getting clobbered by fundamental and awful vulnerabilities makes me think something needs to change.
GitHub Bug Used to Infect Game Hackers With Lua Malware by 0ALABS Research
I'm conflicted. I don't like cheaters in video games, but if it weren't for ME cheating in video games, I probably wouldn't have been interested in computer security. So what happens when the cheaters are the victims? Well, the folks at 0ALABS found a clever clone of a popular Aimbot/cheat package that copied the GitHub repo and domain infrastructure to trick would-be cheaters into downloading a malicious Lua package.
🔗 Open Source
Cirrus by SygniaLabs
Automated evidence collection framework for Google Cloud. I linked their launch post above in the State of the Art section.
EDR-Preloader by MalwareTech
Source code and PoC for MalwareTech’s latest EDR bypassing technique. You can check out the blog link in the README on GitHub, or above in the State of the Art section.
TrailDiscover by adanalvarez
CloudTrail event database that links to publicly disclosed breaches and security incidents. I also linked this launch post above in the State of the Art section (3-PEAT BABY).
bin2ml by br0kej
Automated feature extraction and data analysis tool for binaries. Uses radare2 under the hood, but you can run this on any binary and it can give you a JSON file that you can load as a feature set into several supervised and unsupervised learning algorithms.
adalanche by lkarlslund
Attack-path and identity mapping generator for Active Directory. Seems like a good competitor to BloodHound. I like the right-click → Route to target feature. I imagine this gets tougher to use as the AD databases go to thousands of nodes and edges.