Det. Eng. Weekly #65 - My rules are like a totality 🌞🌝
When they fire, everyone stops working and wants to stare into the sun instead 🫠
Welcome to Issue #65 of Detection Engineering Weekly
This week’s recap:
💎 Jack Naglieri gives readers a primer on SIEM correlation techniques, with some prescriptive guidance on how to implement them
BushidoToken helps us build some more proactive CTI practices, Chef Jonathan Johnson helps us cook with the fork() and pot, Christophe Tafani-Dereeper on IMDSv2 enforcement by default (finally), Mathew Duggan helps us scream into the IAM void, and Roman Rezvukhin takes us on a hunt to find suspicious WMI activity
Podcasts: I was featured live on the Cloud Security Podcast to talk Detection Engineering, and Sherrod DeGrippo interviews DART responders Stella Aghakian and Holly Burmaster
MacOS infostealers take over my news feeds, Allan Liska on ransomware attacks ramping up for local governments, Alice Climent-Pommeret uncovers a clever anti-emulation technique in a new Raspberry Robin sample, and Sam Scholten doesn’t need a Master Ball to catch PikaBot
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Unraveling SIEM Correlation Techniques by Jack Naglieri
For this week's gem, Jack provides readers with a prescriptive breakdown of correlation techniques in a threat detection environment. Like with any security technology, specific terminologies or definitions can be skewed by tribal knowledge, injected product marketing, and bias. It's nice to see Jack show what a correlation technique is and is not here.
In a SIEM, correlation ties an event or behavior to an entity. He describes several situations where a single event can qualify as a "correlation." Still, you can stack other events and enrichments on top of the search or alert to make something more complex. I really like how he built on this description and provided super clear examples. He also provides a helpful acronym, UPART, to describe what makes a useful audit log.
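To make the two shapes concrete, here is an added example (my own code, not code from Jack's post or from any SIEM product) of a tiny correlation engine run over a handful of constructed authentication events. One rule fires on a single event joined with enrichment tables; the other stacks several events keyed on the same entity inside a time window. The field names, entity names, IP addresses and enrichment tables are all assumptions made up for the demo.

```python
"""
Added example (not from Jack Naglieri's post): a tiny correlation engine
showing the two shapes of SIEM correlation the summary describes.

  * single-event correlation: one event, enriched, is enough to fire
  * stacked correlation: several events for the same entity inside a window

Every log line, entity name and enrichment table below is constructed for
the demo; the field names are an assumed schema, not any SIEM's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: (timestamp, user, src_ip, outcome)
EVENTS = [
    ("2024-03-20T09:00:01", "alice", "198.51.100.7", "failure"),
    ("2024-03-20T09:00:04", "alice", "198.51.100.7", "failure"),
    ("2024-03-20T09:00:09", "alice", "198.51.100.7", "failure"),
    ("2024-03-20T09:00:12", "alice", "198.51.100.7", "success"),
    ("2024-03-20T09:05:00", "bob",   "203.0.113.9",  "success"),
    ("2024-03-20T10:00:00", "carol", "10.0.0.5",     "failure"),
    ("2024-03-20T10:30:00", "carol", "10.0.0.5",     "success"),
]

# Constructed enrichment: source IPs known to be corporate egress
KNOWN_CORP_IPS = {"10.0.0.5"}
# Constructed enrichment: users flagged as high-value (admins, finance, ...)
HIGH_VALUE_USERS = {"bob"}


def parse(raw):
    """Turn a raw tuple into a dict with a real datetime for windowing."""
    ts, user, ip, outcome = raw
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "outcome": outcome}


def single_event_rule(event):
    """Single-event correlation: one login success joined with enrichment.

    Fires when a high-value user logs in from an IP that is not known
    corporate egress. No second event is needed; the "correlation" is the
    join between the event's entity (user, ip) and the enrichment tables."""
    return (
        event["outcome"] == "success"
        and event["user"] in HIGH_VALUE_USERS
        and event["ip"] not in KNOWN_CORP_IPS
    )


def stacked_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Stacked correlation keyed on the entity (user, ip): at least
    `threshold` failures followed by a success, all inside `window`."""
    by_entity = defaultdict(list)
    for e in events:
        by_entity[(e["user"], e["ip"])].append(e)

    hits = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            # Only failures that precede this success within the window count.
            recent_failures = [
                f for f in evs[:i]
                if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window
            ]
            if len(recent_failures) >= threshold:
                hits.append({
                    "entity": entity,
                    "failures": len(recent_failures),
                    "success_at": e["ts"].isoformat(),
                })
    return hits


def run(raw_events=EVENTS):
    """Evaluate both rules and return the alerts they produce."""
    events = [parse(e) for e in raw_events]
    single = [(e["user"], e["ip"]) for e in events if single_event_rule(e)]
    return {"single_event_alerts": single, "stacked_alerts": stacked_rule(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2, default=str))
```

With the constructed input, the single-event rule flags only bob's login from 203.0.113.9, and the stacked rule flags only alice, whose three failures and one success from 198.51.100.7 fall inside five minutes; carol's lone failure thirty minutes before her success never reaches the threshold.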
🔬 State of the Art
Strengthening Proactive CTI Through Collaboration by BushidoToken
In this post, BushidoToken describes a common scenario in CTI teams (and, in some aspects, Detection teams): executives read news on an emerging threat and ask for more information from their internal security teams. It can be a frustrating experience—getting an interrupt request from leadership to talk about something that may not be relevant to your organization can really disrupt your day.
He outlines a 7-step process where the first step, IMHO, is the most important: acceptance that this will happen. Once you accept the "interrupt request" as a necessary evil, you can build processes around it to quickly identify and act on it. Your team is no longer interrupted, because handling the request is part of your daily operations.
Detection teams can learn a lot from intelligence teams since you can rip and replace a "Request for Information" with a "Request for Coverage," and it's basically the same request :).
What the Fork: Exploring Telemetry Gaps in Microsoft’s 4688 Event by Jonathan Johnson
If you want a fantastic breakdown of how to reverse-engineer a technique, derive detection opportunities in data sources, and then build the detection from there, look no further than this blog post. Johnson dove deep into process forking detection opportunities and identified several gaps within Microsoft ETW coverage of forked processes. It's also cool to see the background information on how EDR captures this information.
IMDSv2 enforcement: coming to a region near you! by Christophe Tafani-Dereeper
Instance metadata services are APIs listening on the loopback address on cloud instances and virtual machines that help provide access to keys and identity information when you are on the instance. The keyword here is "on," as in, it should only be accessible to those who have authorized access to the instance. Unfortunately, some of these were built without modern threat modeling in mind and have been the target of attacks like SSRF for years.
AWS is finally enforcing by default an SSRF-resistant version of their service, IMDSv2. It used to be "suggested," but with a forced default, this can help plug a massive hole in many modern cloud deployments. Christophe explores the history of these services, lays out the timeline for this enforcement for AWS, and then links some excellent work to update the Terraform provider to force it by default.
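The reason IMDSv2 is SSRF-resistant is the session-token handshake: a client must first PUT to the token endpoint with a TTL header and then send that token on every GET. Here is an added example (my own code, not from Christophe's post or from AWS) that runs an in-process mock of that behaviour and shows a plain header-less GET being refused while the full PUT-then-GET flow succeeds. The request paths and header names are the real IMDSv2 ones; the mock server, its localhost port, the `demo-role` name and the fake credential body are constructed for the demo.

```python
"""
Added example, not code from Christophe Tafani-Dereeper's post or from AWS:
an in-process mock of the EC2 metadata endpoint that enforces the IMDSv2
session-token handshake. It shows why a header-less GET (the request shape
a typical SSRF primitive produces) is refused, while a client that can send
a PUT plus a custom header gets through.

Paths and header names are the real IMDSv2 ones; the server itself, the
bound port, the role name and the fake credential body are constructed here.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
# "demo-role" is a constructed role name for the mock.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/demo-role"

_ISSUED_TOKENS = set()


class ImdsV2Handler(BaseHTTPRequestHandler):
    """Minimal IMDSv2-style behaviour: PUT mints a token, GET must carry it."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # A token is only issued on PUT with a TTL header, a request shape
        # that a GET-only SSRF cannot produce.
        if self.path != TOKEN_PATH or self.headers.get(TTL_HEADER) is None:
            return self._reply(400)
        token = secrets.token_urlsafe(24)
        _ISSUED_TOKENS.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in _ISSUED_TOKENS:
            return self._reply(401)  # IMDSv1-style request: refused
        if self.path == CREDS_PATH:
            return self._reply(200, b'{"AccessKeyId": "CONSTRUCTED-DEMO-KEY"}')
        self._reply(404)


def start_mock_imds():
    """Start the mock on a free localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), ImdsV2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def _status(request):
    """Return the HTTP status for a request, including error statuses."""
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def v1_style_get(base):
    """A plain GET with no session token, the only thing most SSRF bugs can send."""
    return _status(urllib.request.Request(base + CREDS_PATH))


def v2_flow(base):
    """PUT for a session token, then GET the credentials with the token header."""
    put = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: "21600"})
    with urllib.request.urlopen(put, timeout=5) as resp:
        token = resp.read().decode()
    get = urllib.request.Request(base + CREDS_PATH, headers={TOKEN_HEADER: token})
    return _status(get)


def demo():
    """Run both request shapes against a fresh mock and report the statuses."""
    base = start_mock_imds()
    return {"v1_style_get": v1_style_get(base), "v2_flow": v2_flow(base)}


if __name__ == "__main__":
    print(demo())  # {'v1_style_get': 401, 'v2_flow': 200}
```

On a real instance the same distinction is what `http_tokens = "required"` in an `aws_instance` `metadata_options` block (or the account-level default Christophe describes) enforces; with `http_tokens = "optional"` the header-less GET would be answered, which is the IMDSv1 behaviour being retired.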
IAM Is The Worst by Mathew Duggan
This is a clever post on the insanity of IAM in modern cloud environments, where you can clearly tell from Duggan's janitor analogy that modern cloud access management was probably built without a clear plan in mind. IMHO, IAM is a critical component of detection opportunities in these environments. Still, with the level of indirect attack paths that these policies expose, it is much harder to tell a malicious or compromised janitor apart from a legitimate janitor who is working around controls that make their job complicated.
Hunting Rituals #4: Threat hunting for execution via Windows Management Instrumentation by Roman Rezvukhin
This is part 4 of a blog series on following a threat hunt with Group-IB. In this particular threat hunt, Rezvukhin hypothesizes that WMI is generally used by threat actors to perform lateral movement and code execution. It's cool to see their thought process as they uncover telemetry, challenge their hypothesis, identify gaps, and arrive at a conclusion that differs slightly from their original hypothesis. I won't spoil the conclusion, but you should read this, copy the methodology, and format it into your threat-hunting playbooks!
🎙️ Detection Engineering Podcasts
I was featured on the Cloud Security Podcast to discuss Detection Engineering with Anton Chuvakin and Timothy Peacock! I think this will be released to podcast platforms soon, but it was cool to jump on and discuss everything about threat detection with Anton and Tim.
Sherrod DeGrippo's interview with DART responders Stella Aghakian and Holly Burmaster is the first podcast episode I've listened to that is dedicated to interviewing incident responders, and it was great to hear their approach to helping organizations out during probably one of the worst days of their professional lives. I thought the makeup of an IR team was pretty cool: besides having a lead responder who's customer-facing, the team has several "hunters" and infrastructure folks and will tap into intel teams to get additional insight into what they are seeing.
☣️ Threat Landscape
Infostealers continue to pose threat to macOS users by Jaron Bradley, Ferdous Saljooki and Maggie Zirnhelt
This might be a recency bias on my part, but macOS infostealers are becoming "more real" and widespread. Researchers at Jamf uncovered two campaigns targeting the operating system with no real viruses. They showcased some initial access and persistence attempts using osascript. I find it amazing that the malware ecosystem in Windows is advanced enough to evade EDRs at times. Still, MacOS infostealers rely on the good old "put your password in here" prompt, and it seems to be working.
CloudChat Infostealer: How It Works, What It Does by Adam Kohler and Christopher Lopez
It's MacOS infostealer week here at Detection Engineering Weekly! Researchers at Kandji uncovered a new variant, dubbed "CloudChat," that shares some similarities with the Amos Stealer that the Jamf team documented in the story above. MacOS threat detection will become more prevalent as actors figure out the quirks of the ecosystem.
Ransomware Attacks Against Local Governments Accelerating by Allan Liska
Ransomware 🍷 Sommelier 🍷 Allan Liska drops a harrowing post about the accelerating ransomware attacks against Local Governments. Liska points out that these 54 are the only "publicly reported" attacks, ones that we can see listed on the ransomware shame websites. According to Liska, 256 attacks were recorded in 2023, and the nuance here is that the number of reported victims is some of the highest in February and March.
The question becomes: Does this mean it will continue at this rate? And, are initial access brokers and ransomware gangs changing their targeting set?
Raspberry Robin and its New Anti-Emulation trick by Alice Climent-Pommeret
In this post, Climent-Pommeret reverse-engineers a Raspberry Robin sample that leverages a unique Windows-based anti-emulation technique. The author links several techniques to a pivotal talk on Windows Defender's antivirus emulation at BlackHat several years ago. The actors cleverly found that the function MpVmp32Entry, looked up via GetProcAddress on Kernel32.dll, only exists in an emulated environment, so the malware exits if the lookup succeeds.
This works because the emulation environment uses patched DLLs called "VDLLs", and the actors seem to be clever enough to enumerate the exports of the patched DLLs in the emulation environment to find functions that should not exist in a real one.
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques by Sam Scholten
This is a neat breakdown of an initial access/loader malware called PikaBot. Scholten does a brief review of how PikaBot works and then documents the various features it uses to get unsuspecting email victims to click and run its payloads. They list several detection opportunities, along with open-source rules you can implement and a community version you can run, to detect its payloads.
🔗 Open Source
RustRedOps by joaoviictorti
There's something terrifying about a crab with a knife. Well, that's the logo for RustRedOps, and it does feel like a small repository (the crab) with many amazing examples of red team techniques (the knife). The readme lists 54 techniques, and each one has a separate readme to help describe the technique it's implementing.
C2-Tracker by montysecurity
This is a cool project that uses open-source Shodan searches to find and log C2 servers across various malware and C2 families. It’s cool to see more open-source research on C2 server identification and tracking; this has been a gated (behind massive product subscriptions $$) area of research for several years.
Microsoft-Analyzer-Suite by evild3ad
An automated Microsoft 365 and Entra ID log processor. It connects to your tenants, pulls down the relevant logs, and leverages several techniques to analyze everything from SignIn logs in AD to risky user analysis.
Threat-Actors-use-of-Artifical-Intelligence by cybershujin
Awesome collection of publicly known incidents where adversaries leveraged Artificial Intelligence during an operation. It leverages several taxonomies, including MITRE's ATLAS and some of their own in the Appendix. It looks like cybershujin is also working on a list of Deepfake TTPs that I'm excited to see published, especially regarding fraud.
autoaudit by a-mess-tech
Autoaudit is a hyper-focused Linux forensics tool that tries to identify log tampering on a source system. It's written entirely in Bash, and its detections identify two classes of attacks: log tampering and identity attacks (brute-forcing).