Welcome to Issue #68 of Detection Engineering Weekly!
I’ve been having a blast at RSA!
Thank you to everyone who has come and said hi to talk about the newsletter and detection engineering with me. It’s an honor and a privilege to do this for y’all and I’ve gotten such great feedback on the newsletter over the last year. I’m around until Friday, so if you see me at the Datadog booth (or walking around in a Detection shirt) come say hi! I have stickers :^)
💎 Detection Engineering Gem 💎
The art of artifact collection and hoarding for the sake of forensic exclusivity… by Hexacorn
This blog by Hexacorn compares and contrasts "old school" forensic collection techniques to new-age, tool-driven, automated techniques. The technical details don't matter as much as the mindset: The security industry models many of its playbooks, products, and lexicon from the military and law enforcement complex. It's sometimes good to remember why these practices are so successful in the first place, and the way Hexacorn describes it sounds like diligence to me.
A forensic investigator's dream is getting supertimelines of a breach on a host, filtered down by unknown files, visualized, and enriched with TI. But what if those tools do indeed miss something? Is your expertise called into question, or are your methodologies proven unreliable by your client? I don't think it's this black and white. Still, it shows that appreciating the diligence behind our fields, whether IR or threat detection, helps keep you sharp and removes bias as much as possible.
🔬 State of the Art
Manual LDAP Querying: Part 2 by Hope Walker
This post follows Walker's Intro to Manual Active Directory Querying. Both posts are short but contain extensive information on the underlying technology and query structures for LDAP and Active Directory.
In Part 2, Walker walks readers through some advanced features of ldapquery, like custom filtering, crazy nested group structures (which make BloodHound great!), and Service Principal Names. I particularly like the query that finds password objects inside LDAP attributes.
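To make the query structures concrete, here is an added example (my code, not code from Walker's posts or from any LDAP client library): a small RFC 4515 filter parser and evaluator run over a constructed in-memory directory. It covers the three things the post touches on: a filter for accounts with a servicePrincipalName, the nested group matching rule, and a substring search for passwords left in description attributes. The OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN; every DN, account and attribute value below is made up, and escape_value shows why a filter built from user input needs RFC 4515 escaping.

```python
"""Minimal RFC 4515 LDAP filter parser and evaluator over a constructed in-memory directory.
Added example, not code from Walker's posts or any LDAP client. Handles &, |, !, presence,
equality, substring and AD's "in chain" rule (OID 1.2.840.113556.1.4.1941) for nested groups."""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: transitive membership

def escape_value(value):
    """RFC 4515 escaping for untrusted data placed inside a filter value."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Recursive descent into ('&'|'|'|'!', children) or ('item', (attr, raw_value))."""
    pos = 0
    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1
    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        end = text.index(")", pos)  # a literal ')' inside a value is escaped as \29
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("item", (attr.lower(), value))
    return node()

def _chain(entry, attr, directory):  # transitive closure of a DN-valued attribute, lowercased
    seen, stack = set(), list(entry.get(attr, []))
    while stack:
        dn = stack.pop().lower()
        if dn not in seen:
            seen.add(dn)
            stack.extend(directory.get(dn, {}).get(attr, []))
    return seen

def matches(tree, entry, directory):
    kind, payload = tree
    if kind == "&":
        return all(matches(c, entry, directory) for c in payload)
    if kind == "|":
        return any(matches(c, entry, directory) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry, directory)
    attr, value = payload
    if attr.endswith(":" + IN_CHAIN + ":"):  # memberOf:1.2.840.113556.1.4.1941:=<group DN>
        return unescape_value(value).lower() in _chain(entry, attr[: -len(IN_CHAIN) - 2], directory)
    values = entry.get(attr, [])
    if value == "*":  # presence
        return bool(values)
    if "*" in value:  # substring: unescape each literal piece, then anchor a regex around them
        rx = re.compile(".*".join(re.escape(unescape_value(p)) for p in value.split("*")), re.I | re.S)
        return any(rx.fullmatch(v) for v in values)
    return any(unescape_value(value).lower() == v.lower() for v in values)  # AD compares case-insensitively

def search(directory, filter_text):
    tree = parse_filter(filter_text)
    return sorted(e["dn"] for e in directory.values() if matches(tree, e, directory))

def lookup_by_cn(directory, cn):
    """Point lookup that escapes the caller's value, so '*' or ')(' in it cannot change the filter."""
    return search(directory, f"(cn={escape_value(cn)})")

def _entry(dn, **attrs):  # attribute names lowercased, single values wrapped in lists
    return {"dn": dn, **{k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}}

# Constructed lab directory (not real data), keyed by lowercased DN.
DA = "CN=Domain Admins,CN=Users,DC=lab,DC=local"
T0 = "CN=Tier0 Ops,OU=Groups,DC=lab,DC=local"
DIRECTORY = {e["dn"].lower(): e for e in [
    _entry(DA, objectClass=["top", "group"], cn="Domain Admins"),
    _entry(T0, objectClass=["top", "group"], cn="Tier0 Ops", memberOf=DA),
    _entry("CN=svc-sql,OU=Service,DC=lab,DC=local", objectClass=["top", "person", "user"], cn="svc-sql",
           memberOf=T0, servicePrincipalName="MSSQLSvc/sql01.lab.local:1433", description="temp pass: Summer2024!"),
    _entry("CN=alice,OU=Staff,DC=lab,DC=local", objectClass=["top", "person", "user"], cn="alice",
           memberOf="CN=Helpdesk,OU=Groups,DC=lab,DC=local"),
]}

# Hunting filters in the spirit of the post: SPN accounts, transitive Domain Admins, passwords in descriptions.
KERBEROASTABLE = "(&(objectClass=user)(servicePrincipalName=*))"
NESTED_DOMAIN_ADMINS = f"(memberOf:{IN_CHAIN}:={escape_value(DA)})"
PASSWORD_IN_DESCRIPTION = "(|(description=*pass*)(description=*pwd*))"
```

Running `search(DIRECTORY, NESTED_DOMAIN_ADMINS)` returns both the Tier0 Ops group and svc-sql, even though svc-sql's memberOf only names Tier0 Ops: that transitive walk is what the in-chain rule does server-side, and it is why a plain `(memberOf=...)` filter undercounts privileged accounts. The same evaluator is what makes the escaping point visible: `lookup_by_cn(DIRECTORY, "x)(objectClass=*")` returns nothing because the parentheses and star arrive as `\29`, `\28` and `\2a` and are compared as literal characters.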
A Bird’s-eye view: IcedID to Dagon Locker (The DFIR Report) by Casey Smith
I love how this post examines canary detection opportunities while parsing one of many DFIR Report blogs. Blogs like this challenge the security adage that red teamers/threat actors have to be right once, while blue teamers have to be right 100 to 1000 times. Leveraging detection logic across tactics while deploying canaries sets up lots of traps for blue teamers to be right and red teamers to be wrong.
Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes by Dirk-jan Mollema
The more I learn about Cloud IAM, the more sad I get. In this episode of Azure Entra shenanigans, Mollema discovers a clever way to use temporary access passes as a persistence mechanism into an Azure tenant. There are some quirks about these passes:
They count as MFA, so you don't need to worry about an MFA flow and a user being notified
Unlike a password reset, a TAP acts as an additional temporary password, so the victim user is not disrupted
In some scenarios, if you have a hybrid Azure environment, you can obtain a Kerberos TGT from a TAP authentication to pivot into on-premises networks
I imagine this is the first _of many_ strange Azure-isms from the identity side, and we’ll continue seeing these across hybrid environments.
Hunting in Azure subscriptions by Mary Asaolu and Thabet Awad
This great community post by Microsoft helps readers quickly get set up for threat hunting in their Azure tenants. Setting all of this up could be costly, and your free tier might run out quickly. Four log types are going into four separate Microsoft products, and some are doubled up! A clever hunt or detection the authors included involves the creation of an activity policy as a detection opportunity rather than just focusing on KQL queries.
Abusing MS Windows printing for C2 communication by Diverto
Red-team-focused blog that leverages Windows Printers & Print Services to establish a foothold and create a C2 server in an environment. It's a clever way to circumvent some default configurations in Windows, which, according to the authors, allows any non-privileged user to add a printer to their machine. The funnier part is using "Microsoft Print to PDF", which isn't even an actual hardware printer, to send commands and store results.
The best part? They listed Detection Opportunities at the bottom!
🎙️ Detection Engineering Podcasts
I've been fascinated by Chinese and Western hegemony since first reading about the APT-1 report from Mandiant 10+ years ago. This topic has emerged at the top of my news feeds due to the parallels between the Russia-Ukraine war and the ongoing Chinese-Taiwan conflict. Dmitri Alperovitch and Chris Krebs join Kara Swisher here to talk about national security policy, predictions for a potential armed conflict, and how cyber is intertwined.
This is an excellent companion podcast episode to the one above. Bloomberg reporters update the CHIPS act and how America is trying to navigate imposing its hegemony strictly from an economic sense through "de-risking." Again, cybersecurity is mentioned several times during this episode.
Red Canary Detection Engineers Mak Foss and Rachel Schwalk join the Hou.Sec.Cast to discuss everything related to Business Email Compromise detection. It's interesting that Foss and Schwalk have a ton of pen testing experience and have leveraged that to get into threat detection. Red teamers make some of the best detection engineers!
☣️ Threat Landscape
Breaking down Microsoft’s pivot to placing cybersecurity as a top priority by Kevin Beaumont
The biggest news story regarding Microsoft this last month was the release of the rather scathing Cyber Safety Review Board report. Give it a read if you can, then come back here to Beaumont’s reaction to Microsoft's announcements. Basically, Microsoft released several plans for prioritizing cybersecurity features and filling gaps (and of course, pitching their product portfolio, because you know, shareholder value.)
Beaumont has a unique perspective as an ex-Microsoft employee, and he has covered several high-profile intrusions involving Microsoft and their customers. He provides his analysis of the announcements and the CEO’s email to employees, and it gives me hope that they will hit a lot of their goals in putting security first. The exposure the US government has to Microsoft is staggering, so a part of me thinks they need to think more about this exposure from a pure investment perspective and “do the right thing” for citizens here and across so many other countries they serve.
Eight Arms To Hold You: The Cuttlefish Malware by Black Lotus Labs
Black Lotus Labs uncovered a malware family called Cuttlefish that targets SOHO routers with all kinds of functionality you would want right at the edge of a consumer's internet broadcast domain. It has an interesting setup that uses the botnet to exfiltrate data, so you can't see where it's going besides other victims. The other part that jumped out to me was the credential sniffer and its focus on cloud service credential exfiltration.
Identity Behind Massive Discord Spying Tool Revealed due to Infostealer Infection by Hudson Rock
Researchers at Hudson Rock allegedly uncovered the owner of Spy Pet, which recently made headlines in several security syndications due to its shady nature as a Discord chat and user intelligence collection tool. The team supposedly found an infection of a computer belonging to the administrator of Spy Pet and managed to dox them. I love it when the criminals get a taste of their own medicine!
U.S. Charges Russian National with Developing and Operating LockBit Ransomware by U.S. Department of Justice
🔗 Open Source
okta-terrify by CCob
Okta-terrify is a tool that demonstrates abuse techniques against Okta's passwordless solutions. It also works against other FIDO2/WebAuthn-based solutions. The README provides great background content on passwordless authentication, making it a great tool to add to your detection simulation arsenal.
LDAPmonitor by p0dalirius
LDAPMonitor continuously polls LDAP for changes in your environment and alerts you when objects change. p0dalirius advertises it as a red team tool, but it'd also make a great purple teaming and detection lab tool!
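As an added example of the polling idea behind a tool like this (my code, not LDAPmonitor's own), here is a snapshot differ that compares two directory snapshots and ranks the changes a detection lab would want to alert on: membership changes on privileged groups, new servicePrincipalName values, and userAccountControl edits. The snapshots, DNs and group names are constructed; in a live setup the `fetch_snapshot` callable would run an LDAP search on each round and sleep in between.

```python
"""Snapshot-diff LDAP change monitor. Added example for the LDAPmonitor entry, not the
project's own code: two constructed snapshots stand in for successive LDAP searches."""
from dataclasses import dataclass

# Attribute changes that matter on any object (lowercased names).
SENSITIVE_ATTRIBUTES = {"serviceprincipalname", "useraccountcontrol", "msds-allowedtodelegateto"}
# Groups whose membership changes are high severity. Constructed lab DN, lowercased.
PRIVILEGED_GROUPS = {"cn=domain admins,cn=users,dc=lab,dc=local"}

@dataclass(frozen=True)
class Change:
    dn: str
    attribute: str
    added: tuple
    removed: tuple
    severity: str  # "high", "medium" or "low"

def _norm(snapshot):
    """Lowercase DNs and attribute names; values become frozensets so order does not matter."""
    return {dn.lower(): {a.lower(): frozenset(v) for a, v in attrs.items()}
            for dn, attrs in snapshot.items()}

def _severity(dn, attr, added):
    if attr == "member":
        return "high" if dn in PRIVILEGED_GROUPS and added else "medium"
    if attr in SENSITIVE_ATTRIBUTES:
        return "high" if added else "medium"
    return "low"

def diff_snapshots(before, after):
    """Per-object, per-attribute differences between two snapshots, sorted by DN then attribute."""
    old, new = _norm(before), _norm(after)
    changes = []
    for dn in sorted(old.keys() | new.keys()):
        old_attrs, new_attrs = old.get(dn, {}), new.get(dn, {})
        for attr in sorted(old_attrs.keys() | new_attrs.keys()):
            o, n = old_attrs.get(attr, frozenset()), new_attrs.get(attr, frozenset())
            if o != n:
                added, removed = tuple(sorted(n - o)), tuple(sorted(o - n))
                changes.append(Change(dn, attr, added, removed, _severity(dn, attr, added)))
    return changes

def high_severity(changes):
    return [c for c in changes if c.severity == "high"]

def monitor(fetch_snapshot, rounds):
    """Poll `rounds` times and yield the non-empty change list between successive snapshots.
    A real monitor would have fetch_snapshot run an LDAP search and sleep between rounds."""
    previous = fetch_snapshot()
    for _ in range(rounds):
        current = fetch_snapshot()
        changes = diff_snapshots(previous, current)
        if changes:
            yield changes
        previous = current

# Constructed snapshots: alice is added to Domain Admins and svc-web gains an SPN between polls.
DA = "CN=Domain Admins,CN=Users,DC=lab,DC=local"
SNAPSHOT_T0 = {
    DA: {"objectClass": ["group"], "member": ["CN=admin-bob,OU=Staff,DC=lab,DC=local"]},
    "CN=svc-web,OU=Service,DC=lab,DC=local": {"objectClass": ["user"], "userAccountControl": ["512"]},
    "CN=alice,OU=Staff,DC=lab,DC=local": {"objectClass": ["user"], "description": ["Helpdesk"]},
}
SNAPSHOT_T1 = {
    DA: {"objectClass": ["group"], "member": ["CN=admin-bob,OU=Staff,DC=lab,DC=local",
                                             "CN=alice,OU=Staff,DC=lab,DC=local"]},
    "CN=svc-web,OU=Service,DC=lab,DC=local": {"objectClass": ["user"], "userAccountControl": ["512"],
                                              "servicePrincipalName": ["HTTP/web01.lab.local"]},
    "CN=alice,OU=Staff,DC=lab,DC=local": {"objectClass": ["user"], "description": ["Helpdesk (on call)"]},
}
```

`diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)` yields three changes, and `high_severity` keeps the two that a detection engineer would page on (the Domain Admins membership and the new SPN) while the description edit stays informational. Comparing values as sets rather than ordered lists avoids false alerts when the server returns multi-valued attributes in a different order between polls.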
IPPrintC2 by Diverto
Companion GitHub repository to the Diverto story above, which leverages Microsoft Print Services as a command and control node.
parsnip by cisagov
Parsnip is a tool for defenders to parse network protocols using Zeek. The original intent was to reverse engineer and parse ICS protocols, but it looks like it can handle anything on the wire.