Det. Eng. Weekly #69 - RSA ninjas stole my badge and swag
Can someone call John Wick, or Ja Rule? I NEED HELP
Welcome to Issue #69 of Detection Engineering Weekly!
It feels good to be back from RSA! I had an amazing time hanging out with coworkers, catching up with old friends, and meeting new ones. Some of my favorite moments:
Getting Crème brûlée Boba Tea with Clint Gibler and John Hammond, and realizing it's probably the best drink ever made. We had some great discussions about security and content creation (where I was the total n00b among giants!). Clint gave me a tour of the Semgrep offices afterward and we exchanged some uber rare security stickers.
Running into , Christopher Luft and several other people at the Lima Charlie/Sublime/Panther party!
Riding in my first Waymo and geeking out at the lack of a driver.
I’ll be at Sleuthcon next week presenting. If you are there, come say hi!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
How to prioritize a Detection Backlog? by Alex Teixeira
The detection backlog is a fundamental attribute of a detection engineering function. It's one of the key ingredients we stole borrowed from software engineering: much like software, there are always features to add to our detection rule set. Adding, removing, or updating rules to improve accuracy or to reduce cost becomes the lifeblood of a detection team. So, how do you build a backlog?
In this post, Alex offers some great insight into the many inputs of a backlog. CTI reports, threat modeling exercises, and telemetry gaps should all re-prioritize your backlog. In fact, you should prepare for interruptions to your backlog: they mean your team is adapting to the threat landscape. The two key ingredients, as Alex points out, are impact and stage in the kill chain. These work hand in hand because there's a supply and demand for almost all telemetry: the deeper along the kill chain the attacker gets, the higher the impact, so rules covering those later stages should naturally float to the top.
Alex's "Detection Appetite" graph tells this story beautifully, so click inside and read!
🔬 State of the Art
TI in your ETL by Daniel Stinson-Diess
This post by Daniel is a great follow-up to Issue 67’s podcast on Security ETL by Brex’s Josh Liburdi. It also makes sense because Daniel and Josh work together!
For those who need to integrate technical threat intelligence into their security operations, this is a great starter post. At $DAYJOB, we call this TI enrichment at ingest or at investigation. Basically, when should you enrich technical indicators inside your telemetry, and how does staleness affect the result as that intelligence changes? Daniel answers this question by bucketing it into reactive and proactive threat intel searches.
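To make the ingest-versus-investigation trade-off concrete, here is an added example (mine, not Daniel's or Brex's code) that enriches the same constructed events both ways against a feed whose indicators are published and expire over time; the feed entries, IPs and timestamps are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed ingest time
INVESTIGATION_TIME = T0 + timedelta(days=7)             # when an analyst re-checks

# Constructed feed: indicator -> validity window and tag. The IPs are documentation
# ranges and the windows are made up; a real feed changes underneath you like this.
TI_FEED = {
    "203.0.113.7":  {"added": T0 - timedelta(days=2),  "expires": T0 + timedelta(days=5),  "tag": "c2"},
    "198.51.100.9": {"added": T0 + timedelta(hours=6), "expires": T0 + timedelta(days=30), "tag": "scanner"},
    "192.0.2.1":    {"added": T0 - timedelta(days=40), "expires": T0 - timedelta(days=10), "tag": "stale-c2"},
}
# Constructed events, all ingested at T0.
EVENTS = [{"dst_ip": ip, "ingested": T0} for ip in TI_FEED]

def lookup(indicator, feed, at):
    """Tag only if the indicator was already published and not yet expired at `at`."""
    entry = feed.get(indicator)
    if entry and entry["added"] <= at < entry["expires"]:
        return entry["tag"]
    return None

def enrich_at_ingest(events, feed):
    """Enrich once, at ingest: the verdict is frozen with the feed as it was then."""
    return [dict(ev, ti_tag=lookup(ev["dst_ip"], feed, ev["ingested"]),
                 ti_checked_at=ev["ingested"]) for ev in events]

def enrich_at_investigation(events, feed, now):
    """Enrich lazily, at search time: stored events are re-checked against the live feed."""
    return [dict(ev, ti_tag=lookup(ev["dst_ip"], feed, now), ti_checked_at=now)
            for ev in events]

def staleness_diff(events, feed, now):
    """Map indicator -> (ingest verdict, investigation verdict) where the two disagree."""
    ingest = enrich_at_ingest(events, feed)
    invest = enrich_at_investigation(events, feed, now)
    return {a["dst_ip"]: (a["ti_tag"], b["ti_tag"])
            for a, b in zip(ingest, invest) if a["ti_tag"] != b["ti_tag"]}
```

Ingest-time enrichment misses the indicator published six hours after the event and keeps flagging the one that has since expired, which is why stamping `ti_checked_at` on the event matters: it tells the analyst how stale that verdict is.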
Deterring Attackers with HoneyTrail: Deploying Deception in AWS by Adan Alvarez
HoneyTrail is a new open-source project by Adan Alvarez that automates the deployment of "deception technology" inside your AWS environment. It offers functionality similar to what AWS described in a 2022 blog post (linked here), which they call decoys. This blog discusses deploying the stack and using the canary types to generate alerts. You can manage it all with a single piece of Terraform, so deploying it next to the resources you run in AWS production is straightforward.
Impair Defenses [T1562.012]: Detect Linux Audit Logs Tampering (Part 1) by Aleksandar Matev
In this post, Matev provides a detailed breakdown of the "control-plane" aspects of Linux auditd. Auditd helps defenders and detection engineers by providing event logs on a Linux box, similar to ETW on Windows. A common way for attackers to circumvent it is to tamper with auditd itself and degrade or destroy its effectiveness.
Matev approaches this detection opportunity by building a single Splunk query that monitors for any evidence of tampering. I like how Matev also shows some tuning and usability problems you might run into, so you can make an easy-to-read alert.
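As an added example of the same idea (mine, in Python rather than the Splunk query from Matev's post), here is a small detector run over constructed audit.log records: it flags auditd being disabled, rules being removed from a user session, the daemon stopping, and writes to the audit configuration, while tuning out the rule removal that happens at boot. The watch key `audit-config` is an assumption: it presumes a rule like `-w /etc/audit/ -p wa -k audit-config` is loaded.

```python
import re

# Constructed /var/log/audit/audit.log excerpt (serials and values made up for this
# example). Line 1 is boot-time rule reloading; lines 2-5 are tampering; line 6 is benign.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1715000000.100:200): auid=4294967295 ses=4294967295 op=remove_rule key="exec-logging" list=4 res=1
type=CONFIG_CHANGE msg=audit(1715000000.101:201): audit_enabled=0 old=1 auid=1000 ses=4 res=1
type=CONFIG_CHANGE msg=audit(1715000000.102:202): auid=1000 ses=4 op=remove_rule key="exec-logging" list=4 res=1
type=DAEMON_END msg=audit(1715000000.103:203): op=terminate auid=0 pid=811 res=success
type=SYSCALL msg=audit(1715000000.104:204): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="audit-config"
type=SYSCALL msg=audit(1715000000.105:205): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec-logging"
"""
# Assumed: a watch rule like `-w /etc/audit/ -p wa -k audit-config` is loaded, so writes
# to the audit configuration arrive as SYSCALL records carrying this key.
AUDIT_CONFIG_KEY = "audit-config"
AUID_UNSET = "4294967295"  # loginuid unset: boot/service context, not a user session
HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    return {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3)), "fields": fields}

def classify(rec):
    """Return a tampering verdict for one record, or None if it looks benign."""
    t, f = rec["type"], rec["fields"]
    if t == "CONFIG_CHANGE":
        if f.get("audit_enabled") == "0":
            return "auditing disabled"
        # Tuning: rule removal during boot/reload carries no login uid; only flag user sessions.
        if f.get("op") == "remove_rule" and f.get("auid") != AUID_UNSET:
            return "rule removed: " + f.get("key", "?")
    if t in ("DAEMON_END", "DAEMON_ABORT"):
        return "auditd stopped"
    if t == "SYSCALL" and f.get("key") == AUDIT_CONFIG_KEY:
        return "audit config written by " + f.get("exe", "?")
    return None

def detect(log_text):
    """Run the classifier over a log excerpt; returns [(serial, verdict), ...]."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (verdict := classify(rec)):
            hits.append((rec["serial"], verdict))
    return hits
```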
Cloud-Based Identity to Exfiltration Attack by LearningKijo
This is a neat blog format! It's a single markdown file among dozens, in which LearningKijo creates attack simulations to learn how they work in the cloud. In this specific scenario, they look at identity attacks as someone might attempt to compromise an M365 identity. They simulate several scenarios, including Impossible Travel, MFA fatigue, and some basic threat intelligence enrichment.
Kerberos Delegation Test App by Rasta Mouse
I like to read labs that walk you through a test app while looking at network traffic on the wire, since the network traffic doesn't lie. So, if you ever wanted to see what Kerberos Delegation looks like over the wire, Rasta Mouse sets readers up with a test app to do so. You can find a bit more detail on the unsecure (sic) case in the Microsoft documentation here. The basic premise is that you can insecurely configure an IIS server and web application to use domain-wide delegation, causing all sorts of funky privilege escalation with Kerberos, up to domain administration.
Emerging Identity Threats: The Muddy Waters of Residential Proxies by Noah Carradin
Relying solely on geolocation for threat detection captures some malicious activity. Still, with the advent of residential proxies, it's much easier for threat actors to circumvent "Cotton Eye Joe" detections. I've posted several articles in this newsletter about residential proxies, and savvy cybercriminals can geolocate their victims, buy residential proxy access to route traffic, and avoid impossible travel rules. So, we have to get crafty when detecting malicious logins. I like some new TTPs posted here, specifically around Chrome version jumping.
🎙️ Detection Engineering Podcasts
My friend Silas Cutler was featured on this episode of Risky Biz news! Silas does some amazing research behind C2 protocol emulation, so you get a sneak peek into his methodology after the news bit with Patrick.
Loving this new medium for The DFIR Report! A friend of the newsletter, Nasreddine Bencherchali, is also a featured guest on this episode. The analyst crew walks through an intrusion case from an IcedID infection to Dagon Locker.
☣️ Threat Landscape
Impostor Certificates by Squiblydoo
Authenticode certificates allow legitimate businesses to sign their Windows software to prove its trustworthiness to the operating system and the user. This acts as a helpful "allowlist" so that defenders and security software can focus on software that isn't signed. But what if a malware author gains access to these certificates and then digitally signs their malware?
In this blog, Squiblydoo explores how the SolarMarker malware family leverages valid Authenticode certificates, and analyzes the 100+ "valid" certificates found in these samples to find patterns. The Authenticode system is ripe for abuse, and SolarMarker is one of many malware families that abuse this technique.
LLMjacking: Stolen Cloud Credentials Used in New AI Attack by Alessandro Brucato
The baddies want our LLM credits! Resource hijacking is a top technique for cloud-based attacks. So, seeing activity in the wild that tries to steal tokens and get credits for LLMs is super interesting. I'm unsure what these threat actors use LLMs for. Still, access to several models for ToS-breaking prompts may be worth enough to steal credits from victims.
Examining the Impact of Ransomware Disruptions: Qakbot, LockBit, and ALPHV-BlackCat by Chainalysis
As ransomware sites and victims go up, payments go.. down? At least, this is the case, according to Chainalysis. There's some bias in my analysis here: just because a ransomware operator has a website and posts a victim, it doesn't mean there was a successful ransomware attack. Read: threat actors lie.
The Chainalysis team attributes the drop in payments to ransomware gangs to increased cyber resiliency by firms and law enforcement interdiction. The team also highlights the Qakbot takedown as a force multiplier for dampening ransomware impact since initial access is crucial for many of these gangs.
How Did Authorities Identify the Alleged Lockbit Boss? by Brian Krebs
If you want a masterclass in pivoting on email addresses and (now) open-source data from the recent FBI indictment of LockbitSupp, look no further! In this post, Krebs took data from the indictment and worked backward to find all kinds of posts allegedly written by LockbitSupp, tracing his origin story back to developing malware in the early 2010s. There is some chatter on underground forums and LockBit's shame site that LockbitSupp was misattributed, but there's a lot of information here pointing to the contrary.
Into the Viper’s Nest: Observations from Hunt’s Scanning by Hunt.io
Viper is an open-source C2 framework that draws inspiration from Cobalt Strike. The code and documentation are mostly written in Chinese, and according to Hunt, most of the Viper infrastructure they track is hosted on Tencent servers. Funny enough, many IPs hosting Viper and tracked by Hunt are run side-by-side with Cobalt Strike and Sliver. There are some great nuggets in here for hunting and fingerprinting Viper servers, so make sure to go check it out!
🔗 Open Source
ShellServe by 7etsuo
Neat C utility that functions as a basic fileserver (think FTP). I wrote something similar to this in college, and it was a great learning experience to see how network communication works in Linux down to the syscall level.
KerbTestApp by rasta-mouse
Kerberos Delegation Test App repo from the corresponding blog post by Rasta Mouse listed above.
Stego-toolkit by DominicBreuker
CTF tool to automate stego challenges. Not really detection related, but still useful if you pick up a CTF challenge at a conference!
C-from-Scratch by theokwebb
If you ever want to go down the rabbit hole of the C programming language, you want to make sure you choose the right resources for the job. I really like this list because it focuses on beginner-friendly resources and guides you to projects to work on, like writing malware.
HoneyTrail by adanalvarez
HoneyTrail is an AWS-focused canary deployment toolkit written in Terraform. The intro blog post is in the corresponding entry listed above.