Det. Eng. Weekly #72 - Chasing an π in a π€‘ π
Increasing shareholder value, one clickbait-y blog at a time
Welcome to Issue #72 of Detection Engineering Weekly!
Programming note: I'll be back in NY (again) next week for some more Datadog-y stuff. Then I'll be taking a week off for PTO. So, Issue 73 goes out next week, June 12, and Issue 74 on June 26!
Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
Detection Engineering Gem
Why a Single Test Case is Insufficient by Jared Atkinson
I have learned more about Windows threat detection internals from Jared than virtually any other article on the topic combined! In this post, Jared continues his "On Detection" series, leveraging the function call stack example from Part 12. He cleverly lays out the call stack for the Net Session Enumeration operation, selects two tools that perform that operation, and then inserts open-source rules from Sigma into their detection opportunities inside the call stack.
With each example, Jared calls out the idea of "detection analytic categories" as a more specific implementation of the Pyramid of Pain. We all love tool-based detections, but they can be brittle if you circumvent their location on the functional call stack. Behavior-based detection, a more modern approach with EDR, focuses on the operation you are trying to achieve and throws away most of the call stack detection opportunities.
The last category, modality-based detection, is arguably a spin-off of behavior-based detection. It focuses on the relationship between a tool and the behavior it produces: the same operation looks different depending on how it is invoked. A good example he uses here is when red teamers move their toolsets to C# implementations, away from PowerShell.
State of the Art
The Real Danger Lurking in the NVD Backlog by Patrick Garrity
Since their announcement of scaling down CVE analysis, the state of NVD's vulnerability program has been grim. From a practitioner's perspective, leveraging the NVD database for CPE enrichment is a vital function for vulnerability triage. Garrity studied the subsequent months until now, and over 90% of vulnerabilities have not been analyzed by NVD since their Feb 12 drop date. I got to talk to Patrick and the VulnCheck team at RSA, and they have an attractive, more "modern" approach to CVE enrichment. Best of all, they have a community edition!
Hunting for MFA manipulations in Entra ID tenants using KQL by Thabet Awad
MFA audit logs are a goldmine for detections and hunting. Much like any authentication scheme in the cloud, there are so many options and "gotchas" that spending time on the different event types while establishing a baseline can really improve the efficacy of your program. Awad reviews how Entra MFA audit logs work, provides some detection opportunities and examples with KQL, and makes sure readers are set up with the right logs in the first place.
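Two of the hunts this kind of post describes, as an added example that is not code from Awad's post: the first flags one source IP registering MFA methods for several distinct users inside a short window, the second flags a user whose method was deleted and immediately re-registered. It assumes audit records shaped like the Entra ID AuditLogs export (activityDateTime, activityDisplayName, initiatedBy.user.ipAddress, targetResources); the sample events are constructed, and the thresholds are illustrative.

```python
"""Hunting MFA method manipulation in Entra ID audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# activityDisplayName values Entra ID writes for security-info (MFA) changes
MFA_ACTIVITIES = {
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
    "Admin registered security info",
    "Admin deleted security info",
}


def _event(ts, activity, actor, ip, target):
    # Helper to build a record in the AuditLogs shape (constructed sample data).
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
        "targetResources": [{"userPrincipalName": target}],
    }


# Constructed sample: one IP registers methods for three users within 20 minutes,
# one benign registration, one delete-then-register swap, one unrelated event.
SAMPLE_EVENTS = [
    _event("2024-06-03T09:00:00Z", "User registered security info", "alice@example.test", "203.0.113.10", "alice@example.test"),
    _event("2024-06-03T09:05:00Z", "User registered security info", "bob@example.test", "203.0.113.10", "bob@example.test"),
    _event("2024-06-03T09:15:00Z", "User registered security info", "carol@example.test", "203.0.113.10", "carol@example.test"),
    _event("2024-06-03T09:30:00Z", "User registered security info", "dave@example.test", "198.51.100.7", "dave@example.test"),
    _event("2024-06-03T10:00:00Z", "User deleted security info", "erin@example.test", "198.51.100.8", "erin@example.test"),
    _event("2024-06-03T10:02:00Z", "User registered security info", "erin@example.test", "198.51.100.8", "erin@example.test"),
    _event("2024-06-03T11:00:00Z", "Update user", "admin@example.test", "198.51.100.9", "frank@example.test"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_changes(events):
    """Keep only security-info changes, flattened and sorted by time."""
    out = []
    for e in events:
        if e.get("activityDisplayName") not in MFA_ACTIVITIES:
            continue
        actor = e.get("initiatedBy", {}).get("user", {})
        targets = [t.get("userPrincipalName") for t in e.get("targetResources", [])]
        out.append({
            "time": parse_time(e["activityDateTime"]),
            "activity": e["activityDisplayName"],
            "ip": actor.get("ipAddress"),
            "actor": actor.get("userPrincipalName"),
            "target": targets[0] if targets else None,
        })
    return sorted(out, key=lambda r: r["time"])


def shared_ip_registrations(events, window=timedelta(hours=1), min_users=3):
    """IPs that registered MFA methods for >= min_users distinct users within `window`."""
    by_ip = defaultdict(list)
    for r in mfa_changes(events):
        if "registered" in r["activity"] and r["ip"]:
            by_ip[r["ip"]].append(r)
    hits = {}
    for ip, rows in by_ip.items():
        for start in rows:  # sliding window anchored on each registration
            users = {r["target"] for r in rows
                     if start["time"] <= r["time"] <= start["time"] + window}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return hits


def method_swaps(events, window=timedelta(minutes=15)):
    """Users whose MFA method was deleted and re-registered within `window`."""
    by_target = defaultdict(list)
    for r in mfa_changes(events):
        by_target[r["target"]].append(r)
    swapped = []
    for target, rows in by_target.items():
        for i, r in enumerate(rows):
            if "deleted" not in r["activity"]:
                continue
            if any("registered" in later["activity"] and later["time"] - r["time"] <= window
                   for later in rows[i + 1:]):
                swapped.append(target)
                break
    return sorted(swapped)


if __name__ == "__main__":
    print("shared-IP registrations:", shared_ip_registrations(SAMPLE_EVENTS))
    print("delete/re-register swaps:", method_swaps(SAMPLE_EVENTS))
```

Both functions work from the flattened view that `mfa_changes` produces, so the same records can feed further hunts (for example, admin-initiated registrations on accounts the admin does not normally touch) without re-parsing the export.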
Detecting malicious JavaScripts within SMTP flow (Using KQL, XQL and Splunk scripts) by Nathan Hueck
I think this is the first time I've ever seen a detection blog on hunting for badness in SMTP flow logs. It looks like KQL, Cortex XDR and Splunk come to the rescue here: you can dump all kinds of SMTP logs and e-mail messages to look for badness. I like how Hueck provides options in all three query languages.
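The same idea applied to the message bodies rather than the flow logs, as an added example that is not code from Hueck's post: parse a MIME message, walk its attachments, and flag script files by extension, including a script hidden behind a decoy extension inside a ZIP. The message is constructed in the block; the extension lists are an assumption you would tune for your environment.

```python
"""Flag script attachments in e-mail messages, including inside ZIPs (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_ZIP_DEPTH = 3  # stop recursing into nested archives past this depth


def build_sample_message():
    """Constructed sample: a ZIP named like an invoice that holds 'invoice.pdf.js'."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// placeholder script body for the sample\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


def classify_name(name):
    """Return a reason string if the file name looks like a script, else None."""
    parts = name.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTENSIONS:
        return "script extension hidden behind ." + parts[1]
    return "script extension"


def _check(name, payload, container, depth):
    found = []
    reason = classify_name(name)
    if reason:
        found.append({"file": name, "container": container, "reason": reason})
    # Look inside ZIP archives (local file header magic "PK") up to MAX_ZIP_DEPTH.
    if payload[:2] == b"PK" and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    found.extend(_check(info.filename, zf.read(info), name, depth + 1))
        except zipfile.BadZipFile:
            pass
    return found


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return findings for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(_check(name, payload, None, 0))
    return findings


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f)
```

Extension matching is deliberately the first, cheap layer; the ZIP recursion is what catches the common "archive with one script inside" delivery, and the depth cap keeps nested archives from turning the scanner into a resource sink.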
Stealing everything you've ever typed or viewed on your own Windows PC is now possible with two lines of code - inside the Copilot+ Recall disaster by Kevin Beaumont
Microsoft Copilot+ Recall (man, what a freakin' mouthful) is a feature launched by the firm that executives advertised as taking screenshots of your desktop to recall anything that's ever happened on your computer. This drew some understandable outrage: from a privacy perspective, imagine having a record of everything you've done on your P.C., personal and professional, and then putting that into a SQLite database. Then, have that database accessible like any other file on your P.C.
Beaumont installed Copilot+ Recall and tested many attack scenarios, all succeeding. The tech giant needs to reconsider its positioning and feature set, pull this back, and NOT roll it out. It's a bit of a P.R. nightmare already!
Merging Mental Models Part 2: The Cyber Defense Matrix by Sounil Yu
As a LinkedIn expert, I am offended... just kidding. Mental models are a key ingredient of threat detection engineering: the Pyramid of Pain, MITRE ATT&CK, and NIST CSF are three of many models that help classify and describe what we are trying to do in the space. In this post, Yu explains how adding more to a model isn't necessarily the best approach when describing more complex relationships. Yu plugs his research on the Cyber Defense Matrix, which combines three models and gives users a grammar to describe cybersecurity concepts and ask the right questions when framing a problem.
Detection Engineering Podcasts
As security engineers, we typically answer that the most important part of a business is its security. It's a biased answer since that's where we work day to day, but business operations entail way more than just making sure things are secure. This is especially true for SCADA and OT networks. In this podcast, Jason Waits (who I met with Jack at their party at RSA!) discusses threat detection and automation for OT environments, which are the primary customers of his firm.
Imagine having to deploy OT and SCADA systems in your own data center to do detection engineering for customers! Jason also called out the newsletter at the end of the episode, thank you so much!
Super interesting podcast episode detailing "Operational Relay Boxes" or ORBs. It was cool seeing how Raggi and the Mandiant team developed a taxonomy of this type of attacker infrastructure. I've done some research and helped build detections around these ORB networks, and there's a ton of residential proxy activity mixed with botnet activity.
Threat Landscape
Detecting and Preventing Unauthorized User Access: Instructions by Snowflake Community
CONTENT WARNING: the actor used sexual abuse words in some of their tooling and that is listed in this blog
The big news from the end of last week was the intrusion news related to Snowflake customers. It caused a ton of stir in the community, especially if you are a customer, because it was a notable event that specifically targeted cloud databases for the purpose of stealing data. In this post, the Snowflake security team released a list of hunting and detection opportunities for customers affected by this campaign.
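Two hunts of the kind that guidance lists, as an added example that is not code from Snowflake's post: successful password-only logins from outside the corporate ranges, and a user authenticating with a client type never seen for them in a baseline period. It assumes rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST/SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS as 'YES'/'NO'); the rows, the corporate range and the cutoff are constructed.

```python
"""Hunting unauthorized Snowflake logins over LOGIN_HISTORY-shaped rows (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the LOGIN_HISTORY column shape.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-05-28 08:00:00", "USER_NAME": "ANALYST1", "CLIENT_IP": "10.20.0.5",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-29 02:00:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "10.20.1.9",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-29 08:10:00", "USER_NAME": "ANALYST1", "CLIENT_IP": "10.20.0.5",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-02 23:40:00", "USER_NAME": "ANALYST1", "CLIENT_IP": "198.51.100.23",
     "REPORTED_CLIENT_TYPE": "OTHER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-02 23:41:00", "USER_NAME": "ANALYST2", "CLIENT_IP": "198.51.100.23",
     "REPORTED_CLIENT_TYPE": "OTHER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-06-03 09:00:00", "USER_NAME": "ANALYST2", "CLIENT_IP": "10.20.0.7",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
]

# Assumed corporate egress range for the sample; replace with your own allowlist.
CORP_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def off_network(ip):
    """True when the client IP is outside every allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_RANGES)


def password_only_external_logins(rows):
    """Successful logins with no second factor from outside the corporate ranges."""
    hits = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        if r["SECOND_AUTHENTICATION_FACTOR"]:
            continue
        if off_network(r["CLIENT_IP"]):
            hits.append((r["USER_NAME"], r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"]))
    return hits


def new_client_types(rows, cutoff):
    """Client types first seen for a user after `cutoff`, for users with a prior baseline.

    Users with no successful logins before the cutoff are skipped: a brand-new
    account has no baseline to compare against and would only add noise here.
    """
    cut = parse_ts(cutoff)
    baseline = defaultdict(set)
    for r in rows:
        if r["IS_SUCCESS"] == "YES" and parse_ts(r["EVENT_TIMESTAMP"]) < cut:
            baseline[r["USER_NAME"]].add(r["REPORTED_CLIENT_TYPE"])
    hits = {}
    for r in rows:
        if r["IS_SUCCESS"] != "YES" or parse_ts(r["EVENT_TIMESTAMP"]) < cut:
            continue
        user, client = r["USER_NAME"], r["REPORTED_CLIENT_TYPE"]
        if user in baseline and client not in baseline[user]:
            hits.setdefault(user, set()).add(client)
    return hits


if __name__ == "__main__":
    print("password-only external logins:", password_only_external_logins(SAMPLE_LOGINS))
    print("new client types:", new_client_types(SAMPLE_LOGINS, "2024-06-01 00:00:00"))
```

The service account SVC_ETL is password-only but stays on the corporate range, so the first hunt does not fire on it; that is the usual reason such accounts survive an MFA rollout, and it is also why the IP allowlist matters as much as the factor check.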
Hudson Rock yanks report into alleged Snowflake compromise by Jessica Lyons
Hacking Millions of Modems (and Investigating Who Hacked My Modem) by Sam Curry
When I read titles like this, the first thought in my mind is, "Okay, is this true, or are they hyping themselves up with a theoretical attack?" Nope. Absolutely crazy dive into Cox's Business API for managing modems. The timeline is pretty funny, too - Curry's modem was hacked years ago, and when he replaced it, he stumbled upon some intelligence on how modem protocols work, which then led him to target the REST APIs around these modem protocols for Cox.
Check Point - Wrong Check Point (CVE-2024-24919) by watchtowr labs
It's Week 23 of the Fiscal Year of our Lord, and there's another critical vulnerability on an edge appliance. You thought that opener was cheeky? The watchtowr labs team went off on this one (in the best ways possible). Luckily, we have research teams that can patch-diff vulnerabilities and get a better answer on the technical components of a vulnerability like this, since not all vendors release details on their vulnerabilities.
New Execution Technique in ClearFake Campaign by Reliaquest
What is old is new again. Am I dating myself if I say I had an AOL Instant Messenger account? Does anyone remember getting troll messages to copy and paste batch scripts disguised as something else? Then you get a CPU crash, or your desktop image set to something unsavory? It's safe to say that if you find a threat actor abusing a technique, it probably works. ClearFake is a cluster of malware designed to infect users visiting lookalike sites, and you get an annoying popup saying your computer is infected.
The team at ReliaQuest found a variant of this that prompts the user to copy and paste PowerShell to "fix" the issue. Before arriving at the final infection with LummaC2, the malware chain employed some clever sandbox evasion techniques.
Open Source
CVE-2024-24919-Bulk-Scanner by ifconfig-me
Bulk scanner project for Check Point's vulnerability based on the above blog by watchtowr labs.
Cadiclus by tjnull
Broke: Privesc in Linux by bruteforcing passwd
Woke: linpeas and bash scripts to do privesc in Linux
Bespoke: privesc using PowerShell in Linux
The_Shelf by trustedsec
A cool graveyard of offsec tools by the TrustedSec team. Looks like a lot of them were leveraged for years, but after different offerings (both on the red team and blue team side) emerged, they became less relevant.
TotalRecall by xaitax
Pretty amazing timing given the Kevin Beaumont blog on Copilot+ Recall listed above. Beaumont did not go into technical details (probably to make sure his research did not fall into the wrong hands), but the open source community changed that with this toolset. Lots of technical details starting here; the tool has some cool features for parsing the database and extracting potentially sensitive information.