Det. Eng. Weekly #73 - If BreachForums goes down, do intel firms have a product?
Do Popes and Bears use STIX 2.1?
Welcome to Issue #73 of Detection Engineering Weekly!
I'm hanging out with Datadogs in NYC this week! I do love visiting NY, and hopefully I can get some great food before heading home and taking a week off.
Programming note: No newsletter next week, next issue is June 26!
Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
Detection Engineering Gem
EDR Internals for macOS and Linux by Kyle Avery
When I think of EDR, I think of Windows: perhaps because of the operating system's popularity, both with threat actors and cybersecurity professionals alike. What I've learned from reading lots of detection-focused content for Windows is that EDR was created in response to the sheer insanity of the Windows OS. Its obsession with backward compatibility, multiple layers of DLLs invoking layers of other DLLs, and even some undocumented shenanigans, created a whole industry of companies that are now breaking into the S&P 500.
What about endpoint solutions for the other operating systems? The complexity of malware can change between Linux, macOS, and Windows, but context matters, right? This post helps readers dive into research performed on endpoint implementations in Linux and macOS. I really appreciated the tools Avery and the team posted for instrumenting devices, and the history of how Apple and the Linux kernel teams responded to the need for this type of instrumentation (Endpoint Security on macOS, eBPF and friends on Linux).
State of the Art
The CTI Analyst Challenge by Will Thomas
Will launched a self-directed and free cyber threat intelligence training course for beginners and seasoned professionals. I love how templatized and prescriptive this training is: I read many blog posts on Medium or Twitter that look like a ChatGPT "How to be a threat intel person" prompt. Will's investment in the visual aspects and the instructions for each example scenario can really help aspiring analysts get reps on real-world incidents.
A Detection Engineer's Guide to SCCM Misconfiguration Abuse by Trenton Tait
Ansible, Chef and Puppet are to Linux as Microsoft's System Center Configuration Manager (SCCM, now branded Microsoft Configuration Manager) is to Windows. Tait and the good folks at SnapAttack published their research on detecting threats in SCCM. Tait reviews three open-source tools targeting SCCM and explores detection opportunities via Windows Events for each one. You can see functional chains being leveraged here, such as looking at the process graph when running SharpSCCM rather than alerting on any single event.
The Race to Make a Business of Secure Defaults by Rami McCarthy
I appreciate posts like Rami's here precisely because it's an excellent index of "how is the industry trying to solve this problem." I can see where detection is used as a hedge when secure defaults fail. I like telling folks that Detection isn't about adding rules but about rule management. That means adding, updating, and DEPRECATING rules. Rule deprecation isn't just reacting to detection drift; you should look to close holes inside your infrastructure (a secure default, a removed permission, a blocked protocol) to remove whole classes of detections altogether.
ANTI-CHEAT EXPERT: ALL YOUR PIXELS ARE BELONG TO US by Dennis Reußwig
Anti-cheat is the original EDR! If you read posts on anti-cheat research, you'll get a lot of insight into modern security practices and, at times, a peek at what to expect from security products down the road. According to the author, Tencent's "ACE" engine takes screenshots of your entire desktop display, not just the window handle of the video game. Reußwig exposes the code from the engine that performs the screenshot and steps through each line so readers can check the math themselves. The quote at the end of the blog showcases what the security community is currently worried about with tech giants like Microsoft. A "take screenshots of everything" capability like this, though, goes well beyond an OS feature you can opt out of:
"It seems to be an artifact of the actual capabilities this anti-cheat has, which may not be present in the International version. In my honest opinion, such an anti-cheat feature shouldn't be allowed in a game that is not solely available in China. ACE overall is a treasure trove of privacy violations: checking recently used files, uploading files to their servers, banning having reverse engineering tools open, or having used them recently on game files; the list goes on."
A Guide To Kubernetes Logs That Isn't A Vendor Pitch by Graham Helton
This is a super-comprehensive guide to logging in Kubernetes, and it does a fantastic job of leveraging the "4Cs" model of cloud security I talked about during my SLEUTHCON talk! Basically, when you run K8s, you have to think about what is happening at the code, container, cluster, and cloud levels, and each layer has its own log sources (application logs, container runtime logs, the API server audit log, and the cloud provider's control-plane logs). Also, make sure you have deep Linux experience. After that, it seems easy, right? :)
A guide to threat hunting and monitoring in Snowflake by Julie Agnes Sparks and Seth Art
** Note, my employer is Datadog, and Julie and Seth are my colleagues! **
The security research team at Datadog released threat-hunting queries and methodologies for Snowflake late last week! It was incredible watching the team put their heads together while parsing Snowflake advisories and documentation, and comparing notes on which hunting queries and detection opportunities others could use to check their own Snowflake instances for compromise. We split the queries by MITRE ATT&CK tactic so you can jump to the parts of the blog most relevant to starting an investigation.
Detection Engineering Podcasts
This latest episode of Darknet Diaries follows the story of "Anom," an FBI-controlled encrypted phone company that marketed itself as FUBU, but for criminals. Joseph Cox at 404 Media documented this crazy story: these phones are typically sold on the criminal underground to some pretty bad people, and the FBI managed to turn the company's head into an asset and get copies of every single message sent on the platform.
This is an excellent episode on incident response and studying intrusions that target the cloud. Will Silverstone and Omar El Ahdan provide some pithy recommendations on securing the cloud and on what would have prevented the breaches they responded to. It all comes back to identity!
Threat Landscape
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion by Mandiant
The folks at Mandiant released their incident response report on the Snowflake customer incidents that dominated the news in the last few weeks. According to Mandiant and Snowflake, approximately 165 organizations were potentially exposed and notified. The TL;DR is that UNC5537 leveraged credentials harvested by infostealer malware (some of them years old) to log into customer instances that had no MFA enforced and no network allow lists, so the hunt starts with your authentication logs, not with Snowflake itself.
Several botnets were dismantled in the largest international operation by Operation Endgame
A Europol-coordinated group of international law enforcement agencies launched a website dubbed "Operation Endgame" to start dismantling large botnets worldwide. IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee were targeted in the first iteration, and there's a countdown timer (as of 11 June) for a new release in about two days.
I'm kind of digging this type of marketing from Law Enforcement Agencies: they name and shame and try to sow discord in these communities.
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment by The DFIR Report
Excellent timing from The DFIR Report, given the announcement of Operation Endgame! This report starts with an IcedID loader infection that ends in an ALPHV ransomware deployment. The infection chain contains all the latest TTPs: RMM tools (ScreenConnect), Impacket, RDP for lateral movement, and Cobalt Strike.
No Way, PHP Strikes Again! (CVE-2024-4577) by watchTowr Labs
This is a clever write-up on a PHP RCE being exploited in the wild. The target set, or victimology, is interesting: only PHP running in CGI mode on Windows (including XAMPP's default configuration) is affected, and only in locales where Windows' "best fit" Unicode mapping converts a soft hyphen (0xAD) into a regular hyphen, so the CGI handler ends up parsing attacker-supplied query-string data as php-cgi command-line options. The team at watchTowr leverages techniques from an eerily similar 12-year-old PHP bug (CVE-2012-1823, the original argument injection this one bypasses) to write the PoC for CVE-2024-4577.
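As an added example (not code from the watchTowr write-up or this newsletter), here is a small Python hunt over constructed Apache-style access log lines that mirrors what the CGI handler does with a query string: a query with no unencoded "=" becomes command-line arguments (the CGI "indexed query" rule), it is split on "+", and each piece is percent-decoded. Any resulting argument that starts with a real hyphen (0x2D) or the soft hyphen (0xAD) followed by a php-cgi switch letter is flagged. The IPs, paths and payloads in the log are constructed. The 0xAD-to-hyphen conversion only happens on Windows in affected locales, but the request shape is worth flagging on any server, since scanners don't check your locale first.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access log lines (not real traffic). Line 1 carries
# the soft hyphen (0xAD, sent as %AD) where php-cgi expects '-'; line 4 is the
# older plain-hyphen form from CVE-2012-1823; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 142
198.51.100.9 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?page=about&id=3 HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET /download.php?file=re%ADsume.pdf HTTP/1.1" 404 210
192.0.2.44 - - [10/Jun/2024:12:00:04 +0000] "GET /info.php?-s HTTP/1.1" 200 87
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# php-cgi switches worth alerting on: -d (set an INI directive), -s (dump the
# script source), -n (skip php.ini), -c (alternate php.ini path).
PHP_CGI_SWITCHES = b"dsnc"
# A real hyphen, and the soft hyphen that Windows "best fit" mapping turns into one.
DASH_LIKE = {0x2D, 0xAD}


def cgi_argv(raw_query: bytes) -> list[bytes]:
    """Rebuild argv the way the CGI 'indexed query' rule does (RFC 3875):
    only a query string with no unencoded '=' becomes arguments; it is split
    on '+' and each piece is percent-decoded afterwards."""
    if b"=" in raw_query:
        return []
    return [unquote_to_bytes(part) for part in raw_query.split(b"+") if part]


def looks_like_cgi_argument_injection(target: bytes) -> bool:
    """True when the request would hand php-cgi an option-like argument."""
    _, _, raw_query = target.partition(b"?")
    return any(
        len(arg) >= 2 and arg[0] in DASH_LIKE and arg[1] in PHP_CGI_SWITCHES
        for arg in cgi_argv(raw_query)
    )


def scan_access_log(log_text: str) -> list[str]:
    """Return the request targets in an access log that match the pattern."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # latin-1 round-trips the log bytes 1:1; percent-decoding happens in cgi_argv
        target = match.group("target").encode("latin-1")
        if looks_like_cgi_argument_injection(target):
            hits.append(match.group("target"))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious php-cgi argument injection:", hit)
```

Note that line 3 of the sample contains %AD too but is not flagged: the literal "=" in its query string means the CGI handler never builds argv from it, so matching on "%AD" alone would be a noisy rule. Decoding the request the way the target does is what keeps the signal clean.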
Open Source
CTI-Analyst-Challenge by BushidoUK
Challenge repository from Will Thomas' post above. Start with proactive then reactive, and don't forget about your stakeholders!
Misconfiguration-Manager by subat0mik
SCCM attack and defense repository used in the above SnapAttack article. I like how it's split out into Offensive & Defensive techniques, and the defense techniques include a "CANARY" section for some deception-based detection.
txt2stix by muchdogesec
txt2stix is a tool that takes text files as input, matches observables in them, and emits indicators of compromise as STIX 2.1 objects. Depending on your needs, the extraction can use pattern matching, a key/value lookup, or an LLM, so check which mode produced an indicator before you trust it downstream.
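As an added example of the same idea, and not txt2stix's own code, here is a minimal Python version of the pattern-matching path: refang the text, pull out IPv4 addresses, domain names and SHA-256 hashes with regexes, and wrap each one as a STIX 2.1 Indicator (with a STIX pattern) inside a Bundle. The sample report text and every value in it are constructed; the regexes and object paths are my choices, not the tool's.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample report text; none of these values are real indicators.
SAMPLE_TEXT = """
The loader beaconed to 203.0.113.55 and later to update.example-cdn[.]net.
Dropped payload SHA-256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Secondary C2 at hxxp://198.51.100.23/gate.php.
"""

# STIX 2.1 object path -> regex that extracts candidate values from prose.
OBSERVABLE_PATTERNS = {
    "ipv4-addr:value": re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}\b(?!\.\d)"),
    # The lookbehind stops 'gate.php' inside a URL path and the tail of an IP
    # address from being reported as domains.
    "domain-name:value": re.compile(r"(?<![\w./-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "file:hashes.'SHA-256'": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}


def refang(text: str) -> str:
    """Undo the common defanging conventions analysts use in reports."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def extract_observables(text: str) -> list[tuple[str, str]]:
    """Return deduplicated (object_path, value) pairs found in the text."""
    clean = refang(text)
    found: list[tuple[str, str]] = []
    for object_path, pattern in OBSERVABLE_PATTERNS.items():
        for match in pattern.finditer(clean):
            value = match.group(0)
            # Drop things that look like IPs but have an octet above 255.
            if object_path.startswith("ipv4") and any(int(o) > 255 for o in value.split(".")):
                continue
            if not object_path.startswith("ipv4"):
                value = value.lower()  # domains and hashes are case-insensitive
            pair = (object_path, value)
            if pair not in found:
                found.append(pair)
    return found


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 timestamp with millisecond precision, as STIX 2.1 expects."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(object_path: str, value: str, now: str) -> dict:
    """Build a STIX 2.1 Indicator SDO carrying a STIX pattern for one observable."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",  # SDO identifiers use UUIDv4
        "created": now,
        "modified": now,
        "name": f"{object_path}: {value}",
        # Values from the regexes above cannot contain quotes, so no escaping needed.
        "pattern": f"[{object_path} = '{value}']",
        "pattern_type": "stix",
        "valid_from": now,
    }


def text_to_stix_bundle(text: str) -> dict:
    """Turn free text into a STIX 2.1 Bundle of Indicator objects."""
    now = stix_timestamp(datetime.now(timezone.utc))
    objects = [make_indicator(path, value, now) for path, value in extract_observables(text)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(text_to_stix_bundle(SAMPLE_TEXT), indent=2))
```

The regex path is deterministic and auditable, which is why I'd reach for it before an LLM extractor on anything feeding a blocklist. If you need stable identifiers across re-runs (for example to update rather than duplicate an indicator), switch the Indicator IDs to UUIDv5 derived from the pattern; STIX 2.1 only requires v4 for the default case.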
Evilginx-Phishing-Infra-Setup by An0nUD4Y
Extensive write-up on how to stand up evilginx for phishing engagements. I like the OPSEC tips because they force operators to understand what they expose (and what defenders can fingerprint) if they put evilginx up on the public internet.
CVE-2024-4577-PHP-RCE by ZephrFish
Check for CVE-2024-4577 in Go, Python, shell, or as a Nuclei template! Companion code to the watchTowr Labs post listed above.
Enjoy the time off next week my friend!