Det. Eng. Weekly #74 - Happy Birthday, Pasha!
🐶 8 years as my best bud and 74 issues as the face of this newsletter 🐶
Welcome to Issue #74 of Detection Engineering Weekly!
It feels good to be back and writing for you all! I took some much needed PTO at a rental lakehouse in New England, and managed to bring Pasha with the family so he can enjoy water time as well. This dog LOVES water - I caught him falling asleep with a toy in his mouth right at the start of the water on the shore. Today is his birthday, and it’s hard to believe how much this guy has stuck through it all with me.
A few people asked me “why is there a dog as your logo? Is it because it’s sniffing out alerts?” and I just awkwardly reply: “No I had a few drinks when I first started this Substack and I just wanted my dog as the logo”
Happy Birthday, buddy!
This week we’ll dive straight back into content, but since one of my favorite conferences, fwd:cloudsec, just happened, you’ll see more YouTube video content from some of my favorite detection-engineering-related presentations and no threat landscape section.
💎 Detection Engineering Gem 💎
Pivot Atlas by Amitai Cohen
Pivoting is an essential part of investigations and detection engineering. The idea is that by viewing technical indicators of compromise as composite objects, you can uncover details about an intrusion that aren’t present directly in the log or alert you are working from. This becomes especially important during response exercises, where you can leverage these composite objects to block campaigns and command-and-control infrastructure.
The Pivot Atlas is a fantastic visual Rolodex of composite-object pivoting techniques. Amitai did a great job documenting the highest-value technical indicators of compromise, composed a map of these artifacts, and interconnected them with investigation questions to help analysts, detection engineers, and researchers get the best “bang for your buck” when deep-diving campaigns.
🔬 State of the Art
Impair Defenses [T1562.012]: Detect Linux Audit Logs Tampering (Part 2) by Aleksandar Matev
In part 2 of Matev’s series on impair-defenses detection, he explores detection opportunities when an actor attempts to delete auditd rules on a Linux box. Impairing defenses is an excellent tool for threat actors to conceal their operations, but their attempts to hide their tracks are themselves a detection opportunity!
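As an added illustration of the detection opportunity above (this is not code from Matev’s post), the snippet below parses auditd CONFIG_CHANGE records and flags rule removals, a burst of removals from one session (the pattern a bulk rule deletion produces), and auditing being switched off. The log lines are constructed samples in auditd’s key=value layout, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the post): one rule added, a normal
# syscall record, two rule removals in quick succession, then auditing disabled.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1718900000.101:201): auid=1000 ses=4 op=add_rule key="exec" list=4 res=1
type=SYSCALL msg=audit(1718900001.202:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=4 comm="ls" exe="/usr/bin/ls" key="exec"
type=CONFIG_CHANGE msg=audit(1718900050.303:210): auid=1000 ses=4 op=remove_rule key="exec" list=4 res=1
type=CONFIG_CHANGE msg=audit(1718900051.404:211): auid=1000 ses=4 op=remove_rule key="passwd" list=4 res=1
type=CONFIG_CHANGE msg=audit(1718900052.505:212): audit_enabled=0 old=1 auid=1000 ses=4 res=1
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
TS_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # epoch timestamp and serial

def parse_record(line):
    """Turn one auditd record into a dict of fields plus a float 'ts' timestamp."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = TS_RE.search(line)
    rec["ts"] = float(m.group(1)) if m else 0.0
    return rec

def detect_audit_tampering(log_text, window=60, min_removals=2):
    """Return sorted (ts, (auid, ses), reason) findings for audit-config tampering."""
    findings = []
    removals = defaultdict(list)  # (auid, ses) -> timestamps of rule removals
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "CONFIG_CHANGE":
            continue  # only configuration changes matter here
        who = (rec.get("auid"), rec.get("ses"))
        if rec.get("audit_enabled") == "0":
            findings.append((rec["ts"], who, "auditing disabled (audit_enabled=0)"))
        if rec.get("op") == "remove_rule":
            removals[who].append(rec["ts"])
            findings.append((rec["ts"], who, f"audit rule removed key={rec.get('key')}"))
    # Bulk deletion: several removals by one session inside a short window.
    for who, stamps in removals.items():
        stamps.sort()
        for i in range(len(stamps) - min_removals + 1):
            if stamps[i + min_removals - 1] - stamps[i] <= window:
                findings.append((stamps[i], who, f"{min_removals}+ rules removed within {window}s"))
                break
    return sorted(findings)
```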
Demystifying Okta Attacks with Dorothy and Splunk by Trenton Tait
This is an excellent detection post on leveraging emulation tooling for detection opportunities in Okta. Tait creates an Okta tenant, sends audit logs into Splunk, and then runs Elastic’s Dorothy tool to interact with the Okta API and generate events. Like Matev’s post above, Tait attempts to impair Okta defenses by modifying policy states and Network Zone states (aka Okta firewall rules). Luckily, the actions Tait tested generate audit logs, and you can see a good amount of telemetry and enrichment that Okta provides.
Attack Paths Into VMs in the Cloud by Jay Chen
This is an excellent amalgamation of the different types of attacks on virtual machines in AWS, Azure and GCP. The complexities of infrastructure in the cloud are vast, and you have to shelve knowledge of one cloud as you move to another because the implementation details differ.
Chen did a great job classifying types of attacks across the three major CSPs and provided detection opportunities while comparing and contrasting the methodologies. For example, did you know there is a “serial port” for cloud instances across all three providers that is effectively unblockable from the network, and that all three provide CLI access to it?
Octo Tempest: Hybrid identity compromise recovery by Rich Peckham
It’s rare to see hands-on-keyboard activity reacting to incident response, but I’ve read several stories where Octo Tempest/SCATTERED SPIDER attempt to dig their heels in when they are being kicked out. Peckham reviews hybrid Azure and Entra environments in this post and walks through a playbook to “evict” threat actors from your Entra ID tenant. Once the Entra ID tenant is clean, the post provides a separate playbook for on-premises AD.
Bypassing Okta’s Passwordless MFA: Technical Analysis And Detection by Ron Marom
Lots of identity and "impair defense" content for this issue! Marom reviews Okta’s implementation of “Passwordless MFA”, aka Okta Fastpass. The idea behind it is using something physical to prove an identity, like your phone, to achieve passwordless MFA. The problem with these methods comes into play when you can intercept authentication tokens to Okta from a Fastpass-enrolled device, or you get access to a victim machine and generate a token from their “something you have” device.
Marom creates an emulation of this technique, provides detection opportunities, and reviews the fields in the Okta audit log to detect this moving forward.
🎙️ Detection Engineering Media - fwd:cloudsec Edition
There is so much more content than the four videos I linked, so please check the fwd:cloudsec YouTube channel to get a full list of presentations. I chose these four because I think they offer some amazing lessons in threat detection in the Cloud, both from a rule perspective and from a sheer scale perspective.
Korstiaan runs Invictus IR, a company whose blog posts I’ve linked several times in this newsletter. This specific presentation is on a clever intrusion in a victim AWS environment. The actor showed cloud knowledge, used several new techniques for enumeration, and also tried some hands-on-keyboard activity as they were being evicted.
My friend Ian did a great deep dive on the LUCR-3/SCATTERED SPIDER/Octo Tempest intrusion set and showcased how advanced motivated actors can be when they try to ransom or extort a cloud environment. He had a hilarious bingo card for every time he said Uh/Um; that helped break up the slides, too!
Speaking of scale, how many API calls are processed by the main cloud service providers each day? If I had to guess, it'd be in the (B)illions. When you hit THAT scale, weird things, such as solar rays swapping bits on your telemetry, start to happen. So, what happens when bits are swapped? Strangeness ensues, and opportunities to attack customer environments start to emerge.
Last, my colleague Nick dropped research on initial access methods and detection opportunities for vulnerabilities he found in AWS. Listen, IAM is hard, and cloud IAM is weird and hard, so when you start poking around for cloud defaults or assumptions made by AWS devs, you find things! It's a good lesson in defense-in-depth, especially from a threat detection perspective, because cloud developers at these service providers are humans like us.
🔗 Open Source
YetiHunter by Permiso-io-tools
Hot on the heels of the Snowflake security incident, the good folks at Permiso released a Snowflake threat hunting tool to help responders and hunters investigate their Snowflake environments. The team pulled several queries from open source reporting, including Mandiant’s and Datadog’s, and made it easy to quickly orient and find evidence of compromise in these environments.
Kdrill by ExaTrack
A Python tool that checks for kernel-level rootkits in Windows. It’s always interesting reading rootkit detection code, as it gives you a much deeper understanding of where artifacts or telemetry are generated on a system.
Voidgate by vxCrypt0r
Yet another EDR evasion tool that relies on creating memory regions with encrypted assembly and PAGE_EXECUTE_READWRITE permissions. It uses a VEH like other tools I’ve linked before, and decrypts 16 bytes at a time. Once executed, it re-encrypts the blocks. I don’t see any testing benchmarks against EDRs, so it’s definitely worth a try.
pivot-atlas by korniko98
Pivot Atlas mkdocs code from Amitai’s gem post above!
dorothy by elastic
CLI tool to perform various emulation techniques on Okta environments. Hoping the Elastic team can update this with new techniques since three years is a LONG time for a SaaS company like Okta to add new features and new vectors!