Welcome to Issue #76 of Detection Engineering Weekly!
Sorry about the late start! I lost precious time for editing (the night before) when my power went out.
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
📣 Issue #76 Sponsor: The CloudSec Engineer
📙 The CloudSec Engineer is out now!
The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.
You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.
💎 Detection Engineering Gem 💎
Mistaken Identification: When an Attack Technique isn’t a Technique by Andrew VanVleet
How do you differentiate detecting tools from techniques? This topic has been explored extensively since the Pyramid of Pain, but I haven’t seen an exploration that challenges the idea of a tool itself as it maps to MITRE ATT&CK. It’s a frustrating predicament: when you look at the technique (as VanVleet does) T1059.001 PowerShell, how is that... a technique?
I think what he is explaining here is that there is a cost to focusing too narrowly on a tool, which opens you up to false negatives on the technique, as well as a cost to focusing too broadly on the tool, which means you alert on everything. His WMI Event Subscription example is spot on: it achieves an objective, but does the use of WMI itself mean anything? Probably not.
I highly recommend checking out VanVleet’s previous post on mapping out attack techniques for more strategies for identifying pitfalls like the tool problem.
🔬 State of the Art
Find lateral movement paths using KQL Graph semantics by Fabian Bader
Attack paths visualized via graph databases are a powerful and intuitive way for threat hunters and detection engineers to find privilege escalation paths. When I think of privilege escalation, I come from the older, host-based world of a misconfigured machine with either a vulnerability that gets me a root shell or an overly privileged account or binary (SUID privesc, anyone?) that grabs that shell.
IAM was already hard enough on a host. Now, add the complexities of the cloud on top of our understanding of IAM, and you get some amazing research into privilege escalation paths like this one by Bader. By leveraging data from Microsoft Security and some KQL magic, you can visualize logs as graphs and quickly visualize these paths. Humans are much better graph processors than list processors, so having something out of the box to do this is a great tool for hunters.
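Bader's post does this with KQL graph operators over Microsoft Security data. To make the underlying idea concrete, here is an added example (mine, not Bader's code or query) in Python: log rows are projected into edges, and a breadth-first search enumerates paths from a foothold identity to a high-value target. Every identity, group and relationship name below is constructed for illustration.

```python
"""Path finding over an identity graph built from log-like edges.

Added example (not Fabian Bader's KQL from the post): turn log rows into graph
edges and search for paths from a foothold to a high-value target. Every edge
below is constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed edges (source, relationship, target). In a real hunt these would
# be projected from sign-in, group-membership and role-assignment logs.
EDGES: List[Tuple[str, str, str]] = [
    ("user:alice", "MemberOf", "group:helpdesk"),
    ("group:helpdesk", "CanResetPasswordOf", "user:bob"),
    ("user:bob", "MemberOf", "group:server-admins"),
    ("group:server-admins", "AdminTo", "host:fileserver01"),
    ("user:bob", "OwnsServicePrincipal", "sp:deploy-bot"),
    ("sp:deploy-bot", "HasRole", "role:GlobalAdministrator"),
    ("user:carol", "MemberOf", "group:finance"),
    ("group:finance", "CanReadSite", "site:reports"),
]

Graph = Dict[str, List[Tuple[str, str]]]


def build_graph(edges: Iterable[Tuple[str, str, str]]) -> Graph:
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph: Graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph: Graph, start: str, target: str, max_hops: int = 6) -> List[List[str]]:
    """Breadth-first enumeration of all simple paths from start to target.

    A path alternates node, relationship, node, ... so it reads like a
    graph-match pattern. max_hops bounds the search; attack paths longer than
    a handful of hops are rarely worth surfacing to a hunter.
    """
    paths: List[List[str]] = []
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            paths.append(path)
            continue
        hops = (len(path) - 1) // 2
        if hops >= max_hops:
            continue
        for rel, nxt in graph.get(node, []):
            if nxt in path[::2]:  # nodes sit at even offsets; skip cycles
                continue
            queue.append((nxt, path + [rel, nxt]))
    return paths


def shortest_path(graph: Graph, start: str, target: str) -> Optional[List[str]]:
    """Shortest escalation path, or None when the target is unreachable."""
    paths = find_paths(graph, start, target)
    return min(paths, key=len) if paths else None


def render(path: List[str]) -> str:
    """Pretty-print a path as  a -[rel]-> b -[rel]-> c."""
    parts = [path[0]]
    for i in range(1, len(path), 2):
        parts.append(f"-[{path[i]}]-> {path[i + 1]}")
    return " ".join(parts)


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for target in ("role:GlobalAdministrator", "host:fileserver01"):
        for p in find_paths(GRAPH, "user:alice", target):
            print(render(p))
```

The same search generalises to any edge type you can derive from logs; the hunter's work is deciding which relationships count as traversable and which nodes count as targets.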
When the hunter becomes the hunted: Using custom callbacks to disable EDRs by Saad Ahla
I wish EDR detection engineering wasn’t as “black box” as it is right now, but blog posts like this can help the general public (see: normies) understand EDR internals. The intro is a bit of an ambulance chase (“This blog delves into a chilling demonstration...”), but the technique is clever. EDRs focus on registering custom callbacks to inspect syscalls of interest, whether inspecting arguments or the process tree of the caller, to determine maliciousness. According to Ahla, you can bypass EDR detections by registering your own custom callbacks in several ways.
Ahla highlights an example here of registering a callback that is called before the EDR callback. You can choose to modify the arguments or block the execution of the EDR callback altogether.
Analysing IIS Compilation artifacts by Adrian Justice
IIS webshells are still a thing, and they can get pretty complicated once you consider that a webshell does not need to be written in an interpreted language. In this post, Justice reverse engineers a suspicious assembly file loaded into an IIS server using dnSpy. You’ll find ASP modules, compiled and written as .aspx files, in the assembly. Without looking at the decompiled module, you won’t know the full functionality of the potential webshells loaded on the server.
Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization by Lina Lau
IAM and Cloud - a match made in purgatory. Organizational tenants are features released by Cloud Vendors, Identity Providers, and SaaS vendors to help manage a contextual view of an organization or customer. Providing cross-tenant access is a feature I’ve seen mainly in Identity Providers, which makes sense: you want Okta to handle authentication so you can authenticate to Okta and get access to an Azure environment. But what about unapproved tenants, like another Cloud account? Look no further than this blog post!
Lau includes detection methodologies at the end with step-by-step instructions on how to find these types of attacks.
Sysmon: a viable alternative to EDR? by Alex Teixeira
This post explores the “build versus buy” conundrum faced by detection teams, specifically around Sysmon. I like how Alex scoped his argument to large-enterprise environments that use EDRs exclusively. Building an “EDR-like” tool with Sysmon isn’t cheap, and by the time you hire and train the right staff and deploy bespoke collection and analysis infrastructure, you haven’t even gotten to the hard part: writing and tuning rules! The cost equation is always relevant to security leaders, so Alex frames this argument through the lens of cost: spend more time operating the tools and writing custom detections than building, operating, and maintaining the infrastructure AND writing detections.
🎙️ Detection Engineering Media
In this episode of Detection at Scale, Jack interviews Darren LaCasse, who heads Detection, Response & Intel at Elastic. It’s really interesting listening to how LaCasse’s org “dogfoods” Elastic security alongside the Elastic product team. I’m in a similar situation here at Datadog, and comparing and contrasting their alerting methodologies, how they ship detections to production, and are also guinea pigs for detections before they hit customer environments was really cool to hear and take notes on.
I feel like I always have to link a podcast if Andrew Morris is in it! It’s a great episode recapping some of the craziness of the last few weeks, but my favorite part is the interview with Andrew. Networking was my first love with computers in an academic setting - I was fortunate enough to study for the CCNA in high school (!) at age 16. Networking kind of got uncool within the last 10 years, especially with TLS, but what we learned as an industry is that there are way more peculiar things happening below Layer 7 that make virtually every Internet-facing service and client unique.
☣️ Threat Landscape
Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware by Hector Garcia
On the initial read, I thought the use of cluster bomb in the title was hyperbolic. Still, once you start reading this post from Outpost24 Research, it’s an apt analogy. Garcia details a technique leveraged by what they claim is a threat actor group in Eastern Europe that zips malware like a Matryoshka doll and throws the kitchen sink of loaders and stealers
Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm by US Department of Justice
DoJ seized two domain names and 968 social media accounts allegedly used by Russia-aligned actors associated with disinformation and astroturfing. The bot farm used AI to create profiles and messages to post on social networks. This is a wild statement from FBI Director Christopher Wray:
“Today’s actions represent a first in disrupting a Russian-sponsored Generative AI-enhanced social media bot farm,” said FBI Director Christopher Wray. “Russia intended to use this bot farm to disseminate AI-generated foreign disinformation, scaling their work with the assistance of AI to undermine our partners in Ukraine and influence geopolitical narratives favorable to the Russian government.”
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs by James Nutland
Researcher James Nutland at Cisco Talos reviewed several recent ransomware groups’ TTPs and documented the top ones. Since 2023, 14 groups have been studied, and the most (or least?) surprising Initial Access techniques should be no surprise: exploit public-facing apps, spearphishing, and valid accounts.
Do a firmware update for your AirPods – now by Jonas Dreßler
It’s not every day you see a vulnerability disclosed for a pair of headphones! Dreßler found a vulnerability in Apple’s FastConnect protocol, which allows attackers to connect to your AirPods as a rogue device without you knowing. Apparently you can only do the update with an iOS device, so if you pair your AirPods with an Android phone or a Windows laptop, or are one of the 12 people in the world who use Arch Linux, you’ll have to get to an Apple Store to do so.
Cloudflare 1.1.1.1 incident on June 27, 2024 by Bryton Herdes, Mingwei Zhang and Tanner Ryan
This is a lovely, in-depth post about the internal workings of BGP Hijacking. The team at Cloudflare dealt with a hijack for one of their core DNS servers, 1.1.1.1, and users trying to use it were blackholed in some areas. Some of the most fascinating incidents I’ve ever worked on were when I worked for Fastly (a competitor to Cloudflare) and watched the network team deal with the craziness known as the Internet.
🔗 Open Source
fragtunnel by efeali
Client/Server application that leverages TCP tunneling techniques to bypass firewall rules and other IDS/IPS technologies. Mostly used to bypass Layer 7 rules.
incidental by incidentalhq
Open-source incident management platform. You can boot this up and integrate with Slack to help manage everything from security incidents or other devops related incidents.
mailgoose by CERT-Polska
Web app run by CERT Polska to check domains for secure email configurations, such as SPF and DMARC.
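mailgoose runs these checks against live DNS. As an added example (my code, not mailgoose’s), here is the shape of an SPF and DMARC evaluation in Python over constructed TXT records: it flags the misconfigurations that let spoofed mail through, such as a permissive `+all`, two SPF records (a permerror, which receivers treat as no policy), a DMARC `p=none`, or a missing `rua=` reporting address. The domains and records are constructed; a real checker would resolve them and recurse into `include:` targets.

```python
"""SPF / DMARC configuration checks over constructed TXT records.

Added example, not mailgoose's code. The dictionary below stands in for a DNS
resolver; every domain and record in it is constructed for illustration.
"""
from typing import Dict, List

CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    # Two SPF records is a permerror: receivers evaluate it as no SPF policy at all.
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 +all", "v=spf1 mx -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "nospf.example": [],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_findings(txt_records: List[str]) -> List[str]:
    """Return human-readable findings for a domain's SPF TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf: no record"]
    if len(spf) > 1:
        return ["spf: multiple records (permerror)"]
    findings: List[str] = []
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # a bare mechanism defaults to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ":value", "=value" and "/cidr" to get the mechanism name.
        name = term.split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append("spf: more than 10 DNS-lookup terms (permerror)")
    if all_qualifier is None:
        findings.append("spf: no 'all' term (neutral default)")
    elif all_qualifier in "+?":
        findings.append(f"spf: '{all_qualifier}all' permits any sender")
    elif all_qualifier == "~":
        findings.append("spf: '~all' softfail only")
    return findings


def dmarc_findings(txt_records: List[str]) -> List[str]:
    """Return findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["dmarc: no record"]
    if len(recs) > 1:
        return ["dmarc: multiple records"]
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} covers only part of the mail")
    return findings


def audit_domain(domain: str, dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> List[str]:
    """Combine SPF findings for the domain with DMARC findings for _dmarc.<domain>."""
    return spf_findings(dns.get(domain, [])) + dmarc_findings(dns.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "nospf.example"):
        print(d, audit_domain(d) or ["ok"])
```

The lookup count here only covers the top-level record; a compliant evaluator follows every `include:` and `redirect=` and counts those too, which is how domains quietly drift past the limit.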
monocle by bgpkit
Easy-to-use CLI tool to parse BGP data. You can provide data files, ASNs or prefixes and get back a nicely formatted table to interpret BGP data. The Cloudflare team mentioned this tool in their post-mortem above, and it looked neat!
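Both the Cloudflare post-mortem above and monocle are about reading BGP updates; as an added example (mine, not Cloudflare's tooling or bgpkit's code), here is the check an operator of a prefix would run over such updates to notice a hijack: the rightmost AS in each AS path is the origin, and an announcement of a monitored prefix, or of a more-specific inside it, from an AS that is not the expected origin is flagged. The records below are constructed in a `bgpdump -m`-style pipe-delimited layout and use documentation ASNs; treating AS13335 as the legitimate origin for 1.1.1.0/24 is an assumption of this example, not something the post states.

```python
"""Origin-mismatch and more-specific detection over BGP update records.

Added example, not Cloudflare's or bgpkit's code. Records are constructed in a
bgpdump -m style: type|timestamp|A/W|peer_ip|peer_asn|prefix|as_path|origin_proto
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Set, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed updates. Peers and most origins use documentation ASNs (64496-64511).
SAMPLE_UPDATES = """\
BGP4MP|1719475200|A|203.0.113.1|64500|1.1.1.0/24|64500 64505 13335|IGP
BGP4MP|1719475260|A|203.0.113.1|64500|1.1.1.0/24|64500 64510 64496|IGP
BGP4MP|1719475320|A|198.51.100.7|64501|1.1.1.128/25|64501 64496|IGP
BGP4MP|1719475380|W|203.0.113.1|64500|1.1.1.0/24
BGP4MP|1719475440|A|198.51.100.7|64501|198.51.100.0/24|64501 64502|IGP
"""

# What a ROA or an operator allowlist would say. AS13335 as the origin for
# 1.1.1.0/24 is an assumption of this example (Cloudflare's ASN), not from the post.
EXPECTED_ORIGINS: Dict[Network, Set[int]] = {ip_network("1.1.1.0/24"): {13335}}


@dataclass(frozen=True)
class Announcement:
    ts: int
    peer_asn: int
    prefix: Network
    as_path: Tuple[int, ...]

    @property
    def origin(self) -> int:
        """The rightmost AS in the path originated the route."""
        return self.as_path[-1]


def parse_updates(text: str) -> List[Announcement]:
    """Parse announcements; withdrawals carry no AS path and are skipped."""
    out: List[Announcement] = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "A":
            continue
        # AS_SET members appear in braces in this layout; keep plain ASNs only.
        as_path = tuple(int(a) for a in fields[6].split() if a.isdigit())
        if not as_path:
            continue
        out.append(Announcement(int(fields[1]), int(fields[4]), ip_network(fields[5]), as_path))
    return out


def detect_hijacks(anns: List[Announcement],
                   expected: Dict[Network, Set[int]]) -> List[Tuple[str, str, int, int]]:
    """Return (kind, prefix, origin_asn, peer_asn) for suspicious announcements."""
    findings: List[Tuple[str, str, int, int]] = []
    for a in anns:
        for monitored, origins in expected.items():
            if a.prefix.version != monitored.version:
                continue
            if a.prefix == monitored:
                if a.origin not in origins:
                    findings.append(("origin-mismatch", str(a.prefix), a.origin, a.peer_asn))
            elif a.prefix.subnet_of(monitored) and a.origin not in origins:
                # A more-specific wins longest-prefix match wherever it propagates,
                # so a /25 or /32 from a stranger blackholes traffic even while the
                # legitimate /24 is still in the table. More-specifics from the
                # expected origin are normal traffic engineering and are not flagged.
                findings.append(("more-specific", str(a.prefix), a.origin, a.peer_asn))
    return findings


if __name__ == "__main__":
    for kind, prefix, origin, peer in detect_hijacks(parse_updates(SAMPLE_UPDATES), EXPECTED_ORIGINS):
        print(f"{kind}: {prefix} originated by AS{origin}, seen via peer AS{peer}")
```

In production the expected-origin table comes from RPKI ROAs or your own IRR objects, and the updates come from route collectors or your own sessions; the comparison itself stays this small.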