Det. Eng. Weekly #78 - 🙅 Begone, grifters! 🙅
July 24 is national no LinkedIn Grifters day starting NOW
Welcome to Issue #78 of Detection Engineering Weekly!
It’s been an insane week for a lot of our friends and family in IT and Security. I hope y’all kept your head on a swivel, got your work done, and demanded time off to decompress from this huge outage.
It’s so easy to make fun or make memes of others’ misfortunes. It’s a natural byproduct of the Internet, and I had a good chuckle at a LOT of Crowdstrike memes. The things that mostly get me are people who capitalize on this and ambulance chase. Avoid those people and companies like the plague. There’s a difference between saying “We are not affected” and “Hey, switch to us if you are sick of Crowdstrike!” Screw the people who say the latter.
Our jobs are hard enough, and I can relate to massive outages, working at a CDN and now in a Cloud observability company. Freak events happen, things align when they shouldn’t have, and sometimes it just _happens_. So, shoutout to all you Crowdstrike people reading this blog, and everyone who responded to this over the last few days.
</endrant>
💎 Detection Engineering Gem 💎
by Haylee Mills
This is a bit different from a gem because it's my first video and presentation gem. Always gotta change it up :).
Haylee sent me a message with this video, and I am super glad she did! The concept of Risk Based Alerting (RBA) has been on my mind lately, both at work and for this newsletter. The idea behind RBA is to try to reduce alert fatigue through an expert model system. Almost all "alerts" can be tied to human or machine entities. An example: Zack is a human entity with an IdP login and some level of access to an Azure environment. This entity performs actions, some more risky than others, and at some point, the sum of those actions exceeds a threshold.
If I could describe this talk in one sentence, it would be: "Haylee unveils Splunk's RBA strategies and did the math to show it." It's super technical but easy to follow. I loved some of the ideas around modeling attackers as entities that contribute to the score and applying them to different use cases around insider threats as well.
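To make the RBA idea above concrete, here is an added example (my own illustration, not code from Haylee's talk or from Splunk): each detection attributes a risk score to an entity, scores are summed per entity over a sliding window, and an alert fires only when the sum crosses a threshold. The entity names, rule names, scores, window and threshold are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events: (timestamp, entity, entity_type, rule, risk_score).
# "zack" is the human entity from the text; the scores are hypothetical.
RISK_EVENTS = [
    ("2024-07-20T09:00:00", "zack", "user", "mfa_fatigue_prompts", 20),
    ("2024-07-20T09:05:00", "zack", "user", "login_new_country", 30),
    ("2024-07-20T09:30:00", "zack", "user", "azure_role_assignment_privileged", 40),
    ("2024-07-20T10:00:00", "host-42", "system", "lolbin_execution", 15),
    ("2024-07-20T14:00:00", "zack", "user", "mailbox_forwarding_rule", 25),
    ("2024-07-22T08:00:00", "alice", "user", "login_new_country", 30),
]

THRESHOLD = 100            # assumed alerting threshold
WINDOW = timedelta(hours=24)  # assumed look-back window per entity

def risk_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Sum risk per (entity, type) over a sliding window and return one alert
    per threshold crossing as (entity, entity_type, total, contributing_rules).
    None of the individual events alerts on its own; only the accumulation does."""
    by_entity = defaultdict(list)
    for ts, entity, etype, rule, score in sorted(events):
        by_entity[(entity, etype)].append((datetime.fromisoformat(ts), rule, score))

    alerts = []
    for (entity, etype), evs in by_entity.items():
        window_evs = []
        for ts, rule, score in evs:
            window_evs.append((ts, rule, score))
            # keep only events that fall inside the window ending at this event
            window_evs = [e for e in window_evs if ts - e[0] <= window]
            total = sum(e[2] for e in window_evs)
            if total >= threshold:
                alerts.append((entity, etype, total, sorted({e[1] for e in window_evs})))
                window_evs = []  # reset so the same events do not re-fire the alert
    return alerts

if __name__ == "__main__":
    for alert in risk_alerts(RISK_EVENTS):
        print(alert)
```

With these constructed inputs only "zack" crosses the threshold (20 + 30 + 40 + 25 = 115 within 24 hours); the isolated events for "host-42" and "alice" stay below it and produce no alert.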
🔬 State of the Art
Bob and Alice in Kernel-land by Matt Suiche
All right, it may be a heavy "Crowdstrike" IT Outage weekly issue. Still, I think it's essential to separate the wheat (the good commentary) from the chaff (the grifting bullshit on social media and product pages).
A common rebuke I witness from EDR critics is that it's dangerous to have programs like an EDR run in Kernel space. Bad things can happen, whether attackers use it against you or outages at the scale of what we've seen with Crowdstrike.
That same rebuke is followed by the promise of technologies like eBPF, Rust, or the move out of Kernel space altogether. Suiche does a great job highlighting those options in the open-source and product world. Every OS has a different way of dealing with this problem. Those OS mechanisms are more mature, but they offer a different level of protection than something inline, like an EDR.
Cyberinsecurity: The Cost of Monopoly -- How The Dominance of Microsoft's Products Poses a Risk to Security by Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman and Bruce Schneier
Infosec Twitter/X circulated this 2003 paper in response to the Crowdstrike outage. Seeing how many of these critical points ring true today is wild. Monopolies are not only a competition and market threat but, according to the authors, introduce a security threat into the fabric of society. Some of the points are less relevant today than before; for example, Microsoft has done a lot of good in responding to security requirements from organizations and has introduced many defense-in-depth measures in the OS.
However, as my ethics professor during my MBA school said: "When executives face a choice between incentives and ethics, they almost always choose incentives."
You can see the incentives behind a monopoly from Microsoft now, and we see that with security products, too.
Representing Ransomware payments using STIX and Neo4j by CrocSec
I am fascinated by the crypto-investigations world. It's a mix of traditional security and threat intelligence but with a nuanced understanding of how cryptocurrency payment systems are, by design, open and accessible for everyone to use. In this post, CrocSec leverages STIX objects inside Neo4J to create an open-source version of Chainalysis.
They also stress the importance of these technical threat indicators during investigations to build attribution and provide evidence for the investigations team and law enforcement.
EDR Telemetry Blocking via Person-in-the-middle attacks by Eito Tamura
Seeing a PoC blocking an EDR with a super old network technique is wild. ARP Spoofing is one of the first network "attacks" I learned in college. Basically, you can insert yourself between a host with an EDR on it and a Layer 2 device, typically a switch. Once you insert yourself, you can find out if the device is talking to EDR endpoints, and through a tool released by Tamura, you can drop packets once they reach your ARP spoofing host.
There are lots of networking devices that prevent this attack. It looks like Tamura got it working inside a client environment. What is old is new!
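From the defender's side, the ARP spoofing that Tamura's PoC relies on leaves a visible trace: the gateway's IP suddenly resolves to a second MAC, and one MAC starts claiming several IPs. This added example (mine, not Tamura's tool) runs that detection over a few constructed ARP reply records; the addresses and the tcpdump-style line format are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed ARP replies in the style of "tcpdump -e arp" output. 192.0.2.1 is
# the gateway, 192.0.2.50 a host with an EDR agent, de:ad:be:ef:00:99 the
# spoofing host. Values are made up for this illustration.
ARP_LOG = """\
10:01:02.100 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at aa:bb:cc:00:00:01, length 28
10:01:03.200 aa:bb:cc:00:00:50 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.0.2.50 is-at aa:bb:cc:00:00:50, length 28
10:02:10.300 de:ad:be:ef:00:99 > aa:bb:cc:00:00:50, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at de:ad:be:ef:00:99, length 28
10:02:10.301 de:ad:be:ef:00:99 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.50 is-at de:ad:be:ef:00:99, length 28
10:05:00.000 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at aa:bb:cc:00:00:01, length 28
"""

# timestamp, then the IP and MAC from the "Reply <ip> is-at <mac>" part
ARP_REPLY = re.compile(r"^(\S+) .*Reply (\S+) is-at ([0-9a-f:]{17})")

def find_arp_conflicts(log):
    """Return (flips, multi_claim):
    flips       - (timestamp, ip, previous_mac, new_mac) for every IP->MAC change
    multi_claim - (mac, [ips]) for every MAC that answered for more than one IP
    A gateway flipping to a second MAC and back is the classic sign of an
    ARP-spoofing person-in-the-middle sitting between a host and the switch."""
    bindings = {}                   # ip -> last MAC seen answering for it
    ips_per_mac = defaultdict(set)  # mac -> all IPs it has claimed
    flips = []
    for line in log.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue                # requests and non-ARP lines are ignored
        ts, ip, mac = m.groups()
        ips_per_mac[mac].add(ip)
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            flips.append((ts, ip, prev, mac))
        bindings[ip] = mac
    multi_claim = [(mac, sorted(ips)) for mac, ips in ips_per_mac.items() if len(ips) > 1]
    return flips, multi_claim

if __name__ == "__main__":
    flips, multi = find_arp_conflicts(ARP_LOG)
    for f in flips:
        print("binding change:", f)
    for m in multi:
        print("one MAC, many IPs:", m)
```

On a real network the same logic should be fed by a sensor on the segment or by switch features such as dynamic ARP inspection logs, and the gateway MAC should be compared against a known-good value rather than only against the previous observation.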
"If you have knowledge, let others light their candles in it." by Ralph B
Post-mortems are one of the single best places to derive new insights and plan for work in the future. Given last week's Crowdstrike's outage, I am genuinely curious and excited to read their post-mortem. Transparency shows maturity, but it also shows customers and the world that you have a blameless culture that embraces failure as an opportunity.
Ralph B. goes deeper on this topic in the case of cybersecurity incidents. Typical post-mortems focus on outages, but what about sensitive issues, such as when a security control fails? It's uncomfortable but important. Ralph quotes a stat from a 2020 report by Cyentia: "'The 100 largest cyber loss events of the last five years' was almost entirely reliant on information gleaned from sources other than the victims."
We can do better, and I hope that we can share more of these things as a community.
🎙️ Detection Engineering Media
** Note, this podcast features me! **
Two weeks in a row, two podcasts with me as a guest! I spent some time with Christopher from LimaCharlie to talk about everything threat research, detection engineering, DevOps, and AI. I found out that Christopher and I occasionally type "please" to our OpenAI prompts to ensure they know we are polite people. Christopher is such a thoughtful host; seeing him grow and become more comfortable on this podcast is incredible. Make sure to subscribe to support it!
This episode of the “Three Buddy Problem” with Costin Raiu, Juan Andres Guerrero-Saade and Ryan Naraine was primarily about the Crowdstrike outage (the first half). I appreciate the expertise and level-headed takes by the hosts, because while it’s easy to dunk on outages, it’s much harder to observe what is working and what is not working. Raiu compared and contrasted the outage with NotPetya, which caused a similar-scale outage but from a cyber attack.
☣️ Threat Landscape
Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer by Counter Adversary Operations
This is a short-but-sweet writeup on cybercriminals leveraging the fallout of the Crowdstrike event to try to lure users into an infection. Actors leveraged a maldoc that downloads an information stealer, now dubbed "Daolpu". It's really not anything to write home about: it kills Chrome, steals a bunch of login data and cookies, then exfiltrates it. They used the pretense of a Microsoft recovery document delivered via Intune, so you can tell they are paying attention to what's happening.
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks by Antonio Cocomazzi
SentinelOne researcher Cocomazzi unveiled new developments with the notorious FIN7 gang. FIN7 switched from PoS malware to ransomware in 2020 and, according to Cocomazzi, is still developing ransomware tooling and interacting with ransom gangs. The researcher found several personas on various underground forums that link their motivations and interests to the tactics that align with FIN7. The rest of the blog highlights several tools used by the group, with a particular highlight on an AvNeutralizer sample that disables EDR tools.
Domain Hijacking by Squarespace
Domain hoster Squarespace, which just bought all Google Domains (including mine!), suffered a peculiar ATO attack affecting many of its customers. Customers who had OAuth configured were potential targets, and many of them were compromised. Unfortunately, Squarespace didn't read Ralph B's NCSC post above, and the post-mortem needs more technical detail.
RDGAS: The Next Chapter in Domain Generation Algorithms by James Barnett
Infoblox researcher James Barnett uncovered a new DGA-like technique, dubbed "registered domain generation algorithm," used by an actor who operates the XLoader malware. RDGAs are different from DGAs, where an actor has a set of thousands of randomly generated domains, and the malware brute-forces the list produced by the algorithm until it finds one that resolves. In RDGAs, actors privately register a large swath of domains, which makes it much harder for defenders to block.
CISA Adds Two Known Exploited Vulnerabilities to Catalog by CISA
CISA adds two vulnerabilities to their KEV list, CVE-2024-39891 and CVE-2012-4792. Yes, 2012. No, that's not a typo. Yes, it's for Internet Explorer. No, I don't know why it's here now, other than it probably was leveraged against a U.S. Government entity. Imagine doing THAT IR incident - are there incident responders who were small children at the time this vulnerability was found?
🔗 Open Source
BenignHunter by Allevon412
This is a clever tool that looks for hooked EDR functions on a target system. It does this by opening a file handle to ntdll.dll and looking for any exported names that begin with Nt and Zw. If you read MalwareTechBlog's blog on how to bypass EDR hooks, you'll remember that Nt and Zw functions are exported by the Kernel to allow User-Mode applications to call into these Kernel functions.
edr_blocker by TierZeroSecurity
The ARP spoofing telemetry blocker by TierZeroSecurity mentioned above in State of the Art.
AskJOE by securityjoes
Joke's on you, CTF challenge builders. Whenever I press on any “Reverse Engineering Challenges” on your CTFs, I can now use OpenAI directly in Ghidra to make me an uber 1337 haxor. Basically, AskJOE is a Ghidra plugin that calls OpenAI with the content of your Ghidra application, and it provides some context and explanation around the assembly you are looking at.
Respotter by lawndoc
Respotter is a deception-tech scanner for Responder deployments. It'll scan a subnet, try to perform DNS requests with a bogus domain name, and then send any responses it gets from Responder to webhooks. It's pretty cool to see more ways to mess with C2 and red-team servers.