Welcome to Issue #80 of Detection Engineering Weekly!
Happy hunting to all my friends, colleagues and readers attending BSides, BlackHat and DEFCON this week. Don’t forget to pace yourself. I wish I was there to meet you all and hang out at talks and parties. The best part is meeting random people and striking up a conversation; I’ve typically done this in line for a talk or village.
I suggest the line “HEY IM ZACK WHATS YOUR NAME WHAT DO YOU DO” then awkwardly hold out your hands because you don’t know what to do with them.
💎 Detection Engineering Gem 💎
External Technical Root Cause Analysis — Channel File 291 by Crowdstrike
The full incident report from Crowdstrike is out! This is a much more technical deep dive than the one from last week. It makes sense—they marked it as preliminary :).
The biggest takeaway from this incident report is that it was a confluence of several failures; Crowdstrike explicitly lists six. These failures occurred at compile time of the sensor agent, which contains rapid response content template types, in the interpreter of that rapid response template type, and in the CI/CD process from a threat detection engineer's work laptop into "production" on customer boxes. It's worth the read, and the one thing I've learned is this:
The cost of speed is safety.
If you want to move fast, and there are plenty of blog posts on Crowdstrike's website(s) saying that they do want to move fast, you must be professionally paranoid about safety. Building in redundancy, exercising an annoying amount of attention to detail, and instituting engineering expertise, not just security expertise, across all facets of testing and deployment matters. Detection Engineering is really the answer (IMHO) to this.
Here's an updated diagram from last week to help you wade through it all; new updates are in blue:
🔬 State of the Art
Detection as Code: A Maturity Framework by Daniel Wyleczuk-Stern
I'm a big fan of maturity frameworks. Like all models, they could be better, but many are useful. This newsletter has featured several maturity frameworks, and I can attest how impactful and useful these frameworks have been in helping me with strategy in my organization and communicating progress to others. I'm a simple detection engineer: I see a maturity model, I link it.
On a more serious note, I'm glad to see Wyleczuk-Stern apply this to detection-as-code. I've seen several scopes and definitions of the term. IMHO, the author's is closest to what I think it is: treating detection rules as software and applying software engineering and DevOps principles to them. It's good to see how descriptive this one is, because detection-as-code is highly environment-dependent, so you'll need to prove your compliance with the different maturity levels as you progress through language, testing, integration, and monitoring.
Cyber Threat Intelligence Capability Maturity Model by cti-cmm.org
It's the week of maturity models! This website, recently launched by a consortium of threat intel experts, is a massive effort to help capture intelligence capabilities by domain of expertise. The biggest issue I have with threat intel as a function is communicating the impact and outcomes of the function. It's not just loading technical indicators into a SIEM; it's managing stakeholders. Although stakeholder management is the goal, it's hard to slice that management into domains that a security function can understand. For detection & response folks, check out Section 6.1, Threat and Vulnerability Management (THREAT) domain, and 6.3, Event and Incident Response, Continuity of Operations (RESPONSE) domain.
Engineering a SIEM part 3: Creating cost-effective, scalable detections by Piotr Szwajkowski
Every part of this series is fantastic, but part 3 of Rippling's "Engineering a SIEM" series is one of the most in-depth SIEM architectures I've seen in a few years. This is the first time I've seen Snowflake queries leveraging external functions and mapped to specific rules as Lambda functions.
There's some clever resiliency design in here, and the level of maturity that Szwajkowski and Rippling achieve with their pipeline fits very well into Wyleczuk-Stern's post above on detection-as-code maturity.
Driving lessons: The kernel drivers in Sophos Intercept X Advanced by Simon Reed
This blog post tastefully capitalized on the Crowdstrike outage from the lens of transparency. It's cool to see more companies open up and discuss the inner workings of their EDRs and agents. Intercept X is Sophos' EDR agent and ships with five kernel modules. They have a table with the driver files, current versions, driver type, and signature types and a small description for each. Even better, they put in a diagram of how their user-mode programs interact with the kernel.
They then describe their dogfood and feature flag release process, where they spend months testing and slowly removing feature flags as they dogfood and deploy iteratively.
Hiding in plain sight (part 2) - Abusing the dynamic linker by haxrob
I love Linux rootkit posts! Haxrob explores how process stomping techniques work on Linux and provides some really fun ways to detect user-space rootkits with command-line tools and by checking process contents inside /proc/. One way around this is hooking the main() function leveraging LD_PRELOAD, a classic user-space rootkit hooking technique. They even give a technique to remove LD_PRELOAD from the environment variable context using built-in functionality in setenv.c. It's a great piece on Linux reverse engineering and system hardening.
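As a defender-side companion to the /proc checks mentioned above, here is an added example (my own, not code from haxrob's post) that looks for the usual preload footprints: LD_PRELOAD in a process's initial environment, entries in /etc/ld.so.preload, and shared objects mapped from outside the normal library directories. The last check matters because, as the post notes, a rootkit can scrub LD_PRELOAD from the environment; the mapping it injected still shows up in /proc/<pid>/maps. The trusted-prefix list and the sample environ/maps contents are assumptions constructed for the example.

```python
"""Spot user-space preload hooks from /proc data.

Added example for this newsletter, not code from the post it discusses.
"""
from pathlib import Path

# Assumption: a glibc-based distro where libraries normally live here.
# Tune this to your own baseline before relying on the "untrusted-map" finding.
TRUSTED_LIB_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Constructed sample data standing in for /proc/<pid>/environ and /proc/<pid>/maps.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhide.so\0HOME=/root\0"
SAMPLE_MAPS = """55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1234 /usr/bin/bash
7f3a1c000000-7f3a1c020000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c100000-7f3a1c102000 r-xp 00000000 00:2b 42 /tmp/.x/libhide.so
7ffd6e000000-7ffd6e021000 rw-p 00000000 00:00 0 [stack]
"""


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated key=value pairs of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_libraries(maps_text: str) -> list:
    """Return distinct file-backed shared objects from /proc/<pid>/maps, in order."""
    seen = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(parts) == 6:
            path = parts[5]
            if path.startswith("/") and ".so" in path and path not in seen:
                seen.append(path)
    return seen


def ld_so_preload_entries(text: str) -> list:
    """Return the non-comment library paths listed in /etc/ld.so.preload."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def find_preload_indicators(environ_raw: bytes, maps_text: str) -> list:
    """Return (indicator, detail) tuples for one process."""
    findings = []
    env = parse_environ(environ_raw)
    if "LD_PRELOAD" in env:
        findings.append(("LD_PRELOAD", env["LD_PRELOAD"]))
    # environ only reflects the initial environment; a rootkit that unsets
    # LD_PRELOAD still leaves its library mapped, so check maps independently.
    for lib in mapped_libraries(maps_text):
        if not lib.startswith(TRUSTED_LIB_PREFIXES):
            findings.append(("untrusted-map", lib))
    return findings


def scan_live_procfs(proc_root: str = "/proc") -> dict:
    """Walk a real /proc tree (Linux, run as root for full coverage)."""
    results = {}
    preload_file = Path("/etc/ld.so.preload")
    if preload_file.exists():
        entries = ld_so_preload_entries(preload_file.read_text())
        if entries:
            results["ld.so.preload"] = entries
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            environ = (pid_dir / "environ").read_bytes()
            maps = (pid_dir / "maps").read_text()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel threads, exited processes, other users' processes
        hits = find_preload_indicators(environ, maps)
        if hits:
            results[int(pid_dir.name)] = hits
    return results


if __name__ == "__main__":
    print("sample process:", find_preload_indicators(SAMPLE_ENVIRON, SAMPLE_MAPS))
    if Path("/proc/self/maps").exists():
        for pid, hits in scan_live_procfs().items():
            print(pid, hits)
```

Run it on a Linux host to get a per-PID list; on any platform the constructed sample shows both the LD_PRELOAD finding and the untrusted mapping for the same library. A process reading /proc through a hooked libc may of course get lied to, which is why the post pairs these checks with tooling that does not depend on the hooked process.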
Detection Rules & MITRE ATT&CK Techniques by Jordan Camba
MITRE ATT&CK isn't perfect - and just like the capability maturity models I talked about above, it can be straight out wrong. That doesn't mean it isn't helpful, though. Camba highlights a core problem with some MITRE mappings: some techniques' mappings need more specificity about why the behavior is malicious or what control you need to implement to detect it.
I love Camba's section on precision and accuracy - it's something I've talked a lot about in Detection Engineering. After defining precision and accuracy, Camba brings the proof and lists 5 Sigma rules that miss critical technique or sub-technique information to make them actionable.
☣️ Threat Landscape
Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access by Sebastian Obregoso, Zack Allen and the Datadog Security Research team
** Note: the research team at Datadog wrote this blog post, and I am one of the authors! **
I've posted many threat landscape updates where threat actors target software registries like PyPI and npm. It's been a super exciting topic for my team at Datadog because we see a ton of activity targeting these open-source software supply chain registries. This research is our latest endeavor in that area, with an APT twist towards DPRK. Our clustering of actors focuses on dog breeds, and we see a lot of "Pungsan" activity that falls into this DPRK cluster. I'm super proud of the team for finding this!
Improving the security of Chrome cookies on Windows by Will Harris
Pretty sweet update from the Chrome security team. They updated how Chrome works on Windows, leveraging more than the base system primitives (DPAPI on Windows) to protect login cookies. "App-Bound" encryption allows Chrome to encrypt data tied to the application, similar to macOS.
France's Grand Palais discloses cyberattack during Olympic games by Bill Toulas
Infostealers strike again. The Grand Palais museum in Paris, and potentially several others, allegedly suffered a ransomware attack. This one is being scrutinized heavily because the Paris Olympics are literally minutes away. According to a separate media outlet, the Grand Palais shut down its systems to prevent the attack from spreading further.
SonicWall Discovers Second Critical Apache OFBiz Zero-Day Vulnerability by Hasib Vhora
For your facepalm vulnerability of the week: this blog post details a pre-auth 0-day against Apache OFBiz that allows attackers to perform remote code execution. This research stemmed from a previous vulnerability where researchers found a path traversal vulnerability, so engineers devised some protections on the vulnerable endpoints to prevent path traversal. Here’s the fun part: you could still get remote code execution on these endpoints simply by not trying to do a path traversal attack, and a POST to the endpoints gave Vhora full access.
StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms by Ankur Saini, Paul Rascagneres, Steven Adair, Thomas Lancaster
If you ever meet me in real life, feel free to ask the question (and measure the length of my response): "What is your favorite internet protocol?" And I’ll awkwardly and excitedly reply “DNS!!1”.
It's always DNS. So when I see an APT report about hacking an ISP and poisoning DNS to deliver malware, I get sad and giddy at the same time. StormBamboo, a PRC-aligned APT, compromised an ISP to poison DNS for specific organizations and targeted software with insecure update mechanisms to install malware. They then deployed some nifty browser extensions to steal mail data.
🔗 Open Source
OST-C2-Spec by rasta-mouse
Rasta Mouse, the creator of SharpC2, published this comprehensive RFC specification for offensive security tools. It’s wild to see this being applied to a malicious piece of software, but it’s also cool to see all the detection opportunities within the RFC.
huntsman by mlcsec
Huntsman is a connector to three outreach APIs: hunter, snov and skrapp. It enumerates email addresses, generates usernames and helps scrape a target domain, giving a target list for pretexting an org during phishing or social engineering engagements.
dockerc by NilsIrl
Pretty hilarious implementation of turning docker images into standalone binaries. It looks like it started with a hilarious meme post on reddit, and now it’s a GitHub repository with over 2000 stars. It’d be cool to see this as a payload for a red team engagement.
aws-mine by Steven Smiley
Honey-token-as-a-service leveraging AWS Amplify as the management plane. You generate access keypairs on the Amplify service, aws-mine then tracks access key usage and alerts when bad guys use them.
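The detection side of a honey token is simple enough to show in a few lines, so here is an added example of my own (not code from aws-mine) that reads CloudTrail records and raises one alert per decoy key that was ever used, successfully or not. The decoy key IDs and the CloudTrail records are constructed for the example (the key IDs are the AWS documentation placeholders); in practice the key list would come from whatever issued the tokens.

```python
"""Alert on any CloudTrail activity from a decoy (honey-token) access key.

Added example for this newsletter; not part of aws-mine.
"""
import json
from collections import defaultdict

# Constructed: key IDs handed out as decoys. They have no legitimate purpose,
# so any call made with them, denied or not, is a signal.
HONEY_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}

# Constructed CloudTrail log body, trimmed to the fields this detection uses.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-05T10:01:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "userName": "backup-svc"}},
    {"eventTime": "2024-08-05T10:01:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "userName": "backup-svc"}},
    {"eventTime": "2024-08-05T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userAgent": "aws-sdk-go/1.44",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAZZZZCONSTRUCTED1",
                      "userName": "ci-runner"}},  # constructed non-decoy key
]})


def load_records(text: str) -> list:
    """Parse a CloudTrail log file body of the form {"Records": [...]}."""
    return json.loads(text).get("Records", [])


def honey_token_hits(records: list, honey_keys=HONEY_KEY_IDS) -> list:
    """Return one dict per record whose caller used a decoy key.

    Denied calls count too: the key should never be presented at all.
    """
    hits = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key in honey_keys:
            hits.append({
                "time": rec.get("eventTime"),
                "key": key,
                "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
                "source_ip": rec.get("sourceIPAddress"),
                "user_agent": rec.get("userAgent"),
                "outcome": rec.get("errorCode", "Success"),
            })
    return hits


def summarize_alerts(hits: list) -> dict:
    """Collapse hits into one alert per key: time span, sources, calls attempted."""
    alerts = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                  "source_ips": set(), "actions": []})
    for h in sorted(hits, key=lambda h: h["time"]):
        a = alerts[h["key"]]
        a["first_seen"] = a["first_seen"] or h["time"]
        a["last_seen"] = h["time"]
        a["source_ips"].add(h["source_ip"])
        a["actions"].append(f"{h['action']} ({h['outcome']})")
    return dict(alerts)


if __name__ == "__main__":
    for key, alert in summarize_alerts(honey_token_hits(load_records(SAMPLE_CLOUDTRAIL))).items():
        print(key, alert)
```

The first call made with a stolen key is usually sts:GetCallerIdentity, so the summary keeps the ordered action list; the source IP and user agent are what you hand to the responder who then goes looking for where the decoy was planted and who read it.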
trapster-community by 0xBallpoint
Community honeypot version of Trapster, a low-interaction honeypot. Looks like it has several honeypot services you can run and alert on.