Det. Eng. Weekly #82 - Catchy title with pop culture/security reference
Snarky ironic subtitle that emulates xkcd's mouseover text
Welcome to Issue #82 of Detection Engineering Weekly!
💎 Detection Engineering Gem 💎
What a Cluster! How Industry Groups and Names Threat Activity Clusters by John Doyle
Have you ever wondered how leading intelligence firms create "clusters" as they track threat activity? Sure, the names are generally catchy (I'm still hoping for Microsoft to create a Chipotle Tempest), but there is some hardcore methodology behind the technique.
Look no further—John's post helps readers understand the general standard operating procedure for this practice. What's even neater is that he is also part of Mandiant, so he speaks from a lot of experience performing this type of analysis.
It's a two-stage process with many parts in between. Basically, as long as you capture relevant indicators of compromise, behaviors, timestamps (this is important!), and TTPs, you can create a baseline in a threat cluster. It's a cluster because it may contain only a handful of observations. Clusters "graduate" into groups, and firms typically drop these upgrades with a big splash blog post, conference talk, or alongside attribution that a government entity publishes.
On a work note: My hope is to get feedback from John on my $DAYJOB's (Datadog's) use of dog breeds as a threat cluster designation :P
🔬 State of the Art
Improving Windows Logging Visibility in Elastic by Swathi Tadepalli
This is an excellent detection engineering home lab post for folks wanting to get deeper into running a threat detection stack at home. Tadepalli walks readers through how to set up the Elastic agent for a Windows machine, showcases how the out-of-the-box telemetry isn't rich with context, and deploys SwiftOnSecurity's Sysmon configuration to the agent for much better logging. You'll need to set up some ETLing beforehand to move the message format from K/V to something like JSON. Still, it's cool to see more labs-based posts for detection engineering!
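The K/V-to-JSON step mentioned above is the part most people hand-roll, so here is an added example of what that transform looks like. This is my own illustration, not code from Tadepalli's post or from Elastic: it parses the multi-line "Key: Value" body that Sysmon writes into the event message field into a JSON object, keeping values that themselves contain colons (timestamps, Windows paths) intact and splitting the Hashes field into its components. The sample event is constructed; the RuleName tag and file hashes are placeholders.

```python
import json

# Constructed Sysmon Event ID 1 message body (not a real capture); the
# RuleName tag and hash values are placeholders.
SAMPLE_MESSAGE = """Process Create:
RuleName: technique_id=T1059.003,technique_name=Windows Command Shell
UtcTime: 2024-08-20 14:02:11.551
ProcessGuid: {00000000-0000-0000-0000-000000000000}
ProcessId: 4242
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: "C:\\Windows\\System32\\cmd.exe" /c whoami
User: LAB\\alice
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000,MD5=00000000000000000000000000000000
ParentImage: C:\\Windows\\explorer.exe
"""

# Fields that are always integers in Sysmon output; everything else stays a string.
INTEGER_FIELDS = {"ProcessId", "ParentProcessId", "SourceProcessId", "TargetProcessId"}


def parse_kv_message(message: str) -> dict:
    """Turn a Sysmon 'Key: Value' message body into a dict.

    The first line ("Process Create:") names the event type. Each following
    line is split on the FIRST colon only, so values such as
    "2024-08-20 14:02:11.551" and "C:\\Windows\\..." survive unchanged.
    """
    lines = [ln.rstrip("\r") for ln in message.strip().splitlines() if ln.strip()]
    if not lines:
        return {}

    event: dict = {}
    header = lines[0]
    # A header line ends with ':' and has no value after it.
    if header.endswith(":") and header.count(":") == 1:
        event["event_type"] = header[:-1].strip()
        lines = lines[1:]

    for line in lines:
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a K/V line; skip rather than guess
        key, value = key.strip(), value.strip()

        if key == "Hashes":
            # "SHA256=...,MD5=..." -> {"SHA256": "...", "MD5": "..."}
            value = dict(part.split("=", 1) for part in value.split(",") if "=" in part)
        elif key in INTEGER_FIELDS and value.isdigit():
            value = int(value)

        event[key] = value
    return event


def to_json_lines(messages: list[str]) -> str:
    """Render several parsed messages as newline-delimited JSON for ingestion."""
    return "\n".join(json.dumps(parse_kv_message(m), separators=(",", ":")) for m in messages)


if __name__ == "__main__":
    print(json.dumps(parse_kv_message(SAMPLE_MESSAGE), indent=2))
```

Keys are left in Sysmon's own casing so the output lines up with the field names you will see in the Sysmon configuration and in most public detection rules; mapping them onto ECS names is a separate, deliberate step.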
Linux Detection Engineering - A primer on persistence mechanisms by Ruben Groenewoud
Another Elastic detection post, this time with a Linux focus! Groenewoud delves into how Linux persistence techniques and the out-of-the-box Elastic rules work together. You can follow his instructions to deploy Elastic agents, turn on the 200+ Linux rules, and start emulating different persistence methods with his open-source tool, PANIX. I linked PANIX in the newsletter issue last week, so it's nice to see these connect from code to implementation.
Hold Me Closer, TinyPilot by m0reCowbell
Okay, so do you have a friend in the industry who has crazy ideas for new products, whether they are serious or not? Let's say they DM you one day and say, "Listen, techy, I have THE BEST idea. It's gonna make millions. KVM-switch-over-IP. What do you think?" And I hope most of your replies will be, "That's the dumbest thing I've ever heard."
Well, in this week's newsletter, the dumbest thing you ever heard of actually exists: KVM-over-IP devices. It's exactly what you think. And m0reCowbell/Jim found hundreds of them on the Internet, and one belonging to a US Department of Defense workstation. Yeah, THAT government agency.
The best part? Detection opportunities at the bottom to find these buggers on your network.
HEG. So you want to generate some Windows by Peadar Conway
"Hunt Event Generator," or HEG, is an open-source tool that gives detection engineers an interface to execute a technique or procedure on Windows with various tools and write the resulting telemetry out to an easy-to-use output file. The output file records the event IDs that several Windows telemetry sources emit for each technique, which you can use for detection. It takes much of the work away from the detection engineer, such as downloading dependencies and toolsets and then writing the results out in CSV format for consumption. Conway publishes two other tools for even more log generation, as well as an automated analysis of these techniques.
Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications by Bert-Jan Pals
Leveraging CISA KEV for security operations and "getting ahead" of threats exploiting vulnerabilities is an important workflow for security operations teams. When you get a KEV notification from CISA, you can email or Teams message the vulnerability details and create an incident. This is an excellent process because these vulnerabilities can become mainstream news, so you get an early warning before it hits the media, thus preparing your detection teams to find exploit attempts in your environment before the masses find a PoC.
I like how Pals set up several types of integration workflows using native Azure tooling to send out notifications to relevant teams. It'd be cool to see if you can leverage that same functionality to set a higher incident priority if you can find the vulnerability inside your environment.
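To make the "higher priority if it is in your environment" idea concrete, here is an added example of my own (not code from Pals' post, and not tied to Sentinel or Azure) that diffs two snapshots of the CISA KEV catalog, flags the newly added entries, and raises the priority when the affected vendor/product pair appears in a local inventory. The two snapshots and the inventory are constructed and the CVE identifiers are placeholders; the real catalog shape (a `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) is what the functions assume.

```python
import json
import urllib.request

# Public location of the KEV catalog. fetch_kev() is optional and needs network
# access; the rest of this example works entirely on the constructed snapshots.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_kev(url: str = KEV_FEED_URL) -> dict:
    """Download the live KEV catalog (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed snapshots shaped like the KEV catalog. CVE ids are placeholders.
PREVIOUS_SNAPSHOT = {
    "catalogVersion": "2024.08.12",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "ExampleVPN Auth Bypass", "dateAdded": "2024-08-12",
         "dueDate": "2024-09-02", "knownRansomwareCampaignUse": "Unknown"},
    ],
}
CURRENT_SNAPSHOT = {
    "catalogVersion": "2024.08.19",
    "vulnerabilities": PREVIOUS_SNAPSHOT["vulnerabilities"] + [
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "ExampleVPN Command Injection", "dateAdded": "2024-08-19",
         "dueDate": "2024-09-09", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "ThirdVendor", "product": "ThirdMailGateway",
         "vulnerabilityName": "ThirdMailGateway RCE", "dateAdded": "2024-08-19",
         "dueDate": "2024-09-09", "knownRansomwareCampaignUse": "Known"},
    ],
}

# Constructed asset inventory: lower-cased (vendor, product) pairs deployed locally.
INVENTORY = {("examplevendor", "examplevpn")}


def new_kev_entries(previous: dict, current: dict) -> list[dict]:
    """Return catalog entries present in `current` but not in `previous`."""
    seen = {v["cveID"] for v in previous.get("vulnerabilities", [])}
    fresh = [v for v in current.get("vulnerabilities", []) if v["cveID"] not in seen]
    return sorted(fresh, key=lambda v: (v.get("dateAdded", ""), v["cveID"]))


def triage(entry: dict, inventory: set) -> str:
    """High if the product is in our inventory, Medium if CISA marks ransomware use, else Low."""
    key = (entry["vendorProject"].lower(), entry["product"].lower())
    if key in inventory:
        return "High"
    if entry.get("knownRansomwareCampaignUse", "").lower() == "known":
        return "Medium"
    return "Low"


def build_notifications(previous: dict, current: dict, inventory: set) -> list[dict]:
    """Produce one notification record per newly added KEV entry."""
    notes = []
    for e in new_kev_entries(previous, current):
        priority = triage(e, inventory)
        notes.append({
            "cveID": e["cveID"],
            "priority": priority,
            "dueDate": e.get("dueDate"),
            "message": (f"[{priority}] {e['cveID']} added to KEV on {e.get('dateAdded')}: "
                        f"{e['vendorProject']} {e['product']} - {e.get('vulnerabilityName')} "
                        f"(remediate by {e.get('dueDate')})"),
        })
    return notes


if __name__ == "__main__":
    for n in build_notifications(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, INVENTORY):
        print(n["message"])
```

Persisting the last-seen catalog version (or the set of CVE IDs) between runs is what turns this into a notifier rather than a one-off report; the inventory lookup is deliberately a plain set so it can be fed from whatever asset source you already trust.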
🎙️ Detection Engineering Media
This short-but-sweet podcast from Click Here features Allison Nixon, whose articles and podcasts I've linked before. Allison does leading-edge research on The Com and has some pretty amazing insights into how they operate like a "real-world gang" to ensure members stay in line or return to The Com life once they get out of jail or probation.
On a detection-adjacent note, this "Wide World of Cyber" podcast with Alex Stamos, Patrick Gray and Chris Krebs was an informative take on the current state of election security. This comes right on the heels of Iran-linked actors allegedly hacking into Trump's campaign and stealing campaign data, and covers what the media and platform response has been so far.
☣️ Threat Landscape
Ransomware attackers introduce new EDR killer to their arsenal by Andreas Klopsch
Sophos researchers found an EDR-killing payload that failed to kill Sophos and tipped its hand to analysts. This is the purest form of cat-and-mouse attack and defense with the baddies I've read!
On a more serious note, it's cool to see how analysts review malware samples that try to target the software they are building and find ways to protect themselves against the capability. The "EDRkiller" capability runs off of an embedded vulnerable driver and endlessly loops trying to kill processes whose names and signatures match the kill list loaded into the config.
Bureaucratic initiative redefines German law enforcement cyber operations by Jakob Bund
BKA, Germany's version of the FBI, has been a staple in several high-profile cybercriminal takedowns. Much like the woes of bureaucracy in the U.S., Germany and the BKA face challenges regarding their legal authority to carry out cyber takedown operations. There is no "centralized emergency response mandate" for takedowns in Germany, so as noted by Bund, the BKA can only neutralize or take down a system in Germany if all 16 member states. Another issue stems from the separation of powers for domestic intelligence and foreign intelligence exchange, which came from a law starting in 1949. Fascinating stuff!
Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments by Margaret Zimmerman, Sean Johnstone, William Gamazo and Nathaniel Quist
Researchers at Unit42 uncover a massive cloud-focused extortion operation that scans the Internet for exposed secret files and uses these secrets to gain access to cloud environments. Whether they obtain the exposed secrets via an exposed web server or gain initial access and then steal the secrets off of the victim machine, it seems like the actors were successful. The coolest part is the "worm-like" feature of leveraging their victim's Lambda service to scan for more vulnerable hosts.
Beyond the wail: deconstructing the BANSHEE infostealer by Elastic Security Labs
Another week, another infostealer. The interesting part here, though, is that according to Elastic, macOS-based infostealers are becoming more commonplace in the criminal ecosystem. The actor, 0xe1, charges a hefty monthly price ($3000 USD), but I imagine as demand rises for these password-stealing variants, competitors will drive down the price.
🔗 Open Source
Ransomware-Tool-Matrix by BushidoUK
Excellent catalog of toolsets used by ransomware and extortionist gangs. Will splits the tools up by technique; in each table the first column contains the tool and the second lists the gangs using it. This is a great asset for building detections across different techniques and tools, so hopefully you can "bring the pain" to potential ransomware actors on your network.
ShellSweepX by Michael Haag
ShellSweepX is a continuation of Michael's ShellSweep tool, which leverages a combination of machine learning and YARA to find web shells on target hosts. You deploy an agent, use the different models and YARA rules to find candidate web shells, generate alerts, and send the results back to a management page.
HEG-3.0 by conway87
The HEG log generation tool by Peadar Conway that I linked in the "State of the Art" section above.
WindowsDowndate by SafeBreach-Labs
This is a clever tool that takes control of Windows Updates to downgrade a Windows OS so you can research old vulnerabilities. I love looking at tools that abuse or leverage update mechanisms, and this one should be great for a home lab where you mess with vulnerabilities and test payloads for detection opportunities.
whenfs by lvkv
Turn your Google Calendar into a FUSE filesystem. I can’t write anything succinct enough to do this README justice, but this is hilarious: