Welcome to Issue #85 of Detection Engineering Weekly!
I’m in Paris this week for some Datadog shenanigans, and it’s really solidified how much I love visiting France. As an American, there’s something special about how bustling the streets are during the day and into the night. I also am passing for a local which is a point of pride for me, though I quickly run out of things to say and ask if the person I’m talking with speaks English.
Also, have you ever eaten something and decided in that very moment that you’ll remember that bite or experience for the rest of your life? I had that experience last night. French butter - omfg. I walked with some coworkers to a fromagerie and one of them picked up a good kilo of it, and it was some of the best butter I’ve ever had in my life. Such a cool experience :).
💎 Detection Engineering Gem 💎
Enhance your Cyber Threat Intelligence with the Admiralty System by Freddy Murstad and Sean O’Connor
The Admiralty System is a way for intelligence analysts (read: not cyber intelligence analysts) to rate the reliability and credibility of intelligence as it enters their workstreams. It's basically a system with a matrix that allows an analyst to interpret the quality of the intelligence they are receiving, and it's super helpful as you expand this system to multiple teams or a whole organization. I thought this post was interesting because Murstad and O'Connor argue that this system would be great for cyber threat intelligence.
Think about a situation where you've seen a researcher post something about a threat or vulnerability on your favorite social media platform. If you are a regular on social media sleuthing around, you can think of times when charlatans make a claim and experts quickly dismiss it, but the press picks it up. And when the media picks it up, your leadership team probably reads about it.
So, evaluating the claims is part of your job, but how do you also apply an objective lens to the credibility of the source info? This is where Murstad and O'Connor say a standardized Admiralty System in your program could be super helpful. I'd like to think this can also be applied to threat detection, as rule ideas or attack techniques can come from dubious sources. If you see something published by, let's say, Mandiant, versus @ub3rhax0rdarkw3bm4n, the system lets you prioritize a credible source over a random keyboard warrior.
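To make the rating scheme concrete, here is an added example (not code from the newsletter or from Murstad and O'Connor's post) that tags incoming intel items with Admiralty codes and sorts a triage queue by them. The A-F reliability letters and 1-6 credibility digits are the standard Admiralty Code; the sample items and the way "cannot be judged" is ranked are constructed for illustration.

```python
"""Rating incoming threat intelligence with the Admiralty System.

Added example; this is not code from the newsletter or from Murstad and
O'Connor's post. The A-F reliability letters and 1-6 credibility digits are
the standard Admiralty Code; the intel items and the triage policy (how
"cannot be judged" is ranked) are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Source reliability: A is best, E is worst, F means it cannot be judged.
RELIABILITY = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}

# Information credibility: 1 is best, 5 is worst, 6 means it cannot be judged.
CREDIBILITY = {
    1: "Confirmed by other sources",
    2: "Probably true",
    3: "Possibly true",
    4: "Doubtful",
    5: "Improbable",
    6: "Truth cannot be judged",
}


@dataclass(frozen=True)
class IntelItem:
    source: str
    claim: str
    rating: str  # Admiralty code such as "B2"


def parse_rating(rating: str) -> tuple[str, int]:
    """Split a code such as 'B2' into ('B', 2); reject anything malformed."""
    if len(rating) != 2 or rating[0] not in RELIABILITY or not rating[1].isdigit():
        raise ValueError(f"malformed Admiralty code: {rating!r}")
    credibility = int(rating[1])
    if credibility not in CREDIBILITY:
        raise ValueError(f"malformed Admiralty code: {rating!r}")
    return rating[0], credibility


def describe(rating: str) -> str:
    """Human-readable reading of a code, e.g. 'B2: Usually reliable / Probably true'."""
    rel, cred = parse_rating(rating)
    return f"{rating}: {RELIABILITY[rel]} / {CREDIBILITY[cred]}"


def triage_score(rating: str) -> int:
    """Lower is better (A1 -> 0, E5 -> 8).

    Constructed policy: 'cannot be judged' (F or 6) is not evidence of anything,
    so it is scored below every rated value (5) rather than as a middle value.
    """
    rel, cred = parse_rating(rating)
    rel_score = 5 if rel == "F" else "ABCDE".index(rel)
    cred_score = 5 if cred == 6 else cred - 1
    return rel_score + cred_score


def prioritize(items: list[IntelItem]) -> list[IntelItem]:
    """Most reliable and credible items first; ties keep their input order."""
    return sorted(items, key=lambda item: triage_score(item.rating))


# Constructed sample intake; the ratings are what an analyst would assign.
SAMPLE_ITEMS = [
    IntelItem("@ub3rhax0rdarkw3bm4n", "0-day in every VPN appliance", "E4"),
    IntelItem("Vendor security advisory", "Patch available for auth bypass", "A1"),
    IntelItem("Sector ISAC report", "Credential phishing wave hitting members", "B2"),
    IntelItem("Anonymous forum post", "Rumour of an internal breach", "F6"),
    IntelItem("Trade press article", "Campaign attributed to a named actor", "C3"),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_ITEMS):
        print(f"{describe(item.rating):55} {item.source}: {item.claim}")
```

The two axes stay separate on purpose: a usually reliable source (B) can still pass along a doubtful claim (4), and the code records both so a later corroborating report can raise the credibility digit without rewriting the source's track record.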
🔬 State of the Art
Azure | Cloud Threat Hunting Field Manual: Azure by Charles Garrett
This is a nifty reference manual for engineers and researchers to quickly orient themselves around Azure fundamentals and boot up an environment for experimentation and threat hunting. I really enjoyed reading the "Hierarchy" sub notebook, especially since most of my expertise has been in AWS. It also has some nice resources for logging and getting started with KQL, the preferred querying, hunting, and detection language for Azure.
5 Years of InfoSec Focused Homelabbing by Jared Stroud
I frequently get questions from aspiring detection engineers or security students who want to learn how to break into the field. It's always a tricky question, especially if someone comes from academia, is considering college or a boot camp, or wants to cross-train from a field like IT. A fantastic piece of advice I received early in my career was to experiment and put research out there: even if it doesn't seem that cool, you'll learn a lot.
Jared has been in the field for years, and within the last 5 years, he's been doing great research on Arch Cloud Labs. This post is a retrospective of those 5 years, and he does a great job explaining how to do research, write about it, and the benefits you get from it. Here's an excellent snippet from the post on why putting research out into the Internet gives you an edge:
Not everything you blog about and build in your homelab needs to be production grade or realistic for enterprise environments. Part of the fun I have with homelab experiments is developing systems which give you weird edge cases or ridiculous scenarios. These projects usually end up as great conversation pieces during interviews or, in the worst-case scenario, a fun story to share over beers. The key takeaway here is to do projects you think are fun. When learning is fun, you'll learn more. When your homelab feels like a job, stop.
Kernel ETW is the best ETW — Elastic Security Labs by John Uhlmann
Event Tracing for Windows, or ETW, is a staple in Windows threat detection. It's what I wish auditd did for Linux regarding configurability and standardization across (almost) all Windows flavors and versions. Did you know that there are several types of ETW services? Some are in user-land, and some are in Kernel. Even if you did, you should still read this post by Uhlmann, as it's an informative deep-dive on the ecosystem of ETW for Windows.
I always found it strange how Microsoft can be so good and so bad at providing documentation. You have wonderful documentation pages in places like Azure or on Filter Managers, but if you want to use Kernel-level ETW providers (like what Uhlmann writes about here), they're sparse.
Creating Kernel Object Type (Part 1) by Pavel Yosifovich
In this detection-engineering-adjacent post, Yosifovich begins a series on leveraging Windows kernel objects to perform deep-level functionality inside the Windows OS. I recommend that threat researchers dive deep into software engineering and kernel-heavy posts like this to better understand how malware abuses these primitives. Yosifovich gives readers the basic structure of a Windows kernel object, shows how you can explore them inside Object Explorer, and walks through viewing the objects and handles that use that kernel object.
New to Google SecOps: Turning Strings into Integers for Statistical Analysis by John Stoner
In my early days as a security engineer, I had to engineer a way to compare two pretty complicated objects in memory before the algorithm decided whether to continue. I went through many scenarios with a co-worker on a whiteboard, and I thought: could I convert these objects to BigIntegers, measure the distance between the two, and decide? There was no way that would work, but I was at my wit's end. After finagling with the math and benchmarking with some statistical methods, it worked beautifully.
I hadn't thought about that solution in years, but when I read Stoner's post, I got a blast from the past. A super interesting technique you can use in threat detection is benchmarking the metadata around a detection, such as string length or number of substrings. Stoner demonstrates this inside Chronicle, highlighting how a high-length command in the command line, or one with lots of substrings, can yield interesting results during a threat hunt.
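As an added example of the technique Stoner describes (this is not code from the newsletter or from his Google SecOps post, and it is Python rather than Chronicle's YARA-L), the block below computes command-line length and token count over a constructed set of process-creation events and flags the statistical outliers. The sample events, the long padding that stands in for an encoded blob, and the 3.5 robust z-score cut-off are all assumptions made here.

```python
"""Flagging command lines whose metadata is unusual for the environment.

Added example, not code from the newsletter or from Stoner's Google SecOps post,
and written in Python rather than Chronicle's YARA-L. The process-creation
events below are constructed sample data; the features (command-line length and
token count) follow the post, while the robust z-score threshold is an assumption.
"""
from __future__ import annotations

import statistics

# Constructed sample events: ten ordinary admin commands and two that a hunt
# should surface (one long encoded command, one with many chained substrings).
ENCODED_PADDING = "A" * 320  # stands in for a base64 blob; not a real payload
CHAINED = " & ".join(f"echo step{i}" for i in range(12))

SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "whoami"},
    {"host": "ws01", "cmdline": "ipconfig /all"},
    {"host": "ws02", "cmdline": "net user administrator"},
    {"host": "ws02", "cmdline": "tasklist /v /fo csv"},
    {"host": "ws03", "cmdline": r"dir C:\Users\alice\Documents"},
    {"host": "ws03", "cmdline": "ping 10.0.0.1 -n 2"},
    {"host": "ws04", "cmdline": "systeminfo"},
    {"host": "ws04", "cmdline": "netstat -ano"},
    {"host": "ws05", "cmdline": r"type C:\Windows\System32\drivers\etc\hosts"},
    {"host": "ws05", "cmdline": "hostname"},
    {"host": "ws06", "cmdline": f"powershell.exe -EncodedCommand {ENCODED_PADDING}"},
    {"host": "ws07", "cmdline": f"cmd.exe /c {CHAINED}"},
]


def features(cmdline: str) -> dict[str, int]:
    """The per-event metadata the hunt statistics run over."""
    return {"length": len(cmdline), "tokens": len(cmdline.split())}


def robust_z(values: list[float]) -> list[float]:
    """Modified z-scores based on median and MAD.

    A few huge command lines would drag a mean/stdev baseline towards them;
    median and median absolute deviation are far less sensitive to that.
    0.6745 is the usual constant that makes MAD comparable to a standard deviation.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate baseline (most values identical): fall back to the mean
        # absolute deviation so outliers still get a finite score.
        mad = statistics.mean(abs(v - med) for v in values) or 1.0
    return [0.6745 * (v - med) / mad for v in values]


def find_outliers(events: list[dict], threshold: float = 3.5) -> dict[str, list[str]]:
    """Map each flagged command line to the features that made it stand out.

    3.5 is the conventional cut-off for modified z-scores (an assumption here;
    tune it against your own baseline).
    """
    feats = [features(e["cmdline"]) for e in events]
    flagged: dict[str, list[str]] = {}
    for name in ("length", "tokens"):
        scores = robust_z([f[name] for f in feats])
        for event, z in zip(events, scores):
            if z > threshold:
                flagged.setdefault(event["cmdline"], []).append(name)
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in find_outliers(SAMPLE_EVENTS).items():
        print(f"{', '.join(reasons):16} {cmdline[:60]}")
```

Note that the long path read (`type C:\Windows\...\hosts`) is not flagged: at 42 characters it sits within the spread of the baseline, which is the point of using median and MAD instead of mean and standard deviation. The two outliers dominate a mean-based baseline and would pull the cut-off up with them.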
🎙️ Detection Engineering Media
Lots of my podcasts in the last few weeks have had some great nation-state and DPRK content! In this episode, two researchers join Sherrod to talk about Citrine Sleet and Onyx Sleet. It's really interesting getting information about these actor groups from a company with close to two decades of deep visibility into these clusters.
This was a cool mini-stories episode of Darknet Diaries. Both stories are detection adjacent: the first is about a hacker named EvilMog who was a contractor running IT infrastructure in Afghanistan, and he has a touching story on how he managed to get a soldier to call back to his family during a pivotal moment in their marriage. The second one is a penetration tester who exposed some awful content on a client’s employee’s laptop during an engagement. It goes to show that cybersecurity isn’t all just threat actors and intelligence, but you deal with humans in the best and worst ways, too.
☣️ Threat Landscape
Alerting the World to RT’s Global Covert Activities by U.S. Department of State
As a surprise to no one, Russia's RT news network has embedded foreign intelligence agents performing all kinds of shenanigans to shape public opinion. This specific disclosure by State talks about how they tried to sway the Moldovan election toward candidates and outcomes best for the Kremlin. The interesting tidbit here is the section labeled "Cyber capabilities," where RT leverages an in-house cybersecurity arm for influence operations and intelligence collection.
Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure by Ravie Lakshmanan
In a wild turn of events, Apple dismissed its lawsuit against NSO Group, citing that the risk of exposing threat intelligence during discovery could put Apple and victims even more at risk. It stinks to hear this because spyware companies like NSO Group are evil and should not exist, but it's a game of cost. The cost of exposing and stopping NSO might not be worth the cost of disclosing the critical information Apple uses to combat these threats.
From Amos to Poseidon | A SOC Team’s Guide to Detecting macOS Atomic Stealers 2024 by Phil Stokes
This is a great summary of the most prevalent macOS stealers being distributed to victims. It includes some history on the two main variants, Amos and Poseidon, commentary on the criminal ecosystem, and drama between the two maintainers. The main distribution channel for these stealers is malvertising links for cracked or free versions of enterprise tools like Obsidian or Notion.
Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies by Snowflake
This short-but-sweet product update from Snowflake highlights recent changes they made to the default security of their customer tenants: a stronger password policy, plus new, easier-to-use integrations for moving Snowflake customers to MFA or external OAuth providers. This is obviously in response to the recent Snowflake "incident", where customer tenants were breached using infostealer malware. It's good to see progress on this after only a few months!
TAG Bulletin: Q3 2024 by Billy Leonard
This is a straight-to-the-point post by Google's Threat Analysis Group (TAG) on different campaigns they've shut down on Google products during Q3. There was lots of abuse by Russian actors on YouTube. One interesting tidbit is that they shut down a U.S.-based influence operation that tried to convince American voters not to vote for a Democrat or Republican but an independent candidate for upcoming elections.
🔗 Open Source
MFASweep by dafthack
PowerShell script that performs a mass login to several Microsoft Azure services to check whether MFA is enabled. This is a good way to sweep the accounts and services in your Azure subscriptions and tenants to make sure your password posture is in good standing and doesn't change.
recaptcha-phish by JohnHammond
This is a cheeky embedded fake CAPTCHA that tries to convince users that the site is legit because it has anti-scraping and bot capabilities. The funny part here is that it's a copy-paste self-infect script, but because it has all the bells and whistles of a CAPTCHA, it's more convincing.
API-Threat-Matrix by Escape-Technologies
MITRE ATT&CK-like matrix for APIs. They built a generic one for REST-like APIs, as well as a GraphQL-based one towards the bottom.
undocumented-aws-api-hunter by Datadog
My colleague Nick Frichette just released his API hunter tool at fwd:cloudsec EU! It's a clever way to find undocumented APIs in AWS, and sometimes these APIs have a lot of power they shouldn't have, or straight up don't log to CloudTrail like the others do.