Welcome to Issue #86 of Detection Engineering Weekly!
I had an amazing time in Paris! I love being able to visit other Datadog offices, it’s a perk and a privilege of the work. It’s cool seeing how other hacker cultures outside of the U.S. operate, but there’s still a common bond between all of us putting out dumpster fires on the daily.
💎 Detection Engineering Gem 💎
Prioritizing Detection Engineering by Ryan McGeehan
This is excellent reference material if you want a roadmap for building a detection engineering function! I featured Ryan's seminal 2017 essay on Detection Engineering two weeks ago, and it's cool to compare and contrast this new blog with his old work. Hint: not a lot has changed, but things have gotten more precise, which is excellent for aspiring teams and engineers trying to take on this massive detection undertaking.
I appreciate how prescriptive this post is. It focuses on stable growth rather than taking on a ton of things at once. It also calls out that this type of work is partnership-driven, so if you are not building partnerships with engineers, I.T. administration, and leadership, then you'll overshoot your work and either take on too much quickly or not enough because you are blocked.
My favorite section is at the bottom under "Why was this the correct prioritization for detection?" where Ryan describes our field as "deceptively tractable." This is a concise but accurate characterization because the team can take on too much and do nothing quickly.
🔬 State of the Art
Nuts and Bolts of Detection Engineering: Open Source Edition by Danny Zendejas
This post is a great follow-up to McGeehan's gem above. When you are ready to hire or start your first detection engineering process, one of the first things to do is create your detection lifecycle. Luckily, it matches closely to traditional software development lifecycles, and there are a ton of great open-source tools for you to use to get started.
Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence by Katie Knowles
~ Note, my current employer is Datadog, and Katie is my colleague! ~
Cloud IAM strikes again! In this post, Katie digs deep into Entra ID Administrative Unit (A.U.) concepts, architecture, and abuse mechanisms. Azure admins use A.U.s to scope RBAC to a subset of Users, Groups, and Devices instead of the whole tenant. Katie found several techniques to abuse Entra ID A.U.s, including persistence and privilege escalation. There are a ton of great visuals describing each attack scenario, and Katie also shipped these techniques into Stratus Red Team.
(Twitter/X) Periodic Table of Windows Events by AceResponder
This is a super clever visual of ETW IDs on a periodic table! I linked the X/Twitter post so make sure to give AceResponder a follow, but as a visual learner, it doesn’t get much better than this.
The Russian APT Tool Matrix by Will Thomas
After the success of Will's Ransomware Tool Matrix, the CTI goat created a separate matrix overlaying Russian APT tools across MITRE tactics. This is an excellent compendium because plenty of rules already exist for these toolsets, many of which are open source or free to download. The repository has two directories: one focused on the MITRE matrix, and one with markdown files describing each group with its subset of the matrix inside.
Practical Incident Response - Active Directory by nxb1t
This is an excellent lab walkthrough of a ransomware attack against an Active Directory and Windows environment. You set up the lab environment for a hypothetical tech company called XOPS, review a common definition of incident response, lay out the job roles for incident response, and jump right into the incident. What's cool is that it hits the detection and response piece here, with some in-depth exercises on containment of the threat, memory forensics, malware analysis, and detection rules.
🎙️ Detection Engineering Media
It's been a long time since I've heard people talk about FIN7, as it seems like ransomware has completely taken over the criminal ecosystem, but this episode revealed to me that they are alive and well. The gang pushed many boundaries in its heyday: calling restaurants and socially engineering them to install credit card skimming malware, delivering ransomware via BadUSB attacks, and attacking ATMs. After some arrests of its members, they dialed down the bravado. Still, they silently ground away at expanding their operations in ransomware and phishing. This is a great episode on the latest exploits of FIN7 by the folks from Silent Push.
Really unique podcast episode from friends at The Three Buddy Problem, where the crew featured JAGS' keynote at LABScon. The talk's theme was the function of threat intelligence and how the media, government, and the private sector push back against it. As cyber threat intelligence became more of a mainstay in security operations, some rules were applied to it, whether we wanted them or not. Examples include a U.S. company being blocked from publishing APT research about the U.S., or a cloud company (AWS, Microsoft, Google) suppressing research by threatening to kick security researchers off the platform if they publish.
☣️ Threat Landscape
Staying a Step Ahead: Mitigating the DPRK IT Worker Threat by Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano and Alice Revelli
You have to hand it to North Korea: they may not be good at execution, but my gosh, do they find creative ways to achieve their national objectives. I've linked the KnowBe4 story to this newsletter, where the company hired a fake I.T. worker from DPRK and managed to catch the worker as they tried to install malware on a device. The KnowBe4 blog, IMHO, needed more technical nuance, whereas this one has plenty of detection opportunities.
Derailing the Raptor Train by Black Lotus Labs
Black Lotus Labs tracked and eventually helped take down a massive botnet operated by what Microsoft calls Flax Typhoon. Flax Typhoon is a Chinese-government-aligned threat actor group and, according to Black Lotus Labs, built a multi-tiered botnet with hundreds of thousands of infections. The C2 domain was so popular that it cracked Cisco Umbrella's Top 1 Million popularity list. The management plane, or Tier 3 nodes, was impressive: Flax Typhoon leveraged an Express app connected to a fully-fledged Node.js backend and issued commands to various exploitation, payload, and C2 servers.
Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale by Matt Muir and Andy Giron
~ Note, my current employer is Datadog, and Matt and Andy are my colleagues! ~
The security research team at Datadog found a new campaign by TeamTNT that leverages Docker Swarm and Kubernetes to attack exposed and misconfigured Docker servers. We’ve tracked TeamTNT for years, and it’s always interesting how these toolsets evolve and contain intimate knowledge of a cloud environment. For example, this sample attempts to pilfer Kubernetes configuration files and then laterally move to a cluster using the certificates stored in them. Another fun one is a bash script that searches for API keys and secrets inside known GitHub Codespaces directories.
“All your loaders suck until further notice” by r3v3rs3r
I love reading posts that take Blue Team to the extreme and, in my opinion, hack for good. In this post, r3v3rs3r reverse-engineered the Amadey bot panel and created an exploit chain to gain access to in-the-wild panels owned by these criminals. Once they had access, they could access credentials stolen by Amadey and (hopefully) get them to the proper folks at these credit card companies to quickly shut down the compromise and issue new cards.
🔗 Open Source
segugio by reecdeep
Malware configuration extraction toolset that detonates malware and records any interesting configurations it found along the way. This is useful when you need to extract IoCs from malware configurations and quickly push out indicators to your security tools to check for active infections.
Russian-APT-Tool-Matrix by BushidoUK
Will Thomas’ APT tool matrix repo that I talked about above in State of the Art.
supernova by nickvourd
Yet another obfuscation and encryption tool for shellcode you generate. It boasts an impressive list of languages it can output to, so when you are doing CTFs and definitely not doing crime, you can get past pesky blue teamers or security tools to avoid detection.
localsend by localsend
Open source alternative to Apple’s AirDrop tool. It’s cross-platform, so it’s interesting to have an alternative you can use across iOS, Android, and desktop endpoints.