Det. Eng. Weekly #87 - I'm downgrading the severity of the CUPS vulns

Only because no one has ever figured out how to print on a Linux desktop

Zack 'techy' Allen
Oct 02, 2024
Welcome to Issue #87 of Detection Engineering Weekly!

⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:


Det. Eng. Weekly #86 - Jetlagged AF (Zack 'techy' Allen, September 25, 2024)

Det. Eng. Weekly #85 - Paris Vous Aime (Zack 'techy' Allen, September 18, 2024)

📣 Shameless Advisor Plug 📣

I've been advising a stealth-mode cybersecurity company focused on reducing toil and accelerating triage and investigation in security operations. They use a combination of data normalization, generative AI, and integrating with security stacks to make investigating less painful for analysts, which is a topic near and dear to my heart.

Their product is already live with a few early adopters, and they're looking to connect with interested security practitioners. I'd be grateful for folks who provide early feedback, validate their solution and positioning, or even be an early design partner. If you are in a SOC, work with an MSSP/MDR or want to kick the tires on how AI can help with investigations, they want to talk to you.

Shoot me an email techy@detectionengineering.net with your name/company/position and I'll forward your info over! Free stickers and a t-shirt for folks who connect and give them valuable feedback :)


💎 Detection Engineering Gem 💎

Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs by Merav Bar and Amitai Cohen

As the threat landscape evolves into the cloud, so should our defensive measures in the detection space. This is an excellent overview of how cloud environments such as AWS offer telemetry and indicators of compromise that we are not used to seeing in a pure host-and-network world. A malicious tenant can establish a trust relationship with your cloud account, or a threat actor could use well-known tooling sold on the criminal underground to add a very obvious (at least to us blue team nerds) user that should not be present in your account.

I also appreciated how Bar and Cohen talked about traditional indicators in a cloud context. Because this operating environment is so different, you need to incorporate the context of a production stack into things that may not be as high-signal in a "traditional sense," such as user agents.
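To make the "atomic cloud IOC" idea concrete, here is an added example (my own, not code from Bar and Cohen's post) that triages CloudTrail records for the two indicators mentioned above: a role trust policy that now admits an account you don't own, and an IAM user created by a user agent that production never uses. The known account IDs, the expected user-agent prefixes and the sample records are all constructed assumptions.

```python
import json

# Assumptions for this added example (not from the linked post): the org owns
# exactly these AWS accounts, and only these user-agent prefixes (e.g. CI
# running Terraform) are expected to create IAM principals in production.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}
EXPECTED_IAM_USER_AGENTS = ("terraform", "aws-sdk-go")

def external_principals(policy):
    """Account IDs (or '*' for a public trust) allowed to assume the role that are not ours."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([aws] if isinstance(aws, str) else aws):
            parts = arn.split(":")  # "*" or arn:aws:iam::<account>:root|role/<name>
            acct = "*" if arn == "*" else (parts[4] if len(parts) > 4 else None)
            if acct and acct not in KNOWN_ACCOUNTS:
                found.add(acct)
    return found

def triage(event):
    """Findings for one CloudTrail record; an empty list means no atomic IOC fired."""
    findings, name = [], event.get("eventName")
    params = event.get("requestParameters") or {}
    if name in ("UpdateAssumeRolePolicy", "CreateRole"):
        # CloudTrail carries the trust policy as a JSON string inside requestParameters
        doc = params.get("policyDocument") or params.get("assumeRolePolicyDocument") or "{}"
        ext = external_principals(json.loads(doc))
        if ext:
            findings.append(f"{name}: role now trusts external principal(s) {sorted(ext)}")
    elif name == "CreateUser" and not event.get("userAgent", "").startswith(EXPECTED_IAM_USER_AGENTS):
        findings.append(f"CreateUser {params.get('userName')!r} via unexpected user agent {event.get('userAgent')!r}")
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"eventName": "UpdateAssumeRolePolicy", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"roleName": "Admin", "policyDocument": json.dumps({"Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventName": "CreateUser", "userAgent": "python-requests/2.31", "requestParameters": {"userName": "backup-svc"}},
    {"eventName": "CreateUser", "userAgent": "terraform/1.6.0", "requestParameters": {"userName": "ci-deployer"}},
]

def run(events=SAMPLE_EVENTS):
    """Index -> findings for every record that fired."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}
```

The first two constructed records fire (foreign account in a trust policy, IAM user from an ad-hoc script); the Terraform-created user is treated as expected production behaviour.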


🔬 State of the Art

Deconstructing Security Monitoring Antipatterns by Truls TD

Antipatterns can kill productivity, reduce trust and tend to breed more use of antipatterns. This concept is pulled from other areas of engineering and design, and there’s some funny posts from developers over the years describing their experience with them. Applying this same concept to threat detection, I’m sure you can come up with some scenarios where a single pattern has resulted in more cost than benefit in your org, which means you’ve probably found an antipattern.

Truls draws inspiration for this antipattern post from Microsoft's Cybersecurity Reference Architecture (MCRA), specifically a diagram in the MCRA that briefly describes antipatterns. They then go into a much deeper analysis of each and provide examples of why they are antipatterns to a SecOps and detection practitioner.


Hacking Kia: Remotely Controlling Cars With Just a License Plate by Sam Curry

On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate.

OK, I can't spoil this because it's a great vulnerability writeup, and I want everyone who reads it to bask in the glory of responsible disclosure combined with eye-twitching product decisions.


Probing Slack Workspaces for Authentication Information and other Treats by Andrew Byford

This is a neat OSINT technique for finding ways to infiltrate or protect a Slack workspace. Slack exposes an unauthenticated API per workspace that, when probed, reveals some of how the owners configured that workspace. Two-factor settings, auto-provisioning settings for domains and join URLs can be just enough information for someone to socially engineer their way in, or, as Byford hypothesizes, to abuse the APPROVED_DOMAINS flag to gain access. Their tool can also authenticate to your own Slack workspace and use the API to discover secrets, files and other data, depending on how you configure it.


Ping Storms at GreyNoise by David Schuetz

I have fond memories of doing David Schuetz's crypto puzzles at ShmooCon. I thought they had the right level of difficulty that, as a security n00b in the early 2010s, I could try to solve them. He was very helpful at the con if you were stuck. Well, it's cool seeing how the puzzle maker solves a puzzle because Schuetz cracked a puzzle that GreyNoise has been stumped on.

TL;dr, according to GreyNoise, Noise Storms have been making their way through the Internet since they've been tracking it in 2020. It looks like an unsolved riddle on what the hell they are, and an unsolved riddle is merely a puzzle, according to Schuetz :). It boiled down to a tooling and packet interpretation problem. Schuetz "cracked" the code and found a peculiar academic exercise performing some of these storms at the end of his investigation.


Announcing LOLRMM: A Unified Approach to RMM Software Tracking by Michael Haag

RMMs are an extremely useful tool for threat actors to persist in an environment, and even use it for ongoing operations. Will Thomas has mapped dozens of these tools into ransomware gang and nation state usage. So why not store it on the lolfarm and make it free for everyone to use? Luckily, the good folks at Magicswordio did just that! LOLRMM is a database and website that stores all kinds of data on RMM tools, with associated artifacts and tools to help you with detection and hunting.


🎙️ Detection Engineering Media

If you want a breakdown of how MFA bypasses work in the modern age, this podcast episode by the Mandiant folks gives a great technical breakdown of infostealer and attacker-in-the-middle tools that abuse the architecture behind MFA to bypass it. I'm glad that the guest, Josh Fleischer, went into detection opportunities at the network level, because it only takes one trip-up to force a step-up authentication and kick an attacker out once they get past MFA.


In this Detection at Scale episode, Thijn Bukkems, who runs threat hunting at Grammarly, describes his approach to threat detection, hunting, and the organizational structures behind them. His emphasis on working backward from a response scenario into detection mechanisms was a nice "a-ha" moment for me, because it focuses on the outcomes we want to drive when shit hits the fan rather than piecing together several detection strategies and hoping they work when an incident is ongoing.


☣️ Threat Landscape

Remote execution exploit chain in CUPS: Overview, detection, and remediation by Christophe Tafani-Dereeper and Nick Frichette

~ Note: I work at Datadog and Christophe and Nick are my colleagues ~

For the last three years, about once every three months, an insanely hyped, stress-inducing, and massively impactful vulnerability has been dropped onto security teams across the globe. There's a fog of war associated with these vulnerabilities, with questions such as: "Is this a *4shell level of impact? Do I need to stay up all night to patch? Which vendor will email me first with some dumb ambulance-chasing headline?"

Without fail, these vulnerabilities both astonish and disappoint me. In the latest emerging vulnerability-du-jour, the target is CUPS, the service used for printing on Linux across a huge surface of kernel and distro types. My colleagues rushed to measure the surface and impact. They were amazed at the simplicity of the vulnerability (a malicious print job, essentially) but underwhelmed by its hype because of the exploit pre-conditions. This is a great synopsis of everything for a tl;dr, and of its effects on the cloud world.


Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate by National Crime Agency

NCA releases the hounds and publishes their research and indictments against more EvilCorp members, this time targeting a LockBit affiliate who was Yakubets' right-hand man. Ryzhenkov was one of the main developers of Evil Corp's ransomware strains, was part of LockBit, and also either operated or used the BitPaymer ransomware against several victims in the U.S.


Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware by The DFIR Report

Yet another excellent intrusion writeup by friends at The DFIR Report. From initial access leveraging Nitrogen dropped via a fake tool download to ransomware 8 days later, it's cool to see a full forensic analysis coupled with detection opportunities. The interesting tidbit here is the use of restic for exfiltration.


Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election by U.S. Department of Justice

The Justice Department has named and shamed the hack-and-leak actors who most likely stole documents from Roger Stone and other Trump campaign officials. It's nice to see how much we've learned from the 2016 DNC hacks and tried not to politicize this or call for arrests. I think an indictment this quickly is a result of all of those learnings.


🔗 Open Source

slack-watchman by PaperMtn

I linked PaperMtn's blog on Slack Watchman above, but this is essentially a Slack posture management and alerting tool. It leverages native Slack APIs to find secrets and sensitive attachments and hopefully helps reduce the OSINT footprint of your Slack workspaces.


WhoYouCalling by H4NM

This is a neat forensics and reversing tool that you point at a Windows binary and it’ll generate a full pcap and some ETW events for additional analysis.


NamelessC2 by trickster0

Yet another C2, but built in Rust with a small footprint (<256kb). I like reading code from the smallest/unknown to the largest C2 frameworks because you start to see detection patterns within the tools and across common implementations.


dockerhoneypot-logs by silascutler

Friend of the newsletter Silas Cutler just dropped a few years' worth of Docker honeypot logs. It's a really cool dataset for folks who want to track how Docker botnet and malware campaigns target this technology.

