Welcome to Issue #88 of Detection Engineering Weekly!
10,000 subscribers announcement, plus a poll!
We just officially crossed the 10,000 subscriber threshold. Another significant digit looks nice on the Substack page, but it's more of a milestone of the impact a newsletter can make in the community. It took 88 issues, close to 18 months, and since then I've: had my second kid, graduated with an MBA, moved, got promoted... lots of life happened. It's truly an amazing experience seeing this thing grow with you all.
I just want to thank all the readers and subscribers, especially those who kindly reach out on LinkedIn, Twitter, Slack, e-mail or in person to say nice things about the newsletter. I try to make something that's useful for practitioners, with my own spin and insight on blogs and stories that at first nobody would care about, but that has now become a mainstay "feature" of this newsletter.
Like the first 88 issues, things change based on feedback, preferences, or how I want to experiment with content. I’ve been considering adding more content with different flavors, so I’d super appreciate if y’all took this poll to help direct a bit more of some of my ideas. As always, you can leave a comment or send me an email with your own ideas too :).
💎 Detection Engineering Gem 💎
Detect Azure Pass Through Authentication Abuse — Azure Hybrid Environments by Matteo Potito Giorgio
This is an excellent example of detection engineering via offensive security and threat emulation. Giorgio begins the post with an attack scenario: a hybrid on-prem and cloud environment, where on-prem hosts must authenticate to Entra ID via Microsoft Entra Connect. The attack path takes advantage of a DLL on Windows machines used to do pass-through authentication to Entra Connect, and shows how malware can hook the exported DLL function and capture cleartext credentials before they reach Entra Connect.
With the malware in place, Giorgio explores detection opportunities. This is a classic DLL injection attack. Sysmon emits two events related to loading images and creating remote threads, which are two critical steps within the DLL injection attack tree. Giorgio notes that you can still hunt for non-Microsoft-signed DLLs, although savvy attackers steal certificates to sign them and avoid detection.
Both events are interesting, but when correlated together, they make a more reliable detection that can trigger an investigation. Giorgio's detection analysis fits nicely into Atkinson's function graph. It should give a high-fidelity detection with an acceptable false positive rate.
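To make the correlation concrete, here is an added example (mine, not Giorgio's code) that pairs Sysmon Event ID 7 (image loaded) with Event ID 8 (CreateRemoteThread) targeting the same process inside a short window. The PTA agent image name and the log records are assumed and constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed image name of the Entra Connect pass-through authentication agent;
# adjust to whatever your own telemetry shows for the PTA agent process.
PTA_AGENT_IMAGE = "azureadconnectauthenticationagentservice.exe"
WINDOW = timedelta(seconds=30)

# Constructed, trimmed Sysmon records: id 7 = Image loaded, id 8 = CreateRemoteThread.
PTA = r"C:\Program Files\PTA Agent\AzureADConnectAuthenticationAgentService.exe"
EVENTS = [
    {"id": 8, "ts": "2024-10-05T10:00:01", "SourceImage": r"C:\Users\bob\hook.exe",
     "TargetImage": PTA, "TargetProcessId": 4120},
    {"id": 7, "ts": "2024-10-05T10:00:02", "Image": PTA, "ProcessId": 4120,
     "ImageLoaded": r"C:\Users\bob\hook.dll", "Signed": "false", "Signature": ""},
    {"id": 7, "ts": "2024-10-05T10:05:00", "Image": PTA, "ProcessId": 4120,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
]

def is_pta(image):
    return image.lower().endswith(PTA_AGENT_IMAGE)

def suspicious_load(ev):
    """Event 7: a DLL that is not Microsoft-signed loaded into the PTA agent process."""
    return (ev["id"] == 7 and is_pta(ev["Image"])
            and not (ev["Signed"] == "true" and ev["Signature"].startswith("Microsoft")))

def correlate(events, window=WINDOW):
    """Pair each suspicious load with a CreateRemoteThread into the same PID within
    `window`. Either event alone is noisy; the pair is the injection sequence."""
    threads = [e for e in events if e["id"] == 8 and is_pta(e["TargetImage"])]
    alerts = []
    for load in filter(suspicious_load, events):
        t_load = datetime.fromisoformat(load["ts"])
        for thr in threads:
            if (thr["TargetProcessId"] == load["ProcessId"]
                    and abs(t_load - datetime.fromisoformat(thr["ts"])) <= window):
                alerts.append({"pid": load["ProcessId"], "dll": load["ImageLoaded"],
                               "injector": thr["SourceImage"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT: remote thread + non-Microsoft DLL in PTA agent:", alert)
```

The Microsoft-signed kernel32.dll load on its own never fires, and the unsigned load only fires because a remote thread hit the same PID seconds earlier.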
🔬 State of the Art
Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs by Kyosuke Nakamura
When you think of a ransomware event, the obvious choice for family attribution is the ransomware note or extension. But in the fog of war, ransomware may not cleanly provide a note, or the extension doesn't provide many clues. Nakamura explores this concept of ransomware strain identification via Windows event logs and grouping families of ransomware via logging artifacts.
It's a clever way of doing metadata analysis, which, at its core, tries to explain and provide new data about the data you are inspecting. They provide several examples of event log traces and group them into families. It's another clue that code reuse can provide a ransomware paleontology.
Cloud native incident response in AWS - Part II by Invictus Incident Response
This is a continuation of Invictus' Part 1 on doing cloud-native incident response using AWS tooling. In this post, you get a deep dive into leveraging AWS Athena, a SQL-like querying tool for data exploration of AWS logs. They go over examples of how to load the logs in AWS Glue. Then, they provide tips and tricks to limit searches, explore data, and recommend several log sources to query during an investigation.
This is particularly useful if you need to get up and running quickly using AWS services with no SIEM to rely on.
My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring) by Chester Le Bron
Le Bron continues his AWS detection engineering series, focusing on how environmental and threat intelligence context can bump a score on an alert. The basic idea behind adding scores based on context is that access to these environments should be controlled and understood as much as possible, and you can use access context to your advantage. For example: in AWS, it's commonplace to provide vendors and other organizationally-owned AWS accounts cross-account access, so you can raise the suspicion of a CloudTrail event when you see an account ID you haven't seen before.
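As an added illustration of that scoring idea (my example, not Le Bron's code), the function below gives a CloudTrail record a base score for the API name and bumps it for context: a cross-account caller not on your allowlist, a source IP outside trusted ranges, and an AccessDenied error. The account IDs, IP prefixes and records are constructed.

```python
# Allowlist of AWS account IDs you expect to see calling into your accounts: your own
# accounts plus vetted vendors with cross-account access. Constructed sample values.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}
# Source prefixes you treat as expected (e.g. corporate egress). Constructed.
TRUSTED_IP_PREFIXES = ("203.0.113.",)

# Base score per API call; unlisted calls get a neutral default.
BASE_SCORES = {"AssumeRole": 10, "GetCallerIdentity": 5, "CreateAccessKey": 40}

def score_event(rec):
    """Return (score, reasons) for one CloudTrail record."""
    score = BASE_SCORES.get(rec["eventName"], 20)
    reasons = []
    caller = rec.get("userIdentity", {}).get("accountId")
    # Cross-account call: the calling account differs from the account that logged it.
    if caller and caller != rec.get("recipientAccountId") and caller not in KNOWN_ACCOUNTS:
        score += 30
        reasons.append(f"cross-account call from unknown account {caller}")
    ip = rec.get("sourceIPAddress", "")
    # Calls made by AWS services on your behalf carry a *.amazonaws.com source.
    if not ip.endswith(".amazonaws.com") and not ip.startswith(TRUSTED_IP_PREFIXES):
        score += 20
        reasons.append(f"source IP {ip} outside trusted ranges")
    if rec.get("errorCode") == "AccessDenied":
        score += 15
        reasons.append("AccessDenied: caller probing permissions")
    return score, reasons

# Constructed, trimmed CloudTrail records.
RECORDS = [
    {"eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
     "sourceIPAddress": "203.0.113.7"},                      # vetted vendor: stays low
    {"eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "accountId": "333333333333"},
     "sourceIPAddress": "198.51.100.9"},                     # never-seen account and IP
    {"eventName": "CreateAccessKey", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"},
]

def triage(records, threshold=50):
    """Alert-worthy records only: (eventName, score, reasons) for anything >= threshold."""
    return [(r["eventName"], *score_event(r))
            for r in records if score_event(r)[0] >= threshold]
```

The vendor AssumeRole stays at its base score of 10, while the never-seen account and the denied CreateAccessKey cross the threshold.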
Unintentional Evasion: Investigating How CMD Fragmentation Hampers Detection & Response by Kostas Tsialemis
Being a 1-liner command line ninja can screw up logging and detections, not because you have a massive command to run, but because Windows and other operating systems can parse these commands into separate logging events. This is a cool investigation of the nuances behind command line logging and how special characters such as |, && and interactive sessions can mess this up. Kostas then presents a scenario where a detection tries to look for a command line execution of tasklist to find the lsass process ID. Using a pipe within the command splits the logging into separate events, and the rule incorrectly does not alert.
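Here is an added example (mine, not from Kostas's post) showing that failure mode and one way around it: a single-event rule never sees "tasklist" and "lsass" together, while a rule that stitches sibling child processes of the same parent within a short window does. The process records are constructed and modelled on Sysmon Event ID 1 fields.

```python
from datetime import datetime, timedelta

# Constructed process-creation records (fields modelled on Sysmon Event ID 1). Typing
# 'tasklist | findstr lsass' into cmd.exe yields two child processes, so the string
# "lsass" never shares a command line with "tasklist".
EVENTS = [
    {"ts": "2024-10-05T11:00:00.120", "ProcessId": 1201, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist"},
    {"ts": "2024-10-05T11:00:00.135", "ProcessId": 1202, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\findstr.exe", "CommandLine": "findstr lsass"},
    {"ts": "2024-10-05T11:09:00.000", "ProcessId": 1300, "ParentProcessId": 950,
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
]

def naive_rule(ev):
    """Single-event rule: both strings must appear in the same command line."""
    cl = ev["CommandLine"].lower()
    return "tasklist" in cl and "lsass" in cl

def sibling_rule(events, window=timedelta(seconds=2)):
    """Stitch siblings: children of the same parent started within `window` of each
    other are treated as one pipeline, and the rule runs over their joined command
    lines. Returns [(parent_pid, [command lines of the matching group])]."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ParentProcessId"], []).append(ev)
    hits = []
    for ppid, siblings in by_parent.items():
        siblings.sort(key=lambda e: e["ts"])
        for i, first in enumerate(siblings):
            t0 = datetime.fromisoformat(first["ts"])
            group = [e for e in siblings[i:]
                     if datetime.fromisoformat(e["ts"]) - t0 <= window]
            joined = " ".join(e["CommandLine"].lower() for e in group)
            if "tasklist" in joined and "lsass" in joined:
                hits.append((ppid, [e["CommandLine"] for e in group]))
                break
    return hits

if __name__ == "__main__":
    print("naive rule fired:", any(naive_rule(e) for e in EVENTS))
    print("sibling rule hits:", sibling_rule(EVENTS))
```

The unrelated `tasklist /v` under a different parent does not match, which keeps the stitched rule from becoming a blanket alert on tasklist.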
Gaining AWS Persistence by Updating a SAML Identity Provider by Adan Álvarez Vilchez
Persistence in the cloud is a funky subject. Unlike host environments, unless the victim lacks control plane logging, it's loud as heck. You can see how actors do this by creating new accounts, new access keys, or setting up trust relationships. But there are more ways to persist than these boring and overused techniques, which is precisely what Vilchez is exploring.
Persisting via rogue identity providers is exciting but technically more challenging to pull off. That being said, it has been used in the wild, and the example that comes to mind is the MGM breach.
🎙️ Detection Engineering Media
Scott Piper joins the Cloud Security Podcast to discuss his role as a cloud security researcher. It's really cool to see how Scott and the Wiz team built out their research function, and I had a chance to hang out with Scott and talk about this very subject at RSA. I also learned he has a German Shorthaired Pointer. As a German-breed dog owner (in case you couldn't guess from my logo), it must be a cloud security research thing to own a dog :).
Corsin, Ryan, and Juan discussed several APT-related topics this week, but the first part of the conversation was fascinating. TL;DR: Careto, first discovered 10 years ago, is an APT group with a unique victimology set and was mainly attributed to a country you don't hear about in the APT space: Spain. According to research presented at Virus Bulletin, there is a possible re-emergence of the actor, but the attribution is loose at best. The hosts revisited an important topic: how companies should surface more research on "non-traditional" APTs. Still, since it's a national security question, there's nuance around exposing it at the right time.
☣️ Threat Landscape
When AI Gets Hijacked: Exploiting Hosted Models For Dark Roleplaying by Ian Ahl
~ Warning, mentions of CSAM/CSEM in this post ~
Friend of the newsletter and judoka Ian Ahl performed a deep-dive on attacker activity targeting AWS Bedrock's integration with Anthropic models. The ecosystem behind this attack involves stealing AWS access keys, checking for security logging on the AWS Bedrock service, and then pushing that key into a reverse proxy to interact with victim Bedrock services. This reverse proxy then gets hosted on an NSFW roleplaying service for people to use. It involves several LLM jailbreaks and lots of detection opportunities for defenders.
T-Mobile Required to Change Business Practices After Data Breaches by Federal Communications Commission
I find it wild how often one of the largest cell phone networks in the U.S. has been breached. Like, every time I've seen news of a new breach, I can't believe nothing changed. It looks like the FCC released the hounds and reached a settlement with T-Mobile. The recommendations are hilariously obvious, but it makes me wonder how bad it's been "on the inside" for the last 10 years.
Case of Attack Targeting MS-SQL Servers Abusing GotoHTTP by Ahnlab
Threat actors leverage another RMM tool, GotoHTTP, to maintain persistence on a victim machine. Ahnlab researchers highlight how a recent intrusion involving MSSQL, a breakout using SQlShell, and quite the barrage of privilege escalation tools finally landed on GotoHTTP.
Chinese Threat Groups That Use Ransomware and Ransomware Groups That Use Chinese Names by Natto Team
This post is a great analysis of the evolution of ransomware linked to Chinese-aligned threat actors and how the cyber superpower can leverage ransomware for both espionage and cybercriminal purposes. This might confuse ransomware aficionados: what about the obvious Chinese-inspired ransomware groups like Qiulong and Qilin? Natto gets into that too, and funny enough, they most likely aren't Chinese gangs.
How Infostealers Are Bypassing New Chrome Security Feature to Steal User Session Cookies by Spycloud
I posted a story in Issue #80 about the Chrome team shipping an app-bound encryption feature to combat infostealers pilfering sensitive data and session cookies. This was July 30 of this year, and according to Spycloud, it took malware authors only a few months to circumvent the protection by leveraging, you guessed it, a debug port feature in Chrome!
TBH, this is a good thing. This technique, IMHO, is easily detectable with detection rules, especially if you are looking at what options new Chrome processes are spawned with. Forcing infostealers to take a much louder route results in much better detection opportunities.
🔗 Open Source
venator by nianticlabs
Threat detection platform optimized for Kubernetes deployments. Platform agnostic in the sense that you can write detection rules integrating with tools like OpenSearch or BigQuery, and it makes heavy use of DevOps primitives to guarantee runs and provide observability on rule failures.
Athena Cheatsheet by invictus-ir
Athena cheatsheet from Invictus that they released from their blog post listed above in State of the Art.
Halberd by vectra-ai-research
Multi-cloud threat emulation tool with support for Entra ID, M365, Azure and AWS. Their companion blog post goes into lots more detail on its features. The attack automator looks pretty slick, and it has support for multi-cloud attack scenarios too.
garak by leondz
Open-source LLM vulnerability scanner. You can specify probes listed in their probes/ directory or run them all at once. I need to take some time and sit down to study more LLM vulnerabilities; some of the attacks, like poem poem poem, are hilariously named.