Det. Eng. Weekly #90 - it's bulking szn
My food intake is like my log ingest: high volume and expensive
Welcome to Issue #90 of Detection Engineering Weekly!
📣 2025 SANS Detection Engineering Survey 📣
The folks at Anvilogic are partnering with the SANS Institute to build a State of Detection Engineering Report, and I think surveys like this are super helpful to measure the state of our field.
The goal of this survey is to capture a representative sample of folks who work in detection engineering, whether it’s a full-time job or something you do as part of your day to day, in order to understand your experiences, challenges, skill sets, salaries and ideas. I also helped with the question bank and gave feedback; shoutout to Chas Larios and the Anvilogic team for putting this together!
Share your perspective by participating in the survey (it takes 10-12 minutes); the report should drop in early 2025 ⚡
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Have you been keeping up with your low confidence detections? by Gary Katz
Are detection counts like stonks? Do they only go up? The answer: well, maybe. Curating a ruleset means managing rules, and that includes removing them. Perhaps you implemented a new control that made a whole class of detections redundant, or you switched IdP providers; those removals make sense. But what about your noisy detections?
In this post, Katz makes the case for detections other than high-true-positive ones. We all want precise detections, but they can be brittle and let too many false negatives through, so what else can you do? He explores the concept of robustness, where you take advantage of your environment and write a detection that catches a broad swath of attacker activity, making it extremely hard for the attacker not to trip it.
He then gives three reasons why robustness matters: automation, threat intelligence, and low-confidence “signals” that can add up to something high confidence.
🔬 State of the Art
How we use Datadog for detection as code by Christine Le and Christopher Camacho
~ Note, I work for Datadog, and Christine & Chris are my colleagues and in my org! ~
I’m super happy to see this blog post finally come out! Christine and Chris have spent a lot of time with our detection engineering team building a robust detection-as-code pipeline from open-source tooling and Datadog. Their approach is very opinionated, but because they give a step-by-step breakdown of our detection process, you can lift the individual strategies and retrofit them into your own workflow.
EDR Telemetry by Kostas Tsialemis
Kostas launched a front end for his open-source work tracking and comparing EDR products. Currently only Windows is supported (Linux is coming soon!), but you can click on various EDR products and compare and contrast their coverage. For example, by multi-selecting CrowdStrike and SentinelOne, you can compare their telemetry coverage on Windows and decide what matters most to you.
PowerShell Web Access: Your Network's Backdoor in Plain Sight by Michael Haag
Did you know that Windows Server has a feature that exposes a web-based PowerShell console for remote access? I didn't! I hate this!
Just kidding, it seems like a powerful tool for system administrators to remotely access and manage machines without installing a third-party RMM tool. Haag documents how the feature is installed via different cmdlets and GUI options and how an attacker can leverage it to do naughty things on a victim machine. The best part is the detection opportunities he includes at the end, of course!
Living Off The Land ESXi by Janantha Marasinghe
ESXi has joined the LOLOL farm! Whether you are in detection or red teaming, living-off-the-land techniques present all kinds of opportunities for attackers and defenders. On ESXi, the binary set is limited but powerful. Marasinghe tracks 15 binaries found on these hosts that you need to keep an eye on, and he also lists the threat actor groups that have used each of them in past intrusions.
Is Detection Engineering just glorified googling? by Brady Stouffer
What do Google dorking and detection engineering have in common? In this post, Stouffer uses Googling for answers as an analogy for detection engineers finding the queries that return the most relevant results for analysts. He cleverly uses real examples of Google dorking to explore precision and recall for detections and how to widen or narrow the aperture to account for cost. Analogies are a vital tool for learning and retaining information, and I think I finally have a good one for describing detection engineering to normies (aka my parents) when they ask what I do!
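Katz's robustness post and Stouffer's precision/recall analogy come down to the same knob, so here is a small worked example of my own (not code from either post) that scores low-confidence signals per user inside a 24-hour window and then sweeps the alert threshold to show how precision and recall trade off. The signal names, weights, users and events are all made up for the illustration.

```python
"""Added example, not code from Katz's or Stouffer's posts: aggregate noisy,
low-confidence signals per entity inside a sliding window and sweep the alert
threshold to see precision vs. recall. All names, weights and events are
constructed for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-signal risk weights: none of these is worth paging on alone.
WEIGHTS = {
    "new_country_login": 20,
    "mfa_fatigue_prompts": 25,
    "inbox_rule_created": 30,
    "mass_file_download": 35,
    "password_reset": 10,
}
WINDOW = timedelta(hours=24)


def score_entities(events, window=WINDOW):
    """events: iterable of (timestamp, entity, signal).
    Returns {entity: peak risk}, where risk is the sum of the weights of the
    *distinct* signals observed inside any window-long span; repeats of the
    same noisy rule do not inflate the score."""
    by_entity = defaultdict(list)
    for ts, entity, signal in sorted(events):
        by_entity[entity].append((ts, signal))
    peak = {}
    for entity, items in by_entity.items():
        best = 0
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, signal in items[i:]:
                if ts - start > window:
                    break
                seen.add(signal)
            best = max(best, sum(WEIGHTS.get(s, 0) for s in seen))
        peak[entity] = best
    return peak


def alerts_at(scores, threshold):
    """Entities whose peak risk reaches the threshold (the 'aperture')."""
    return {entity for entity, risk in scores.items() if risk >= threshold}


def precision_recall(alerted, truly_bad):
    tp = len(alerted & truly_bad)
    precision = tp / len(alerted) if alerted else 0.0
    recall = tp / len(truly_bad) if truly_bad else 0.0
    return precision, recall


# Constructed sample: alice and dave are compromised, bob and carol are benign.
T = datetime(2024, 10, 20, 9, 0)
EVENTS = [
    (T, "alice", "new_country_login"),
    (T + timedelta(minutes=10), "alice", "mfa_fatigue_prompts"),
    (T + timedelta(minutes=12), "alice", "mfa_fatigue_prompts"),  # repeat
    (T + timedelta(minutes=40), "alice", "inbox_rule_created"),
    (T + timedelta(hours=3), "alice", "mass_file_download"),
    (T, "bob", "new_country_login"),                      # travelling, reset password,
    (T + timedelta(hours=1), "bob", "password_reset"),    # set an out-of-office rule
    (T + timedelta(hours=2), "bob", "inbox_rule_created"),
    (T + timedelta(hours=5), "carol", "inbox_rule_created"),
    (T, "dave", "new_country_login"),                     # slow attacker: 3 days apart
    (T + timedelta(days=3), "dave", "inbox_rule_created"),
]
TRULY_BAD = {"alice", "dave"}


def sweep(thresholds=(25, 50, 100)):
    """Widen or narrow the aperture and report (precision, recall) per threshold."""
    scores = score_entities(EVENTS)
    return {t: precision_recall(alerts_at(scores, t), TRULY_BAD) for t in thresholds}


if __name__ == "__main__":
    for t, (p, r) in sweep().items():
        print(f"threshold {t:>3}: precision={p:.2f} recall={r:.2f}")
```

Tightening the threshold to 100 gets perfect precision but misses dave, whose two signals land outside the window; opening it to 25 catches him at the price of paging on carol's single inbox rule. The window length is as much a tuning knob as the threshold, and that is the cost/aperture trade Stouffer is describing.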
🎙️ Detection Engineering Media
This podcast is becoming my favorite APT-focused news source! Hearing how folks who have studied these threats for years approach intelligence, research and reporting is really insightful. Lots of topics were covered in this one, but in particular the ESET “breach” at its Israel-related branch had a lot of nuance around how exactly it was pulled off and what effect it was trying to achieve. TL;DR: in “hot zone” conflicts, security breaches, especially low-impact ones, are generally more useful for propaganda and disinformation than for pure espionage or crime.
I’m glad Alex is now publishing the Detection Engineering Dispatch podcast on Spotify! This episode’s guest, Reanna Schultz, is a SOC leader with a ton of great insights into how to break into security and “level up” your career. Schultz also has a great outlook on preventing burnout, which I know our whole industry suffers from. If you want to break into SOC or threat detection, take notes on this episode.
☣️ Threat Landscape
Multiple Services: Partially incomplete log data due to monitoring agent issue by Microsoft
Microsoft published a preliminary post-incident review of a major outage in security log generation affecting services like Microsoft Entra (whoops), Azure Logic, Microsoft Sentinel (o no), and others. The issue was detected on September 5, and a temporary workaround was found 14 days later and deployed on September 19. It’s not CrowdStrike-outage level of badness, but missing logs from critical security services for two weeks is bad news bears.
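The lesson for the rest of us: if the only way you learn about a telemetry gap is the vendor's PIR, you have no log-source health monitoring. Here is a toy version of that check as an added example (mine, not anything from Microsoft's review): per-source hourly event counts compared against a trailing baseline, flagging both a sharp drop and an hour with no data at all. The baseline is taken from the last populated hours rather than the last clock hours, so an outage does not quietly become the new normal. Source names and counts are constructed.

```python
"""Added example, not from Microsoft's PIR: flag a log source that drops off or
goes silent, by comparing each hour's event count to a trailing baseline built
from the last few *populated* hours. Source names and counts are constructed."""
from datetime import datetime, timedelta
from statistics import median

BASELINE_BUCKETS = 6   # populated hours used for the expected volume
LOOKBACK_HOURS = 48    # how far back to search for those populated hours
DROP_RATIO = 0.5       # 'drop' when an hour is below 50% of baseline
MIN_BASELINE = 20      # ignore sources that barely log anyway (lab noise)


def trailing_baseline(buckets, hour, n=BASELINE_BUCKETS, lookback=LOOKBACK_HOURS):
    """Median of the n most recent populated hourly counts before `hour`.
    Skipping empty hours matters: if missing hours counted as zero, the
    baseline would decay during an outage and the alert would silence itself."""
    recent = []
    for i in range(1, lookback + 1):
        count = buckets.get(hour - timedelta(hours=i))
        if count is not None:
            recent.append(count)
            if len(recent) == n:
                break
    return median(recent) if recent else 0


def find_gaps(hourly, start, end, drop_ratio=DROP_RATIO, min_baseline=MIN_BASELINE):
    """hourly: {source: {hour: count}} with hours as datetimes on the hour.
    Returns [(source, hour, kind, count, baseline)] where kind is 'silent'
    (no bucket at all for that hour) or 'drop' (bucket present, far below baseline)."""
    findings = []
    for source, buckets in hourly.items():
        hour = start
        while hour <= end:
            baseline = trailing_baseline(buckets, hour)
            count = buckets.get(hour)
            if baseline >= min_baseline:          # no baseline yet, or trickle source: skip
                if count is None:
                    findings.append((source, hour, "silent", 0, baseline))
                elif count < drop_ratio * baseline:
                    findings.append((source, hour, "drop", count, baseline))
            hour += timedelta(hours=1)
    return findings


# Constructed sample: 16 hours of counts for three sources.
START = datetime(2024, 9, 5, 0, 0)


def H(i):
    return START + timedelta(hours=i)


HOURLY = {
    # steady sign-in source that stops arriving at hour 12
    "entra_signin": {H(i): 120 for i in range(12)},
    # steady source with one bad hour (agent restart, partial batch, ...)
    "sentinel_alerts": {H(i): (10 if i == 8 else 60) for i in range(16)},
    # a trickle source that also goes quiet; too small to be worth paging on
    "lab_syslog": {H(i): 5 for i in range(8)},
}


def report(hourly=HOURLY, start=START, hours=16):
    return find_gaps(hourly, start, start + timedelta(hours=hours - 1))


if __name__ == "__main__":
    for source, hour, kind, count, baseline in report():
        print(f"{hour:%Y-%m-%d %H:%M} {source:<16} {kind:<6} count={count} baseline={baseline}")
```

On the sample this fires four "silent" findings for entra_signin from hour 12 onward and a single "drop" for sentinel_alerts at hour 8, while the 5-events-per-hour lab source never pages. In production you would key this off whatever your SIEM exposes for per-source ingest counts, and the thresholds want tuning per source, not globally.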
macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools by Phil Stokes
Stokes, a researcher at SentinelOne, uncovered additional samples of “NotLockBit,” a macOS ransomware family first disclosed by Trend Micro. The interesting bits: the samples are written in Go and built for Intel macOS, so an Apple silicon Mac only runs them through Rosetta 2 translation, and some samples carry hard-coded AWS access keys used to create a bucket and ship exfiltrated data to the attacker’s AWS account.
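Hard-coded cloud credentials in a sample are a gift: they make a strong hunting signature and they are something you can report to AWS to get disabled. As an added example (my own, not from Stokes's analysis, and not tied to the real NotLockBit samples), here is a strings-style scan that pulls an AWS access key ID and a nearby secret-shaped string out of a byte blob, using AWS's own documented example credentials in a constructed stand-in for a Go binary's string table.

```python
"""Added example, not from Stokes's analysis: pull AWS access key IDs and a
nearby secret-shaped string out of a sample's bytes, the way you would after
`strings` shows you an AKIA... literal. The blob below is constructed and uses
AWS's own documented example credentials, not anything from the real samples."""
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 chars.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars of the base64 alphabet; guard both ends.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5  # bits per byte; real secrets sit well above this


def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(blob: bytes, proximity: int = 512):
    """Return [(access_key_id, secret_or_None, offset)].
    Go keeps string literals packed together in rodata, so a secret that was
    hard-coded next to its key ID usually sits within a few hundred bytes."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - proximity), m.end() + proximity
        window = blob[lo:hi]
        secrets = [
            s.group().decode()
            for s in SECRET_RE.finditer(window)
            if shannon_entropy(s.group()) >= MIN_SECRET_ENTROPY  # drops padding/filler runs
        ]
        hits.append((m.group().decode(), secrets[0] if secrets else None, m.start()))
    return hits


# Constructed stand-in for a Go binary's string table (NUL-separated literals).
SAMPLE = b"\x00".join([
    b"go.buildid",
    b"net/http.(*Client).Do",
    b"AKIAIOSFODNN7EXAMPLE",                        # AWS docs example key ID
    b"s3.amazonaws.com",
    b"A" * 40,                                      # 40-char run, but zero entropy
    b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",    # AWS docs example secret
    b"us-east-1",
    b"/Users/victim/Documents",
])

if __name__ == "__main__":
    for key_id, secret, offset in find_aws_credentials(SAMPLE):
        print(f"offset {offset:#x}: {key_id} secret={secret}")
```

The entropy gate is what keeps this usable on real binaries, where 40-character runs of base64 alphabet are common (padding, table data, other literals); a bare regex alone produces far too many candidates. Whatever this finds, treat it as a lead to confirm, not proof the key is live.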
Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities by Outpost24
Crystal Rans0m is a dual-use infostealer and ransomware strain written in Rust, so its authors are not only dual-use malware developers but hipsters too. With infostealers becoming really good at what they do, I imagine bolting a ransomware component on top to encrypt the victim’s laptop squeezes a bit more juice out of each infection.
CISA Adds One Known Exploited Vulnerability to Catalog by CISA
CVE-2024-9537 (CVSS 9.3) affects ScienceLogic SL1 and, according to multiple sources, was exploited in the wild at Rackspace and resulted in their breach. When you click through to the CVE, it’s hard to see what the vulnerability actually entails (it is listed as unspecified), and the entry cites a Twitter account as a primary source, which is a little weird?
Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks on Hospitals, Government Facilities, and Other Critical Infrastructure in Los Angeles and Around the World by U.S. Department of Justice
Anonymous Sudan was indicted by the U.S. DoJ, and they were actually Sudanese! The two defendants allegedly DDoS’ed all kinds of critical infrastructure, including emergency care facilities, which released the hounds from the FBI, who managed to seize the group’s DDoS tool.
🔗 Open Source
priscope by marklechner
PRIScope inspects pull requests and leverages LLM capabilities to find security issues and vulnerabilities.
SmuggleShield by RootUp
A browser extension that actively tries to block malware delivered via HTML smuggling. You can take a look at the HTML patterns it matches here; it uses a basic thresholding mechanism and blocks the page from loading once enough patterns match.
gcp-ctf-workshop by n0jam
Hot off the BSides NYC circuit, this workshop builds a vulnerable GCP project you can use to practice attack techniques against Google’s cloud. There are five challenges with a bunch of different attack paths to practice, and they provide hint files to get you further along as well.
LOLESXi by LOLESXi-Project
GitHub link to the LOLESXi project I linked above in State of the Art.