Det. Eng. Weekly #91 - #tangodown Redline & Metastealer!
Congrats to all who worked on Operation Magnus
Welcome to Issue #91 of Detection Engineering Weekly!
My good friend, Clint Gibler, had his tl;dr sec newsletter hit 90,000 subscribers! If it weren’t for Clint and tl;dr sec, I’m unsure if my newsletter would be where it is today. So please go check out Clint’s newsletter and subscribe!
💎 Detection Engineering Gem 💎
Exception Junction - Where All Exceptions Meet Their Handler by Brute Ratel
This is a deep-dive post inside Windows internals and how a well-known C2 framework tries to circumvent anti-debug and EDR features. I've covered Vectored Exception Handlers (VEH) and circumventing EDR hooks before, but these posts generally focus on how malware uses these techniques and how we can detect them. It's nice to get a change of pace on how malware authors use this same research to go even deeper into avoiding detection.
Dark Vortex (author of Brute Ratel) tries to figure out how to avoid detection when ntdll!RtlAddVectoredExceptionHandler is called, since this is a great way for malware to exit a control flow naturally or via a manufactured exception to execute code. The idea here is that by abusing the API call via ntdll, you can force an arbitrary VEH function to the top of the linked list of handlers that Windows walks when an exception occurs, potentially bypassing EDR hooks. According to their research, only ntdll should be able to access and manage this list. Access is done via a specific byte pattern, so they also release a rule to find this pattern in files (malware) trying to access the list outside of ntdll.
This is a dense post filled with lots of Windows internals. Still, you should start to piece together detection opportunities and how anti-EDR techniques work. On Windows, the goal is loading and executing before an EDR hook, and VEHs look to be great ways to achieve that.
🔬 State of the Art
Doubling Down on Trusted Partnerships: Our Commitment to Researchers by Harry Coker, Jr., National Cyber Director
This is an interesting announcement from the White House on leveraging Traffic Light Protocol (TLP) for cyber threat intel classification. According to Coker Jr., who also spoke at DEFCON about government and research community collaboration, there is a desire for bilateral information sharing between the U.S. government and the threat intel community.
Azure MITRE Based Threat Hunting: Initial Access by Charles Garrett
I've linked the Cloud Threat Hunting Field Manual project before, but Garrett is adding more use cases on hunting and started with Initial Access (linked) and Execution. It's nice to see the specific sub-techniques used for Azure and ways you can create defensive strategies from a detection and engineering perspective.
Shell Style Guide by Google
I found this on a subreddit and wish I'd found it sooner! This is Google's guide on when to use and not use shell scripting languages, particularly Bash. A lot of security engineering, threat intel, and system administration work leverages Bash, and I've seen GNARLY shell scripts that are impossible to read. They start the whole document with "When to use Shell" and give readers prescriptive guidance on moving to something more structured, like Python.
SELinux bypasses by Klecko
The gem above focused on Windows internals and bypassing EDR primitives. In contrast, this blog post focuses on Linux internals and bypassing SELinux primitives! SELinux is a security feature in the Linux kernel that allows you to scope permissions and security checks to lock down a Linux box.
You can write SELinux rules to prevent all kinds of post-exploitation shenanigans. Klecko explores various bypasses of SELinux by inspecting the codebase and trying to force settings overrides that flip SELinux into permissive mode. My favorite bypass was overwriting a cache mechanism inside the kernel to trick SELinux into thinking it has already calculated the permission before and allowing the access to continue.
LOLAD: Living Off The Land Active Directory by LOLAD-Project
This is yet another LOL project; this time, it focuses on Active Directory! When you get on an AD box, you'll see almost all native PowerShell and CMD commands to perform all kinds of shenanigans. I do think they broke the rules a little bit by adding mimikatz into the mix, since it's not installed by default on Active Directory boxes, or at least it wasn't the last time I checked.
☣️ Threat Landscape
Malware targeting millions of people taken down by international coalition by European Union Agency for Criminal Justice Cooperation
This is a great #tangodown for two massive stealer families, Redline and Metastealer. Two domains and three servers were seized, effectively neutralizing infections, and tons of valuable victim information was made available to law enforcement. The coalition released a video plus a tool to see if you were affected, located at the Operation Magnus website.
Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview by Ian Kretz and Sebastian Obregoso
~ Note, this is a post from Datadog, my employer, and I work closely with Ian and Sebastian ~
Amazing research on the North Korean actor group Datadog tracks as "Tenacious Pungsan". Ian and Sebastian found malware samples linking to infrastructure and malware used by this group, and they did it all using open-source tooling that we use every day here. This family is linked closest to Contagious Interview and drops familiar malware families like Beavertail and InvisibleFerret.
Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files by Microsoft Threat Intelligence
Microsoft caught Midnight Blizzard using a novel and pretty wild initial access and execution vector: malicious RDP configuration files. A spear-phishing email arrives in the victim's inbox and, posing as Microsoft employees to build credibility, the senders attempt to get victims to double-click the configuration file and use RDP to connect to Midnight Blizzard-controlled servers. When loaded, these configuration files provide all kinds of juicy information back to a C2 server, allowing the actor to install additional files afterward.
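A triage script for .rdp files is an easy defensive win here. The example below is added by me, not code from Microsoft's report: it parses the `name:type:value` lines of an RDP configuration file and flags settings that redirect local resources (drives, clipboard, smart cards, USB, camera, microphone) to the remote host. The list of settings to flag and the sample file are my assumptions, chosen from standard RDP file properties.

```python
"""Triage helper for .rdp files (added example, not the report's own code).
Parses 'name:type:value' lines and flags settings that redirect local
resources (drives, clipboard, smart cards, USB, ...) to the remote host."""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^([^:]+):([si]):(.*)$")

# Settings that hand local resources to the remote host; each predicate
# returns True when the value is in its exposing state (assumed list).
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",     # "*" = every drive
    "devicestoredirect": lambda v: v.strip() != "",
    "usbdevicestoredirect": lambda v: v.strip() != "",
    "camerastoredirect": lambda v: v.strip() != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "audiocapturemode": lambda v: v == "1",            # microphone
    "remoteapplicationmode": lambda v: v == "1",       # RemoteApp hides desktop
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (type, value)}; lines that don't parse are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, typ, value = m.groups()
            settings[name.strip().lower()] = (typ, value)
    return settings

def triage_rdp(text: str) -> Tuple[str, List[str]]:
    """Return (target host, flagged setting names) for one .rdp file."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1]
    flagged = [name for name, risky in RISKY_SETTINGS.items()
               if name in settings and risky(settings[name][1])]
    return host, flagged

# Constructed sample resembling a resource-redirecting RDP file.
SAMPLE = """screen mode id:i:2
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:0
"""
if __name__ == "__main__":
    print(triage_rdp(SAMPLE))
```

Run it over every .rdp attachment your mail gateway quarantines; a file whose target host is unknown and that redirects drives or smart cards is worth a closer look.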
Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses by Jia Yu Chan, Salim Bitam, Daniel Stepanic, Samir Bousseaden, Cyril Francois and Seth Goodwin
App-bound encryption helped stop the current techniques leveraged by infostealers to pilfer Chrome cookies and app storage, but several stealers have worked around this protection, according to Elastic Security Labs researchers. The researchers found several detection opportunities for the new techniques, including the use of ChromeKatz, leveraging debug functions, elevating to SYSTEM, and decrypting the encrypted contents.
The interesting one for me is Xenostealer, which performs privilege escalation on the victim system, launches its own instance of Chrome, and then injects a function to take the encryption key and decrypt the cookie data.
🔗 Open Source
XenoStealer by moom825
Yet another open-source infostealer ~ FOR EDUCATIONAL PURPOSES ONLY ~ that implements a clever Chrome App protection bypass.
LOLAD-Project.github.io by LOLAD-Project
GitHub repo for the LOLAD project listed above in State of the Art.
Linux Telemetry Section Issue for EDR-Telemetry by tsale
This is a GitHub issue opened by tsale, who runs the EDR Telemetry website I linked last week. Super interesting conversation on how to create a similar EDR telemetry view for Linux security products.
nifo by lkarlslund
The README is just too good for me to describe it. Nuke it from orbit:
With a precision of a brain surgeon wielding a chainsaw, nifo can obliterate most AV/EDR products from endpoints or servers running the world's most popular operating system, even if they're BitLocker protected - if you have physical access to the device and it's not totally locked down (BIOS password + SecureBoot + Harddrive Password + No USB Boot).
Chrome-App-Bound-Encryption-Decryption by xaitax
Another app-bound encryption bypass, also referenced in the Elastic Labs blog above. This one uses the elevation service technique that the Elastic team found Metastealer using.