Welcome to Issue #92 of Detection Engineering Weekly!
💎 Detection Engineering Gem 💎
Applying Test-Driven Development to Detection Engineering by Matt Hand
👏 Detection 👏 Engineering 👏 is 👏 software 👏 engineering 👏. Test-driven development is a process in software engineering where you write software tests, like unit tests, before you write your function or code. The idea behind it is that you create a contract in your unit test with a set of assumptions. You define inputs and expected outputs, "fail" the test (nothing is written yet), and then write your code. In practice, it can be exhausting to implement. Still, we can learn a lot from this style of programming for detection engineering.
Hand goes into deep detail on the ideas behind test-driven development and how they can translate to threat detection. There are some hard parts to control here: for example, as you emulate a technique from a piece of malware, do you implement a COTS C2 framework or something more bespoke that matches the target tooling or technique as much as possible?
I like how Hand broke out Assert into three outcomes we drive with threat detection technologies: observe, detect, and prevent. Prevent seems evident if you run an EDR, but the difference between observe and detect has some nuance associated with it. For example, collecting or decorating telemetry and ensuring it's healthy is much different than alerting over it.
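To make the observe/detect/prevent split concrete, here is an added example (not code from Hand's post) of a test-first harness: each case fixes the three expected outcomes before the rule exists, and the rule is iterated until every assertion holds. The event fields, the lsass rule and the sample cases are constructed for illustration.

```python
"""Test-first detection: the expected observe/detect/prevent outcomes are fixed
before the rule exists, then the rule is written until they hold. Added example,
not from Hand's post; event fields and the rule are constructed for illustration."""
from dataclasses import dataclass

# Telemetry must carry these fields before an "observe" assertion can pass.
REQUIRED_FIELDS = {"process_name", "command_line", "parent_name", "action"}


@dataclass
class DetectionCase:
    name: str
    event: dict              # constructed telemetry from one emulation run
    expect_observe: bool     # did healthy telemetry reach the pipeline?
    expect_detect: bool      # did the rule fire?
    expect_prevent: bool     # did the control block the action?


def rule_lsass_access(event: dict) -> bool:
    """Constructed rule: a tool referencing lsass whose parent is not services.exe."""
    cmd = event.get("command_line", "").lower()
    return "lsass" in cmd and event.get("parent_name", "").lower() != "services.exe"


def assert_outcomes(case: DetectionCase, rule) -> dict:
    """Hand's three assertions; each value is True when reality matched expectation."""
    observed = REQUIRED_FIELDS.issubset(case.event)
    detected = observed and rule(case.event)   # no telemetry, no detection
    prevented = case.event.get("action") == "blocked"
    return {"observe": observed == case.expect_observe,
            "detect": detected == case.expect_detect,
            "prevent": prevented == case.expect_prevent}


CASES = [
    DetectionCase("dump tool hits lsass, EDR blocks",
                  {"process_name": "procdump64.exe", "command_line": "procdump64.exe -ma lsass.exe",
                   "parent_name": "cmd.exe", "action": "blocked"}, True, True, True),
    DetectionCase("telemetry gap: command line missing",
                  {"process_name": "procdump64.exe", "parent_name": "cmd.exe",
                   "action": "allowed"}, False, False, False),
    DetectionCase("benign lsass start under services.exe",
                  {"process_name": "lsass.exe", "command_line": "lsass.exe",
                   "parent_name": "services.exe", "action": "allowed"}, True, False, False),
]


def run_suite(rule=rule_lsass_access) -> dict:
    """Run every case; a rule is 'done' only when all three assertions hold everywhere."""
    return {c.name: assert_outcomes(c, rule) for c in CASES}
```

Running the suite with a stub rule that always returns False reproduces the "red" starting point of TDD: the observe and prevent assertions still pass, only detect fails, which separates telemetry health from rule quality.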
🔬 State of the Art
Silencing the EDR Silencers by Jonathan Johnson
What's going to win in a street match? One multi-billion-dollar alpha EDR solution or a small firewall boi? According to Johnson, Windows Firewall is a highly effective way to block out EDR functionality. It helps filter out callbacks to the EDR solution's servers for additional detection and investigations.
Windows Firewall and the Firewall Platform are systems inside Windows that attackers can use to perform this style of EDR blocking. Johnson does a great job of reviewing all of the entry points into these subsystems: GUIs, command-line rules, and even COM interfaces are all great ways to apply the bypass.
The best part of this post is the detection opportunities at the end. If you've been following along with this newsletter, hopefully you have a much better understanding of EDR detection engineering. Writing hooks against registry keys and blocking firewall rules targeting EDR can make it into your vendor's roadmap.
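One of those detection opportunities, as an added example that is not from Johnson's post: parse the pipe-delimited rule strings Windows keeps under the FirewallRules registry key and flag active outbound Block rules bound to an EDR binary or service. The EDR paths, service name and registry values are constructed.

```python
"""Spot Windows Firewall rules that silence an EDR by blocking its outbound traffic.
Added example, not from Johnson's post. Rule strings use the pipe-delimited layout
Windows stores under HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\
Parameters\\FirewallPolicy\\FirewallRules; the values, paths and names are constructed."""

# Assumed: the EDR's executables and service name as deployed in your estate.
EDR_BINARIES = {"edr_sensor.exe", "edr_agent.exe"}
EDR_SERVICES = {"EdrAgentSvc"}

# Constructed registry values keyed by rule name (a GUID in the real key).
SAMPLE_RULES = {
    "{rule-guid-1}": "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6"
                     "|App=C:\\Program Files\\ExampleEDR\\edr_sensor.exe"
                     "|Name=Core Networking|Desc=|EmbedCtxt=@FirewallAPI.dll,-25000|",
    "{rule-guid-2}": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|Name=mDNS|",
    "{rule-guid-3}": "v2.31|Action=Block|Active=FALSE|Dir=Out"
                     "|App=C:\\Program Files\\ExampleEDR\\edr_agent.exe|Name=Legacy|",
    "{rule-guid-4}": "v2.31|Action=Block|Active=TRUE|Dir=Out|Svc=EdrAgentSvc|Name=Svc block|",
}


def parse_rule(value: str) -> dict:
    """Turn 'v2.31|Key=Val|...|' into a dict; the leading token is the format version."""
    version, _, rest = value.partition("|")
    fields = {"version": version}
    for part in rest.split("|"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key] = val
    return fields


def is_edr_silencer(fields: dict) -> bool:
    """Active outbound Block rule bound to an EDR executable or service.
    Match on App/Svc, not Name: the display name is free text and proves nothing."""
    if fields.get("Action") != "Block" or fields.get("Active", "").upper() != "TRUE":
        return False
    if fields.get("Dir") != "Out":
        return False
    exe = fields.get("App", "").rsplit("\\", 1)[-1].lower()
    return exe in EDR_BINARIES or fields.get("Svc") in EDR_SERVICES


def find_silencers(rules: dict) -> list:
    """Names of rules that would cut the EDR off from its cloud backend."""
    return sorted(n for n, v in rules.items() if is_edr_silencer(parse_rule(v)))
```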
V16 Brings (Re)Balance: Restructured Cloud, New Analytics, and More Cybercriminals by Amy L. Robertson
MITRE ATT&CK v16 just dropped! The MITRE team did an excellent job rebalancing Cloud categories and has a much better classification between IaaS (cloud service providers), Identity Providers (Okta, Entra ID, Workspace), SaaS apps, and, of course, Microsoft Office Suite and M365.
Cyber Threat Intelligence for Autodidacts by Will Thomas
CTI GOAT Will Thomas dropped an excellent blog post documenting how to break into CTI if you are a self-learner. Yes, that's what autodidact means :D. This is a good list even if you are a trained professional: for example, have you ever had to explain to detection folks or leadership about a threat actor they may be concerned about? How could you write a threat actor profile to help communicate this complex topic? Will has a section for that in here.
Lots of open-source resources land on Will's list, so you can go a LONG way without ever having to buy a product.
The Twelve-Factor App by Adam Wiggins
I've been reading lots of DevOps and SRE blogs and subreddits lately, so naturally the algorithms of our Internet overlords serve me more of this content. The Twelve Factors of a SaaS application serve as a fundamental building block for software engineers trying to build SaaS software. Each factor is clickable and gives readers descriptive guidance on achieving things like concurrency, deployment models, and logging. Something like this could be interesting to write for a detection engineering process.
How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS Access by Adan Alvarez
Identity is the single hardest thing to secure in a cloud environment. Did you create the right users and roles? Are you leveraging an identity provider? Are the roles rightsized so they only use what they need to? Imagine doing this full time as your job with a whole team and still getting it wrong in many cases.
When new IAM features come out, have you correctly threat-modeled them? No worries, this post has you covered! This is an excellent example of how attackers can leverage a feature in AWS IAM as a persistence mechanism. IAM Roles Anywhere allows non-AWS-owned workloads to leverage public key cryptography to gain a temporary access token inside your AWS environment. It's great for multi-cloud or on-prem uses, but, much like Alvarez's research on rogue SAML identity providers, it can also be abused as a persistence mechanism.
Luckily, Alvarez added a Stratus Red Team technique and a setup script to emulate this inside a test AWS environment so you can work out detection opportunities.
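What the detection side of that emulation can look like, as an added example (not code from the post or from Stratus Red Team): evaluate CloudTrail records from the Roles Anywhere event source and flag trust anchors or profiles created by an identity outside an allowlist, anchors backed by an external certificate bundle, and profiles that map a sensitive role. The records, account id, trusted identities and sensitive roles are constructed assumptions.

```python
"""Flag IAM Roles Anywhere changes in CloudTrail that fit the persistence pattern
Alvarez describes. Added example, not from the post or its Stratus Red Team technique;
the records are constructed and trimmed, and the trusted-identity and sensitive-role
lists are assumptions to replace with your own."""

RA = "rolesanywhere.amazonaws.com"
ACCT = "arn:aws:iam::123456789012:"                    # constructed account
TRUSTED_ADMINS = {ACCT + "role/pki-automation"}        # assumed legitimate managers
SENSITIVE_ROLES = {ACCT + "role/AdminRole"}            # assumed never exposed to on-prem certs
WRITE_EVENTS = {"CreateTrustAnchor", "UpdateTrustAnchor", "CreateProfile", "UpdateProfile"}


def ct(source, name, actor, params):
    """Build a constructed CloudTrail record with only the fields the logic reads."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}


SAMPLE_EVENTS = [
    ct(RA, "CreateTrustAnchor", ACCT + "user/contractor",
       {"name": "ops-anchor", "source": {"sourceType": "CERTIFICATE_BUNDLE"}}),
    ct(RA, "CreateProfile", ACCT + "user/contractor",
       {"name": "ops-profile", "roleArns": [ACCT + "role/AdminRole"]}),
    ct(RA, "CreateTrustAnchor", ACCT + "role/pki-automation",
       {"name": "plant-floor", "source": {"sourceType": "AWS_ACM_PCA"}}),
    ct("iam.amazonaws.com", "CreateRole", ACCT + "user/contractor", {"roleName": "Temp"}),
]


def evaluate(event: dict) -> list:
    """Return finding labels for one record; an empty list means nothing to raise."""
    if event.get("eventSource") != RA:
        return []
    name = event.get("eventName", "")
    actor = event.get("userIdentity", {}).get("arn", "")
    params = event.get("requestParameters") or {}
    findings = []
    if name in WRITE_EVENTS and actor not in TRUSTED_ADMINS:
        findings.append("rolesanywhere_write_by_unexpected_identity")
    # A certificate bundle means a CA outside the account issues the client certs.
    if name.endswith("TrustAnchor") and params.get("source", {}).get("sourceType") == "CERTIFICATE_BUNDLE":
        findings.append("trust_anchor_external_ca")
    if name.endswith("Profile") and SENSITIVE_ROLES & set(params.get("roleArns", [])):
        findings.append("profile_maps_sensitive_role")
    return findings


def scan(events: list) -> dict:
    """Map each flagged anchor/profile name to its findings."""
    out = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            out[e["requestParameters"].get("name", e["eventName"])] = hits
    return out
```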
🎙️ Detection Engineering Media
This is a great Detection Engineering Dispatch episode interviewing Brady Stouffer from Expel. I featured Brady's work recently in this newsletter, and it's cool to hear from him on how he approaches threat detection and hunting working for an MDR. If you want a peek into how a large and hyper-effective MDR approaches detection rules and hunting, then look no further than Brady's chat :).
Fintech companies fascinate me. They are selling to one of the most regulated industries in the world (finance). Still, they move quickly regarding how they build out their technology stack, especially in security.
It was great to hear how Saksham Tushar and the team at CRED perform detection engineering and threat hunting. Log correlation and making the SIEM a query source instead of a complex detection source seem to be movements that security teams are picking up and implementing.
☣️ Threat Landscape
Canadian Man Arrested in Snowflake Data Extortions by Brian Krebs
Canadian Police apprehended one of the main UNC5537 actors behind the Snowflake data extortion events earlier this year. The significance of these hacks stems from Snowflake itself not being breached, but Snowflake's customer tenants were vulnerable to valid account initial access due to infostealers. Krebs managed to interview the alleged perpetrator and, in true Krebs fashion, revealed details on the identity of Judische/waifu.
Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory by Okta
Quoted directly, no analysis needed:
On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate by only providing the username with the stored cache key of a previous successful authentication.
wat
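Why the magic number is 52, as an added example that is not Okta's code: bcrypt only hashes the first 72 bytes of its input, so when the cache key is bcrypt(userId + username + password) a long enough prefix pushes every password byte out of the hashed window. The 20-character userId length and the 72-byte limit are the assumptions the arithmetic rests on, and the hardened variant (length-framed pre-hash, base64-encoded before bcrypt) is one common remedy, not Okta's actual fix.

```python
"""Model of the Okta AD/LDAP DelAuth cache-key issue. Added example, not Okta's code.
Assumptions: a 20-character Okta userId and bcrypt's 72-byte input limit; the
hardened composition is a generic remedy, not the vendor's patch."""
import base64
import hashlib

BCRYPT_INPUT_LIMIT = 72  # bytes bcrypt actually hashes; anything after is ignored


def cache_key_input(user_id: str, username: str, password: str) -> bytes:
    """Vulnerable composition from the advisory: plain concatenation fed to bcrypt."""
    return (user_id + username + password).encode()


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """How many password bytes fall inside bcrypt's window (0 means the password is irrelevant)."""
    prefix_len = len((user_id + username).encode())
    return max(0, min(len(password.encode()), BCRYPT_INPUT_LIMIT - prefix_len))


def max_safe_username_len(user_id_len: int = 20) -> int:
    """Longest username (bytes) that still leaves at least one password byte in scope."""
    return BCRYPT_INPUT_LIMIT - user_id_len - 1


def hardened_cache_key_input(user_id: str, username: str, password: str) -> bytes:
    """Length-frame and SHA-256 the fields, then base64 so the bcrypt input is a fixed
    44 printable bytes (no NUL to terminate it early) that depends on every input byte."""
    h = hashlib.sha256()
    for part in (user_id, username, password):
        raw = part.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return base64.b64encode(h.digest())
```

With a 20-character userId the vulnerable composition hashes zero password bytes once the username reaches 52 characters, so two different passwords produce identical bcrypt input.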
EDR Bypass Testing Reveals Extortion Actor's Toolkit by Navin Thomas, Renzon Cruz and Cuong Dinh
This is a fun writeup on an actor attempting to turn off Palo Alto's EDR with EDRSandBlast. It didn't work, and in debugging why, the actor exposed their infrastructure to Palo Alto researchers, which gave the researchers a huge window of opportunity to download the actor's toolset and learn their TTPs. They even got a video of the person talking about bypass techniques and found their LinkedIn profile after some OSINT sleuthing.
From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West by Seongsu Park
This is a great DPRK post detailing the role of Contagious Interview and DPRK IT worker schemes. We've seen more in the news within the last year. Park and ZScaler call the DPRK IT cluster WageMole, and they found some amazing data on victims for both Contagious Interview and WageMole. As a surprise to no one, WageMole
Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2 by Team Axon
Researchers from Hunters unveil an attack group called VEILDrive, which is heavily focused on Microsoft environments. The cool part here is the section on "Microsoft Services/Apps as Attacker's Infrastructure", where they outline six different Microsoft products that VEILDrive uses to move through the ATT&CK chain. This might be the most "living off the cloud" threat research I've read: hosting malicious files on victim SharePoint servers or using Quick Assist over Teams to get remote access to another victim is pretty clever.
🔗 Open Source
droid by certeu
PySigma wrapper and converter. Has some testing capabilities with Atomic Red Team before you export it over to your favorite SIEM or EDR platform.
AChoirX by OMENScan
Multi-operating-system collection and response platform for Windows, Linux, macOS and Android. A single collection script runs on all of the major OSes listed above, which is nifty.
DetentionDodger by Permiso
Post-AWS key quarantine tool that digs into your quarantined access keys for impact. It also can find users who failed to have the AWS quarantine policy attached, because sometimes that can fail too!
maester by maester365
Open-source Microsoft 365 configuration testing tool that checks your 365 tenants are actually configured securely. You can run it as a GitHub Action alongside your Terraform code, and it has a ton of extensibility through Pester tests that assert when a configuration policy fails.