Det. Eng. Weekly #94 - I tune all the rules, yeah, somebody gotta do it
🗣️🗣️MUSTAAAAAAAAAAAAARD🗣️🗣️
Welcome to Issue #94 of Detection Engineering Weekly!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access by Sean Koessel, Steven Adair, Tom Lancaster
The gem post for this week is more closely aligned with a threat landscape post, but that's okay: it's worth the read. The Volexity team just presented the contents of this blog at CYBERWARCON, and it's one of the coolest threat writeups I've read in a long time.
The victim in this blog is a Volexity customer that was breached by an APT, yet the pre-breach detection opportunities were eerily absent. The company was locked down: every public-facing login required MFA, yet a handful of credentials obtained through password spraying still got the attacker in. How does that happen?
APT28 was the culprit, and they truly put the "P" in persistently going after this victim. Since the victim held information APT28 deemed crucial to the war in Ukraine, they needed a foothold on the inside. They got one over the air: the sprayed credentials were useless against the MFA-protected internet-facing services but valid on the victim's enterprise Wi-Fi, which the attackers reached by compromising organizations in neighboring buildings and pivoting through their Wi-Fi-capable hosts.
🔬 State of the Art
Linux LKM Persistence by Hal Pomeranz
If you are unfamiliar with persistence techniques on Linux, this is a great post that dives deep into kernel-based rootkit functionality and how you can detect them in userland. I've been writing and using Linux kernel module rootkits for shenanigans for years, and I'm amazed at the consistency of their implementation. However, the difficulty in finding them continues to make threat actors successful.
Pomeranz has a clever bit of bash for decoding the kernel's taint flags (/proc/sys/kernel/tainted) to spot a kernel that has had something unexpected loaded into it, so I'll need to add this to my detection backlog.
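As an added example (not the bash from Pomeranz's post), here is the same idea in Python: decode the taint bitmask the kernel exposes in /proc/sys/kernel/tainted and call out the bits that matter when hunting for LKM persistence. The bit meanings follow the kernel's Documentation/admin-guide/tainted-kernels.rst; which bits count as "LKM-relevant" is this example's own judgement, and the fallback value used when /proc is unavailable is constructed.

```python
"""Decode the kernel taint bitmask (/proc/sys/kernel/tainted) and flag the
bits that matter when hunting for loadable-kernel-module persistence.

Added example, not the bash from Hal Pomeranz's post. Bit meanings follow
Documentation/admin-guide/tainted-kernels.rst; the LKM_RELEVANT set is an
assumption made for this example.
"""
from pathlib import Path

# (bit, flag letter the kernel prints after "Tainted:" in an oops, meaning)
TAINT_BITS = [
    (0, "P", "proprietary (non-GPL) module loaded"),
    (1, "F", "module was force-loaded (insmod -f)"),
    (2, "S", "kernel running on an out-of-spec system"),
    (3, "R", "module was force-unloaded"),
    (4, "M", "processor reported a machine check exception"),
    (5, "B", "bad page referenced or unexpected page flags"),
    (6, "U", "taint requested by a userspace application"),
    (7, "D", "kernel died recently (OOPS or BUG)"),
    (8, "A", "ACPI table overridden by user"),
    (9, "W", "kernel issued a warning"),
    (10, "C", "staging driver loaded"),
    (11, "I", "workaround for a platform firmware bug applied"),
    (12, "O", "out-of-tree (externally built) module loaded"),
    (13, "E", "unsigned module loaded"),
    (14, "L", "soft lockup occurred"),
    (15, "K", "kernel has been live-patched"),
    (16, "X", "auxiliary taint, defined by the distro"),
    (17, "T", "kernel built with the struct randomization plugin"),
    (18, "N", "an in-kernel test has been run"),
]

# Bits that should make you go look at /proc/modules: a rootkit is almost
# always out-of-tree and unsigned, and may have been force-loaded against a
# version mismatch (assumption: this is the hunting set, not a kernel list).
LKM_RELEVANT = {0, 1, 3, 12, 13}


def decode_taint(value):
    """Return the (bit, letter, meaning) tuples whose bit is set in value."""
    return [t for t in TAINT_BITS if value & (1 << t[0])]


def taint_letters(value):
    """Same letter string the kernel shows in an oops, e.g. 'OE'."""
    return "".join(letter for _, letter, _ in decode_taint(value))


def lkm_findings(value):
    """Human-readable reasons this taint value deserves a module-list review."""
    return [f"bit {b} ({l}): {m}" for b, l, m in decode_taint(value) if b in LKM_RELEVANT]


def read_taint(path="/proc/sys/kernel/tainted"):
    """Current taint value, or None when procfs is not available."""
    p = Path(path)
    return int(p.read_text().strip()) if p.exists() else None


if __name__ == "__main__":
    value = read_taint()
    if value is None:
        value = 12288  # constructed sample: bits 12 (O) and 13 (E) set
    print(f"tainted={value} flags={taint_letters(value) or 'none'}")
    for finding in lkm_findings(value):
        print("  ", finding)
```

Two caveats worth knowing before you alert on this: the O bit comes from a modinfo field the module author controls, so a rootkit author can simply declare the module in-tree, and the E bit only exists when the kernel was built with module signing support. An untainted value therefore means "nothing found", not "clean"; the taint check belongs alongside a comparison of /proc/modules against /sys/module, not in place of it.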
Azure Detection Engineering: Log idiosyncrasies you should know about by Michael Aldridge
Is audit log posture management a thing? Am I going to be sacrificed to the security demi-gods for coming up with another SPM acronym? Perhaps, but as you read this post, I hope you don't get as frustrated as I did looking at all the peculiar log configurations that Microsoft Azure dumps on its users to figure out. Aldridge does a fantastic job documenting the gotchas of Azure Activity and Resource log collection. Fields and values change based on where you are sending them. Azure has several data models that apply to these logs as they traverse a data collection pipeline.
For example, User-Agent logging. It's not a big deal if you run a WAF, but in the cloud, where everything is an API call and you mostly have IPs to go on, the User-Agent is one of the few client attributes you get, which makes it a fantastic detection opportunity. What if I told you your cloud provider strips out parts of the User-Agent field, collapsing whitespace and throwing pieces away altogether? Or that the verification field an application on a service principal should carry, so you can trust default apps, just comes through as null? Just Microsoft things!
Authenticated *NIX Pipes over SSH by Pico.sh
Super cool project that leverages SSH as the backend and control plane for rapid prototyping. SSH pipes is a pub-sub system akin to Kafka, but running entirely over SSH, so authentication and transport come from the SSH keys you already have. Their main site has all kinds of useful SSH-backed developer tools, such as tunnels, blog platforms, paste sites and even content management.
Life on a crooked RedLine: Analyzing the infamous infostealer’s backend by Alexandre Côté Cyr
This is a hefty post analyzing the entirety of RedLine's malware-as-a-service platform. I'm fascinated by posts like this because you get to pick apart the architectural and software decisions of cybercriminals, which we rarely see in the public sphere. Some funny findings include affiliate passwords passed to the main RedLine backend in clear text, a homegrown "database" that writes raw Protobuf objects straight to files instead of using a real database system, and an ad system that serves affiliates when they log into their panel.
Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts” by Daniel Koifman
I guess I'm dunking on Microsoft for this week's issue! In this post, Koifman explores what I think of as the necessary-versus-sufficient problem in detection engineering. Given a Windows machine with Sysmon logging configured correctly, can you find detection opportunities in artifacts the attacker cannot control, or is everything attacker-controlled?
He explores this question with a Sysmon configuration and a custom C program that calls the Windows API directly to perform the technique instead of relying on LOLBins such as netsh. Because any process that dumps Wi-Fi profiles through the API has to load wlanapi.dll, the image-load event for that DLL is an artifact the attacker can't avoid producing, which is what makes the resulting detection "immutable".
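To make the "immutable artifact" concrete, here is an added example (not Koifman's program or Sysmon configuration) that runs a wlanapi.dll image-load check over a few constructed Sysmon Event ID 7 records. The baseline of processes expected to load the DLL is an assumption for illustration; derive yours from your own fleet.

```python
"""Hunt for Wi-Fi profile dumping via the wlanapi.dll image-load artifact
(Sysmon Event ID 7), run over constructed events.

Added example, not Daniel Koifman's code or Sysmon rules. Whether the
attacker runs netsh or calls the WLAN API from a custom binary, wlanapi.dll
must be mapped into the calling process, so the load is what we key on,
not the command line. EXPECTED_LOADERS is an assumed baseline.
"""
import xml.etree.ElementTree as ET

# Processes that legitimately load wlanapi.dll on a workstation (assumed).
# Keyed on full path so a copy of netsh.exe in a user directory does not
# inherit the allowlisting.
EXPECTED_LOADERS = {
    r"c:\windows\system32\netsh.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_event(xml_text):
    """Flatten a Sysmon event (exported XML) into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("{*}EventData/{*}Data")}
    fields["EventID"] = int(root.findtext("{*}System/{*}EventID"))
    return fields


def check_wlanapi_load(ev):
    """Return an alert dict when wlanapi.dll is loaded by an unexpected process."""
    if ev.get("EventID") != 7:
        return None
    if not ev.get("ImageLoaded", "").lower().endswith("\\wlanapi.dll"):
        return None
    image = ev.get("Image", "").lower()
    reasons = []
    if image not in EXPECTED_LOADERS:
        reasons.append("loader not in baseline")
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        reasons.append("loader runs from a user-writable path")
    if not reasons:
        return None
    return {"Image": ev["Image"], "ProcessId": ev.get("ProcessId"), "reasons": reasons}


def hunt(events_xml):
    """Run the check over raw event XML strings and return the alerts."""
    return [a for a in (check_wlanapi_load(parse_event(x)) for x in events_xml) if a]


def _sysmon_event7(image, pid):
    # Constructed Sysmon Event ID 7 record, trimmed to the fields used here.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">C:\\Windows\\System32\\wlanapi.dll</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
  </EventData>
</Event>"""


# Constructed sample: two benign loads, one custom dumper, one copied LOLBin.
SAMPLE_EVENTS = [
    _sysmon_event7(r"C:\Windows\System32\netsh.exe", 4120),
    _sysmon_event7(r"C:\Users\bob\AppData\Local\Temp\update.exe", 5288),
    _sysmon_event7(r"C:\Windows\System32\svchost.exe", 1432),
    _sysmon_event7(r"C:\Users\bob\Downloads\netsh.exe", 6001),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Note that Sysmon does not log image loads unless your configuration includes an ImageLoad rule that matches wlanapi.dll; without that, the artifact exists in memory but never reaches your SIEM, which is the "correct logging" precondition the post is built on.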
🎙️ Detection Engineering Media
Micah Funderburk and Alex Stemalty join the podcast to talk about their implementation of risk-based alerting (RBA) at LastPass. RBA, popularized by Splunk and IMHO an alternative to UEBA, reconciles human and non-human entities and rolls the alerts they generate up into one risk view per entity instead of many atomic alerts. There are super interesting details about how they manage scores across assets, environmental context, and threat intelligence.
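Since RBA is easier to reason about with numbers in front of you, here is an added example (not the LastPass or Splunk implementation) of the core loop: normalize the different spellings logs use for one principal, weight each atomic observation by asset criticality and threat intel, accumulate per entity inside a window, and promote the entity once a score or distinct-rule threshold trips. The scores, multipliers, indicator and events are all constructed.

```python
"""Minimal risk-based alerting (RBA) aggregator over constructed alert events.

Added example, not the LastPass or Splunk implementation discussed on the
podcast. Scores, criticality multipliers, the threat-intel indicator and the
thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 24 * 3600
NOTABLE_SCORE = 100          # cumulative risk that promotes an entity
NOTABLE_DISTINCT_RULES = 3   # or: this many different rules fired on it

# Environmental context: multipliers for crown-jewel assets (assumed values).
ASSET_CRITICALITY = {("host", "dc01"): 2.0, ("host", "db-prod-3"): 1.5}
# Threat intelligence: source IPs with a current indicator match (constructed).
TI_SOURCE_IPS = {"203.0.113.7"}


@dataclass(frozen=True)
class RiskEvent:
    kind: str         # "user" or "host", as the source log labels it
    raw_entity: str   # identity exactly as it appears in that log
    rule: str         # detection rule that produced the observation
    base_score: int   # risk the rule author assigned
    ts: int           # epoch seconds
    src_ip: str = ""


def normalize_entity(kind, raw):
    """Reconcile the spellings different logs use for the same principal.
    DOMAIN\\alice, alice@corp.example and Alice all map to ("user", "alice");
    a machine account such as CORP\\WS01$ is a host, not a human."""
    name = raw.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    if name.endswith("$"):
        return ("host", name[:-1])
    if kind == "host" and "." in name:
        name = name.split(".", 1)[0]   # strip the DNS suffix from FQDNs
    return (kind, name)


def score_event(ev, entity):
    """Base score adjusted by asset criticality and threat-intel context."""
    score = ev.base_score * ASSET_CRITICALITY.get(entity, 1.0)
    if ev.src_ip in TI_SOURCE_IPS:
        score *= 2
    return score


def aggregate(events, now):
    """Roll atomic events inside the window up into one risk record per entity."""
    records = defaultdict(lambda: {"score": 0.0, "rules": set(), "events": 0})
    for ev in events:
        if ev.ts < now - WINDOW_SECONDS or ev.ts > now:
            continue
        entity = normalize_entity(ev.kind, ev.raw_entity)
        rec = records[entity]
        rec["score"] += score_event(ev, entity)
        rec["rules"].add(ev.rule)
        rec["events"] += 1
    for rec in records.values():
        rec["notable"] = (rec["score"] >= NOTABLE_SCORE
                          or len(rec["rules"]) >= NOTABLE_DISTINCT_RULES)
    return dict(records)


# Constructed sample: one user tripping three low-severity rules, one user
# repeating a single rule, a machine account, a domain controller, and a
# stale event outside the window.
SAMPLE_EVENTS = [
    RiskEvent("user", "CORP\\alice", "password_spray_success", 30, 1000),
    RiskEvent("user", "alice@corp.example", "mfa_method_added", 40, 4600),
    RiskEvent("user", "Alice", "new_oauth_app_consent", 40, 8200),
    RiskEvent("user", "CORP\\bob", "password_spray_success", 30, 1000),
    RiskEvent("user", "CORP\\bob", "password_spray_success", 30, 1100, src_ip="203.0.113.7"),
    RiskEvent("user", "CORP\\WS01$", "smb_share_enumeration", 20, 2000),
    RiskEvent("host", "dc01.corp.example", "lsass_handle_from_unsigned_binary", 60, 3000),
    RiskEvent("user", "CORP\\carol", "password_spray_success", 30, 1000 - 30 * 24 * 3600),
]

if __name__ == "__main__":
    for entity, rec in sorted(aggregate(SAMPLE_EVENTS, now=9000).items()):
        flag = "NOTABLE" if rec["notable"] else "-"
        print(f"{flag:8} {entity[0]}:{entity[1]:<6} score={rec['score']:.0f} rules={sorted(rec['rules'])}")
```

The thing to notice is that no single event here would be worth an analyst's time: alice becomes notable only because three different weak signals land on the same normalized entity, and dc01 only because its criticality multiplier doubles an otherwise mediocre score.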
Do we need to do attribution in public reporting? The grugq and Tom Uren explore this topic through the lens of several stakeholders, and it's good to see this conversation out in the open. I think the grugq's description of a market for attribution-as-a-service, aka threat intelligence, seems to align more with marketing than with intelligence analysis.
☣️ Threat Landscape
MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users by Matt Muir, Ian Kretz, Sebastian Obregoso and Andy Giron
~ Note, I work at Datadog with the researchers listed here! ~
The Threat Research team at Datadog found a cluster of activity publishing dozens of PyPI and npm packages packed with infostealers. The campaign involved 40+ packages that pulled two separate infostealers as stage 2 payloads targeting Windows. Luckily one of the infostealers is "FOR EDUCATIONAL USE ONLY", so nothing to see here!
One Sock Fits All: The use and abuse of the NSOCKS botnet by Black Lotus Labs
Proxy botnets are for cybercriminals what ORBs are to nation-states: non-attributable and hyper annoying to track. Luckily, the team at Black Lotus Labs dropped a huge exposé on the NSOCKS botnet, which sells actors proxied access through infected hosts to reach their targets. The infected host connects out to a BackConnect C2 server, and the criminals buying access route through the BackConnect and out of the infected host.
Major cybercrime operation nets 1,006 suspects by Interpol
Interpol and Afripol announced a massive operation that arrested 1,006 suspects and took down over 100,000 pieces of malicious infrastructure. The actors leveraged this infrastructure to perform ransomware attacks, BEC, and scams. The law enforcement agencies tracked nearly 200 million dollars in losses and recovered about a quarter of it.
Stolen Credit Card Data: Cybercriminals Are Shifting to Threads to Advertise Stolen Financial Data and PII by Kyla Cardona and Aurora Johnson
SpyCloud researchers Cardona and Johnson track the exodus of Telegram cybercriminals to Meta's Threads social platform. The algorithm makes this easy: when the researchers found one post on Threads with stolen credit card information, it happily served them more content with even more cards to buy! Most notably, this move to Threads coincided with Pavel Durov's arrest, so it looks like some of these criminals wanted to diversify away from Telegram as it's not as safe as they thought.
🔗 Open Source
ssldump by adulau
ssldump is a classic forensics tool and luckily has a new home! It decodes SSLv3/TLS records from a capture into a readable form you can parse through. It has JSON and JA3 support as well!
InfoSec-Black-Friday by 0x90n
Black Friday is this Friday, so make sure to check out this list of Black Friday deals for infosec folk. There are several detection engineering courses with discount codes.
DefenderYara by roadwy
YARA rules extracted from Microsoft for Defender.
MacOS.Stealer.Banshee.7z by vxunderground
Banshee stealer’s leaked source code: lots of detection opportunities and interesting MacOS techniques.
skuld by hackirby
Next-gen stealer written in Go: for educational purposes only, of course.