Det. Eng. Weekly #95 - I prefer Vegas in December
There's something nice about 65-degree weather in the desert.
Welcome to Issue #95 of Detection Engineering Weekly! I'm in Las Vegas this week soaking in the moderately nice sun. I'm so used to being here for DEF CON and hacker summer camp, with 100+ degree weather every day.
For those on BlueSky, I made a “Starter Pack” for detection engineering. You press one button and can follow some of the best detection engineering and threat research minds on the new social network.
Check it out here → https://bsky.app/starter-pack-short/HenXJUR
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Automated Hunting by Mark Ellzey
One of my favorite parts of threat research is infrastructure hunting. It combines so much expertise that I've tried to learn and build over the years in my career: network security, threat intelligence, operating systems, and detection engineering. The basic premise behind infrastructure hunting involves taking known indicators of compromise, such as an IP or a domain, and building fingerprints and pivots on internet data to uncover additional technical threat intelligence. You can turn this methodology into saved searches and get really good at tracking "the bad guys" based on what platforms you have access to.
Ellzey works for Censys, and Censys offers a researcher tier, so sign up so you can follow along. This post covers their tool, Censeye (linked in the open-source section below), his research team's methodology, and how they find interesting pivots and searches. It's a meme in threat hunting, but it really does come down to clever group-by-and-sort: look at the weird values that rarely occur. For example, starting with a stealer C2 from a public report, you can pivot on that server's SSH host key fingerprint and find dozens of other hosts the same actor deployed. My favorite, which Ellzey also does, is hunting for weird and unique HTML titles to uncover red team infrastructure.
I've gotten lucky using Censys/Shodan and others to track ransomware shame sites, phishing websites, C2 servers, and even unmask Tor hidden services. Word of caution: this can burn your API quota, and I hope the Censys team finds clever ways to give more researchers access to this data.
🔬 State of the Art
EDR Silencers and Beyond: Exploring Methods to Block EDR Communication - Part 1 by Fabian Bader
The EDR evasion space keeps getting deeper, with ever more clever ways to cut a sensor off from its upstream management domains using fun Windows internals. Here, Bader digs into a Windows feature called the Name Resolution Policy Table, or NRPT. It's basically /etc/hosts on steroids: instead of a flat name-to-address map, NRPT rules are keyed on a DNS namespace (a suffix or a single host) and decide how the client resolves that namespace, including which name servers it asks.
The attack uses a PowerShell cmdlet or a direct registry edit to add NRPT rules that point resolution for every EDR domain at localhost (127.0.0.1), so the sensor can no longer find its backend servers at Microsoft, CrowdStrike, or whoever. I imagine the EDRs bake some alerting and response for this into the sensor itself, but it should still help you move a bit more quietly during an operation. On the defensive side, an alert for a sensor that stops checking in seems like a good compensating control here.
EDR Silencer and Beyond: Exploring Methods to Block EDR Communication - Part 2 by Mehmet Ergene
No, your eyes aren't deceiving you: this is a Part 2, by Mehmet, published on a different site from Bader's post above. Mehmet continues the work of Bader and the earlier EDRSilencer research by exploring other Windows primitives for the same attack. I was a little satisfied that he starts with /etc/hosts, which I mentioned in Bader's analysis. The other option is dropping from Layer 7 (DNS) to Layer 3 (routing): add routes for the EDR's IP ranges so that traffic to the management plane is effectively blocked.
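To make the two posts concrete from the defender's side, here is an added example of my own (not code from either post) that runs detection logic for all three silencing primitives, NRPT rules, hosts-file entries and routes, over constructed records shaped like what you would export from a Windows host. The EDR domains and IP range are placeholders, and the checks are my heuristics rather than anything the authors published.

```python
"""Added example (my own, not code from either post): detection logic for the
three EDR-silencing primitives discussed above, run over constructed inputs.
The records mirror what you would export from a Windows host:
  NRPT rules  -> Get-DnsClientNrptRule | ConvertTo-Json      (Namespace, NameServers)
  hosts file  -> C:\\Windows\\System32\\drivers\\etc\\hosts
  routes      -> Get-NetRoute -AddressFamily IPv4 | ConvertTo-Json
                 (DestinationPrefix, NextHop, InterfaceAlias)
EDR_DOMAINS and EDR_PREFIXES are placeholders; use your vendor's published lists.
An attacker-side NRPT rule of the kind hunted here looks like (illustrative):
  Add-DnsClientNrptRule -Namespace '.example-edr.com' -NameServers '127.0.0.1'
"""
import ipaddress
import json

EDR_DOMAINS = {"sensor.example-edr.com", "telemetry.example-edr.com"}   # hypothetical
EDR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]                  # hypothetical (TEST-NET-3)
BOGUS_NAMESERVERS = {"127.0.0.1", "::1", "0.0.0.0"}
# Prefixes that legitimately sit on the loopback interface in a Windows route table.
LOOPBACK_NORMAL = [ipaddress.ip_network(p) for p in ("127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]


def records_from_powershell_json(text: str) -> list:
    """ConvertTo-Json emits a bare object for a single result and a list otherwise."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def _covers(namespace: str, domain: str) -> bool:
    """NRPT namespaces are a host name, or a suffix written with a leading dot."""
    ns = namespace.lower().lstrip(".")
    return domain == ns or domain.endswith("." + ns)


def check_nrpt(rules: list) -> list:
    """Part 1: a rule covering an EDR domain, or sending lookups to a loopback/unspecified server."""
    findings = []
    for r in rules:
        servers = set(r.get("NameServers") or [])
        if any(_covers(r["Namespace"], d) for d in EDR_DOMAINS) or servers & BOGUS_NAMESERVERS:
            findings.append(f"NRPT {r['Namespace']} -> {','.join(sorted(servers)) or '<none>'}")
    return findings


def check_hosts(text: str) -> list:
    """Part 2, hosts file: any entry that pins an EDR domain, whatever the address."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(n.lower() in EDR_DOMAINS for n in fields[1:]):
            findings.append("hosts " + " ".join(fields))
    return findings


def check_routes(routes: list) -> list:
    """Part 2, routing: a route overlapping an EDR range, or a non-standard prefix parked on loopback."""
    findings = []
    for r in routes:
        try:
            prefix = ipaddress.ip_network(r["DestinationPrefix"], strict=False)
        except (KeyError, ValueError):
            continue
        if prefix.version != 4:
            continue
        overlaps_edr = prefix.prefixlen > 0 and any(prefix.overlaps(p) for p in EDR_PREFIXES)
        on_loopback = (r.get("NextHop") == "127.0.0.1"
                       or str(r.get("InterfaceAlias", "")).startswith("Loopback"))
        normal = any(prefix.subnet_of(n) for n in LOOPBACK_NORMAL)
        if overlaps_edr or (on_loopback and not normal):
            findings.append(f"route {prefix} via {r.get('NextHop')} ({r.get('InterfaceAlias', '?')})")
    return findings


def audit(nrpt_rules: list, hosts_text: str, routes: list) -> list:
    return check_nrpt(nrpt_rules) + check_hosts(hosts_text) + check_routes(routes)


# Constructed samples: one silenced-by-NRPT rule, one hosts pin, one black-holed range.
SAMPLE_NRPT = [
    {"Namespace": ".example-edr.com", "NameServers": ["127.0.0.1"]},
    {"Namespace": ".corp.example", "NameServers": ["10.0.0.53"]},
]
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   telemetry.example-edr.com   # added by 'attacker'
"""
SAMPLE_ROUTES = [
    {"DestinationPrefix": "0.0.0.0/0", "NextHop": "192.168.1.1", "InterfaceAlias": "Ethernet"},
    {"DestinationPrefix": "127.0.0.0/8", "NextHop": "0.0.0.0", "InterfaceAlias": "Loopback Pseudo-Interface 1"},
    {"DestinationPrefix": "224.0.0.0/4", "NextHop": "0.0.0.0", "InterfaceAlias": "Loopback Pseudo-Interface 1"},
    {"DestinationPrefix": "203.0.113.0/24", "NextHop": "0.0.0.0", "InterfaceAlias": "Loopback Pseudo-Interface 1"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_NRPT, SAMPLE_HOSTS, SAMPLE_ROUTES):
        print("[!]", finding)
```

On a real host, feed `records_from_powershell_json()` the output of `Get-DnsClientNrptRule | ConvertTo-Json` and `Get-NetRoute -AddressFamily IPv4 | ConvertTo-Json`, and read the hosts file directly. The route check deliberately ignores the default route and the loopback prefixes Windows always installs, so it only fires on a range somebody parked on loopback on purpose.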
Importing Sigma Rules into a Threat Intelligence Platform by David Greenwood
Data modeling is one of the most important things you can do as a detection engineer working in an organization, large or small. The problem with data modeling is that it can get confusing when you use different tools or software: maybe your security logs can follow a unified model, but what about your threat intelligence data?
STIX has been the standard data model for threat intelligence for over a decade. In this post, Greenwood shows how to take another data model, Sigma rules, and fit it into STIX so you can explore rule metadata inside whatever TIP you have. This pays off once you step outside the rule's own metadata: a TIP can tie an attack technique to actors and technical threat intelligence, and you can map that technique back to your Sigma rules to check coverage.
I linked the GitHub repo to convert Sigma rules to STIX indicators in the open-source section below!
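As an added example of my own (not the sigma2stix project's code), here is the core of that conversion: a Sigma rule becomes a STIX 2.1 Indicator with `pattern_type` "sigma", and its ATT&CK tags become external references so a TIP can answer "which rules cover T1059.001?". The rule is constructed, the UUIDv5 id derivation and the `x_sigma_level` property are my choices, and the tiny metadata reader stands in for a YAML parser.

```python
"""Added example (mine, not the sigma2stix project's code): turn a Sigma rule
into a STIX 2.1 Indicator with pattern_type "sigma", carrying the rule's
ATT&CK tags as external references so a TIP can answer technique-coverage
questions. The rule below is constructed; deriving the STIX id as a UUIDv5
over the Sigma id is my convention, not a standard.
"""
import json
import re
import uuid
from datetime import datetime, timezone

SIGMA_RULE = r"""title: Suspicious Encoded PowerShell Command Line
id: 8bc5b3d0-0000-4000-8000-000000000001
status: test
description: Detects powershell.exe launched with -EncodedCommand.
author: constructed example
date: 2024/11/20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '-EncodedCommand'
    condition: selection
level: medium
"""

ATTACK_TAG = re.compile(r"attack\.t(\d{4})(?:\.(\d{3}))?$")


def sigma_metadata(text: str) -> dict:
    """Top-level scalar keys plus the tags list, without a YAML dependency.
    Good enough for metadata; the detection block is carried verbatim as the pattern."""
    meta, tags, in_tags = {}, [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                    # a top-level key
            key, _, val = line.partition(":")
            in_tags = key.strip() == "tags"
            if val.strip():
                meta[key.strip()] = val.strip()
        elif in_tags and line.strip().startswith("- "):
            tags.append(line.strip()[2:].strip())
    meta["tags"] = tags
    return meta


def attack_references(tags: list) -> list:
    """attack.t1059.001 -> {"source_name": "mitre-attack", "external_id": "T1059.001", ...}."""
    refs = []
    for tag in tags:
        m = ATTACK_TAG.match(tag)
        if not m:
            continue                                # tactic tags (attack.execution) stay labels only
        tech, sub = m.group(1), m.group(2)
        ext_id = f"T{tech}" + (f".{sub}" if sub else "")
        url = f"https://attack.mitre.org/techniques/T{tech}/" + (f"{sub}/" if sub else "")
        refs.append({"source_name": "mitre-attack", "external_id": ext_id, "url": url})
    return refs


def _stix_timestamp(sigma_date: str) -> str:
    for fmt in ("%Y/%m/%d", "%Y-%m-%d"):           # older and newer Sigma date styles
        try:
            when = datetime.strptime(sigma_date, fmt).replace(tzinfo=timezone.utc)
            return when.strftime("%Y-%m-%dT%H:%M:%S.000Z")
        except ValueError:
            pass
    raise ValueError(f"unrecognised Sigma date: {sigma_date!r}")


def sigma_to_stix_indicator(text: str) -> dict:
    m = sigma_metadata(text)
    stamp = _stix_timestamp(m.get("date", "1970/01/01"))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # deterministic: re-converting the same rule yields the same object id
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "sigma-rule:" + m["id"])),
        "created": stamp, "modified": stamp, "valid_from": stamp,
        "name": m["title"],
        "description": m.get("description", ""),
        "indicator_types": ["malicious-activity"],
        "pattern": text,
        "pattern_type": "sigma",
        "labels": m["tags"],
        "external_references": attack_references(m["tags"]),
        "x_sigma_level": m.get("level", "unknown"),   # custom property, x_ prefix per STIX convention
    }


def coverage_for_technique(indicators: list, technique_id: str) -> list:
    """Names of indicators (rules) that reference a given ATT&CK technique id."""
    return [i["name"] for i in indicators
            if any(r.get("external_id") == technique_id for r in i.get("external_references", []))]


if __name__ == "__main__":
    ind = sigma_to_stix_indicator(SIGMA_RULE)
    print(json.dumps({k: v for k, v in ind.items() if k != "pattern"}, indent=2))
    print("covers T1059.001:", coverage_for_technique([ind], "T1059.001"))
```

Once the indicators are in the TIP, the coverage question is a lookup on `external_references`, which is the translation step the post is after.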
Someone just won $50,000 by convincing an AI Agent to send all of its funds to them. by Jarrod Watts (on X)
I don't usually include X threads or AI research in this newsletter, but this was a clever thread about gaming an AI agent that manages a smart contract on Ethereum.
Basically, a developer deployed a smart contract into which people could pay (starting at $10) for a chance to convince the AI agent managing it to send them money. The agent's instruction was to accept funds and never transfer them out. Someone "broke" it once the pot reached around $50,000 and walked away with the reward.
Dissecting JA4H for improved Sliver C2 detections by Webscout
If you haven't played around with the JA4+ suite, this is a great post showing the power of its fingerprinting algorithms. Here, a threat actor documented by Arctic Wolf was exploiting the recent Palo Alto Networks PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474. Arctic Wolf did the community a solid by releasing indicators of compromise so threat hunters could check exposure in their own environments.
John Althouse boiled the IOCs from the infection chain down by showing how JA4 can catch the Sliver C2 framework by fingerprinting the communication itself rather than hunting on ephemeral IPs. Webscout took this further by standing up Sliver and finding additional fingerprinting opportunities in its default configuration, which they published in the post. It's highly technical and highly reproducible, down to the CyberChef recipes they used!
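To show what JA4H actually hashes, here is an added example of my own (not Webscout's or FoxIO's code) that computes a JA4H fingerprint from a raw HTTP/1.x request. It follows the published JA4H layout as I read it: `a` is method, version, cookie and referer flags, header count and Accept-Language; `b`, `c` and `d` are SHA-256 hashes, truncated to 12 hex characters, of the header names in order, the cookie names sorted, and the cookie name=value pairs sorted, with twelve zeros for `c` and `d` when the request carries no cookies. Both requests below are constructed, not Sliver captures.

```python
"""Added example (mine, not Webscout's or FoxIO's code): JA4H from a raw
HTTP/1.x request head, per the published JA4H layout as I read it.
  a: method(2) + version(2) + cookie(c/n) + referer(r/n) + header count(2) + language(4)
  b: sha256(header names in order, minus Cookie/Referer)[:12]
  c: sha256(cookie names, sorted)[:12]            (000000000000 if no cookies)
  d: sha256(cookie name=value pairs, sorted)[:12] (000000000000 if no cookies)
The sample requests are constructed.
"""
import hashlib

ZERO12 = "0" * 12


def _h12(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def parse_request(raw: str):
    """(method, version, [(name, value), ...]) from the request head; body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, _target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, version, headers


def ja4h_parts(raw: str) -> dict:
    """The a-segment plus the exact strings that get hashed for b, c and d."""
    method, version, headers = parse_request(raw)
    lookup = {n.lower(): v for n, v in headers}
    ver = version.split("/", 1)[1].replace(".", "")[:2].ljust(2, "0")   # HTTP/1.1 -> 11, HTTP/2 -> 20
    cookies = [c.strip() for c in lookup.get("cookie", "").split(";") if c.strip()]
    names = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = lookup.get("accept-language", "").split(",", 1)[0].split(";", 1)[0]
    lang = "".join(ch for ch in lang.lower() if ch.isalnum())[:4].ljust(4, "0")  # en-US -> enus
    a = (method[:2].lower() + ver
         + ("c" if cookies else "n")
         + ("r" if "referer" in lookup else "n")
         + f"{min(len(names), 99):02d}"
         + lang)
    return {
        "a": a,
        "b_input": ",".join(names),
        "c_input": ",".join(sorted(c.split("=", 1)[0] for c in cookies)),
        "d_input": ",".join(sorted(cookies)),
    }


def ja4h(raw: str) -> str:
    p = ja4h_parts(raw)
    c = _h12(p["c_input"]) if p["c_input"] else ZERO12
    d = _h12(p["d_input"]) if p["d_input"] else ZERO12
    return "_".join([p["a"], _h12(p["b_input"]), c, d])


def ja4h_ab(raw: str) -> str:
    """a_b only: the cookie-derived c/d segments change per session, so watchlists
    usually pivot on the stable prefix."""
    return "_".join(ja4h(raw).split("_")[:2])


# Constructed requests (TEST-NET-2 address, made-up cookie).
REQ_WITH_COOKIES = ("GET /api/v1/session HTTP/1.1\r\n"
                    "Host: 198.51.100.23\r\n"
                    "User-Agent: Mozilla/5.0\r\n"
                    "Accept-Language: en-US,en;q=0.9\r\n"
                    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
                    "Referer: https://198.51.100.23/\r\n"
                    "Accept-Encoding: gzip\r\n\r\n")
REQ_BARE = ("POST /upload HTTP/1.1\r\n"
            "Host: 198.51.100.23\r\n"
            "Content-Type: application/octet-stream\r\n\r\n")

if __name__ == "__main__":
    for req in (REQ_WITH_COOKIES, REQ_BARE):
        print(ja4h(req), ja4h_parts(req))
```

Run it against a request you pulled from a PCAP and compare the `a_b` prefix with what Webscout derived for Sliver's defaults; the value of the scheme is that the prefix survives a change of C2 IP, while `c` and `d` tell you whether the cookie behaviour matches too.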
🎙️ Detection Engineering Media
If you read last week's gem, you'll notice that this week's guest on the 3 Buddy Problem podcast is the CEO of the company that worked the Nearest Neighbor incident! Their team's breakdown of how they found the attack, and how they use network telemetry to find compromises of network edge devices, is fascinating.
Wade Wells joined Detection Engineering Dispatch to discuss everything detection-as-code. It's a fascinating subfield of detection engineering that still needs lots of research and talks to fully realize its potential. I like how Wells emphasized thorough documentation for each detection, using Palantir's Alerting and Detection Strategy (ADS) framework, so anyone reading the alert has a full playbook for responding to it.
☣️ Threat Landscape
Bootkitty: Analyzing the first UEFI bootkit for Linux by Martin Smolár and Peter Strýček
ESET researchers found a UEFI bootkit targeting Linux on VirusTotal. Their initial analysis concluded it was probably a proof of concept rather than something deployed against victims, and they later confirmed it was a university project by students in Korea. The post has some interesting detection opportunities, such as looking for LD_PRELOAD use during the boot process and making sure UEFI Secure Boot is enabled, since the bootkit is self-signed and won't run under Secure Boot.
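Those two detection opportunities are cheap to check on a Linux host, so here is an added example of my own (not ESET's code) that reads the Secure Boot state from the UEFI variable and looks for LD_PRELOAD in PID 1's environment, with /etc/ld.so.preload as an extra check. Checking PID 1's environment is my way of approximating "LD_PRELOAD during boot"; the sample inputs are constructed, and the functions take bytes or text so they run offline.

```python
"""Added example (mine, not ESET's): the two host checks the post points at,
as functions over bytes/text so they can be exercised offline, plus
audit_host() to run them on a live Linux box. Reading PID 1's environment is
my approximation of "LD_PRELOAD during boot"; /etc/ld.so.preload is an extra
check. Sample inputs are constructed.
"""
from pathlib import Path
from typing import List, Optional

# UEFI "SecureBoot" variable (standard EFI global-variable GUID). efivarfs prefixes
# the value with 4 bytes of attributes, so the one-byte flag sits at offset 4.
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
PID1_ENVIRON = Path("/proc/1/environ")
LD_SO_PRELOAD = Path("/etc/ld.so.preload")


def secureboot_state(efivar: Optional[bytes]) -> str:
    """'enabled', 'disabled', or 'unknown' (variable absent: legacy BIOS boot or efivarfs not mounted)."""
    if efivar is None or len(efivar) < 5:
        return "unknown"
    return "enabled" if efivar[4] == 1 else "disabled"


def ld_preload_from_environ(environ: bytes) -> List[str]:
    """LD_PRELOAD values in a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)."""
    return [e.split(b"=", 1)[1].decode("utf-8", "replace")
            for e in environ.split(b"\0") if e.startswith(b"LD_PRELOAD=")]


def ld_so_preload_entries(text: str) -> List[str]:
    """Non-comment, non-empty lines of an /etc/ld.so.preload-style file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def audit(efivar: Optional[bytes], pid1_environ: bytes, ld_so_preload: str) -> List[str]:
    findings = []
    state = secureboot_state(efivar)
    if state != "enabled":
        findings.append(f"Secure Boot {state}: a self-signed bootkit would be allowed to load")
    for path in ld_preload_from_environ(pid1_environ):
        findings.append(f"LD_PRELOAD set in PID 1 environment: {path}")
    for path in ld_so_preload_entries(ld_so_preload):
        findings.append(f"/etc/ld.so.preload entry: {path}")
    return findings


def _read(path: Path) -> Optional[bytes]:
    try:
        return path.read_bytes()
    except OSError:              # missing, or not root for /proc/1/environ
        return None


def audit_host() -> List[str]:
    return audit(_read(SECUREBOOT_VAR),
                 _read(PID1_ENVIRON) or b"",
                 (_read(LD_SO_PRELOAD) or b"").decode("utf-8", "replace"))


# Constructed samples.
SAMPLE_EFIVAR_ON = bytes([0x06, 0, 0, 0, 1])
SAMPLE_EFIVAR_OFF = bytes([0x06, 0, 0, 0, 0])
SAMPLE_ENVIRON_BAD = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/lib/x86_64-linux-gnu/libinject.so\0"
SAMPLE_ENVIRON_OK = b"PATH=/usr/sbin:/usr/bin\0HOME=/\0"

if __name__ == "__main__":
    for finding in audit(SAMPLE_EFIVAR_OFF, SAMPLE_ENVIRON_BAD, "# nothing\n/lib/evil.so\n"):
        print("[sample]", finding)
    for finding in audit_host():
        print("[host]", finding)
```

Run `audit_host()` as root for the environment check; an "unknown" Secure Boot state on a UEFI machine usually means efivarfs isn't mounted rather than that the flag is missing.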
Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud by FBI
This is a wild PSA from the FBI on the use of generative AI for scams and fraud. It has the things you would expect: synthetic content generation, fake profile photos, and spear phishing at scale. But the sections on voice cloning and on using generative AI for sextortion made my stomach turn. I'm curious whether their tips on protecting yourself are practical; for example, can you train your grandparents to follow this recommendation?
Listen closely to the tone and word choice to distinguish between a legitimate phone call from a loved one and an AI-generated vocal cloning.
Joint operation investigated thousands of cyber-enabled scams on five continents by INTERPOL
Another cyber-scam takedown notice from INTERPOL! This one was no joke: more than 400 million USD in assets were seized. The operation targeted perpetrators of voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise, and e-commerce fraud.
Accused Kitchener hacker unmasked after threatening woman online by Terry Pender
Excellent recap of the Snowflake hacker arrest, this time with a local twist from waifu’s hometown. I want to give a huge shoutout to folks who worked on this case, especially Allison, who I still think is one of the most important and impactful security researchers (and also has great stickers) of this decade.
Chinese hack of global telecom providers is ‘ongoing,’ officials warn by Maggie Miller
More Salt Typhoon news, though this story carries an unusual recommendation from CISA. According to the article, as many as 80 ISPs and telcos were compromised, and CISA's Jeff Greene recommended that everyone use encrypted messaging apps like Signal until this is resolved.
🔗 Open Source
sigma2stix by muchdogesec
Convert Sigma rules to STIX format indicators, as featured in the post above by David Greenwood.
censeye by Censys-Research
Censys threat hunting tool on steroids. Beware your API query limit :). As featured in the gem post above by Mark Ellzey.
RequestShield by osintmatter
Open-source threat detection tool for web logs. It parses access logs and applies a risk-scoring algorithm on top, enriched with other open sources such as AbuseIPDB and MaxMind's GeoLite.
NoDelete by moval0x1
Malware analysis tool that locks a target folder and prevents any files in it from being deleted. Super helpful when a sample self-deletes once it runs.