Det. Eng. Weekly #99 - I got 99 problems
But a title ain't one
Welcome to Issue #99 of Detection Engineering Weekly!
I have returned from the last Shmoocon, and boy am I going to miss it. My first one was in 2012, and I missed all-but-two since then. I said hello to probably 100+ people over the weekend, and several readers stopped me to also say hi :). It feels great knowing there are real people out there that read this and find it useful, so thank you all so much and I hope the folks who got stickers enjoy them!
⏪ Did you miss the previous issue? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Part 15: Function Type Categories by Jared Atkinson
This is an excellent follow-up post to last week's gem, the EDR compendium. You have a good idea (hopefully) of how Windows internals work alongisde EDR, and now you can write much deeper OS and API call detections. If not, read on.
In Jared's part 8 blog, he mapped out how to map out tool graphs and function chains to circumvent and build detections. It was quite eye-opening seeing all the combinations of various Windows API calls that can achieve the same function but using a different API call within the chain:
So, this blog post helps readers build these tool graphs by classifying types of functions based on his research into the heuristics of the kinds of functions inside Windows. Once you pick a function chain like the one listed above, you can pick out a "critical function" that is necessary to achieve the function chain. So, when reversing a malicious binary and isolating the critical function, you can identify the parameter signatures in the lowest level function to try to "catch" the specific technique at it's most critical level.
The crazy thing I find about Windows is the amount of indirection DLLs use when interacting with various APIs. As far as I can understand (and I hope folks like Jared can correct me), this is a combination of backward compatibility features and a security precaution. Unlike Linux, Windows wants a hard boundary between user-mode and Kernel-mode operations, and this does set up detection opportunities if you can capture all the combinations.
🔬 State of the Art
Reliable system call interception. by Magnus Groß
The best analogy for rootkits is that they apply rose-colored glasses to the system. Hear no evil, see no evil, speak no evil right? Well, one of the fun things you can do with rootkits is make specific binaries being run or files being modified; it seems like nothing nefarious is going on.
Groß explores this with some modern Linux kernel techniques. According to Groß, Linux treats seccomp profiles as BPF and eBPF under the hood, so you can do some trickery with seccomp's unotify module and creating a TOCTOU condition and hide files.
Qualifying Stakeholder Requirements for Detection Development by Regan Carey
Security engineering is built on the shoulders of software engineering. If you talk with any professional software engineer, I'm sure they have war stories on extracting requirements from a stakeholder. Their manager, CEO, customers, and users are all examples of stakeholders in a software engineering environment. Funny enough, these examples work well for detection engineering teams, too. So, besides your teammates, how do you deal with outside stakeholders requesting new work from your detection teams?
Carey explores this topic through the eyes of one of those detection engineers. Much like any ticket management and request system, you need to ask lots of questions and filter out noise. How relevant is the request? Is it related to a false positive or false negative? Is it covered by other rules or features? This is the "boring" but important work that detection engineering teams need to do to account for capacity and be productive.
My favorite nugget of knowledge in this post is Carey's advice to readers to avoid side channels. Basically, don't work outside your ticketing process and take requirements or work items via email or chat. This can start to breakdown the fabric of your team's process and can really erode productivity.
The Role of Fuzzy Hashes in Security Operations by Eric Capuano
Hashes are a misnomer in information security because they are shorthand for something very specific in cryptography: one-way cryptographic hashes. The idea behind a one-way hash is that it's powerful in enforcing the avalanche effect, which I discussed in Issue #96. But did you know other hash algorithms exist and can be used for everything from error correction to clustering?
Capuano explores the idea of clustering potentially malicious files using these different algorithms. SSdeep, imphash and tlsh hashes are all fantastic ways to generate and use these strings for clustering and comparison. The best part is he includes a lab, so you can play around with them yourself!
Attacking Entra Metaverse: Part 1 by Daniel Heinsen
If you cringe whenever you hear the phrase "cloud transformation," you are not alone. What does it mean besides a bunch of marketing fluff? Well, Heinsen has you covered here, providing a practical example of how Microsoft tackles firms moving to Azure and connecting on-prem Active Directory with their Azure equivalent: Entra.
Heinsen starts this blog post with a quick introduction to Entra and how Entra Connect Sync takes changes from the local Active Directory and syncs them to Entra. He then dives deep into the "metaverse," yes, it's real, and no, Zuck doesn't own it.
You typically see changes from the local Active Directory into Entra. Still, Heinsen explores compromising the Entra user to move back into the on-prem environment. He does this by abusing KeyCredentialLink attributes, which are analyzed in detail in this blog post.
Introducing Limbo: A complete rewrite of SQLite in Rust by Pekka Enberg and Glauber Costa
This is detection-adjacent news, but I thought it was interesting for folks who deploy SQLite and leverage it heavily in their environments. SQLite is surprisingly fast since it's stored in memory (and not memory/disk or on some remote server). Limbo tries to address some of SQLite's write limitations and puts other features as first-order citizens rather than afterthoughts. I'm particularly interested in its WASM capabilities and shipping full SQLite to an edge service like Cloudflare for all kinds of high-performant detection and blocking.
🎙️ Detection Engineering Media
It feels good to be back in the saddle and my favorite podcasts starting to spin again after the holidays! This is a good episode of Security Conversations if you want some sobering but pragmatic takes on the state of edge-network device compromises. It's like that meme of the Grim Reaper going to different doors to claim a life vulnerability, and each door is labeled with the usual suspects.
The other peculiar story that led to a great conversation here is China's rejection of the Volt Typhoon findings. A news organization within China argued that Volt Typhoon was a false flag operation.
Listen, we are spoiled in cybersecurity. I can't count the times I've heard other researchers or startup entrepreneurs talk about a "new" thing they discovered that the world had for hundreds of years. Cyber threat intelligence is a huge culprit because it's investigative intelligence with a computer security twist.
This episode of Darknet Diaries is a good reminder that "intelligence" has many applications, and it's one of the more unique episodes because it's an OSINT-focused non-profit focused on finding bike thieves!
☣️ Threat Landscape
Authentication bypass in Node.js websocket module by Fortinet
Big oof vulnerability on FortiOS and FortiProxy that allows not only an authentication bypass but also granting super-admin privileges. They give IP IOCs towards the middle of the post, and I am facepalming because they are terrible and show a lack of understanding of attacker infrastructure. I'll send stickers to a random poster who replies to this newsletter with wtf is wrong with these:
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls by Stefan Hostetler, Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus Neis
Speaking of more Fortinet shenanigans, Arctic Wolf researchers describe campaigns likely exploiting the above Fortinet blog. Notice the IPs in Phase 1, but make sure you read the reason why these are spoofed beforehand. It’s nice to see more log IOCs in this one compared to Fortinet’s, and they split it out by the separate phases of the attack.
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers by Department of Justice
FBI announced a PlugX disruption operation alongside French authorities and Sekoia. They took out thousands of PlugX infections in the U.S., seemingly because Sekoia and their partners found a way to issue a delete command against infections. Yet another interesting approach to search and seizure authority that the FBI leverages to perform these operations.
Analysis of Counter-Ransomware Activities in 2024 by BushidoToken
BushidoToken provides a 2024 review of the good guys getting some wins against ransomware gangs. He points to three pillars that make these operations successful: Ransomware-as-a-service platforms, cryptocurrency, and safe havens that prevent extradition. Within each pillar, he points out different operations, such as arrests or takedowns, that helped us move closer to stopping ransomware. But, until we take out one of these pillars for good, it'll be a long time before we "stop" these operations.
🔗 Open Source
esxi-testing-toolkit by AlbinoGazelle
ESXi Testing Toolkit is like Atomic Red Team, but for ESXi servers. This is great for threat emulation and testing detections in a lab environment. The repository has 21 different attacks across 8 different MITRE ATT&CK techniques. There’s lots of documentation and helpful examples!
what-is-this-stealer by MalBeacon
Much like ransomware notes have specific formats and text, so do infostealers! The good folks at MalBeacon dropped over 20 YARA rules to detect infostealer system info files, which can help detect active infections or for threat hunting.
CF-Hero by musana
Cloudflare, everyone's favorite CDN for hiding backend origin IP addresses, can frustrate infrastructure analysis and clustering. Threat actors can make mistakes and configure their service incorrectly, so you can look at different pieces of metadata or Internet scanners to find the true service IP address.
CF-Hero automates this using a combination of DNS data and Internet scan data. It has a pretty interesting architecture and decision chart, and it even checks its findings against the Cloudflare-protected domain to confirm what you found.
Evilbytecode-Gate by EvilBytecode
Evilbytecode-Gate is a Windows malware research tool that provides a PoC to find System Service Numbers (SSNs) of syscalls. This is particularly useful if you want to access syscalls directly, but since Windows doesn't like you doing this and has different service numbers across versions, it can be difficult to find.
ExecutePeFromPngViaLNK by Maldev-Academy
A clever way to use steganography and embed a Windows executable into a PNG file, with an associated LNK file that extracts, decrypts, and runs the PE file.