Detection Engineering Weekly #10 - You don't publicly expose your ESXi servers, do you?
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue 10 of Detection Engineering Weekly! WE CROSSED 1000 SUBSCRIBERS! I am so thankful for your patronage and the feedback throughout the process. I am continuing to improve every week, and you’ll start to see some minor changes to style or format.
I’ve also gotten a few emails about sponsored spots; if that’s interesting to you, shoot me an email at techy@detectionengineering.net. I need to do it tastefully, and I’d probably follow similar formats to tl;dr sec and a few other top security newsletters.
Explain Detection Engineering to your CEO: Feature #3 - Brandon Dossantos
Social links: LinkedIn
Reduction of manual effort is key here! Security is a cost center, so by optimizing and automating, you can do the work of many manual analysts, which can help reduce headcount or manual work and therefore cost. Nice “e-mail” Brandon!
This week’s recap:
A gem by Alex Teixeira on in-house threat detection that is holding true years later
A new Detection: Challenging Paradigms podcast, more ChatGPT and OneNote detection opportunities
ESXi gets pwned, but not completely
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
Happy Hunting
💎 Detection Engineering Gem 💎
DIY: In-house Threat Detection Engineering by Alex Teixeira
I love going back to posts made years ago and seeing how well they predicted (or not) how we would operate today. For this post, Teixeira's take on creating an in-house threat detection team from 2018 still holds true for what we are facing almost five years later! I think from 2015 onwards, SIEM engineers and threat analysts alike started to see that a heavy SIEM with generic rules was not going to work at scale for companies with unique threat models and data. Here is my favorite quote from the blog:
Given the amount of non-standard data types and distinct threat models or different priorities seen in enterprise environments, it comes as no surprise that organizations should not rely on vendors to come up with ways to leverage that data for detection.
State of the Art
Episode 28: Hosts by Detection: Challenging Paradigms (DCP)
My first podcast link, but I'm glad to see that DCP released their first episode of the year! If you want a deep dive into how security leaders and experts talk about false positives and alerting strategies, check this episode out. The hosts are also doing mini casts, which you can view on LinkedIn or YouTube, so make sure to go follow them here and tune in!
How Adversaries Can Persist with AWS User Federation by Vaishnav Murthy and Joel Eng
AWS persistence via abuse of Federated Tokens. The tl;dr here is that Murthy and Eng discovered a technique where a federated token was used to maintain persistence, even after the account that created that token was revoked. CrowdStrike did the right thing and disclosed this technique to AWS, who subsequently updated their documentation to reflect that federated tokens can be used to access the AWS Console.
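As an added example (not from the newsletter or from CrowdStrike's post), here is a CloudTrail-style check for exactly this persistence pattern: federated-user activity that continues after the IAM user who called GetFederationToken was deleted or had its keys deactivated. The records below are constructed; the account id, user names and session name are hypothetical, and the field layout follows CloudTrail's documented shape.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style records (hypothetical account id, users and session).
SAMPLE_EVENTS = [
    {"eventTime": "2023-02-06T10:00:00Z", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "build-svc"},
     "responseElements": {"federatedUser": {
         "arn": "arn:aws:sts::111122223333:federated-user/backup-session"}}},
    {"eventTime": "2023-02-06T11:30:00Z", "eventName": "DeleteUser",
     "userIdentity": {"type": "IAMUser", "userName": "sec-admin"},
     "requestParameters": {"userName": "build-svc"}},
    {"eventTime": "2023-02-06T12:15:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/backup-session"}},
]

# IAM calls that cut off the creator's own access but do not revoke sessions already minted.
REVOKE_EVENTS = {"DeleteUser", "DeleteAccessKey", "UpdateAccessKey"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_federated_activity(events):
    """Return (time, API call, federated ARN, creator) for federated activity
    that happens after the IAM user who minted the session was revoked."""
    minted_by = {}   # federated-user ARN -> IAM user that called GetFederationToken
    revoked_at = {}  # IAM user -> first time their access was cut off
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        ident = ev.get("userIdentity", {})
        if name == "GetFederationToken" and ident.get("type") == "IAMUser":
            arn = ev["responseElements"]["federatedUser"]["arn"]
            minted_by[arn] = ident["userName"]
        elif name in REVOKE_EVENTS:
            params = ev.get("requestParameters", {})
            # UpdateAccessKey only counts as revocation when the key is deactivated.
            if name == "UpdateAccessKey" and params.get("status") != "Inactive":
                continue
            revoked_at.setdefault(params.get("userName"), _ts(ev["eventTime"]))
        elif ident.get("type") == "FederatedUser":
            creator = minted_by.get(ident.get("arn"))
            if creator in revoked_at and _ts(ev["eventTime"]) > revoked_at[creator]:
                findings.append((ev["eventTime"], name, ident["arn"], creator))
    return findings
```

The useful hunting output is the last tuple: a session still acting under an identity whose creator no longer exists, which is the gap the post describes.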
ChatGPT and Microsoft Sentinel — simplify the incident handling process by Antonio Formato
Even more ChatGPT shenanigans, this time using Microsoft Sentinel playbooks to automate response actions, hunt queries, and detection opportunities. If we can nail the balance between ChatGPT doing 80% of the grunt work, us fact-checking that work, and then humans finishing the remaining 20%, it'll be a game changer for blue teams.
Multi-Session Compromise by Teri Radichel
You should read Teri Radichel on Medium. The number of posts and quality content generated by their Medium is insane. In this post, Radichel describes an attack opportunity where temporary credentials between multiple AWS accounts (and roles) are cached. The attacker can use these cached credentials to perform a privilege escalation. It's somewhat confusing, like many things cloud, and is inconsistent across IAM models in major cloud service providers.
Detecting OneNote (.One) Malware Delivery by Micah Babinski
Babinski is quite a graphic designer
Just from the header image alone, you should read this post! Babinski goes into their thought process of discovering how .one files are created, how this applies to the latest trend in OneNote malware, and what you can do to detect these attacks. I appreciate the thought process and notes along the way, as it can be frustrating reading a post on detecting X, Y, or Z, and authors make a massive jump between two concepts without explaining how they got there. RTLO characters make an appearance here, and if you know what that is, you might be shivering like me from fear and excitement.
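The RTLO trick mentioned above, as an added example (this is not code from Babinski's post): the check below unmasks a Right-To-Left Override in a filename by rendering the name the way a bidi-aware UI would, compares the displayed extension with the one the OS will actually use, and flags .one and similar lure extensions. The sample names and the extension list are constructed for illustration.

```python
RTLO = "\u202e"
# Unicode bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions worth a second look when they arrive as mail attachments (constructed list).
LURE_EXTENSIONS = {".one", ".hta", ".wsf", ".js", ".vbs", ".exe", ".scr", ".lnk"}


def displayed_name(name):
    """Render the name the way a bidi-aware UI shows it: text after an RTLO is reversed."""
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def real_extension(name):
    """Extension the OS actually uses, ignoring the invisible bidi controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot >= 0 else ""


def analyze_filename(name):
    """Return the reasons a filename looks like a lure; an empty list means none found."""
    reasons = []
    real = real_extension(name)
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi control character in filename")
        shown = real_extension(displayed_name(name))
        if shown != real:
            reasons.append(f"displays as {shown or 'no extension'} but opens as {real}")
    if real in LURE_EXTENSIONS:
        reasons.append(f"lure extension {real}")
    return reasons


# Constructed sample names as they might appear in mail-gateway or file-create telemetry.
SAMPLE_NAMES = ["Q1_report.pdf", "invoice.one", "scan_\u202efdp.one"]
```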
API requests are available via audit log streaming – Private Beta by GitHub
Praise be, and a bit late, but I'm glad to see GitHub starting to make audit logs available. Now they just need to do this for smaller orgs (not enterprises), and maybe we can all help prevent exfiltration of code and detect abuse in our GitHub orgs!
Incident Response in Google Cloud: Forensic Artifacts by Sygnia
An excellent crash course in Google Cloud security and the types of logs and artifacts you can use for incident response, detection engineering, and analysis. The cool part about this post is the thoughtfulness put into mental models and triage processes. For example, there are many types of alerts that Google can generate, but Sygnia did the hard work for everyone and listed out some relevant ones for triage, including general, user, administrative, Gmail, and custom alerts. Bookmark this!
Threat Landscape
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign by Asaf Eitani
An in-depth post about a novel malware campaign and family dubbed "HeadCrab." The malware strain finds exposed Redis servers and loads a Redis module from a C2 server, a module being something that, according to Redis, "extends the server's functionality in many ways." The best part here is that the malware authors gave a shoutout to the AquaSec team. You know you've made it when you get a threat actor shoutout!
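Module loading on an exposed Redis server is the step a defender can watch for, so here is an added example (not code from Aqua's HeadCrab write-up): it parses Redis MONITOR output and flags MODULE LOAD, replication changes and CONFIG SET coming from anything other than the local host. The log lines are constructed, and the addresses come from the documentation range.

```python
import re

# MONITOR line shape: "<unix ts> [<db> <client addr>] "CMD" "arg" ..."
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args; escapes are kept verbatim

# Commands that change what the server executes or where it writes files.
WATCHED = {
    ("MODULE", "LOAD"): "loads native code into the Redis process",
    ("SLAVEOF",): "points this server at another master for replication",
    ("REPLICAOF",): "points this server at another master for replication",
    ("CONFIG", "SET"): "rewrites server configuration (e.g. dir/dbfilename)",
}


def parse_monitor_line(line):
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    host = m["addr"].rsplit(":", 1)[0]  # strip the client port
    return {"ts": float(m["ts"]), "host": host, "args": ARG_RE.findall(m["args"])}


def is_local(host):
    return host in ("127.0.0.1", "::1", "localhost") or host.startswith("unix:")


def find_module_abuse(lines):
    """Return one finding per watched command issued from a non-local client."""
    hits = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"] or is_local(ev["host"]):
            continue
        upper = tuple(a.upper() for a in ev["args"][:2])
        for key, why in WATCHED.items():
            if upper[:len(key)] == key:
                hits.append({"host": ev["host"], "cmd": " ".join(ev["args"]), "why": why})
    return hits


# Constructed MONITOR output: one benign local write, then a remote client reconfiguring the server.
SAMPLE_MONITOR = [
    '1675600000.100000 [0 127.0.0.1:43210] "SET" "session:1" "abc"',
    '1675600001.200000 [0 203.0.113.7:51000] "SLAVEOF" "203.0.113.9" "6379"',
    '1675600005.300000 [0 203.0.113.7:51000] "MODULE" "LOAD" "/tmp/exp.so"',
    '1675600006.400000 [0 203.0.113.7:51000] "CONFIG" "SET" "dir" "/tmp"',
]
```

Any hit at all from a non-local client on a server that is not supposed to be reachable from outside is the real finding; the MODULE LOAD is just the loudest one.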
Ransomware targeting VMware ESXi by Julien Levrard
If you ran a publicly facing ESXi server from approximately its inception to now, you have had a bad time for many years. Last week probably did not help. OVH, which I don't usually see threat posts from, posted a detailed blog on publicly exposed ESXi servers being popped through CVE-2021-21974 and being ransomed. Why encrypt VMs when you can encrypt the hypervisor itself?
New Medusa Botnet Emerging Via Mirai Botnet Targeting Linux Users by Cyble Research
Propagated off Mirai infections, Medusa doesn't act like the stealers I've come to love. It infects Linux devices, performs DDoS attacks, has ransomware functionality, and also has a wiper. It sends C2 traffic back to medusa-stealer[.]cc, complete with a friendly splash page!
MalVirt | .NET Virtualization Thrives in Malvertising Attacks by Aleksandar Milenkoski
A scary new loader, dubbed MalVirt, has emerged from the recent uptick in malvertising attacks. The infection chain of some of these malware families is fascinating, as there is a supply-chain aspect from initial access to a data breach. A malvertising campaign can drop MalVirt, which then loads FormBook, an infostealer, and many infostealers and loaders like these have been initial access vectors for ransomware.
Microsoft tracks >100 ransomware threat actors by Microsoft Security Intelligence
I wonder if Microsoft popped a bottle of champagne after hitting the 100 mark for ransomware threat actors tracked. The Microsoft Intelligence team notes that although phishing has been the tried and true method for ransomware, malvertising is on the rise and is proving to be an effective initial access vector.
Making Waves: TTP Intelligence Highlights in January by Scott Small
And to finish out this week's threat landscape: a much better and more thorough threat landscape report by the team at Tidal! 684 techniques were referenced in public threat reporting across 39 sources. Check out the Install Digital Certificate (T1608.003) section, a technique that is rarely referenced in public reporting and was reported by Mandiant.
Open Source
pdtm by Project Discovery
Neat Golang tool by Project Discovery that installs all of their tools in one go (haha).
Awesome Actions by Sdras
A bit of a different repo from our usual security repos, but I liked this one because many threat detection professionals use GitHub Actions in their day-to-day. This is a great collection of interesting actions you can add to your pipelines.
They Are Always After Me Lucky JARMS by Sketchymoose
JARMs are a great pivoting tool for threat hunting and mapping attacker infrastructure. Back to last week's gem on composite objects, JARM hashes are an additional component to add to the arsenal of hunting for similar infrastructure. This post contains the rationale behind the script and a link to the GitHub repo here.
ffuf 2.0 by ffuf
The 2.0 release of the popular web fuzzer ffuf. It can now be used as a vulnerability scanner and has better tracking of successful attacks via hashes.