Detection Engineering Weekly #19 - Elon Musk killed my Twitter embeds
MY twitter embeds, not yours, but MINE!
Welcome to Issue 19 of Detection Engineering Weekly!
This week’s recap:
Leo Bastidas’ journey into Detection Engineering at TrustedSec
Windows seems to provide a lot of resources to live off the land, this time with drivers, by Michael Haag, Jose Hernandez, and Nasreddine Bencherchali
Microsoft and Fortra go after Cobalt Strike, and Iran is taking out Azure environments, according to Microsoft
CISA adds five new vulnerabilities to KEV
and much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
On the Road to Detection Engineering by Leo Bastidas
Timely post for my newsletter, but this is the first time I’ve included a “gem” that isn’t months in the past! I am a big believer in posts that highlight HOW someone got into a career because it sometimes isn’t what you would expect. For example, going from the military as a system administrator and security engineer to an incident responder at a consulting firm, then moving into detection engineering isn’t a path I would envision.
This post also describes a path into security I can relate to: systems administration. Is that a thing anymore, or did devops/SRE kill it? Some of the best security folks I’ve ever met came from IT and administration backgrounds, so you don’t need a CS degree, or specific detection training certs, to get into this field. All you really need is the ability to learn, wear many hats, and think like a defender and an attacker.
State of the Art
Living Off The Land Drivers by Michael Haag, Jose Hernandez, and Nasreddine Bencherchali
If you have heard of the famous LOLBAS project, which catalogs legitimate binaries and scripts that can be abused for “living off the land” techniques, then this project shouldn’t be a surprise to you. Turns out drivers are just as useful as a way to masquerade your post-infection tomfoolery, and Haag, Hernandez and Bencherchali documented all of this for you!
The crew also did an Atomics on a Friday stream episode if you want to dive deep on how the project came to be.
64 Methods For Execute Mimikatz(RTC0003) by RedTeamRecipe
The title is exactly what is inside this blog post. Are you a bad enough dude to write detections for all 64?
Understanding Azure logging capabilities in depth by Morten Knudsen
This is one of the most comprehensive Azure logging blogs I’ve ever read. Knudsen goes into deep detail on how Azure performs data collection, aggregation, and querying using “data-in,” “data-transformation,” and “data-out” nomenclature.
Quarterly Sigma Project Update Q1/2023 by Florian Roth
Q1 update from the good folks at the Sigma project. The most exciting changes, in my opinion, are the new ruleset releases and new rule types. Specifically, Sigma rules are now split into generic, emerging threats, and threat-hunting rules. I like this approach a lot because it helps set expectations when using these rules for the precision/recall slider that we’ve talked about many times in this newsletter.
Creating email detection rules for Sublime Security by Mino Kim
Sublime Security is like YARA but for email. They have an open-source platform with a standardized language, called MQL, that you can use to write detections for incoming mail messages. I’m a big fan of what they are doing since they are open-source (read this article in Venture in Security about why open-source in security companies is a must).
This post details how to use various aspects of the Sublime ecosystem, and Kim works through their methodology in detection ideation, implementation and testing. They contributed a phishing rule into the main Sublime Detection Ruleset by the end of the blog post. Great stuff!
100 Days of YARA later by shellcromancer
If you haven’t heard of 100 Days of YARA, it’s a 100-day challenge to write at least one YARA rule a day. I’ll link the repository for 2023 in the “Open Source” section below. Shellcromancer just hit their 100 days, and this post reviews the 100 days spent on all kinds of fun things in the YARA space, with a focus on macOS malware. Nice work shellcromancer!
Detection Engineering on Social Media
Thanks, Elon, you cringelord.
https://twitter.com/MalwareJake/status/1645739988925988864
https://twitter.com/jaredcatkinson/status/1645822295460413442
https://twitter.com/SecurePeacock/status/1645188485903446017
Threat Landscape
Stopping cybercriminals from abusing security tools by Amy Hogan-Burney
Microsoft coming in hot this week! The team is partnering up with Fortra, maintainers of beloved Cobalt Strike (for professional and educational use, only), and Health-ISAC to take legal action against rogue Cobalt Strike servers. Cobalt Strike has been associated with some of the nastiest and most destructive ransomware campaigns, as it is known to serve as a precursor/initial access vector for ransomware gangs. I hope this is fruitful, and if not, search for #cobaltstrike on Twitter and update your intel feeds as researchers find more and more attacker infra.
MERCURY and DEV-1084: Destructive attack on hybrid environment by Microsoft Threat Intelligence Center
Iranian-linked threat actors are attacking organizations with a specific focus on destroying infrastructure via cyber means, according to MSTIC. The interesting part of this story is that the actors not only destroy on-prem environments but also use privileged access to pivot to Azure and start destroying infrastructure there.
Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities by Edmund Brumaghin
At this point, I’m publishing stealer updates every week, whether it’s a new version of a stealer like Typhon, or a brand new stealer that goes for sale on the underground or goes up for free on GitHub. In this post, Brumaghin tracks the Typhon Stealer rebrand and showcases some of its new shiny anti-analysis features. The amount of work that goes into what type of data these pieces of malware steal is quite staggering. I counted 64 separate programs it steals from, and apparently, it can steal from game clients, but the malware author did not include this functionality in this version.
Ironing out (the macOS) details of a Smooth Operator (Part II) by Patrick Wardle
This is a continuation of Wardle’s Part 1 analysis of the trojanized macOS binaries from the 3CX Smooth Operator supply-chain attack. Wardle is an expert in macOS-based malware and exploitation, so it’s a fresh look at how to perform malware analysis and forensics on a platform many of us are probably unfamiliar with.
CISA Adds Five Known Exploited Vulnerabilities to Catalog by CISA
Veritas makes its CISA KEV debut! Three out of the five new additions to CISA’s KEV project are vulnerabilities in Veritas’ “Backup” product line. Thanks to the ALPHV ransomware gang, we can add another product suite to this growing catalog.
Security Update Mandiant Initial Results by Pierre Jourdan
Imagine, overnight, you and your company become the biggest story in information security. Twitter is blowing up, reporters are reaching out for comment, and the cybersecurity darlings are posting all kinds of blogs about how owned you are. This post reads to me as if Mandiant wrote it, although the CISO of 3CX posted it. It’s a bit strange because I imagine this type of deep technical malware analysis isn’t on brand for 3CX, and most of their customers are probably confused by all of the fun malware family names like TAXHAUL, COLDCAT, POMPOMKITTEN, LAFFYTAFFY and SIMPLESEA (okay, only 3 of these are real, can you guess?).
Open Source
2023 by 100 Days of YARA
The 100 Days of YARA 2023 repository! Shellcromancer’s rules are in here, and a few others who took the challenge.
Pyramid by naksyn
A Python-based post-exploitation toolkit used to test “blindspots” in EDRs. You run everything out of a Python interpreter, and somewhere else, the corresponding server is run to serve additional modules.
Obfu-DE-Scate by user1342
Interesting Android malware analysis tool that uses fuzzy matching to deobfuscate an APK, given another APK that is similar in functionality.
PhoenixC2 by screamz2k
Yet another C2 framework, but this time, their README doesn’t say “for educational use only!” Rather, the authors say they don’t condone misuse, which is way more reasonable than the 1337 hax0r C2 framework GitHub repos I’ve seen that don’t explicitly say that. Doesn’t look to be fully functional yet, but probably another one you should test detections on.
ClientInspectorV2 by KnudsenMorten
I listed one of Knudsen’s blog posts in the “State of the Art” section above, but I’m really enjoying their content and their code for Azure logging and forensics. Especially relevant since Microsoft published the MERCURY / DEV-1084 news last week.