Detection Engineering Weekly #20 - My threat actor designation is Chipotle Tempest
I'm financially motivated, spicy and locally sourced
Welcome to Issue #20 of Detection Engineering Weekly!
This week’s recap:
💎 post by Julien Vehent on data engineering and detection engineering
Okta releases detection rules in coordination with Splunk
Azure session tokens get you.. a lot.
Lockbit targeting Apple, Microsoft changes it’s threat actor taxonomy (and I self-assign myself my threat actor name), and a red teamer isn’t the first “actor” to put a webshell on a client’s web server
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Data Driven Detection Engineering by Julien Vehent
Detection Engineering is Software Engineering. A beautifully put observation by Vehent! This week’s gem goes into the evolution of threat detection from the “early days” into now. To scale threat detection efforts beyond human capacity, we need to use more software and data engineering techniques. I discuss this concept in my blog Table Stakes for Detection Engineering, but Vehent hones in on the data engineering specialty and its evolution. I love the comparison of “tripwire” vs. “behavioral” detections, as this relates to the Pyramid of Pain but with way more math and statistics. Awesome stuff!
State of the Art
Okta and Splunk Combine to Detect Common Attacks by Brett Winterford and Defensive Cyber Operations
The detection engineering team at Okta partnered with Splunk for experimental detection efficacy. The interesting thing about these detections is Okta used its own platform to generate these scenarios and then shipped them over to the folks at Splunk for additional enrichment, experimentation, and publication. Amazing work, team Okta!
Brace for Impacket! by Micah Babinski
Impacket is a Swiss army knife for low-level control of sending packets across the wire, but did you know that it comes with all kinds of attacks out of the box? And that threat actors frequently use it to carry out their objectives? Well, now you know, Babinski is here to make you feel much more comfortable writing detections and researching Impacket!
Also, Babinski wins this week’s “most quotable” contest, with beautiful imagery around Impacket’s “veritable potpourri” of MITRE ATT&CK coverage. Bravo!
Logging strategies for security incident response by Anna McAbee, Ciarán Carragher, and Pratima Singh
Bookmark this blog, especially if you are setting more of your infrastructure up in an AWS environment! The authors highlight different components of AWS’ shared responsibility model, what gets logged and where, and how you can analyze security logs. They even recommend parsing into jq
:)
Hacking Your Cloud: Tokens Edition 2.0 - TrustedSec by Edwin David
The beautiful thing about Microsoft Azure/O365 is how integrated it is. Email, Azure, Teams and SSO all combined into one seamless experience. Well, that seamlessness comes at a cost, and David shows what the cost is. You can do a lot of damage with a session token from these environments, and a successful phish or infostealer (which this newsletter absolutely adores) can give you access to a ton of information on a victim account.
Hunting & Detecting SMB Named Pipe Pivoting (Lateral Movement) by Ankith Bharadwaj
It’s Windows and Cloud week here at Detection Engineering Weekly, and a timely post by Bharadwaj gives a crash course on lateral movement using SMB named pipes in Windows. Although named pipes are primarily used for interprocess communication on a singular host, due to Microsoft’s commitment to integration and seamlessness, you can use them across hosts via Microsoft’s SMB protocol! Bharadwaj shows an example of this pivoting using Sliver C2, and then goes deep into detection opportunities from a host and network level.
Countering the Problem of Credential Theft by Intel471
Short and sweet analysis of the impact of credential theft on the cybercrime ecosystem. With Genesis down, I imagine actors are flocking to other markets like Russian Market, but the threat still remains. If a stealer market can provide features such as URL or domain filtering for cookies, then this type of access will always be useful for low-level fraud all the way to ransomware initial access.
This is a good report to pair with Okta’s blog post above, in which Okta released rules to help detect account session takeover from markets just like Genesis.
New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns by Nathan Eades
Cloud threat actors are living off the.. cloud? I mean, I can’t say land, because it’s right there in the name. Anyways, Eades and the Permiso P0 team have seen an uptick in threat actors abusing AWS customer environments as attack infrastructure for sending out malicious SMS messages. This is an evolution from SES for email, and as cloud platforms become more commoditized with “everything we need” to run a business, these cybercriminals will find ways to abuse it.
Detection Engineering on Social Media
https://twitter.com/joltsik/status/1648045466276208640
https://twitter.com/malwrhunterteam/status/1647384505550876675
https://twitter.com/techyteachme/status/1647041723019800580
Threat Landscape
The LockBit ransomware (kinda) comes for macOS by Patrick Wardle
I’ll have to say the hair on the back of my neck raised when I first saw the findings around a MacOS-specific ransomware developed by LockBit. Luckily, folks like Patrick Wardle can quickly get to the bottom of these MacOS malware stories. TL;DR Although this sample has all of the fixins of LockBit, it probably was not intended for live use. Yet.
Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land by Ryan Chapman
Sometimes, simpler is better. Unit 42 IR folks found a PowerShell script in a Vice Society engagement that exfiltrated victim data to an attacker-controlled server. The script had built-in rate-limiting capabilities, file filtering, and POSTed data to an exfiltration server. The interesting part of this blog is under the “Detection and Hunting” section, where Unit42 gives a bunch of opportunities to identify this specific script via PowerShell module logging and identifying specific function names.
Ransomware in the Cloud by Invictus Incident Response
In this post, Invictus responds to a cloud-based “ransomware” incident. I put ransomware in quotes not to diminish the work or impact but rather, how different ransomware is on a cloud service provider versus what we usually see in a ransomware incident on a Windows environment. Basically, if a threat actor has enough permissions to manipulate your S3 bucket configuration, they can turn versioning off and ship your data to an attacker-controlled endpoint and then delete your data.
In this case, the actors dropped a note on the S3 bucket but did not encrypt anything. So this would qualify as single extortion. Almost all of what Invictus writes about here can easily be automated by a boto3 script, so scary stuff if they get access and ship your data off.
Espionage campaign linked to Russian intelligence services by CERT.PL
CertPL and the Polish government are coming out strong with a great writeup on APT29/NOBELIUM. Based on victimology alone, I’m sure CERT.PL has their work cut out for them when dealing with Russian-in-origin cyber attacks and espionage campaigns. Phishing websites and malicious attachments aside, the interesting tidbit I got from this writeup is the use of Notion to host 1st and 2nd stage loaders. Who would’ve thought that providing a cloud-based file hosting service would be used for nefarious purposes? </endtroll>
Butting Heads with a Threat Actor on an Engagement by maxcorbridge
Case-in-point of why Red Teaming/Purple Teaming is beneficial for a company that wants to write detections! I'm curious how frequently this happens; the author was on a Purple team engagement for a client and exploited a public-facing webserver with a local file inclusion vulnerability.
Microsoft shifts to a new threat actor naming taxonomy by John Lambert
Microsoft is changing how it names and shames threat actors! Can you imagine being the one pitching this project to your manager? “Okay, so we track 100s of these at this point right? And we have all kinds of names for them? Well, we’re gonna do it all over again. No it’ll be cool this time - we can create figurines, alcoholic drink names and maybe do dress someone up at RSA to be one of them!”
I always wonder about the externalities of changing names. Will Microsoft go back and change all references? What about downstream consumers? Will future reporting have their new names and old names, just in case?
Open Source
VMwareCloak by d4rksystem
Major update to a years-old script for “hiding” a malware analysis VM from malware that is trying to find out if it is inside a malware analysis VM. It’s like inception, but for malware!
Powershell Dirty Words by nasbench
List of “dirty words” that PowerShell looks for when reading codeblocks and determining if they are potentially malicious. Cool extraction done by nasbench here - interesting to see how Microsoft thinks about finding malicious Powershell.
Malware Analysis Course by ArchCloudLabs
Soup-to-nuts course on building your own malware analysis pipeline by our friends at Arch Cloud Labs.
Introducing Edge: A Recon Tool for Cloud Provider Attribution by Jason Ostrom
Blog post that announces Ostrom’s Edge tool, which helps perform IP enrichment on known cloud provider infrastructure. The cloud providers do a decent job of publishing their IP ranges, services and, in some cases, regions for transparency.