Detection Engineering Weekly #21 - Can cows can help us explain detection?
If they could, what shape would they be?
Welcome to Issue #21 of Detection Engineering Weekly!
This week’s recap:
💎 by Sven Cattell on the gotchas and assumptions we put on machine learning models in cybersecurity; they sound eerily similar to detection rule assumptions
Transparency in EDR telemetry and MITRE ATT&CK v13, canary tokens and sleep obfuscation detection and evasion
Don’t sell your old routers and switches, or at least don’t trust your company to do it securely
Infoblox researchers find a rare but effective exploitation framework using DNS
ChatGPT phishing, Yet another stealer (but the actor gets spooked after being called out), and more MacOS malware
And so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
The Spherical Cow of ML Security by Sven Cattell
This week’s gem is focused on machine learning security, but there are many overlaps in Cattell’s post with what we deal with on the detection side. If you don’t know what a spherical cow is, it’s a metaphor or an attempt to apply a “simplistic” model over a highly complex subject. Sound familiar? We do this all the time in threat detection! Most of us have met a machine-learning-based model in production, and we probably have rolled our eyes at some of the marketing-speak behind them, but it turns out it’s extremely hard to run these things at a “peak” efficacy. My favorite section on the post talks about false negatives:
If a model isn’t performing well the only ways to fix it is to retrain or finetune the model. This can be impossible if there isn’t enough data to fix the problem. If just one over-represented sample out of millions is causing the efficacy guarantees to break, then retraining with that sample might not fix the model.
State of the Art
EDR Telemetry Project: A Comprehensive Comparison by Kostas Tsialemis and Alex Teixeira
Coverage is a term I’ve been thinking a lot about lately. What does having breadth vs. depth of coverage mean in rules, telemetry/log sources, and tooling? Well, turns out it is an extremely hard question to answer, but one way to get a little bit closer on answering this is through transparency with your vendors or a collective knowledge-base from the community. This is your base for EDR telemetry sources! Tsialemis and Teixeira mapped Telemetry Feature category (such as File Manipulation) and a few other data points across vendors in the space.
ATT&CK v13 Enters the Room: Pseudocode, Swifter Search, and Mobile Data Sources by Amy L. Robertson
It’s heeerrreeee! ATT&CK v13 is live! Lots of updates with this one, and I don’t want to completely steal the team’s thunder, only steal a little bit. Mobile data sources make an entrance, and lots of update to the ICS, campaigns, Linux and Cloud. My favorite part? DETECTION OPPORTUNITY PSEUDOCODE!
ImpELF: Unmasking Linux Malware with a Novel Imphash Approach by David Burkett
It’s like imphash, but for ELF binaries! The name also sounds way more demonic (in a cool way) than imphash. Burkett created a neat way to process an ELF file, obtain a cryptographic hash of its imported symbols and libraries and output it for additional pivoting by the researcher. I hope VTI can implement something like this for Linux malware researchers!
Using Detect It Easy to… detect it easy by Hexacorn
Speaking of ELF binaries, Hexacorn dives deep into an odd ELF binary that says it’s packed by UPX, but is a bit more complicated to unravel than using the upx binary. It turns out you can pack something with UPX, and mess with the headers telling UPX that it can be unpacked, but the executable can still run. They then use DetectItEasy to see where the binary was modified and with what, so you can be on your merry way and unpack it with ease.
An Adventure in Google Cloud threat detection by Martin McCloskey and Day Johnson
Note, my employer is Datadog, and Martin and Day are in my org, and I’m super proud of them 🙂
Crash course in Google Cloud Platform (GCP) threat detection, with some Sherlock Holmes, references to boot! Martin & Day use Stratus Red Team to quickly boot up an environment, emulate attacks, shut down infrastructure and inspect the logs afterwards.
Early Warnings with LimaCharlie + Canarytokens by Matt Bromiley
It’s hard for me not to get excited about tools and companies I like working with; it’s even harder when combined into one blog post! Canary Tokens from Thinkst are an easy-to-onboard, high-fidelity detection that anyone can add to their SOC workflow. The great thing about a canary token alarm “tripping” is that just the presence of a log is high fidelity enough to alert on. If you want to get up and running on a free tier of LimaCharlie, this is a great way to experiment with canary tokens!
Tunnel via Cloudflare to any TCP Service by root
Cloudflare has been releasing interesting tooling for “edge” networking use cases, one of them being cloudflared tunnels. Basically, it allows you to publish an HTTP-based service on the internet using Cloudflare’s infrastructure while preserving your IP address locally. In this post, root shows how you can get around the company’s HTTP-only filter using websocat and gost. My favorite part/I don’t know why I found this so funny, the author kept putting publish in quotes, like ‘publish’, and to me it reads that they are implying some more nefarious uses of this :).
An Introduction into Sleep Obfuscation by Nigerald
Sleep obfuscation is a technique used by beaconing malware to help evade EDR and detection platforms. In the post, Nigerald details how Hunt-Sleeping-Beacons work, and ways you can work around these techniques. One aesthetic thing I like about this blog: there are small callouts that you can expand if you don’t understand the post's terminology, making it way more interactive and intuitive as you follow along with their content.
The C2 Matrix by SANS/Jorge Orchilles
The SANS team released the latest version of the C2 Matrix at RSA. This latest edition has a bunch of new C2 frameworks pre-installed inside the VM, so you can use it to generate payloads and watch the telemetry come out the other side in VECTR. I have serious FOMO from RSA this year, it seems the conference is getting more and more technical with great releases like this one!
Detection Engineering on Social Media
https://twitter.com/4ndr3w6S/status/1649688342349398016
https://twitter.com/MerrittBaer/status/1650967275154067463
Threat Landscape
Investigating the resurgence of the Mexals campaign by Stiv Kupchik
The Mexals botnet is alive and well with new tooling and obfuscation techniques. This is allegedly a Romanian-based malware group, and its new name, Diicot, is a nod to the Romanian anti-terrorism agency. Some of the malware dropped uses UPX with the UPX headers stripped, but luckily for readers of this newsletter, you can read Hexacorn’s post above (which references Akamai, btw) to rebuild and unpack this malware!
Discarded, not destroyed: Old routers reveal corporate secrets by Cameron Camp and Tony Anscombe
When you think of a supply-chain attack, do you think about discarded routers and networking equipment? ESET researchers Camp and Anscombe did not think so until they bought some used equipment for testing and found all kinds of interesting stuff being left behind on this equipment.
Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic by Infoblox Cyber Intelligence Group
DNS is my favorite protocol. Yes, I told my readers this before, in many other newsletters, and yes, I may blurt this out with a few drinks in me at conferences, but it’s just SO freaking interesting. For example, did you know that “The DNS community has established that much of the DNS traffic observed on the internet is a replay of previous traffic” [source]? Infoblox researchers know, and I’m glad they pointed this out.
This blog uncovers a RAT toolkit dubbed “Decoy Dog” with a peculiar DNS signature paired with the Pupy RAT, which heavily targets enterprise victims.
EvilExtractor – All-in-One Stealer by Cara Lin
Another week, another stealer we all have to deal with. EvilExtractor has several features for pilfering data from victims and also contains a “simple” ransomware module to take $1000 from victims who choose to pay. The actor advertising EvilExtractor, Kodex, seems to have gotten spooked by the news. Their website is now down, but as the great Benjamin Franklin once said, “the Internet always remembers.”
BlueNoroff APT group targets macOS with ‘RustBucket’ Malware by Ferdous Saljooki and Jaron Bradley
So are we worried yet, Mac users? Are the days of our impenetrable laptops over? Not that MacOS malware hasn’t existed in the past, and maybe its recency bias, but I’ve seen a lot more “threat landscape” style news blogs like this one by Jamf Threat Labs talking about targeting macOS devices. BlueNoroff is an alleged subgroup of Lazarus, and the tooling and techniques employed by the group are eerily similar to a Windows counterpart.
Super interesting finding in this one: a backdoored PDF viewer is deployed but not used unless a specifically formatted PDF file is loaded into the PDF viewer.
ChatGPT-Themed Scam Attacks Are on the Rise by Peng Peng, Zhanhao Chen, and Lucas Hu
I distinctly remember the week the Notre Dame Cathedral fire happened. Not only was it an iconic moment in history, but it also pulled at all of our heartstrings. I remember it because I was researching phishing infrastructure then, and a massive influx of Notre Dame-themed phishing pages were being registered and deployed. Criminals seem to flock to events that pique our curiosity and empathy to make a quick buck.
In this post, Unit 42 researchers have tracked criminal infrastructure targeting our curiosity with ChatGPT and LLMs. Spikes in domain registration that specifically “squat” on ChatGPT do everything from phishing to putting in credit card forms, promising people they’ll get access to the platform.
Open Source
LOOBins by InfosecB
*Bins are the new hotness. This time, it’s not off the land, but the orchard specifically. You guessed it: a whole mess of binaries on MacOS that can be used maliciously!
EDR Telemetry by Kostas Tsialemis and Alex Teixeira
Github link to the EDR Telemetry project listed above under “State of the Art”.
ScareCrow by optiv
Major update (5.0.0) to the ScareCrow framework, which uses specific side-loading techniques to bypass EDR detections. Optiv included links to blogs that deep dive into the technique, which helps a lot with detection opportunities!
Mergen by sametsazak
More recency bias has crept into my writing, but I’ve seen lots of MacOS malware alongside many more open-source MacOS security tooling. This one checks the configurations of your Mac device and compares them against secure benchmarks.