Detection Engineering Weekly #22 - My monolith can beat up your monolith
Just make sure to reboot it every minute as it leaks all kinds of strangeness
Welcome to Issue #21 of Detection Engineering Weekly!
This week’s recap:
A departure from detection-only 💎, and highlighting one 💎 on actual engineering architecture by Lawrence Jones
If a gameshow existed on blocking macros, we’d all lose, by Pieter Ceelen
Rich telemetry and blocking RATs by Detection Engineering Weekly MVP Alex Teixeira
CISA adds a log4shell vuln to its KEV, TA505 returns with LOBSHOT, cryptominers are out, proxyware is IN, and much much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Keep the monolith, but split the workloads by Lawrence Jones
A bit different type of Detection Engineering gem. I’ve read many blogs on scaling workloads to meet detection demands over my career. I’ve been writing about it (post from 2016!) for about as long. If we want to take a small team of detection and response engineers and scale them to look like 100 engineers with only 10 in your team, then I think putting on our SRE, DevOps, and software engineering hats while building these systems is the right way to do it.
Jones shares a warstory of a time his company experienced a massive outage and how the cause was a systemic architecture issue in combining workloads in a monolith application rather than splitting them to reduce time to remediation. It has a ton of parallels to how I’ve seen threat detection systems be built.
State of the Art
So you think you can block Macros? by Pieter Ceelen
Malicious Windows Macros in Office docs have had a long, successful history of obtaining initial access to a victim environment. This post dives into how Microsoft has implemented defenses against malicious macros throughout the years, and just how hard it is to create a usable and secure environment. Ceelen hints at their talk on “LOLdocs”, which I am excited to see more of, to complete our shiny Pokemon collection of “LOL” toolsets and techniques for detection purposes, of course :).
Procedural Detections to Uncover PsExec Style Lateral Movement by Ankith Bharadwaj
TIL that there are many flavors of PsExec, and threat actors do everything they can to remain under the radar when using this toolset. Great deep dive into how blue teams started to catch “the bad guys” using PsExec, so “the bad guys” do everything they can to masquerade their usage of PsExec, from renaming the binary and service name to using derivative PsExec tools. Bharadwaj has a ton of references to real-world incidents abusing PsExec derivatives and masquerade techniques, so bookmark this for later, especially if you are going to be improving detection opportunities on this toolset.
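To make the renaming point concrete, here is an added example (mine, not Bharadwaj’s code) that runs a PsExec-style service-install detection over a handful of constructed records shaped like Windows System log event 7045. It assumes the heuristic that PsExec and its derivatives drop an executable directly in the Windows directory (or push it over the ADMIN$ share) and name the service after that binary, so a renamed service still matches even when the name is no longer PSEXESVC. The field names, sample hosts and the `ALLOWLIST` entry are all constructed for the example.

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"). Field names are simplified
# for the example and are not the real event schema.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "WS02", "service_name": "WinUpdSvc",
     "image_path": r"%SystemRoot%\WinUpdSvc.exe"},
    {"event_id": 7045, "host": "WS03", "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"event_id": 7045, "host": "WS04", "service_name": "ABCD1234",
     "image_path": r"\\127.0.0.1\ADMIN$\ABCD1234.exe"},
    {"event_id": 7045, "host": "WS05", "service_name": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 4624, "host": "WS06", "service_name": "", "image_path": ""},
]

# An executable sitting directly in the Windows directory (or reached via the
# ADMIN$ share, which maps to it), rather than under System32 or Program Files.
DROPPED_IN_SYSROOT = re.compile(
    r"^(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows|\\\\[^\\]+\\ADMIN\$)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)

# Hypothetical allowlist of service names your own deployment tooling
# legitimately installs this way; tune it to your environment.
ALLOWLIST = {"SomeLegitDeploymentAgent"}


def classify(event):
    """Return a detection tag for one service-install event, or None if benign."""
    if event.get("event_id") != 7045:
        return None
    name = event["service_name"]
    match = DROPPED_IN_SYSROOT.match(event["image_path"])
    if not match:
        return None
    binary = match.group(1)
    if name.upper() == "PSEXESVC":
        # Stock Sysinternals PsExec without any renaming.
        return "psexec-default-name"
    if name in ALLOWLIST:
        return None
    if binary.lower() == name.lower():
        # Service named after the dropped binary: the PsExec pattern with a
        # custom name, as produced by renaming or by derivative tools.
        return "psexec-style-renamed"
    # Still odd: a service executable living in the Windows root itself.
    return "exe-in-windows-root"


def detect(events):
    """Run classify() over a batch and return (host, service_name, tag) hits."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["host"], event["service_name"], tag))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The basename-equals-service-name rule is what catches WS02 and WS04 even though neither mentions PsExec anywhere; WS05 is ignored because a normal service lives under System32 and is hosted by svchost, and WS03 is ignored because it lives under Program Files. Pair this with named-pipe telemetry if you have it, since the service name also surfaces in the pipe names PsExec creates.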
Microsoft Azure Sentinel is just crap by Richard de Vries
Alright, I admit it. I work for a vendor. It’s tough work, but I do find a lot of motivation in helping relieve pain points in customers and prospects. One of the things about working in the vendor space is the constant need to solicit feedback, whether it’s good OR bad. The good stuff is validating, but the “bad” feedback is extremely useful. It means someone has taken the time and energy to express their pain into words and give it to you. It’s even better when it’s written like THIS blog post.
Whenever you build a product, you start with some assumptions to solve 80% of the problem, and then you (hopefully) rely on customer feedback to finish that remaining 20%. But the problem with this 80/20 rule is that your assumptions may also just stink. For example, did you ever think that a query that returns 30k results in Azure Sentinel would ever occur? Probably not, so you just cut off the result set in the UI!
Well, de Vries thinks otherwise. I love this post because it goes super deep into how de Vries’ deployment model works, their assumptions, and a clear mismatch between their requirements and Sentinel’s requirements. I hope the Azure Sentinel team picks this one apart!
Welcome 👋 Microsoft Extractor Suite by Invictus Incident Response
Invictus updates its Microsoft-365-Extractor-Suite to include evidence acquisition across many parts of the Microsoft ecosystem. I think this would be a great tool for engineers to emulate attacks in Microsoft environments, extracting the necessary telemetry generated and writing rules against that telemetry.
Detecting and decrypting Sliver C2 – a threat hunter’s guide by Kevin Breen
Breen puts Sliver C2 under a microscope and shows their methodology of moving from threat intelligence reporting (Sliver C2s seen in the wild) to running Sliver inside a lab environment. I love that they add Yara rules and Elastic searches for alerts on potential Sliver infections.
RATs Race: Detecting remote access tools beyond pattern-based indicators by Alex Teixeira
I’ve always found it interesting to read and/or listen to someone’s thought process regarding threat detection or problem-solving in general. Maybe it is how I learn, but seeing the why behind the process of doing work is way more useful to me than a path of A to B to C - it makes it seem like the author got it “right” on their first try! In this post, Teixeira shows their thought process behind finding behavioral patterns and indicators of RAT malware.
Behavioral indicators are ways to detect threats based on patterns of malware or actors rather than just atomic indicators. It’s the TTPs/toolsets section of the Pyramid of Pain, and it causes a lot more pain to actors than detecting a hash or IP address and then moving on.
Introducing HASH: The HTTP Agnostic Software Honeypot framework by Eslam Salem
*Note, I am employed by Datadog*
Happy to announce that Eslam, one of Datadog’s esteemed security researchers, open-sourced our honeypot tooling for creating HTTP Agnostic honeypots! We’ve had some super interesting results from this, and it allows you to quickly create services that mimic real applications and collect telemetry that can be used for detections. The neat trick that Eslam did with HASH is mimicking vulnerable endpoints, such as SQL injection, to take HTTP honeypotting a bit further than just logging scanner activity.
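To show the “mimic a vulnerable endpoint and record what talks to it” idea in miniature, here is an added example that is not HASH’s code and does not use its framework: a standalone fake `/login` endpoint on Python’s `http.server` that tags requests carrying SQL-injection-looking parameters and answers them the way a genuinely injectable login would, so that a scanner keeps interacting while every exchange is written out as telemetry. The patterns, the endpoint and the JSON record shape are all constructed for the example.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed patterns; deliberately crude. A honeypot is not a WAF, it only
# needs enough signal to tag the telemetry it records.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+['\d]", re.IGNORECASE),      # ' OR '1'='1
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    re.compile(r"(--|/\*)\s*$"),                        # trailing comment
    re.compile(r";\s*(drop|select|insert)\s", re.IGNORECASE),
]


def inspect_request(method, target, body=""):
    """Build the telemetry record for one request to the fake login endpoint.

    Parameters from both the query string and a form-encoded body are checked;
    every parameter whose value looks like an injection probe gets a tag.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    if body:
        params.update(parse_qs(body))
    tags = set()
    for key, values in params.items():
        if any(p.search(v) for v in values for p in SQLI_PATTERNS):
            tags.add(f"sqli-probe:{key}")
    return {"method": method, "path": parts.path, "params": params,
            "tags": sorted(tags)}


def fake_response(record):
    """Return (status, body) so the endpoint looks injectable to a probing scanner."""
    if record["tags"]:
        # Pretend the injection bypassed authentication; constructed payload.
        return 200, {"status": "ok", "user": "admin"}
    return 401, {"error": "invalid credentials"}


class FakeLogin(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        record = inspect_request(self.command, self.path, raw)
        record["peer"] = self.client_address[0]
        record["user_agent"] = self.headers.get("User-Agent", "")
        # Telemetry line; a real deployment ships this to the log pipeline.
        print(json.dumps(record))
        status, body = fake_response(record)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle

    def log_message(self, fmt, *args):  # keep stdout to the JSON telemetry only
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), FakeLogin).serve_forever()
```

Everything detection-relevant lives in `inspect_request()`, which is pure and easy to unit-test; the handler just wraps it. The 200 response on a tagged request is the “mimic vulnerable” half of the trick: a scanner that believes it found an injectable login tends to send its follow-up payloads, and those follow-ups are far more useful telemetry for writing detections than a single probe.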
Detection Engineering on Social Media
https://twitter.com/rj_chap/status/1652682862444023809
https://twitter.com/chrissanders88/status/1650866293942235136
Threat Landscape
CISA Adds Three Known Exploited Vulnerabilities to Catalog by CISA
CISA adds three vulnerabilities to its KEV catalog. Two are from 2023, and one is a follow-on from Log4shell, no, not that one, but CVE-2021-45046, the fix after the fix of CVE-2021-44228. Yeah, it was not a fun few weeks for any of us.
Elastic Security Labs discovers the LOBSHOT malware by Daniel Stepanic
Elastic uncovers a new malware strain with loose attribution to TA505. Like many other dropper malware within the last year, LOBSHOT is installed after a user visits a malicious Google Ad. The malware has infostealer-like capabilities and the capability to initiate an hVNC server, so the actor can connect via VNC/Remote Desktop in a “hidden” fashion to interact with victims.
Tonto Team Using Anti-Malware Related Files for DLL Side-Loading by ahnlab
Tonto Team is a suspected Chinese-backed actor group primarily found targeting South Korea, Japan, Taiwan and the US. Good luck getting me to remember their new designation in Microsoft’s latest ontology! Ahnlab found an infection by suspected Tonto Team using a maze of DLL-sideloading and C2 techniques to avoid detection.
Attackers Use Containers for Profit via TrafficStealer by Alfredo Oliveira
Cryptocurrency is tanking, so attackers are now monetizing and grifting via Proxyware traffic. This isn’t the first blog post in my newsletter that talks about this threat. Still, it should be a concern (IMHO) as I see implications (see: legal) of running scraping or click-farm traffic via your infrastructure as way riskier than connecting to a mining pool.
CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution by Naveen Sunkavally
Insecure default configurations. Have you heard of them? (Cue Pulp Fiction meme with Jules pointing his gun at the screen).
Apache Superset is a data visualization server that lets users explore/visualize their data. It looks like Apache’s Open Source competitor to Tableau, though I am not doing it justice. Sunkavally found a key shipped in default installations that users _should_ change, but didn’t, and now you can log in as an administrator by signing a valid session token. The best part? Almost all (~66% according to Sunkavally) publicly exposed Superset servers are installed with this insecure default!
Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram by Cyble
A macOS-based infostealer? Sign me up! I’ve been telling all of my readers they are coming for us mac users! (Puts tinfoil hat on). This one focuses on all the usual suspects of cryptocurrency wallets, but given how successful these stealers have been for initial access, expect more modules in the near future. I’d imagine it’s a bit easier to block this one on the network level, since all variations send data to amos-malware[.]ru, and I am SURE that the author running this stealer isn’t duplicating any stolen logs sent to this domain. So sure.
Open Source
deepsecrets by avito-tech
Yet another secrets scanner tool, but this one is neat because it has a SAST-like approach to secrets scanning.
Bin-Finder by Kudaes
Scan running processes for a target binary (or one that doesn’t have a target binary). This might be useful for running detection scenarios where, according to Kudaes, “a specific EDR/AV DLL is not loaded.”
Breach-Report-Collection by BushidoToken
Interesting start of a repository that collects breach report information on various companies, with suspected or confirmed actors who performed that breach. If you are into adversary emulation at the scale of massive fincrime or nation-state gangs, this is a great repo to keep in your bookmarks!
Adversarial Interception Mission Oriented Discovery and Disruption by darkquasar
A pithy but super-valuable threat-hunting framework that goes deep into how to structure threat hunts as “missions.” There’s quite a bit of semantics in here, but if you can read through everything, I’m sure you can snag parts of this framework to help enrich your current hunting processes or start one from scratch.