Discover more from Detection Engineering Weekly
Detection Engineering Weekly #24 - My .zip domain brings all the victims to the yard
And they're like, "welp I thought it was an actual file thanks microsoftupdate.zip"
Welcome to Issue #24 of Detection Engineering Weekly!
This week’s recap:
Detection Engineering is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
💎 of a post by Anton Ovrutsky with a deep-dive into a Kubernetes purple team lab
Johannes Ulrich gives a take on .zip gTLD pros and cons
Part 2 on Fantastic Rootkits and where to find them, some OverlayFS craziness, and Detection Eng. vs Threat Hunting take
Eric Capuano uncovers the coolest shame site for a ransomware gang during an engagement, BPFDoor gets a facelift, and hunting malicious infrastructure given only an IP address, and I personally rename the PaperCut vulnerability to PaperGash
My Detection Twitter list gets almost 500 followers! Thank you all :)
Plus, so much more!
Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me firstname.lastname@example.org
💎 Detection Engineering Gem 💎
Building a Kubernetes purple teaming lab by Anton Ovrutsky
I LOVE reading purple teaming lab posts. But what separates a good purple team/detection lab post from a great one? First, every tool in the post has to be open-source, free, or freemium. Second, it has to be integrative of different stacks and techniques. Lastly, it has to assume you know nothing about building this, but if you were new, you could follow along. Well, this post hits all three of these things.
Ovrutsky offers something different in this post by focusing on Kubernetes-based purple teaming. Not only do you set up a cluster via minikube, but you also install Laurel, send logs over to SumoLogic free, and then build emulation cases with Vectr. Ovrutsky also does one of my favorite things in these blog posts: he shows what can go wrong. For example, while querying control plane logs on Minikube, you may want to filter object names that you know are benign. Excellent work!
State of the Art
The .zip gTLD: Risks and Opportunities by Johannes Ulrich
If you haven’t heard, Google obtained the
.zip gTLD. Hilarity ensued across the infosec Twittersphere, where people picked up some of the most suspicious-looking domains I’ve seen in years. And already, there was some phishing activity reported shortly thereafter. In this post, Ulrich reviews the current state of affairs with this puzzling gTLD, and makes some interesting observations about how browsers/mail clients and the like will render .zip domains. Will it try to download a file or go to the domain? What if it’s
foo.zip/foo.zip? General wisdom says to just outright block this gTLD for now.
Detection Engineering vs Threat Hunting by Danny Zendejas
We’ve talked about and read a lot about Detection Engineering vs Threat Hunting on this newsletter. Zendejas offers a fresh take on comparing and contrasting the two, showcasing that they can work in unison as long as you can systematize both, and hopefully turn your hunts & detections into additional backlog items or incidents. I quite like the table Zendejas posted midway through the post:
The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation by Ryan Simon, Matt Mills, Christophe Tafani-Dereeper, Frederic Baguelin
~Note, my employer is Datadog~
Linux kernel privesc vulns are always a fun foray into Linux internals. My team at Datadog picked apart a PoC in OverlayFS, went into deep detail on how it works, and built some detection opportunities around the exploit.
Fantastic Rootkits and Where to Find Them (Part 2) by Rotem Salinas
I hope you read Part 1 last week, because Part 2 is even spicier! Salinas switches gears and focuses on rootkit analysis of two in-the-wild rootkits, Husky (from a BruteRatel APT29 infection) and CopperStealer. Besides the C2-traffic-via-pupper-pictures, my favorite part is Salinas finding a C2 domain with no detections on VTI, as well as the great detail into diving into DriverEntry functions for reverse-engineering these two rootkits.
Mythic comes out with a major facelift in 3.0 with a completely rewritten Golang backend. Thomas and the SpecterOps team really focus on usability here - they even released a Jupyter Notebook alongside deployments so operators and developers can see examples of interacting with the GraphQL Mythic API.
Emulating OilRig with CALDERA’s Emu Plugin by CALDERA
CALDERA is MITRE’s brainchild of threat emulation on steroids. In this post, the CALDERA team uses their Emu plugin which converts their “emulation plan” format into an adversary profile, which then can be used inside CALDERA to emulate real intrusions. The team also goes over technical limitations of threat emulation; turns out that emulating a real intrusion is REALLY hard. You may never have a true 1-1 mappings of emulations to real world intrusions across all scenarios, but you can get pretty close.
Chrome Extensions - Forensics by Vikas Singh
Great deep dive in Google Chrome extension forensics. Singh steps through an example incident where a user installs a malicious browser extension, then gives tips and tricks on finding the extensions folder, using tools like Hindsight to export the extension data and metadata, and then digging into each extension to see how it behaves. They also give tips on triaging the same incident via SentinelOne and Defender for endpoint.
Permhash — No Curls Necessary by Jared Wilson
Speaking of malicious browser extensions, Mandiant just released a tool called permhash that gives you a cryptographic hash of the permissions within browser extensions, APKs and other files to help pivot and group similar (or the exact same) malicious extension. This technique is similar to import hashing (and elfhashing on Linux). It’d be cool to see Singh pick this up, fold it into their blog post above, and see if there are ways to group their extensions into a benign or malicious bucket!
Detection Engineering on Social Media
Emergence of Akira Ransomware Group by Eric Capuano
Alright, I’m not supposed to give compliments to ransomware operators. One, because they are scummy people. Two, it encourages them, especially when they are interviewed by people, as we are basically doing free advertising. But this shame site is DOPE.
Capuano responded to an Akira infection and documented their observed TTPs and several unique elements of Akira. The most interesting thing to me is using
cloudflared it as a reverse tunnel (think
ngrok but with the reliability of Cloudflare). Some other common TTPs include network share enumeration, compression tools, and using SSH to log in to ESXi for additional encryption and mimikatz.
When is a “new” TTP not “new”? Maybe it took a while for AT&T to publish this blog, and they wrote it when it was newer, and now it’s not? Also, what’s with the weird disclaimer at the top?
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Nothing too new here, but still good to review blogs like this to add more corroboration to your detections and defense strategies.
I’m surprised people haven’t named the PaperCut vulnerability with something more attractive, like Paper Gash. CISA and the FBI co-released this blog to talk about the impact of a piece of software I’ve never heard of, but plenty of people deploy, and it’s really causing harm to folks who aren’t patching fast enough. One of the scarier quotes:
Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet.
All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company by intrusiontruth
I’ve wrestled with the choice of putting intrusiontruth blogs on here. Much like the X-Files, I want to believe, and it’s so fascinating looking at how they use OSINT techniques to uncover supposed APT actors. Look at your own risk - it’s hard to say whether or not their analytical techniques are sound, but it’s relevant from a threat landscape perspective.
I don’t think this got as much press coverage as PaperCut, but the interesting timing of this vulnerability alongside PaperCut is interesting. Both CVEs are the result of an unauthenticated privilege escalation vulnerability. This technical blog goes much deeper than the CISA post, although I’m sure there’s a ton of technical content around the PaperCut vuln. Call it selection or recency bias, but I wonder if these unauthenticated priv escs will get more attention from now on.
Discord discloses data breach after support agent got hacked by Sergiu Gatlan
I’m sure many readers of this newsletter have a Discord, and use it for all sorts of reasons, including interacting with the security community. It’s heavily used by the criminal underground. For example, many stealers use Discord as an exfiltration tool, but it’s also a ripe target for doxxing victims. The only thing Discord revealed was a somewhat short e-mail. Still, customer support agents with access to internal tooling on platforms are a ripe target for insider threat recruitment and targeting of these types of groups.
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game by Shaul Vilkomir-Preisman and Eliran Nissan
BPFDoor gets an update and researchers at Deep Instinct give a great technical analysis of its new capabilities. If you haven’t read anything about BPFDoor, check this blog out, as it gives some great insight into how BPF works and how absolutely insane BPF-style malware can be.
Hunting Malicious Infrastructure using JARM and HTTP Response by Michael Koczwara
Malicious infrastructure hunting and tracking is one of my few joys when doing deep research against a group. Based on how Koczwara finds, tweets, and now with this blog, writes about, I imagine he is in the same boat as me :). The beautiful thing about infrastructure mapping is that you can do SO much with free tier tooling on Shodan, Threatfox, Abuse.ch, and VTI. In this post, Koczwara hunts some Qbot and Brute Ratel infrastructure, starting with some basic telemetry, such as an IPv4 address.
Similar malicious infrastructure hunting post as Koczwara’s above, but this time focusing on Quasar rat and using Censys. Unlike Koczwara’s post, Brennan starts with a malware configuration extracted from a sample and moves through mapping Quasar infrastructure. Funny enough - Brennan gives a shoutout to Koczwara in the post.
YARA rule generator for LOLDrivers #79 by Florian Roth
LOLDrivers are the gift that keeps on giving, and the LOLDrivers project are getting some awesome pull requests like this one that adds automatic rule conversion support.
Ghidra 10.3 by the NSA
Ghidra has dark mode. That’s it. Just kidding - they released many other features in the debugger, including training courses on how to use it. But seriously, dark mode.
Introducing Resocks - An encrypted back-connect socks proxy for network pivoting by Redteam pentesting
Resocks is a reverse SOCKS5 proxy, not reverse shell as specified by the authors, and it allows attackers to pivot via a compromised system via SOCKS rather than trying to setup complicated proxychains, SSH port forwarding, or an insecure SOCKS proxy on the victim machine. I like this because “infected” hosts aren’t listening on a port but rather connecting out to the resocks server, then that server is forwarding SOCKS5 traffic back through the victim machine into the internal network.
A new Tripwire, but in Python by hacksplaining
Large facelift for Tripwire by hacksplaining. This time completely rewritten in Python, with some additional alerting and logging features. The interesting thing about Tripwire is I feel like it’s the closest to a true detection lab I’ve encountered, where it automatically creates cases for you to experiment with different alert scenarios, and now with C2 logging!