Welcome to Issue #25 of Detection Engineering Weekly!
This week’s recap:
💎 by Dragos Cofounders on the Four Types of Threat Detection
A post by Brendan Chamberlain on LOOBins. LOOBins are to MacOS what LOLBAS are to Windows
BushidoToken uses stylometric analysis to group ransomware gangs
A Windows event log to Splunk tutorial by Invictus Incident Response
MSTIC outs Volt Typhoon, malicious .zip websites that look like WinRAR, and an insider threat during a ransomware incident
Do you want a real-time stream of social media posts by threat detection experts? Check out my Detection Engineering Twitter list!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
The Four Types of Threat Detection by Sergio Caltagirone and Robert M. Lee
The concepts presented in this formative paper by Caltagirone and Lee from Dragos still hold strong almost six years later. The authors explain that there are four types of detection: modeling, threat behavior, configuration analysis and indicators. You can probably guess some of these off the bat, but it’s also important to note that they complement each other in different ways. My favorite call-out in this paper is configuration analysis. I don’t see enough content surrounding this concept, primarily because lots of detection content is around hosts rather than ICS or production workloads.
State of the Art
Importing Windows Event Log files into Splunk by Invictus Incident Response
The folks at Invictus continue to write fantastic content, and this time it’s focused more on a home lab setup than an IR engagement. Suppose you’ve never worked with Windows event logs before. In that case, this is an excellent tutorial on importing a known “bad” dataset of event logs from Blackstorm Security into a free Splunk instance.
Introducing LOOBins by Brendan Chamberlain
LOOBins are to MacOS as LOLBAS are to Windows. The website is chock-full of interesting binaries and scripts found out-of-the-box on MacOS that can be used to do mean things to victims. One of my favorite tools on MacOS for general tomfoolery is osascript. For example, issuing a popup to ask for the user password seems to be an effective technique for credential access on MacOS, and it appears to be feature-rich and effective.
Looking Closer at BPF Bytecode in BPFDoor by Nikhil Hegde
BPFDoor has made the news cycles within the last few years, and the previous newsletter contained a threat update on a new version of the Linux rootkit. If you haven’t familiarized yourself with BPF/eBPF technologies, they are used both by Linux-based endpoint protection products and by rootkits like BPFDoor. Hegde also refuted some of the findings in Deep Instinct’s blog on the latest BPFDoor iteration.
Learn 10 ways to use ChatGPT for Threat Hunting Right Now! by Adam Goss
I try not to link too many blogs about ChatGPT, because they are primarily theoretical, but Goss’ blog is a great jumping-off point for the tool if you want to try it out. Its threat-hunting hypothesis generation and ability to reason around APT and criminal groups targeting an enterprise are impressive.
Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz by BushidoToken
I want to drop the phrase “stylometric analysis” somewhere in my day job to sound like a mad scientist working on ransomware cases. Too bad that BushidoToken did this first! Just kidding :) This blog explores how researchers can use a corpus of ransomware notes to group disparate ransomware groups to show that they are mainly from the same builder.
NixImports: a .NET loader using HInvoke by dr4k0nia
Dear expert Microsoft security readers - how many internal APIs does Microsoft truly have? I feel like when I read blog posts like this, a few things happen: first, I cry because I can’t imagine having this complexity on Linux systems. Second, I cry some more because the amount of indirect ways to achieve creating a freaking thread is astronomical, and security will always be catching up. Third, I laugh (with tears in my eyes), because I know my friends and colleagues will always have jobs protecting Microsoft products.
In this post, dr4k0nia uses their HInvoke technique to create a loader with minimal footprints. The basic premise is that by using HInvoke, you can dynamically pass in names and member hashes to Windows-managed functions, reducing footprints in the binary. The best part? A Yara rule at the end!
How to version detection rules? by LogCraft
If you want detections-as-code, you should follow software engineering paradigms to make them as successful as possible. What happens when you deploy two rules with the same name but different versions? What does it mean to have different versions of a rule? This blog post does a great job of challenging assumptions about what constitutes a rule change under semantic versioning.
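To make the versioning questions concrete, here is an added example (my own illustration, not code from the LogCraft post or from this newsletter) of one possible semantic-versioning policy for a detection rule. The `Rule` fields, the mapping of field changes to major/minor/patch bumps, the registry check for same-name deployments, the sample rule and its `example.invalid` reference URL are all assumptions constructed for this example.

```python
# Added example, not code from the LogCraft post or this newsletter: one possible
# semantic-versioning policy for detections-as-code. The Rule fields, the bump
# policy and the sample rule below are assumptions constructed for illustration.
from dataclasses import dataclass, fields, replace
import re


@dataclass(frozen=True)
class Rule:
    rule_id: str            # stable identifier; changing it means a different rule
    name: str
    logsource: str          # data source the logic needs, e.g. "macos:process"
    detection: str          # the query/logic, kept as an opaque string here
    description: str = ""
    references: tuple = ()
    tags: tuple = ()


# Assumed policy: which fields force which bump when they change.
IDENTITY_FIELDS = {"rule_id", "name", "logsource"}  # consumers must re-onboard -> major
LOGIC_FIELDS = {"detection"}                        # what fires changes        -> minor
# any other field (description, references, tags) is metadata             -> patch

_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); rejects anything that is not MAJOR.MINOR.PATCH."""
    m = _SEMVER.fullmatch(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return tuple(int(x) for x in m.groups())


def changed_fields(old: Rule, new: Rule) -> set:
    """Names of the fields whose value differs between two revisions."""
    return {f.name for f in fields(Rule) if getattr(old, f.name) != getattr(new, f.name)}


def classify_bump(old: Rule, new: Rule) -> str:
    """Return 'major', 'minor', 'patch' or 'none' for the change old -> new."""
    changed = changed_fields(old, new)
    if not changed:
        return "none"
    if changed & IDENTITY_FIELDS:
        return "major"
    if changed & LOGIC_FIELDS:
        return "minor"
    return "patch"


def bump_version(version: str, bump: str) -> str:
    """Apply a bump to a MAJOR.MINOR.PATCH string."""
    major, minor, patch = parse_version(version)
    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    if bump == "patch":
        return f"{major}.{minor}.{patch + 1}"
    if bump == "none":
        return version
    raise ValueError(f"unknown bump: {bump!r}")


def deploy_decision(registry: dict, version: str, rule: Rule) -> str:
    """Decide whether `rule` at `version` may replace what `registry` holds under rule.name.

    registry maps name -> (version, Rule). Reusing a deployed version for different
    content, downgrading, or skipping the bump the change calls for is rejected, so a
    (name, version) pair always denotes exactly one rule body.
    """
    if rule.name not in registry:
        return "deploy"
    cur_version, cur_rule = registry[rule.name]
    if version == cur_version:
        return "deploy" if rule == cur_rule else "reject: version reuse with different content"
    if parse_version(version) < parse_version(cur_version):
        return "reject: downgrade"
    expected = bump_version(cur_version, classify_bump(cur_rule, rule))
    if version != expected:
        return f"reject: expected {expected} for this change"
    return "deploy"


# Constructed sample rule and three revisions of it (not a real rule; placeholder URL).
BASE = Rule(
    rule_id="det-0001",
    name="osascript password prompt",
    logsource="macos:process",
    detection='process == "osascript" and args contains "display dialog"',
    description="osascript dialog asking for a password",
    references=("https://example.invalid/loobins",),
    tags=("credential-access",),
)
REV_META = replace(BASE, tags=BASE.tags + ("macos",))                        # metadata only
REV_LOGIC = replace(BASE, detection=BASE.detection + ' and args contains "password"')
REV_SOURCE = replace(BASE, logsource="macos:endpoint_security")             # new data source


def example_history() -> list:
    """Walk BASE through the three revisions from 1.0.0; return (bump, version) per step."""
    registry = {BASE.name: ("1.0.0", BASE)}
    out = []
    for rev in (REV_META, REV_LOGIC, REV_SOURCE):
        cur_version, cur_rule = registry[BASE.name]
        bump = classify_bump(cur_rule, rev)
        version = bump_version(cur_version, bump)
        assert deploy_decision(registry, version, rev) == "deploy"
        registry[BASE.name] = (version, rev)
        out.append((bump, version))
    return out


if __name__ == "__main__":
    for bump, version in example_history():
        print(f"{bump:5} -> {version}")
```

The point of the registry check is the first question above: two rules with the same name are only allowed to coexist as a version history, never as two bodies under one version, and the bump has to match what actually changed (metadata, logic, or the rule's identity and data source). Which fields count as "identity" is a team decision; the split above is just one defensible choice.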
Detection Engineering on Social Media
Link: https://twitter.com/greglesnewich/status/1661170082683183109
Link: https://twitter.com/jaredcatkinson/status/1663580527536873473
Link: https://twitter.com/rootsecdev/status/1662803188578172930
Threat Landscape
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques by Microsoft Threat Intelligence Center
Microsoft identifies an alleged Chinese-backed group, Volt Typhoon, targeting critical infrastructure companies and systems in Guam and throughout the U.S. The group’s initial access method is via vulnerable Fortinet devices, with traffic routed through compromised SOHO networking equipment. At this point, Fortinet has 10 CVEs in CISA’s KEV database.
Beware of the new phishing technique “file archiver in the browser” that exploits zip domains by Pierluigi Paganini
I’ve always thought of a security vulnerability category called “UX Confusion.” The basic premise is that through some UX sleight-of-hand, a threat actor can confuse a victim that they are interacting with an application that isn’t the original source. I wrote about this using Open Graph years ago.
Anyways, we all know that .zip TLDs were a great idea, so why not take it a step further and make a .zip website with a fully functional-looking WinRAR app? A Twitter user dubbed this “File archiver in the browser,” and it’s rather convincing.
New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force by Ravie Lakshmanan
Pretty amazing findings here, where researchers abused vulnerabilities in a fingerprint authentication protocol that allow an “unlimited amount” of fingerprint attempts, bypassing the controls that prevent brute forcing on smartphones. The attack presupposes physical access to the phone, so organizations like the U.S. Department of Justice could find this very useful in the forensic analysis phases of investigations.
PyPI was subpoenaed by Ee Durbin
PyPI has had a lot of activity on its blog within the last few weeks, with good reason. The FBI subpoenaed PyPI for information regarding some user accounts. The package index has been the target of malicious packages for years now. Although some of these attacks are basic and commoditized in a way, it was only a matter of time before one of these attacks “hit big” and required investigation by the FBI.
The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile by Allen West
Akamai research found a braggadocious actor who duct-taped code from our favorite malware variants to create their botnet. The best part of this post is how much information “the actor” gives out regarding what they are attacking. I’m sure the Akamai team has the actor’s full info. Anyone this braggy usually stinks at OPSEC.
DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries by Anshuman Das
Move over open-source infostealers; it’s now time for open-source Android malware! It turns out the author of DogeRAT is a SaaS entrepreneur too. They have the freemium version and a premium subscription if you want advanced features.
Shedding light on AceCryptor and its operation by Jakub Kaloč
The cybercrime malware ecosystem is a fascinating representation of a criminal economy. There are commodity malware and services, tailored services, JIRA boards for RaaS teams, org structures, and software that the authors buy to make their experience more accessible.
Cryptors are an ecosystem component that provides obfuscation on top of malware binaries to hopefully help customers achieve “FUD” status - a fully undetectable binary. The AceCryptor service provides this for dozens of malware families, and it looks like they respond to market demand as new malware families emerge and others fizzle out.
Man convicted of blackmail and other offences by South East Regional Organised Crime Unit
This article reads like an episode of “It’s Always Sunny.” In this episode, the gang finds out that their employer was ransomed, so Charlie devises a way to replace the crypto-wallet address of the attackers with his own. Nope, that actually happened, and this IT security analyst really tried to do that.
Open Source
Malware Morphology by Jared Atkinson
Jared’s training on Malware Morphology is now on GitHub! I wish I could have taken this live, but for those following along, the training challenges the conventional wisdom around building detections solely on MITRE ATT&CK. There is an inherent selection bias with ATT&CK, and having a systematic way to create detections using different lenses will make your program the most “complete.”
Ransom Chats by Casualtek
I love reading ransomware gang chats and logs. They give an insight into attacker behavior that we, as an industry, are almost never privy to. So why not check out negotiations across dozens of these ransomware actors? Be sure to check out the Conti leaks afterwards :).
Badger Builder by Tw1sm
Nothing like throwing ChatGPT/OpenAI some malware configuration specifications and having it spit out a malleable C2 profile! I think randomizing these profiles will make detection harder on the infrastructure mapping side, but I don’t see this being a hindrance overall in combatting C2 frameworks like Brute Ratel.
Gato by Praetorian Inc.
Gato is a GitHub access token enumeration tool, similar to how tools for AWS tokens enumerate permissions. I’d love to see someone take this and generate control plane/audit logs to write detections against in the wild.
Hidden Desktop by WKL-sec
Heavily inspired by TinyNuke, this HiddenDesktop aggressor script gives Cobalt Strike operators a “VNC-like” desktop session that is hidden from the victim. I appreciate the implementation details in the README, which could help write detections for this type of activity.