Detection Engineering Weekly #26 - I like to MOVEit MOVEit
Threat actors, ya nice, sweet, fantastic!
Welcome to Issue #26 of Detection Engineering Weekly!
This week’s recap: ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR ERROR
REBOOTING…..
> NEW CONTENT FOUND, PLAYING: Welcome to The Purple Team Tapes.mp4
Detection Engineering Weekly Presents: THE PURPLE TEAM TAPES
Call me, maybe? Press play 👇👇👇👇👇👇👇👇👇👇
Yes, the number works. No, I’m not collecting phone numbers. Rant anonymously or drop your socials. Tell me about your worst or best day in detection or red teaming. I wanna hear real stories, real rants and real people! Thanks for helping out, Gary!
That was weird. Maybe give me a call and tell me about it?
Anyways, this week’s recap:
💎 by Jared Atkinson on Tool Graphs
Verizon DBIR is out and it’s spicy, and I like spicy
Cloud misconfigurations by Nick Frichette, bypassing SELinux via LKM by Sean Pesce, and Misconfigurations are threat detection by Anton Chuvakin
MOVEit has been in the news, did you know? Lots of MOVEit related threat landscape updates this month
Threat actors learn how to bundle software
And so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
On Detection: From Tactical to Functional by Jared Atkinson
I was excited to see Jared release this post and even more excited to dive deep into it. I linked his training for this in a previous issue. A “Tool Graph” implements function chaining, where you can model specific techniques, such as process injection, to document detection opportunities. A process injection could require 4-5 Windows API calls to succeed. But, due to the complicated nature of a modern operating system like Windows, an implicit chain of internal APIs is being called before a syscall is actually issued to the Windows kernel. You can “mix and match” a technique to avoid detections by mapping these function chains. By going down this rabbit hole, Jared showcases 900 different ways to achieve process injection, simply through mapping out the tool graph with function chaining.
This post is a fantastic demonstration of challenging bias against standard models, especially kill-chain and MITRE ATT&CK. I think Jared and the Spectre Ops team are some of the greatest minds in our industry and in the detection engineering “sub-profession.” I’d love to see this for Linux and other OSes!
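To make the "function chaining" idea concrete, here is an added example (my own illustration, not Jared's code or his actual graph): a deliberately simplified tool graph for process injection in which each step has several functionally equivalent entry points, a higher-level API implicitly traverses the lower-level ones beneath it, and a sensor "covers" a chain only if it monitors at least one function that chain passes through. Function names are real Windows APIs, but the graph's completeness is an assumption.

```python
from itertools import product

# Constructed, simplified tool graph (illustrative assumption, not Jared Atkinson's
# actual graph). Each step maps an entry point to the ordered list of functions that
# calling it traverses, from the chosen entry down to the user/kernel transition.
TOOL_GRAPH = {
    "allocate": {
        "VirtualAllocEx": ["VirtualAllocEx", "NtAllocateVirtualMemory", "syscall:NtAllocateVirtualMemory"],
        "NtAllocateVirtualMemory": ["NtAllocateVirtualMemory", "syscall:NtAllocateVirtualMemory"],
        "direct syscall": ["syscall:NtAllocateVirtualMemory"],
    },
    "write": {
        "WriteProcessMemory": ["WriteProcessMemory", "NtWriteVirtualMemory", "syscall:NtWriteVirtualMemory"],
        "NtWriteVirtualMemory": ["NtWriteVirtualMemory", "syscall:NtWriteVirtualMemory"],
        "direct syscall": ["syscall:NtWriteVirtualMemory"],
    },
    "execute": {
        "CreateRemoteThread": ["CreateRemoteThread", "NtCreateThreadEx", "syscall:NtCreateThreadEx"],
        "NtCreateThreadEx": ["NtCreateThreadEx", "syscall:NtCreateThreadEx"],
        "direct syscall": ["syscall:NtCreateThreadEx"],
    },
}


def enumerate_chains(graph):
    """Every way to walk the graph: one entry point per step (the 'mix and match')."""
    steps = list(graph)
    return [dict(zip(steps, combo)) for combo in product(*(graph[s] for s in steps))]


def functions_traversed(graph, chain):
    """Union of every function a given chain passes through on its way to the kernel."""
    return {fn for step, entry in chain.items() for fn in graph[step][entry]}


def uncovered_chains(graph, monitored):
    """Chains that touch none of the monitored functions: the sensor's blind spots."""
    monitored = set(monitored)
    return [c for c in enumerate_chains(graph) if not functions_traversed(graph, c) & monitored]


def coverage(graph, monitored):
    """(total chains, chains the given set of monitored functions never sees)."""
    chains = enumerate_chains(graph)
    return len(chains), len(uncovered_chains(graph, monitored))


if __name__ == "__main__":
    for hooks in (["CreateRemoteThread"], ["NtCreateThreadEx"], ["syscall:NtCreateThreadEx"]):
        total, blind = coverage(TOOL_GRAPH, hooks)
        print(f"monitoring {hooks}: {total - blind}/{total} chains covered")
```

Even this toy graph yields 27 distinct chains, and moving the same detection one layer deeper (Win32 export, then ntdll stub, then the syscall itself, which only kernel telemetry sees) roughly doubles coverage each time; that is the tool-graph argument in miniature.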
State of the Art
Using Cloud Securely — The Config Doom Question by Anton Chuvakin
For readers who read the gem from last week, configurations-as-part-of-threat-detection was a pillar in the Dragos paper on threat detection. I thought this post from Anton was timely - it turns out, more often than not, cloud breaches are the result of misconfigurations. When you have services such as AWS, Azure, or GCP, built to be easy to use and scale quickly, security will always be a second-class citizen. Isn’t that how our industry works, though? Is Windows secure by default?
Bypassing SELinux with init_module by Sean Pesce
Fantastic writeup on bypassing SELinux on a Linux device (Android, according to Pesce) using different API calls than what SELinux enforces. Another timely article as it relates to Atkinson’s gem from above: the author created a function graph and uncovered additional APIs underneath that achieved the same technique but using different functions. It’s as simple as init_module() vs finit_module().
Incident Detection and Response by Joshua Natan
Introspective post by a security consultant who had to reframe their definition of a security incident while talking with clients. One can fall easily into the trap of providing advice without understanding the pain points of implementation. TL;DR incidents are all about loss; if a security incident happens, but there is no loss, then it’s probably not an incident. It seems simple enough, but I’ve been caught by the shininess of fun or technically obtuse attacks that have distracted me away from helping the business.
Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service by Nick Frichette
~Note, my employer is Datadog~
Nick drops some knowledge on how to secure EC2 instances from being abused by IMDSv1 pivoting. Many people still use IMDSv1, so putting this post out was a way to get “the good word out” with better ways to manage your cloud metadata services on EC2 and beyond.
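As an added example of the kind of check Nick's post motivates (my own code, not Nick's or Datadog's), this audits the MetadataOptions block that EC2 DescribeInstances returns for each instance and builds the arguments for ModifyInstanceMetadataOptions that enforce IMDSv2. The field names are the real EC2 API names; the instance records below are constructed sample data rather than output from a real account.

```python
# Constructed sample records in the shape of EC2 DescribeInstances output
# (instance ids and settings are made up for this example).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


def imds_findings(instance):
    """List the IMDS weaknesses of one instance; an empty list means compliant."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # no metadata service exposed at all, nothing to pivot through
    if opts.get("HttpTokens") != "required":
        # "optional" still answers unauthenticated IMDSv1 GETs, the classic SSRF pivot
        findings.append("IMDSv1 allowed (HttpTokens is not 'required')")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # responses can be forwarded beyond the instance itself (e.g. containers, NAT)
        findings.append("HttpPutResponseHopLimit > 1")
    return findings


def noncompliant(instances):
    """Map InstanceId -> findings for every instance that has at least one finding."""
    report = {}
    for inst in instances:
        findings = imds_findings(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


def remediation_params(instance_id):
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options enforcing IMDSv2."""
    return {"InstanceId": instance_id, "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 1}


if __name__ == "__main__":
    for instance_id, findings in noncompliant(SAMPLE_INSTANCES).items():
        print(instance_id, findings, "->", remediation_params(instance_id))
```

A hop limit of 1 is the safe default but breaks workloads whose containers reach IMDS through the host's network stack, so treat that finding as a review item rather than an automatic fix.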
2023 Data Breach Investigations Report by Verizon Intelligence
It’s OUT! If you’ve never read the Verizon DBIR report before, I highly recommend checking it out. The folks that author the report are amazing people, super intelligent and put a ton of sweat equity into making the publication high quality. Ransomware has remained a top action variety from their datasets, but I found it surprising that most action vectors/breaches are through a web application attack.
OWASP Top 10 for Large Language Model Applications by OWASP
It was inevitable, but what a way for OWASP to capitalize on the LLM craziness going on right now. Get your comments in for their initial draft, and also check out their educational links on learning more about LLM-specific security issues.
Detection Engineering on Social Media
Link: https://twitter.com/FrankMcG/status/1665819451588050944
Link: https://twitter.com/LisaForteUK/status/1665691453513711616
Link: https://twitter.com/DianaInitiative/status/1665372859638620161
Threat Landscape
MOVEit Transfer Critical Vulnerability (May 2023) by Progress Community
Move aside PaperCut; there’s a new dumpster fire in town! Network appliances with web service frontends just seem like a bad idea, and the community has been ablaze with responding to this SQL injection vulnerability. Hats off to Progress: they’ve updated this post with new information almost daily since the disclosure.
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft by Nader Zaveri et al. (a lot of freakin people!)
Who would win in a fight? One LEMURLOOT or one Chipotle Tempest? Great breakdown of the MOVEit vuln by the folks at Mandiant as they responded to incidents involved with the vulnerability disclosed by Progress last week.
Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite by Nextron Systems
MOVEit has dominated the news cycle and my newsletter cycle, but I want to point out that there are organizations out there that release tools for free so you can scan for compromises related to MOVEit. Nextron, who helps maintain the Sigma ruleset, has many tips and tricks here to help protect your org from MOVEit exploitation.
Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat by Uptycs Threat Research
RaaS provider for Cyclops Ransomware threat group has discovered the art of bundling. But what is bundling? Ever bought a SaaS product? Notice they have different tiers sometimes, and maybe some things are “mixed and matched”? Well, crime imitates business, and it turns out this specific provider is now offering a Go-based stealer. The best part of the post? Detection opportunities at the end!
Qakbot: Retool, Reinfect, Recycle by Black Lotus Labs
I hate Qakbot. Okay, now that I’ve said that (and have before and will continue to do so), we can move on! Lumen’s Black Lotus Labs gives a threat profile on Qakbot campaigns this year, particularly noting how fast they are at changing their operational security practices and delivery mechanisms. Residential proxy IPs are of particular note here, where for as little as $10/GB, you too can use them for legitimate traffic, such as C2 operations!
Open Source
Scraping Kit by Lares
This isn’t a web scraping kit; it’s way cooler. Lares developed a whole toolset to search services for keywords and enumerates many different Windows and Azure ecosystem components to help you focus quickly on what to.. well, you know, compromise!
MFA Bombing by Authomize
Threat emulation is such a value-add for detection engineering efforts. I have yet to see one that has this specific focus, which is crazy to me because MFA bombing has resulted in many high-profile breaches.
fq by Wader
Like jq, but for binary files. The filtering language is eerily similar (a good thing) to jq as well.
Terminator by ZeroMemoryEx
Turns out that the Spyboy fiasco of an “EDR-disabler” for $3000 is worth exactly $0, because it’s now open source!
NoseyParker by Praetorian
The Praetorian team rewrote an internal secrets scanning tool and open sourced it under Apache. Written in Rust, it looks uber fast, and I quite like the SARIF support, which will make integrating into CI/CD workflows easier.