Detection Engineering Weekly #28 - Techy 3000
I'm feelin' like the Andre 3000 of threat detection baby
Welcome to Issue #28 of Detection Engineering Weekly!
I’m happy to announce that the newsletter has just crossed the 3000 subscriber threshold. Thank you so much to everyone who reads, shares, and writes content!
This week’s recap:
💎 on creating a not-so-good EDR by Ethical Chaos, which quickly taught me how complicated real-time threat detection is on Windows
Microsoft wins the content 👑 this week with plenty of content around AitM campaigns and a new open-source Azure detection tool
Threat intel is BACK: Ondra Rojčík and Robin Dimyan publish great articles on doing threat intel the right way (answering the “so what” and applying criminology)
Snake (Barracuda) vs. Panda (PRC): Panda eats snake (though snake is commendable), fake security researchers and opsec fails, and dangling S3 buckets are the new hotness for attack vectors
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me at techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Lets Create An EDR… And Bypass It! Part 1 by Ethical Chaos
I stumbled upon this blog post via a tweet/retweet from my Detection Engineering List and was super happy that I did! You may have used EDRs in your day job, but have you ever written one? I will say that writing a crappy $THING (whether it's a driver, operating system, kernel module, or even a website) gives you way more insight into technology than playing with the front end of a highly complex system like EDRs.
Ethical Chaos makes some educated guesses on how vendors construct EDRs, and what each layer of defense does and needs to do better. For example: Does the file contain a SHA1 hash we know about? What about its control flow graph? Does it match a malicious pattern? Can we hook into internal APIs to sample for maliciousness if the file executes? If we assume there's a malicious file, maybe we can collect events afterward to indicate something bad happened?
Afterward, Ethical Chaos builds a straightforward "EDR" (with lots of issues, of course!) to start checking off these different stages of protection.
State of the Art
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign by Microsoft Threat Intelligence
Adversary-in-the-middle, or AitM, is a low-tech but high-impact technique where an attacker uses legitimate credentials (from phishing) AND 2FA codes (relayed through the AitM proxy) to generate a valid session on a victim's email account or machine. Afterward, the actor adds other 2FA methods or rules to avoid prompts in the future. In this series of AitM attacks, the actor would compromise one organization and use its email inbox or trusted relationships to send phishing links to other organizations, running through each of them and expanding outwards.
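One way to turn the post-AitM pattern above into detection logic, as an added example rather than anything from Microsoft's post: a sign-in from an IP the user has never used before, followed within a short window by a new 2FA method or a new mail rule, is the sequence an actor leaves when cementing access. The event schema, field names, IPs, users and the two-hour window are all constructed assumptions for this example, not a real product's log format.

```python
"""Added example (not code from Microsoft's post): correlate a sign-in from an
IP never seen before for a user with follow-on account changes inside a short
window, the post-AitM pattern described above (new 2FA method, new mail rule).
The event shape, field names, IPs and the window are constructed assumptions,
not a real product schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IPs, fictitious users). The first
# events for each user act as that user's baseline of normal sign-in IPs.
EVENTS = [
    {"ts": "2023-06-01T09:00:00", "user": "alice@example.test", "type": "signin", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2023-06-03T08:55:00", "user": "bob@example.test", "type": "signin", "ip": "203.0.113.20", "result": "success"},
    {"ts": "2023-06-14T11:32:00", "user": "alice@example.test", "type": "signin", "ip": "198.51.100.77", "result": "success"},
    {"ts": "2023-06-14T11:35:00", "user": "alice@example.test", "type": "mfa_method_added", "ip": "198.51.100.77"},
    {"ts": "2023-06-14T11:41:00", "user": "alice@example.test", "type": "inbox_rule_created", "ip": "198.51.100.77"},
    {"ts": "2023-06-14T12:00:00", "user": "bob@example.test", "type": "signin", "ip": "203.0.113.20", "result": "success"},
    {"ts": "2023-06-14T12:30:00", "user": "bob@example.test", "type": "inbox_rule_created", "ip": "203.0.113.20"},
]

# Account changes that, right after a novel sign-in, suggest the actor is
# cementing access (the "avoid prompts in the future" step above).
FOLLOW_ON = {"mfa_method_added", "inbox_rule_created"}


def detect_aitm_followups(events, window=timedelta(hours=2)):
    """Return one alert per (user, novel IP) sign-in that was followed by at
    least one FOLLOW_ON event within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = defaultdict(set)  # user -> IPs with an earlier successful sign-in
    watch = {}                   # user -> open window after a novel sign-in
    alerts = []

    def close_window(user):
        w = watch.pop(user, None)
        if w and w["followups"]:
            alerts.append({"user": user, "ip": w["ip"],
                           "signin_ts": w["signin_ts"].isoformat(),
                           "followups": w["followups"]})

    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        # Expire a window whose deadline has passed before handling this event.
        if user in watch and ts > watch[user]["deadline"]:
            close_window(user)
        if e["type"] == "signin" and e.get("result") == "success":
            if e["ip"] not in seen_ips[user]:
                close_window(user)  # a second novel sign-in starts a fresh window
                watch[user] = {"ip": e["ip"], "signin_ts": ts,
                               "deadline": ts + window, "followups": []}
            seen_ips[user].add(e["ip"])
        elif e["type"] in FOLLOW_ON and user in watch:
            watch[user]["followups"].append(e["type"])
    for user in list(watch):
        close_window(user)
    return alerts


if __name__ == "__main__":
    for a in detect_aitm_followups(EVENTS):
        print(a)
```

On the sample data only alice's 2023-06-14 sign-in from 198.51.100.77 alerts; bob's inbox rule is ignored because it follows a sign-in from an IP already in his baseline. Note the caveat the logic carries: a user's very first sign-in in the data is always "novel", so in practice you seed `seen_ips` from a baseline period before you start alerting.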
Detection Engineering in Azure & Introducing AzDetectSuite by Ryan Hausknecht
Out-of-the-box rules and detections are a powerful and opinionated way to help clients and new security teams get up and running with a decent threat detection posture. In this post, Hausknecht released a tool dubbed AzDetectSuite that comes with out-of-the-box KQL queries mapped to MITRE ATT&CK that help find badness for Azure and AzureAD-based attacks.
Threat Hunting — CyberCorp Case 2 by whoami
This post contains an interesting walkthrough of a CyberDefenders platform case that runs the student through a threat hunt. I've seen more blue-team-style CTFs lately, which makes me want to kick the tires on at least a few of them. I think whoami did a great job of describing their mindset and "what to look for?" throughout the post, which helps you put your threat hunter hat on and reason through the various hypotheses in the challenge.
From Descriptions to Impact: Unlocking the Power of Basic Cyber Threat Intelligence Questions by Ondra Rojčík
Good threat intelligence analysts use bias prevention and mitigation mechanisms during their analysis. Much of this bias comes from our fascination as humans with an interesting problem, or even worse, an interesting solution, rather than focusing on answering "So what?". Rojčík explains that the "so what?" is one of the essential parts of intelligence analysis, and I see a lot of crossover here with Detection Engineering. I've had to have not-so-fun conversations with newer detection engineers or former analysts who chase a problem because it's interesting and not because it's impactful.
Accelerating Threat Detection Through Engineering by Kyle Kurdziolek
BigID’s Kurdziolek describes how the BigID Detection team built their workflows around ideating, writing, and shipping detections. The team went from crawl to walk with enterprise tools but saw that it needed to scale at its desired speed and accuracy. By focusing heavily on a CI/CD approach and using agile processes, the team could move faster and more efficiently with the same number of people.
SRE is to software engineering and system administration as Detection Engineering is to the blue team. I love reading stories about scaling these detection teams because the same tools and techniques are being used to 10x blue teamers.
Trend Forecasting: How to spot the next big thing in cyber crime? by Robin Dimyan
Criminology in cybersecurity fascinates me. We rarely look at the motivation for commodity crimeware (or even large operations like ransomware). Still, we LOVE to read massive deep dives on Nation-State activity where the motivation remains the same: intelligence collection and espionage. Dimyan takes an approach of the "so what/why?" of cybercriminals and then begins to build assumptions from those drivers, which map to detection opportunities. IMHO, this is a much better detection backlog approach than blindly choosing mappings on MITRE ATT&CK.
New Techniques: Uncovering Tor Hidden Service with Etag by Sh1ttyKids
Imagine being "the DevOps person" for a ransomware operation. You need to serve a reliable and secure Tor hidden service that victims, researchers, news organizations, and other criminals can use to access, search, and download troves of data. You spend a lot of time on operational security to keep your infrastructure hidden from researchers and law enforcement. But performance ALWAYS comes at the cost of security. Shame sites use HTTP ETags to cache responses and build edge-like capabilities when serving their assets. Those same ETags can be used to pivot from the Tor site to a service like Shodan and uncover the "true" IP of the ransomware site.
Beacon-on-Demand: Abusing push notifications for persistence by Nikos Laleas
Laleas publishes a super cheeky persistence mechanism that abuses the push notification API in Windows. It's another strange UX finding for Windows notifications: there are four types, and one of them, called "Raw," has no UI associated with it. So you can register a device to receive malicious push notifications and send them without ever notifying the user.
Detection Engineering on Social Media
Link: https://twitter.com/MalwareJake/status/1670522624995213313
Link: https://twitter.com/malmoeb/status/1671106885590630400
Link: https://twitter.com/reprise_99/status/1670691958271115267
Threat Landscape
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China by Austin Larsen, John Palmisano, Mathew Potaczek, John Wolfram, Matthew McWhirt
Mandiant released some great details on the Barracuda ESG remote code execution vulnerability. It turns out Barracuda found the intrusion, engaged Mandiant, and was able to isolate the vulnerability and begin containment and eradication. The crazy part is that UNC4841, which has ties to the PRC, responded to the active defense by quickly scanning the Internet to get into as many appliances as possible.
Darth Vidar: The Aesir Strike Back by S2 Research Team
S2 Research gives an update on Vidar infrastructure configuration after first exposing it in January. According to S2, the Vidar operators are trying to move to anonymous infrastructure on Tor and VPNs. Luckily, the team exposed most of their operations and potential attribution before they moved on to these not-so-savory parts of the Internet.
Cadet Blizzard emerges as a novel and distinct Russian threat actor by Microsoft Threat Intelligence
MSTIC upgrades DEV-0586 to full-name status: Cadet Blizzard. According to Microsoft, Cadet Blizzard is a subgroup inside Russia's GRU that emerged after the Ukraine invasion. Interestingly, this GRU subunit ~mostly~ uses cmd.exe for its Lateral Movement/C2 techniques. Once they pilfer a server, they allegedly leak the data on a Tor website called "Free Civilian." My favorite chart in this post shows how much telemetry Microsoft has visibility into: they can map "operational activities" across a 24-hour timeframe onto standard work hours in Russia.
Fake Security Researcher GitHub Repositories Deliver Malicious Implant by Jacob Baines
Fake security researcher GitHub and Twitter accounts created "PoC" exploits for well-known pieces of software, only to name their implants implant_linux.go or, my favorite, persist_linux.go. Being a researcher isn't as safe as we think it is: there have been numerous attempts by North Korea to target researchers. I believe their OPSEC was a bit better than this attempt, though.
Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers by Guy Nachshon
Dangling S3 buckets are the new dangling domains: if they expire and your favorite OSS repo still references them, they can be taken over and turned malicious. It is still fascinating that many of the Internet's underpinnings rely on open-source repos doing shady-looking things at build and install time, like downloading and executing a binary. According to Checkmarx, thousands of these dangling buckets exist, so it's a problem I think will be around for a while.
Inside of the WASP's nest: deep dive into PyPI-hosted malware by Alexey Firsh
It's super nice to see PyPI malware getting spotlighted by massive security platforms like VirusTotal. If you want a "deep dive" on many different types of Python malware, this is a great blog post showcasing several open-source stealers that infect the PyPI ecosystem.
Open Source
ShellSweep by Michael Haag
It's like a Roomba, but instead of fur or dirt, it finds webshells. I named my Roomba to make it easier for me to cope with the fact that Bezos owns the company now and is most likely mapping out my house. But, ShellSweep doesn't do that. My favorite feature of ShellSweep is the entropy detection: it turns the obfuscation techniques actors use against them and yields a high-fidelity detection.
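To show why obfuscation works against the actor, here is the entropy idea behind ShellSweep's detection in a few dozen lines. This is an added example, not ShellSweep's own code: byte-level Shannon entropy, computed over the whole file and over sliding windows so a short encoded blob in an otherwise ordinary file is not averaged away. The two sample files, the 5.5 bits/byte threshold, the 256-byte window and the token list are my constructed assumptions; the "payload" is just base64 of SHA-256 digests so the example is deterministic and carries nothing real.

```python
"""Added example (not ShellSweep's code): byte-level Shannon entropy as a
webshell signal, the idea behind ShellSweep's entropy detection described
above. The samples, the 5.5 bits/byte threshold, the window size and the token
list are constructed assumptions for illustration."""
import base64
import hashlib
import math
from collections import Counter

# Constructed: a mundane PHP page, and a file whose body is a large base64
# blob passed to eval() (the blob is derived from SHA-256 digests so the
# example is deterministic and contains no real payload).
_blob = base64.b64encode(b"".join(hashlib.sha256(f"seed{i}".encode()).digest() for i in range(32)))
SAMPLE_FILES = {
    "public/index.php": (
        b"<html><body><h1>Welcome</h1>\n"
        b"<?php\n$name = isset($_GET['name']) ? $_GET['name'] : 'guest';\n"
        b"echo '<p>Hello, ' . htmlspecialchars($name) . '</p>';\n?>\n"
        b"<p>Contact us at info@example.test</p></body></html>\n"
    ),
    "public/uploads/cache.php": b"<?php eval(base64_decode('" + _blob + b"')); ?>\n",
}

# Function names whose presence next to a high-entropy blob is worth a second look.
SUSPICIOUS_TOKENS = [b"eval(", b"base64_decode(", b"system(", b"passthru(",
                     b"shell_exec(", b"gzinflate(", b"str_rot13("]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 256, step: int = 64) -> float:
    """Highest entropy over sliding windows, so a short blob buried in a large,
    otherwise benign file is not averaged away."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def scan_file(path: str, data: bytes, threshold: float = 5.5) -> dict:
    """Score one file: whole-file entropy, peak window entropy, suspicious tokens."""
    peak = max_window_entropy(data)
    return {
        "path": path,
        "entropy": round(shannon_entropy(data), 3),
        "peak_window_entropy": round(peak, 3),
        "tokens": [t.decode() for t in SUSPICIOUS_TOKENS if t in data],
        "flagged": peak >= threshold,
    }


def scan(files: dict, threshold: float = 5.5) -> list:
    """Return results for the files whose peak window entropy crosses threshold."""
    return [r for r in (scan_file(p, d, threshold) for p, d in files.items()) if r["flagged"]]


if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(scan_file(path, data))
```

Plain HTML and PHP source sits well under 5.5 bits per byte; a base64 blob approaches 6, and a packed or encrypted one approaches 8, which is exactly what the actor's obfuscation gives away. The token list is reported alongside the score rather than used to gate it, so an encoded blob with no recognizable function names still surfaces; minified JavaScript bundles and legitimate embedded assets are the usual false positives to tune out by path.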
AzDetectSuite by Microsoft
Direct link to Ryan Hausknecht’s post linked above in “State of the Art”.
n0kovo_subdomains by n0kovo
The certificate transparency log is a gift that keeps on giving, and now you can use it for subdomain enumeration thanks to n0kovo! The associated blog post is here.
known_aws_accounts by fwdcloudsec
A freshly published and maintained list of known AWS account IDs. This is a super helpful list for enriching CloudTrail logs (or anything with AWS account IDs) so you can separate the benign and focus on the badness.
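What that enrichment looks like in practice, as an added example that is neither the fwdcloudsec list nor any code from it: every 12-digit account ID in a CloudTrail record is classified as one of your own accounts, a known third party, or unknown, and the records touching an unknown external account are the ones left to look at. The account IDs, the tiny "known" table and the three sample records are constructed for illustration; a real deployment would load the published known_aws_accounts data and its own account inventory instead.

```python
"""Added example (not the fwdcloudsec list or its code): enrich CloudTrail
records by classifying every 12-digit account ID they mention as your own,
a known third party, or unknown. The account IDs, the "known" table and the
sample records are constructed for illustration."""
import json
import re

ACCOUNT_ID = re.compile(r"\b\d{12}\b")

# Constructed assumptions: your organization's accounts and a tiny stand-in for
# the known-accounts list (vendor name per account ID).
OWN_ACCOUNTS = {"111111111111"}
KNOWN_ACCOUNTS = {
    "222222222222": "ExampleMonitoringVendor (constructed)",
    "444444444444": "ExampleBackupVendor (constructed)",
}

# Constructed sample CloudTrail-shaped records, one JSON object per line.
SAMPLE_LOG_LINES = [
    '{"eventName":"AssumeRole","eventSource":"sts.amazonaws.com","userIdentity":{"type":"AWSAccount","accountId":"222222222222"},'
    '"requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/VendorReadOnly"},"recipientAccountId":"111111111111"}',
    '{"eventName":"AssumeRole","eventSource":"sts.amazonaws.com","userIdentity":{"type":"AWSAccount","accountId":"333333333333"},'
    '"requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/Admin"},"recipientAccountId":"111111111111"}',
    '{"eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","accountId":"111111111111"},'
    '"recipientAccountId":"111111111111"}',
]


def classify(account_id: str) -> str:
    if account_id in OWN_ACCOUNTS:
        return "own"
    if account_id in KNOWN_ACCOUNTS:
        return "known:" + KNOWN_ACCOUNTS[account_id]
    return "unknown"


def extract_account_ids(record: dict) -> set:
    """Pull every 12-digit ID from the serialized record (accountId fields and
    ARNs alike). Other 12-digit numbers would also match, so treat the result
    as candidates rather than proof."""
    return set(ACCOUNT_ID.findall(json.dumps(record)))


def enrich(record: dict) -> dict:
    """Return a copy of the record with an 'enrichment' block attached."""
    labels = {acct: classify(acct) for acct in sorted(extract_account_ids(record))}
    out = dict(record)
    out["enrichment"] = {
        "accounts": labels,
        "unknown_external": [a for a, label in labels.items() if label == "unknown"],
    }
    return out


def unknown_external_events(lines) -> list:
    """Records involving an account ID that is neither ours nor a known vendor."""
    return [r for r in (enrich(json.loads(line)) for line in lines)
            if r["enrichment"]["unknown_external"]]


if __name__ == "__main__":
    for r in unknown_external_events(SAMPLE_LOG_LINES):
        print(r["eventName"], r["enrichment"])
```

On the samples, the AssumeRole from the constructed monitoring vendor is labelled and dropped, the internal GetObject is all "own", and only the AssumeRole from 333333333333 into the Admin role remains, which is the point: the list removes the expected cross-account noise so the unexpected principal stands out.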
proxy by UsagePanda
An open-source LLM proxy that sits between OpenAI and your prompting client. It's the first time I’ve seen this implemented and released as open source.