Detection Engineering Weekly #29 - Good Luck, I'm Behind 7 EDRs
I hope I didn't age myself with this meme :(
Welcome to Issue #29 of Detection Engineering Weekly!
This week’s recap:
💎 by Gary Katz on detection metrics and challenging mean-time-to-detect
Lots of EDR internals content this week: Part 2 of Ethical Chaos' series on building an EDR, Jonathan Johnson on kernel callbacks, and Process Mockingjay..ing? as a process injection technique
Cozy Bears target creds (shocker), CISA adds 11 (!) KEVs, Army Soldiers get unsolicited (wait for it) smartwatches, and Kaspersky burns Equation via exposing TriangleDB
Plus so much more!
Dear 🟪 , 🟥, 🟦 teamers and everyone in between
Call my hotline? I need a few more “rants” about purple teaming before I start editing and publishing! Imagine one of those morning talkshows with people calling in ranting about whatever and whoever. I’d love to hear your rants on security, threat detection, purple teaming and everything else.
📱📱📱+1 954-280-0080
📱📱📱
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
The Limitations of Mean time to Detect by Gary Katz
At this point, mean-time-to-detect (MTTD) is an industry-standard metric for SOC organizations. For a detection engineer, it is useful to see how quickly an alert fired after known malicious activity occurred. According to Katz, the problem with this approach is that MTTD is a historical indicator and only measures against known adversary behavior. If an adversary varies its tactics, techniques, or procedures, the metric falls flat on its face: there is no detection to time in the first place.
What's the alternative, then? MTTD isn't useless; it's just that when running a detection program, you want to focus measurement on the rules your organization deems highest impact. Katz splits rules into Low, Medium/High, and High impact buckets, with prescriptive guidance on how to measure each. I like this approach because it helps remove the bias of assigning equal importance and weight to all detections. Katz goes into WAY more detail here, so please go check it out!
State of the Art
Lets Create An EDR… And Bypass It! Part 2 by Ethical Chaos
Part 2 of last week's gem on creating our own EDR. This time, Ethical Chaos focuses on different ways to bypass the techniques implemented in the previous blog post. The post may be a few years old at this point, but there are still some good nuggets of knowledge in here, specifically around using direct syscalls to sidestep the user-mode API hooks the EDR installed in Part 1 (the hook never sees the call because the code transitions into the kernel itself instead of going through the hooked ntdll stub). This is eerily similar to Jared Atkinson & Jonathan Johnson's training on Malware Morphology and function graphs.
CloudGoat Vulnerable Lambda Scenario - Part 2 (Response) by 0xdeadbeefJERKY
You've probably heard of CloudGoat, a vulnerable-by-design AWS environment to help people learn about AWS security. Several blog posts document how to complete its different challenges, and what I like about this one is that it complements the challenges with detection opportunities.
AWS CloudTrail cheat sheet. Incident Response in AWS made easy by Invictus Incident Response
Invictus posts have been featured in this newsletter several times, and many of them focus on real-world AWS incident response scenarios. A big part of AWS incident response is using CloudTrail to build an attack timeline. For this cheat sheet they combined telemetry from their IR engagements, Stratus Red Team simulations, and their "collective brain power" into a list of the attacks that actually show up in practice and the CloudTrail events to look for.
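To make the "build an attack timeline from CloudTrail" step concrete, here is an added example of my own (not code from Invictus or their cheat sheet). It normalises raw CloudTrail records into a time-sorted timeline and then runs one of the classic post-compromise sequences over it: a key that first asks sts:GetCallerIdentity and shortly afterwards creates a new IAM user, hands it an access key and attaches AdministratorAccess. The records in SAMPLE_TRAIL are constructed for the example and deliberately out of order, as they are when pulled from several log files; the event names in PERSISTENCE_EVENTS are real CloudTrail eventName values, the window is my choice.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records for the example (not real telemetry). A leaked
# key for "ci-deploy" checks who it is, is denied an S3 read, then creates a
# second IAM user and gives it a key plus AdministratorAccess. "alice" is noise.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-06-26T14:05:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-06-26T14:03:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2023-06-26T14:05:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-06-26T14:05:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-06-26T14:04:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "prod-secrets", "key": "db.env"}},
    {"eventTime": "2023-06-26T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE2"}},
]})

# Write events that create or widen access (or blind CloudTrail). One of these
# shortly after recon from the same access key is worth a ticket.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                      "UpdateAssumeRolePolicy", "StopLogging", "DeleteTrail"}


def build_timeline(raw_json):
    """Flatten raw CloudTrail records into time-sorted dicts with the fields IR cares about."""
    rows = []
    for r in json.loads(raw_json)["Records"]:
        ident = r.get("userIdentity", {})
        rows.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "principal": ident.get("userName") or ident.get("arn", "unknown"),
            "key": ident.get("accessKeyId"),
            "service": r.get("eventSource", "").split(".")[0],
            "event": r["eventName"],
            "ip": r.get("sourceIPAddress"),
            "error": r.get("errorCode"),
            "params": r.get("requestParameters") or {},
        })
    return sorted(rows, key=lambda row: row["time"])


def find_recon_then_persistence(timeline, window_seconds=900):
    """Per access key: GetCallerIdentity followed within the window by a persistence event.
    Returns (principal, event, target user, seconds since recon) tuples."""
    first_recon = {}
    findings = []
    for row in timeline:  # timeline is sorted, so recon is seen before what follows it
        if row["event"] == "GetCallerIdentity":
            first_recon.setdefault(row["key"], row["time"])
        elif row["event"] in PERSISTENCE_EVENTS and row["key"] in first_recon:
            delta = (row["time"] - first_recon[row["key"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((row["principal"], row["event"],
                                 row["params"].get("userName"), int(delta)))
    return findings


def render(timeline):
    """One line per event, the shape you would paste into an incident report."""
    return "\n".join(
        f'{row["time"]:%Y-%m-%d %H:%M:%S}Z {row["principal"]:<10} {row["ip"]:<14} '
        f'{row["service"]}:{row["event"]}' + (f' [{row["error"]}]' if row["error"] else "")
        for row in timeline)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_TRAIL)
    print(render(tl))
    for who, what, target, secs in find_recon_then_persistence(tl):
        print(f"ALERT {who} -> {what} on {target}, {secs}s after GetCallerIdentity")
```

Keying on accessKeyId rather than userName matters during IR: a user with two keys (one legitimate, one leaked) shows up as one principal but two distinct actors, and the timeline should tell them apart. The AccessDenied GetObject is kept in the timeline on purpose; failed calls are often the first sign that a key is being used by someone probing what it can reach.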
Understanding Telemetry: Kernel Callbacks by Jonathan Johnson
Hopefully, you read Ethical Chaos' "Lets Create an EDR" series above, because Johnson's post goes much deeper into modern Windows internals, specifically kernel callbacks. A callback function typically isn't invoked directly by the developer: you register it with some underlying technology (in this case, the kernel) and rely on that technology to invoke your function after a specific event.
To put it plainly: you give the kernel the address of a function you want called when a particular event fires or a condition is met. Johnson provides a PoC for registering callbacks on Windows, points at open-source tools that can enumerate the callbacks already registered on a box, and shows how the telemetry those callbacks produce turns into detection opportunities.
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution by Thiago Peixoto, Felipe Duarte and Ido Naor
Interesting new process injection technique from Security Joes that tries to limit the number of Windows API calls and so evade EDR hooks. Common process injection techniques typically rely on "allocating memory space and setting the protections of this memory section to Read-Write-Execute (RWX)." They list several process-injection-style techniques and the corresponding Windows APIs that EDRs typically hook and try to block.
Process Mockingjay instead finds a DLL that already ships with an RWX section (so there is no allocation or protection change to make), loads it, and writes the payload straight into that section, which sidesteps the hooked memory-allocation and protection-change APIs entirely. From there the authors do some trickery by loading a clean copy of NTDLL.DLL from disk, using it to unhook the EDR, and bypassing it.
Detection Engineering on Social Media
Link: https://twitter.com/techspence/status/1673319493781671941
Link: https://twitter.com/jfslowik/status/1673022578603196416
Link: https://twitter.com/techyteachme/status/1672340645048885248
Threat Landscape
Kremlin-backed hacking group puts fresh emphasis on stealing credentials by Daryna Antoniuk
Microsoft has identified APT29 (Cozy Bear, or "Midnight Blizzard" in Microsoft's naming) running credential-stealing campaigns against victim organizations. The interesting thing to note here is that the group routed attacks through "low-reputation proxy services" and rotated the proxies regularly to avoid detection, which blunts any detection keyed purely on source IP reputation or on a static list of bad addresses.
CISA Adds Six Known Exploited Vulnerabilities to Catalog AND CISA Adds Five Known Exploited Vulnerabilities to Catalog by CISA
A Detection Engineering Weekly first: 2 articles in 1 section! CISA added ELEVEN new KEVs to the catalog this week. The first batch covered the iOS/macOS exploits alluded to in Operation Triangulation (see TriangleDB below); the second was a smattering of Roundcube, VMware and Firefox bugs plus a Windows privilege escalation.
Dissecting TriangleDB, a Triangulation spyware implant by Georgy Kucherin, Leonid Bezvershenko and Igor Kuznetsov
In this post, Kaspersky researchers dissect TriangleDB, the implant used against iPhone users (and potentially macOS). Once the attackers gain root on the victim's iPhone (Kaspersky says they did it by exploiting a kernel vulnerability), the implant is deployed in memory only, so a reboot wipes it and the attackers have to re-exploit the device to get back in. The framework has all the bells and whistles of a post-exploitation implant, including C2 communication, exfiltration and dumping of sensitive data.
GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking by Ilay Goldman, Yakir Kadkoda
When usability is at odds with security: have you ever renamed a repo or a GitHub organization? GitHub conveniently forwards the old URL, almost like an HTTP 301 redirect, to the new location of your repository. RepoJacking takes advantage of this feature: if the old username or org name is no longer registered, an attacker can claim it and create a repo with the same name, at which point the redirect stops and anything still cloning or installing from the old path (build scripts, submodules, package manifests) pulls the attacker's code instead. It's like domain jacking, but for code repositories.
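As an added example (my code, not Aqua's), a quick audit of the GitHub references in your own manifests against the redirect mechanism described above: resolve each owner/repo through the GitHub REST API, and if the API serves it under a different full_name (a redirect is in play) while the original owner no longer exists, the old name is claimable. The manifest lines and the fake_api responses are constructed so the logic runs offline; the real _api helper hits api.github.com unauthenticated, so expect rate limits on a large dependency tree.

```python
import json
import re
import urllib.error
import urllib.request

# owner/repo out of https://, git+https://, git@github.com: and archive URLs.
GITHUB_REF = re.compile(r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?:[/@#\s]|$)")

# Constructed manifest snippet (requirements.txt / go.mod / .gitmodules style lines).
SAMPLE_MANIFEST = """
widget @ git+https://github.com/old-org/widget.git@v1.2.0
github.com/acme/tool v1.0.0
url = git@github.com:gone-user/lib.git
https://github.com/acme/missing/archive/refs/tags/v1.zip
"""

# Constructed API answers for the sample: old-org renamed to new-org and then
# deleted its account (claimable); gone-user only renamed the repo; acme/tool is
# served directly; acme/missing does not exist at all.
FAKE_RESPONSES = {
    "https://api.github.com/repos/old-org/widget": (200, {"full_name": "new-org/widget"}),
    "https://api.github.com/users/old-org": (404, {}),
    "https://api.github.com/repos/acme/tool": (200, {"full_name": "acme/tool"}),
    "https://api.github.com/repos/gone-user/lib": (200, {"full_name": "gone-user/lib-renamed"}),
    "https://api.github.com/users/gone-user": (200, {"login": "gone-user"}),
    "https://api.github.com/repos/acme/missing": (404, {}),
}


def fake_api(url):
    """Offline stand-in for _api, answering from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (500, {}))


def _api(url):
    """GET a GitHub REST URL; return (status, parsed JSON body). Unauthenticated."""
    req = urllib.request.Request(url, headers={"User-Agent": "repojack-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def github_refs(text):
    """Unique (owner, repo) pairs referenced anywhere in the text."""
    return sorted(set(GITHUB_REF.findall(text)))


def assess(owner, repo, api=_api):
    """Classify one reference; 'api' is injectable so the logic is testable offline."""
    status, body = api(f"https://api.github.com/repos/{owner}/{repo}")
    if status == 404:
        return "missing"       # broken dependency, but nothing to hijack via a redirect
    if status != 200:
        return "unknown"       # rate limited, network error: do not guess
    if body.get("full_name", "").lower() == f"{owner}/{repo}".lower():
        return "ok"            # served directly, no redirect involved
    # Served from a different name, so a redirect is in play. Is the old namespace free?
    user_status, _ = api(f"https://api.github.com/users/{owner}")
    return "hijackable" if user_status == 404 else "redirected"


def audit(text, api=_api):
    """Map every referenced owner/repo in a manifest to its classification."""
    return {f"{o}/{r}": assess(o, r, api) for o, r in github_refs(text)}


if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_MANIFEST, fake_api).items():
        print(f"{verdict:<11} {ref}")
```

"redirected" is still worth fixing (update the reference to the new name), but "hijackable" is the one that needs doing today: until the reference is repointed, anyone who registers the freed username controls what that install line fetches. GitHub does retire the namespaces of very popular renamed repositories, which the Aqua post discusses, but the check above deliberately treats an unregistered owner as claimable rather than assuming that protection applies.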
CID Lookout: Unsolicited Smartwatches Received by Mail by Department of the Army Criminal Investigation Division
This story was an eyebrow-raiser - apparently, US Army personnel are receiving unsolicited smartwatches in the mail. There had to be several reports of this to warrant an investigation by CID. They are worried that Army personnel will turn them on and have the watch infect their home network and potentially Army networks.
If you’ve received one of these and are willing to part ways, let me know, I’ll get it to some interested parties!
Emerging Threat! Exposing JOKERSPY by Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, Ricardo Ungureanu
Elastic gives their breakdown of the JOKERSPY toolset, first documented by Bitdefender. I'm not a macOS threat detection expert, but watching how intrusion sets on an Apple environment do recon, escalate privileges and try to perform post-exploitation is super interesting. The best part? Detection opportunities at the end!
IoT devices and Linux-based systems targeted by OpenSSH trojan campaign by Microsoft Threat Intelligence
Do Microsoft people get super giddy about writing threat research reports on platforms that Microsoft doesn't own? I know we are all in this together, and they do a LOT to help the Linux ecosystem, but I think it must be nice occasionally to take a shot or two at Linux greybeards.
Anyways, this is a typical SSH botnet that brute-forces logins, does some level of honeypot checking, and then installs two open-source loadable kernel module rootkits, Diamorphine and Reptile. I have used both of these extensively in red team competitions & engagements, and man, do they just _work_!
The interesting part of this intrusion is patching the OpenSSH source on the host, recompiling it, and restarting the SSH daemon with the backdoored binary. The patched sshd captures the passwords used to authenticate to the host, which the attackers exfiltrate for further compromise.
Open Source
MagicSigner: Signtool for expired certificates by namazso
MagicSigner enables you to patch signtool to sign with expired (or leaked and revoked) certificates. Out of the box, signtool doesn’t let you use anything expired or revoked, but have no fear: a little C++ goes a long way here!
malware-analysis-pipeline by threatcat-ch
A new email-analysis-to-malware-sandbox framework with a comprehensive list of integrations. If you have spamtraps set up, this is a great way to extract malicious attachments and get intel on them quickly.
strelka by Target
Strelka is not new, but I stumbled (back) onto it while doing some research. The team at Target has continuously added features and optimizations to the project over the years, and it is worth checking out if you want to do malware file analysis at "enterprise scale."
win32-app-isolation by Microsoft
A new security feature from Microsoft: win32-app-isolation runs Win32 applications inside an AppContainer, the low-integrity, capability-restricted sandbox model already used for packaged Store apps, so a compromised application has far less reach into the rest of the user's session. Definitely interesting for
We should have a conversation around coverage and metrics to track coverage. Would love to get other Detection Engineer thought leadership inputs around it. I’m thinking about getting the strategy I just developed cleared for release on a blog post.