Detection Engineering Weekly #31 - MOVEit, get out the way
oh noo, another vuln's out, it's time to patch your... alright, I'm gonna stop
Welcome to Issue #31 of Detection Engineering Weekly!
This week’s recap:
💎 Investigate by Goblinloot on how new analysts should investigate alerts. Great opinionated insight into how analysts think and how we should build detections for downstream consumers
AiTM protection by Jeffrey Appel, and Microsoft publishes best practices on honeytokens
ServiceNow privilege escalation by R3zk0n, Cobalt Strike via PDF still works by Kostas Tsialemis, and HHHash by Alexandre Dulaunoy
MOVEit ships a Service Pack for some serious vulns, Truebot is the new Mean Girl, and Proofpoint finds a kitten that wants you to run their Mac malware
Plus so much more!
Dear 🟪, 🟥, 🟦 teamers and everyone in between,
Call my hotline? I need a few more “rants” about purple teaming before I start editing and publishing! Imagine one of those morning talk shows with people calling in ranting about whatever and whoever. I’d love to hear your rants on security, threat detection, purple teaming and everything else.
📱📱📱 +1 954-280-0080 📱📱📱
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Investigate by Goblinloot
If you are building detections for analysts, how do you know what they do or don't do, and what they like or don't like? Do you make assumptions about what YOU would do with an alert versus studying a typical analyst workflow? What about a junior vs. senior analyst? Building detections should focus on the most straightforward way to contextualize an alert so that anyone from a junior to a senior analyst can understand it and take action immediately.
I love this post because it's a 101 on being an analyst and what your workflow should entail. It's great for aspiring analysts, but I'm selfish and like to use posts like these when designing detections and products for them. The best part is that it talks about bias in analysis, which we try to limit as humans, but you should also design your alerting and detection strategies with technical controls for bias.
My favorite quote:
On the topic of bias, we are going to cover a few. First and foremost, humans love shortcuts: if you give them an idea (which an alert will always do), they will be drawn to chase and confirm that idea is true, ignoring variables and other legitimate data that might outright disprove or lower the quality of that idea. Being actively conscious of this is really important because, going back to the very beginning, we need to always consider the distance between analysis and action.
State of the Art
AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2023 edition) by Jeffrey Appel
AiTM phishing kits have surged in popularity over the last few years, and both open-source and closed-source kits have successfully foiled 2FA. It's not fancy either - you just serve a proxy to a victim and fill in their credentials and OTP code on their behalf! Appel gives an overview of AiTM attacks over the years and provides updates on defenses that Microsoft employs to help combat these styles of phishing attacks.
ServiceNow Insecure Access Control To Full Admin Takeover by R3zk0n
I am fascinated by the threat model of ticketing systems and knowledge bases. Last week, I linked a blog post on AtlasReaper, which targeted Confluence & JIRA servers. Luckily, no ServiceNow enumeration tool has been posted (yet), but R3zk0n does a nice job of showcasing attacking a ServiceNow instance and escalating privileges to an administrator. I imagine someone copying all ServiceNow data and then deleting it as "ransomware." Can I coin the term "SaaSomware"?
Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity by Nathan Swift
Honeytokens are high-fidelity sources of alerting and "badness", so why not use them? Microsoft is shipping more honeytoken functionality out of the box through Honeytoken tags, and Swift's post gives some great ideas for setting up honeytoken accounts.
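The "high-fidelity" part is the whole point: a honeytoken account has no legitimate user, so any authentication event that names it is an alert, success or failure alike. Here is a small added example (mine, not from Swift's post or Defender for Identity) that runs that logic over constructed JSON-style Windows Security events, with the account names and event lines invented for the demo. The one practical wrinkle it handles is name normalization, since the same account shows up as `CORP\name`, `name@corp.local` and plain `name` depending on the log source.

```python
import json
from dataclasses import dataclass

# Constructed tripwire accounts for this example. In a real deployment these are
# the accounts you tagged as honeytokens; nothing legitimate should ever touch them.
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "adm_finance_old"}

# Windows Security event IDs that show an account being used or requested.
# Failures count too: a failed logon against a honeytoken is still a tripwire hit.
AUTH_EVENT_IDS = {
    "4624": "successful logon",
    "4625": "failed logon",
    "4768": "Kerberos TGT requested",
    "4771": "Kerberos pre-authentication failed",
}


@dataclass
class HoneytokenAlert:
    account: str
    event_id: str
    description: str
    source_ip: str
    host: str


def normalize_account(name: str) -> str:
    """Strip DOMAIN\\ and @domain forms so 'CORP\\Adm_Finance_Old' matches the tag list."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def detect_honeytoken_use(event_lines):
    """Return one alert per authentication event that references a honeytoken account."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the pipeline
        event_id = str(ev.get("EventID", ""))
        if event_id not in AUTH_EVENT_IDS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in HONEYTOKEN_ACCOUNTS:
            continue
        alerts.append(HoneytokenAlert(
            account=account,
            event_id=event_id,
            description=AUTH_EVENT_IDS[event_id],
            source_ip=ev.get("IpAddress", "-"),
            host=ev.get("Computer", "-"),
        ))
    return alerts


# Constructed sample events (one JSON object per line) mimicking forwarded Security logs.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "Computer": "WS01"}',
    '{"EventID": 4771, "TargetUserName": "CORP\\\\Adm_Finance_Old", "IpAddress": "10.1.2.99", "Computer": "DC01"}',
    '{"EventID": 4624, "TargetUserName": "svc_backup_legacy@corp.local", "IpAddress": "10.1.2.99", "Computer": "FS01"}',
    '{"EventID": 4672, "TargetUserName": "svc_backup_legacy", "IpAddress": "-", "Computer": "FS01"}',
    'not json at all',
]

if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_EVENTS):
        print(f"[HONEYTOKEN] {a.account}: {a.description} (event {a.event_id}) "
              f"from {a.source_ip} on {a.host}")
```

The 4672 line is deliberately left out of `AUTH_EVENT_IDS` to show the filter working; in practice you would widen that set to whatever your log sources emit when an account is touched (LDAP queries against the object, password resets, group changes), because every one of those is just as high-fidelity.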
Public Opinion Survey Results: You’re Pwned by Kostas Tsialemis
Short-but-sweet writeup on an intrusion that Kostas helped investigate where the actors delivered a Cobalt Strike beacon via a PDF attachment. He gives a great analysis of the incident timeline, so you can use each one of these stages as a detection opportunity. Or, if you are lazy like me, implement ALL of the detection opportunities listed at the end of the post!
Art of Conducting Effective Blameless Postmortems by Pavan Kristipati
I get a lot of inspiration from SRE best practices when thinking about Detection Engineering. An area I'd like to see more work (hint, a blog post!) from the community is how people deal with postmortems related to detections. Whether a new rule was pushed out and flooded the alert queue with false positives, or a rule missed an actor, I think we need to adopt this methodology so we can improve as a whole.
Python Threat Hunting Tools: Part 9 — Creating Python Packages with Poetry by Adam Goss
Part 9 of Goss' series on Python threat hunting focuses on packages and my third favorite Python tool: poetry. Suppose you are dabbling more and more in writing automation for your workflows, writing tools for others and want to build distributed and reliable Python packages. In that case, poetry should become your best friend!
HTTP Headers Hashing (HHHash) or improving correlation of crawled content by Alexandre Dulaunoy
I love seeing researchers publish new hashing and similarity frameworks. With so much data being collected and stored, fingerprints like this make hunting, grouping, and risk calculation easier by showing whether one connection (whether fingerprinted via JARM, JA3, or this) is similar to others. The cool part about this HHHash post is that the author boiled the calculation down to a cURL command :).
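To make the "boiled down to a cURL command" point concrete, here is an added example (mine, not code from Dulaunoy's post or the HHHash project) of the idea: fingerprint a server by the names and order of the response headers it sends, ignoring the values, so two responses from the same stack match even when dates and lengths differ. My reading of the v1 scheme is header names in received order, joined with `:`, SHA-256 hashed and prefixed with `hhh:1:`; treat that layout as an assumption and check it against the reference implementation before relying on the digests for correlation with anyone else's data. The sample responses are constructed.

```python
import hashlib

HHHASH_VERSION = "1"  # assumption: version prefix used by the scheme being described


def header_names(raw_response: str):
    """Return header names from a raw HTTP response in the order received, values dropped."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    names = []
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            continue
        if line[0] in " \t":
            continue  # obsolete folded continuation: belongs to the previous header
        name, sep, _value = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


def hhhash(raw_response: str) -> str:
    """Header-name fingerprint: sha256 over names joined by ':' (assumed v1 layout)."""
    joined = ":".join(header_names(raw_response))
    digest = hashlib.sha256(joined.encode("utf-8")).hexdigest()
    return f"hhh:{HHHASH_VERSION}:{digest}"


def same_header_fingerprint(a: str, b: str) -> bool:
    """True when two raw responses would be grouped together by this fingerprint."""
    return hhhash(a) == hhhash(b)


# Constructed sample responses. A and B differ only in header values; C reorders headers.
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Wed, 12 Jul 2023 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.25\r\n"
    "Date: Thu, 13 Jul 2023 11:30:00 GMT\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    '{"status": "ok"}'
)
RESPONSE_C = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: nginx\r\n"
    "Date: Wed, 12 Jul 2023 10:00:00 GMT\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

if __name__ == "__main__":
    for label, resp in (("A", RESPONSE_A), ("B", RESPONSE_B), ("C", RESPONSE_C)):
        print(label, header_names(resp), hhhash(resp))
    print("A~B:", same_header_fingerprint(RESPONSE_A, RESPONSE_B))
    print("A~C:", same_header_fingerprint(RESPONSE_A, RESPONSE_C))
```

Feeding it real data is just `curl -sI <url>` piped into `hhhash()`, which is the part that makes it pleasant for hunting: one fingerprint column next to JARM/JA3 and you can cluster crawled hosts by the software stack that answered, not by the ever-changing content.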
Detection Engineering on Social Media
Link: https://twitter.com/bettersafetynet/status/1677385903134613514
Link: https://twitter.com/SecurePeacock/status/1678086849636585473
Link: https://twitter.com/techyteachme/status/1678124814123384832
Threat Landscape
MOVEit Transfer Service Pack (July 2023) by Progress Community
New vulns dropped via Progress Community's "Service Pack" update. CVE-2023-36934 (CRITICAL), CVE-2023-36932 (HIGH) and CVE-2023-36933 (HIGH). The first two are SQL injections; the latter looks like a DoS. With the success of CL0p ransomware and MOVEit exploits, I think we are in for a bumpy ride for this software.
What’s up with Emotet? by Jakub Kaloč
This post has a great timeline of Emotet's return after its takedown and perhaps vacation earlier this year. The botnet operators refactored their modules since its comeback in November 2021, and Microsoft did some damage when they announced disabling VBA macros in the Summer of 2022. Kaloč cannot confirm the rumors of Emotet being sold in January of this year, but a peculiar finding from a potential debug log was seen in one of the botnets that has me scratching my chin.
Increased Truebot Activity Infects U.S. and Canada Based Networks by CISA
Emotet is out, Truebot is in? CISA published this post noting increased activity from Truebot infections starting in the Summer of this year. It turns out CL0p loves to use this malware family for the collection and exfiltration of stolen data. Like other stagers, loaders, and post-infection malware, Truebot has been a link in the chain of tools like Raspberry Robin, FlawedGrace, Cobalt Strike & Teleport.
Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware by Joshua Miller, Pim Trouerbach and the Proofpoint Threat Research Team
Charming Kitten/ TA453/Mint Sandstorm (ugh) tried to infect a victim on a Mac machine and only realized it about a week later. So like any good nation-state employee, they sent a separate payload that will work on the Mac machine! The infection chain, dubbed Noknok by Proofpoint, shares similarities with its Windows counterparts used by TA453.
Letscall – new sophisticated Vishing toolset by ThreatFabric
There are two groups of vishing: low-tech but highly effective (see LAPSUS$) and high-tech and somewhat effective (what I've seen in this post). The group, Letscall, primarily targets South Korean Android phones, and they serve a specially crafted phishing page to the victim that looks like Google Play. Once the victim installs the spyware, their calls are redirected to call centers, and a litany of spyware functionality is executed on their phone.
Apparently, ThreatFabric got access to the administrative panel of one of these pieces of malware and lots of creepy functionality unveiled itself, typical of spyware on phones.
CISA Adds Five Known Vulnerabilities to Catalog by CISA
Patch Tuesday was yesterday, so you know what that means, lots of vulns dropped by Microsoft! Lawrence Abrams has a great rundown of six that were zero-days, and five of them snuck into CISA’s disclosure.
Open Source
ShellGhost by lem0nsec
Self-injection PoC by lem0nsec that demonstrates a supposedly novel evasion technique against EDRs/AVs. It relies on a technique called shellcode mapping, which “enables the thread to intermittently execute instructions while never exposing the entire shellcode in memory”.
shortscan by bitquark
Brute force tool against IIS servers which helps scan for “short names” in files and name disclosures. Based on research from this paper, IIS handles requests with tildes in the filepath, and hilarity ensues.
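The flip side for defenders: short-name enumeration is loud in IIS logs, because every guess is a request whose path contains an 8.3-style `~<digit>` fragment and most of them come back 404. Here is an added example (mine, not part of shortscan or the paper) that parses W3C-format IIS log lines, counts tilde-probe requests per client IP and flags sources over a threshold; the log lines, IPs and the threshold of 5 are constructed for the demo, and the `~\d` pattern is my choice so that paths like `/~jdoe/` do not trip it.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# 8.3 short names look like ABCDEF~1.EXT, so a probe carries a tilde followed by a digit.
# Requiring the digit keeps "/~username/" style paths from matching.
SHORTNAME_PROBE = re.compile(r"~\d")
PROBE_THRESHOLD = 5  # assumed tuning value for this example


def parse_iis_w3c(lines):
    """Yield one dict per request line, using the #Fields: directive to name the columns."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_shortname_probes(lines, threshold=PROBE_THRESHOLD):
    """Return ({client_ip: probe_count} for IPs at/over threshold, {client_ip: sample paths})."""
    per_ip = Counter()
    examples = defaultdict(list)
    for rec in parse_iis_w3c(lines):
        stem = unquote(rec.get("cs-uri-stem", ""))
        query = unquote(rec.get("cs-uri-query", "-"))
        if SHORTNAME_PROBE.search(stem) or SHORTNAME_PROBE.search(query):
            ip = rec.get("c-ip", "-")
            per_ip[ip] += 1
            if len(examples[ip]) < 3:  # keep a few paths per IP for the alert body
                examples[ip].append(f"{rec.get('cs-method')} {stem} -> {rec.get('sc-status')}")
    flagged = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return flagged, examples


# Constructed sample log. User-Agent has no spaces (IIS writes '+'), 14 columns per line.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2023-07-12 10:00:01 10.0.0.5 GET /index.aspx - 80 - 192.0.2.10 Mozilla/5.0+(compatible) 200 0 0 12",
    "2023-07-12 10:00:02 10.0.0.5 GET /~jdoe/profile.aspx - 80 - 192.0.2.10 Mozilla/5.0+(compatible) 200 0 0 9",
    "2023-07-12 10:00:03 10.0.0.5 GET /A%2A~1%2A/.aspx - 80 - 203.0.113.7 curl/8.1 404 0 2 3",
    "2023-07-12 10:00:03 10.0.0.5 GET /AB%2A~1%2A/.aspx - 80 - 203.0.113.7 curl/8.1 404 0 2 3",
    "2023-07-12 10:00:04 10.0.0.5 GET /ABC%2A~1%2A/.aspx - 80 - 203.0.113.7 curl/8.1 404 0 2 2",
    "2023-07-12 10:00:04 10.0.0.5 GET /ABCD%2A~1%2A/.aspx - 80 - 203.0.113.7 curl/8.1 404 0 2 3",
    "2023-07-12 10:00:05 10.0.0.5 GET /ABCDE%2A~1%2A/.aspx - 80 - 203.0.113.7 curl/8.1 400 0 0 2",
    "2023-07-12 10:00:05 10.0.0.5 GET /WEB~1/.aspx - 80 - 203.0.113.7 curl/8.1 404 0 2 3",
    "2023-07-12 10:01:10 10.0.0.5 GET /UPLOAD~1/.aspx - 80 - 198.51.100.9 Mozilla/5.0+(compatible) 404 0 2 4",
    "2023-07-12 10:01:11 10.0.0.5 GET /broken-line-missing-columns 404",
]

if __name__ == "__main__":
    flagged, examples = find_shortname_probes(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"[IIS SHORTNAME ENUM] {ip}: {count} probes, e.g. {examples[ip]}")
```

A single tilde request is not worth paging anyone over, which is why the count and threshold are there; the same logic drops straight into a scheduled query if your IIS logs already land in a SIEM.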
Ansible Atomic Red Team by Red Canary
Configuration management for the win! Red Canary released an Ansible role that helps bootstrap target machines to test out atomics without having to build the role yourself.