Detection Engineering Weekly #32 - Ackshually, it's "Entra ID" now
My toxic trait is spot correcting anyone saying Azure AD
Welcome to Issue #32 of Detection Engineering Weekly!
This week’s recap:
💎 by Greg Ake on forming a hypothesis
Gary Katz continues dropping 🔥 LIT 🔥 posts on detection metrics, and David Bianco rounds out the 1-2 punch with baselining using the PEAK framework
Erica Zelic on LDAP queries just in case BloodHound disappears, Curated Intel publishes a threat actor profile guide, and Rhino Security releases a new tool to help with hunting Actions in AWS
Storm-0558 steals Microsoft keys, maybe Microsoft should get an Apple Airtag? The Permiso team strikes back at (Jay &) Silent Bob, more CISA KEV drops
plus so much more!
QUICK SHOUTOUT TO CLINT @ TL;DR SEC!
🎉🎉 Congrats Clint Gibler, creator and maintainer of the tl;dr sec newsletter, on hitting 18,000 subscribers! I modeled (cough copied cough) several parts of my newsletter after Clint’s excellent security newsletter. When I shot him a message about how much I appreciate his work, he immediately asked if I wanted to get on a Zoom and chat about newsletters, work and life. I really appreciated that, so thank you Clint! Please go give tl;dr sec a subscribe and tell him I sent you!
Dear 🟪, 🟥, 🟦 teamers and everyone in between
Call my hotline? I need a few more “rants” about purple teaming before I start editing and publishing! Imagine one of those morning talkshows with people calling in ranting about whatever and whoever. I’d love to hear your rants on security, threat detection, purple teaming and everything else.
📱📱📱 +1 954-280-0080 📱📱📱
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Where to begin - Formulating a Hypothesis by Greg Ake
60% of the time, we miss the basics every time
This quote is a fun way to start a blog post :). What is your decision-making process when you start building out a new detection or a suite of detections? How much evidence do you have? Do you also document how much you don’t know, a.k.a. a gap analysis? This is where the scientific method can help a detection team, but let’s be specific: formulating a hypothesis on detections requires diligence.
Ake covers the art of doing diligence when formulating a hypothesis. We tend to get lazy when we find an outcome we like, such as a causal relationship between your detection and telemetry on the wire. We rush to ship the rule and move on to the next one. But what about when something doesn’t go as expected? It’s just as important.
If I were you, I would spend some time and read this gem and move directly below to Katz’s post on validation, followed by Bianco’s post on threat hunting via baselining. It’s a crescendo of the application of the scientific method!
State of the Art
Quantifying Detection Coverage with Validation by Gary Katz
Katz continues his posts on measuring the effectiveness of a detection engineering program. This post dives into the idea of detection coverage validation. The intricacies of a valid detection are fickle and easily thwarted, especially if you aren’t focusing on the separate ways to achieve the same procedure. Jared Atkinson talks about this subject with function chaining (and we’ve highlighted this in this newsletter!). I love this graphic Katz uses about the fundamental problem of detection:
If you assume you will never have full coverage into the unknown, you can take many steps to validate as much as possible before there are diminishing returns.
Baseline Hunting with the PEAK Framework by David Bianco
Bianco lays out the strategy behind baseline threat hunting to round out previous posts on the PEAK framework. Baselining is a way to collect representative telemetry samples, whether you onboard new data or are in a new environment. Once you onboard this data, you can start looking for outliers outside the baseline. Bianco mentions stack counting or “group by → sort to least occurring” and Z-scores to look for P95 or P99 values. After the “Execute” phase, you can review your baselines and make detections.
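As an added example (not code from Bianco’s post), here is what the two techniques above look like over a constructed set of process-creation events: stack counting to surface the rarest process names, and z-scores plus a nearest-rank percentile over per-host event counts to surface a noisy host. The host names, process names and the z ≥ 2 threshold are all made up for the illustration.

```python
"""Baseline hunting: stack counting (group by -> sort to least occurring) to find
rare values, and z-scores / percentiles of per-host event counts to find noisy hosts.
Sample data and thresholds are constructed for illustration, not real telemetry."""
from collections import Counter
from math import ceil
from statistics import mean, pstdev

HOST, PROC = 0, 1  # tuple field positions: (host, process_name)

# Constructed baseline: five workstations with the same quiet set of processes...
EVENTS = [(f"ws{i:02d}", p) for i in range(1, 6)
          for p in ("chrome.exe", "outlook.exe", "teams.exe")]
# ...plus one host that is much noisier and runs a binary seen nowhere else.
EVENTS += [("ws06", "cmd.exe")] * 12 + [("ws06", "certutil.exe")]


def stack_count(events, field):
    """Group by one field and sort ascending, so the rarest values come first."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def z_scores(counts):
    """Population z-score of each key's count against all keys."""
    vals = list(counts.values())
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:  # every host looks identical: nothing stands out
        return {k: 0.0 for k in counts}
    return {k: (v - mu) / sigma for k, v in counts.items()}


def percentile(values, p):
    """Nearest-rank percentile (e.g. P95, P99) of a collection of numbers."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def hunt_outliers(events, z_threshold=2.0):
    """Return the leads a baseline hunt would hand to the Act phase."""
    rare = [name for name, n in stack_count(events, PROC) if n == 1]
    per_host = Counter(e[HOST] for e in events)
    noisy = sorted(h for h, s in z_scores(per_host).items() if s >= z_threshold)
    return {
        "rare_processes": rare,
        "noisy_hosts": noisy,
        "p95_events_per_host": percentile(per_host.values(), 95),
    }
```

On the constructed data, `hunt_outliers(EVENTS)` flags `certutil.exe` as the only single-occurrence process and `ws06` as the only host more than two standard deviations above the mean event count.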
Detecting BPFDoor Backdoor Variants Abusing BPF Filters by Fernando Merces
BPFDoor has been one of the most fascinating rootkits on Linux since I started in security. By abusing eBPF programs, you insert your code into the packet parsing process (before the packet is even evaluated by the firewall), and you can get deep into victim boxes. There isn’t too much here that is “new,” but it was a great review of everything that has led up to the current incarnations of BPFDoor.
LDAP Queries for Offensive and Defensive Operations by Erica Zelic
Zelic uses this blog post to document the most common (and interesting) LDAP queries for blue and red team exercises. This would be useful for detection engineers who rely heavily on BloodHound and may want to look a bit deeper into how the underlying LDAP subsystem works.
The Threat Actor Profile Guide for CTI Analysts by Curated Intel
Have you ever wanted to know how to communicate a “threat actor profile” to stakeholders? If you want to infuse the rigor of cyber threat intelligence into your detection backlog, whether in documentation or detection descriptions, this is a great tool for building profiles on groups your company may be concerned with. The “TTPs” section is excellent, but your leadership or stakeholders may not care about them as much as they are concerned with the adversary’s motivations.
Spraying the Microsoft Cloud by BlueTeamOps
We need WAY more blog posts like this one! The author took several open-source tools related to Azure MFA spraying and logged the event types and telemetry that Azure generated. I’ve linked various MFA spraying tools in this newsletter, but aggregation posts like this one help you orient around the technique rather than just individual tools.
IAMActionHunter: Query AWS IAM permission policies with ease by David Yesland
The team behind pacu, one of the most popular open-source AWS penetration testing tools, released IAMActionHunter to help users understand the blast radius of IAM permissions on AWS. Yesland showcases an example where the tool found a privilege escalation path on a vulnerable role that they claim other tools couldn’t find.
Detection Engineering on Social Media
Link: https://twitter.com/curi0usJack/status/1679971626836987904
Link: https://twitter.com/burning_pm/status/1679598514576211969
Link: https://twitter.com/lorenzofb/status/1680982461721763845
Threat Landscape
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email by Microsoft Security Response Center
An alleged China-based threat actor group, Storm-0558, was discovered targeting Microsoft customer emails. The scary part about this specific incident isn’t that customers were successfully compromised but that Storm-0558 obtained a Microsoft account (MSA) consumer signing key to forge authentication tokens. Microsoft blocked and rotated the key, but it’s wild to think that the company still hasn’t figured out how it was compromised and that it was a “golden ticket” to Microsoft-hosted OWA/Outlook accounts as well as Azure AD (ahem, Entra ID) accounts.
Analysis of Storm-0558 techniques for unauthorized email access by Microsoft Threat Intelligence
This is a much more technical blog post than the MSRC one listed above, so if you want to get into the details of the actor’s origins and TTPs, read this one! The MSTIC team says the actor “acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumers.” I am very interested in how Microsoft handles this incident moving forward and if they’ll release any details on how the key was compromised.
Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead by Abian Morina
Besides having one of the best banner images for any security blog I’ve read, this is a great post detailing how commodity crimeware targeting cloud environments is evolving. These actors are updating tooling to target more than just AWS: GCP, Azure, and Kubernetes are all on the menu. The actors were also helpful and provided a git log of all the changes they’ve made! But the best part? Detection opportunities at the bottom!
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware by Symantec Threat Hunter Team
According to Symantec researchers, Syssphinx, aka FIN8, has pivoted from point-of-sale (POS) attacks to ransomware. The FIN8 group “revamped” Sardonic, a toolset researched by Bitdefender years ago, and is actively using it against victims. It seems FIN8 got so upset with using C++ that they switched to good old C.
CISA Adds One Known Exploited Vulnerability to Catalog AND CISA Adds Two Known Vulnerabilities to Catalog by CISA
Two announcements here: CISA adds three known exploited vulnerabilities to its catalog: one Microsoft, one Apple, and one SolarView vulnerability. The SolarView one is from last year, while the Microsoft and Apple vulnerabilities are from those vendors’ latest releases.
Open Source
IAMActionHunter by RhinoSecurityLabs
GitHub repo link to the RhinoSecurityLabs tool posted above in “State of the Art.”
edge by iknowjason
Opinionated cloud IP attribution lookup tool. It does way more than just identify which cloud service provider an IP belongs to - there’s some reverse DNS and Certificate Transparency magic that gives the whole picture behind a cloud IP.
LOLAPPS by LOLAPPS-Project
New lolfarm project, this time with applications! If your organization uses any of the applications listed in LOLAPPS, I highly recommend looking at how to detect attacks on them by using this project.
LinuxForensics by ashemery
This GitHub repo is an amalgamation of what looks like many talks and workshops on Linux forensics. Star this one and come back to it when you have a rainy day and want to learn a thing or two about Linux DFIR :).
BadZure by mvelazc0
Want an Azure AD (ARGGHH ENTRA ID) lab that’s misconfigured on purpose? This is a great tool that stands up a misconfigured Azure environment out-of-the-box, so you can practice your detection engineering, red teaming, or both!
PentestGPT by GreyDGL
ChatGPT-powered automated pentesting tool, all installable with a pip command. Would love to see a red teamer generate a report with findings from this tool, and then have it written with ChatGPT. Work smarter, not harder!