Detection Engineering Weekly #37 - 🤠 There's a snake in my spreadsheet 🤠
I was sick of crappy VBS, now I get to decode crappy Python
Welcome to Issue #37 of Detection Engineering Weekly!
This week’s recap:
A Bordeaux of a 💎 by Ryan Stillions - a detection framework way before it was cool
Backdooring AWS accounts with Mystic0x1, tricking vision models and EDRs, and an intern project that’s log-lickin’ good
Malvertisers up their game to prevent those pesky researchers from finding their infra, CISA adds 4 KEVs to their list, Ivanti exploit AGAIN, and I expose Silas Cutler as the only person who has paid for WinRAR
Plus SO much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
The Detection Maturity Level (DML) Model by Ryan Stillions
This gem is one of the oldest posts I’ve ever featured: it’s close to TEN years old! But, like Bordeaux, it’s aged beautifully and is still useful to this very day. It’s pretty amazing seeing someone think about concepts like coverage, backlogs and taxonomy way before things like ATT&CK and detection engineering became mainstream.
In this post, Stillions proposes an 8-level model that starts with nothing (literally) and works its way up to detecting the goals of major criminal groups and nation states. To me it builds on ideas like the Pyramid of Pain: you move from tactical detection toward more strategic, systemic detection of an adversary.
State of the Art
Methods to Backdoor an AWS Account by Mystic0x1
Quick, no Googling: what’s the tactic in MITRE ATT&CK after Initial Access and Execution? Persistence! What makes a good persistence strategy for an attacker, no matter what platform they’re on? My friend mubix once told me: “Two is one, one is none.” Well, Mystic has more than one AWS-focused persistence method here, so you should bookmark this blog for your next cyber heist detection engineering sprint and/or red-team engagement!
My favorite persistence methodology from red-teaming in security competitions in the past is the user-data script method.
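From the detection side, the user-data method leaves a recognizable trail in CloudTrail: an instance has to be stopped before its user data can be changed, and the new script only runs on the next boot. The example below is added here and is not code from the Mystic0x1 post; it walks a set of constructed CloudTrail records (account id, ARNs and instance ids are placeholders, the record layout follows CloudTrail’s schema) and flags every `ModifyInstanceAttribute` call that sets `userData`, marking the ones wrapped in a stop/start cycle.

```python
import base64
import json

# Constructed CloudTrail records for this example (placeholder account,
# identities and instance ids; the field layout follows CloudTrail's schema).
SAMPLE_EVENTS = [
    {"eventTime": "2023-08-20T10:14:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2023-08-20T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {
         "instanceId": "i-0123456789abcdef0",
         # user data is sent base64-encoded; the script body is a harmless sample
         "userData": {"value": base64.b64encode(
             b"#!/bin/bash\n# constructed sample\necho boot-hook\n").decode()}}},
    {"eventTime": "2023-08-20T10:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2023-08-20T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"instanceId": "i-0123456789abcdef1",
                           "instanceType": {"value": "t3.large"}}},
]


def decode_user_data(b64_value):
    """User data travels base64-encoded; return it as text for triage."""
    return base64.b64decode(b64_value).decode("utf-8", errors="replace")


def instances_in(event):
    """Instance ids named by an EC2 event, covering both request shapes."""
    params = event.get("requestParameters") or {}
    if "instanceId" in params:
        return {params["instanceId"]}
    items = (params.get("instancesSet") or {}).get("items") or []
    return {i["instanceId"] for i in items if "instanceId" in i}


def find_user_data_changes(events):
    """One finding per ModifyInstanceAttribute call that sets userData.

    stop_start_cycle is True when the instance was stopped before the change
    and started afterwards: user data only runs at boot, so that sequence is
    what a persistence attempt through user data looks like in CloudTrail.
    """
    events = sorted(events, key=lambda e: e["eventTime"])
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "ModifyInstanceAttribute":
            continue
        params = ev.get("requestParameters") or {}
        user_data = (params.get("userData") or {}).get("value")
        if user_data is None:
            continue  # some other attribute (instance type, SGs, ...) changed
        instance = params.get("instanceId")
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        stopped_before = any(
            e.get("eventName") == "StopInstances" and instance in instances_in(e)
            for e in events[:idx])
        started_after = any(
            e.get("eventName") == "StartInstances" and instance in instances_in(e)
            for e in events[idx + 1:])
        findings.append({
            "time": ev["eventTime"],
            "actor": actor,
            "instance_id": instance,
            "script_preview": decode_user_data(user_data)[:120],
            "stop_start_cycle": stopped_before and started_after,
        })
    return findings


if __name__ == "__main__":
    for finding in find_user_data_changes(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The instance-type change by `bob` is deliberately left alone: the signal is a user-data write, not any attribute change, and the stop/start flag is what separates "someone edited a script" from "someone edited a script and made it run".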
Minority reports (yes like the movie) as a machine learning defense by Dillon Niederhut
If you want to study how detections can “drift” at massive scales of data and statistics, look no further than adversarial machine learning. In this post, Niederhut reviews a paper that discusses detecting “adversarial patches” in computer vision. The basic premise of the attack involves adding a “patch” (literally like a piece of cloth) on an image, and the patch confuses the computer vision model (think CCTV face detector) and prevents a successful prediction of your face or whatever you’re predicting. By sliding a patch around an image, taking a prediction, and then studying the distribution, you can accurately predict whether an attacker uses an adversarial patch to fool your model.
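The sliding-occlusion idea is easy to see on a toy. The block below is an added example written for this issue, not code from Niederhut’s post or the paper he reviews: an 8x8 grayscale "image", a stand-in classifier that says "bright" when the mean pixel exceeds 0.35, and a bright 3x3 square as the adversarial patch (all constructed). A 3x3 occluder is slid over every position, the classifier votes once per position, and any disagreement with the majority is reported along with the region whose masking changed the label.

```python
from collections import Counter

SIZE = 8       # toy image is SIZE x SIZE grayscale, values in [0, 1]
PATCH = 3      # adversarial patch is PATCH x PATCH bright pixels (constructed)
OCCLUDER = 3   # sliding occlusion window, same size as the patch


def clean_image():
    """Constructed benign image: uniformly dim, so the toy model says 'dark'."""
    return [[0.3] * SIZE for _ in range(SIZE)]


def apply_patch(image, top, left):
    """Paste a bright PATCH x PATCH square: enough to flip the toy model."""
    img = [row[:] for row in image]
    for r in range(top, top + PATCH):
        for c in range(left, left + PATCH):
            img[r][c] = 1.0
    return img


def toy_model(image):
    """Stand-in classifier: 'bright' if the mean pixel exceeds 0.35."""
    total = sum(sum(row) for row in image)
    return "bright" if total / (SIZE * SIZE) > 0.35 else "dark"


def occlude(image, top, left):
    """Black out an OCCLUDER x OCCLUDER window at the given position."""
    img = [row[:] for row in image]
    for r in range(top, top + OCCLUDER):
        for c in range(left, left + OCCLUDER):
            img[r][c] = 0.0
    return img


def occlusion_votes(image, model):
    """One prediction per occluder position, keyed by (top, left)."""
    votes = {}
    for top in range(SIZE - OCCLUDER + 1):
        for left in range(SIZE - OCCLUDER + 1):
            votes[(top, left)] = model(occlude(image, top, left))
    return votes


def minority_report(image, model):
    """Flag the image when the occlusion votes are not unanimous.

    A patch only influences the model while it is visible, so masking it
    flips the label; masking any other window leaves the label alone.
    """
    votes = occlusion_votes(image, model)
    majority, _ = Counter(votes.values()).most_common(1)[0]
    dissent = [pos for pos, label in votes.items() if label != majority]
    report = {
        "prediction": model(image),
        "majority_vote": majority,
        "minority_fraction": len(dissent) / len(votes),
        "suspected_patch": bool(dissent),
        "dissent_box": None,
    }
    if dissent:
        # union of the occluder windows whose masking changed the label
        rows = [p[0] for p in dissent]
        cols = [p[1] for p in dissent]
        report["dissent_box"] = (min(rows), min(cols),
                                 max(rows) + OCCLUDER - 1, max(cols) + OCCLUDER - 1)
    return report


if __name__ == "__main__":
    print("clean  :", minority_report(clean_image(), toy_model))
    print("patched:", minority_report(apply_patch(clean_image(), 5, 5), toy_model))
```

On the clean image every occluder position agrees, so the minority fraction is zero; with the patch at rows 5-7, columns 5-7, the nine positions that overlap it all flip the label, and the dissent box (3, 3, 7, 7) brackets the patch. A real classifier is noisier than this toy, so in practice the unanimity rule becomes a threshold on the minority fraction.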
DLL Notification Injection by Mor Davidovich
In the ever-evolving cat-and-mouse game of researchers and malware authors versus EDR vendors, it never ceases to amaze me how the “adversaries” develop novel techniques to bypass EDR detections. Davidovich briefly explains how process injection works and lays out the basic four-step model of performing this technique on Windows, which is also the heuristic EDRs key on. This area of research attacks that heuristic itself: if you can get something else to perform any of the four steps, you can bypass an EDR. So, Davidovich finds a method for getting another process to run the last step, which is shellcode execution in the process you inject into.
Deep Dive Into Windows Diagnostic Data & Telemetry (EventTranscript.db) - PART 1 by Abhiram Kumar
Forensic investigators rely increasingly on diagnostic data when putting together an attack timeline. Whether it’s Windows or macOS (see XProtect), these datasets can provide additional insight into how actors executed, modified, or created specific files during their campaigns. In this post, Kumar revisits EventTranscript.db in Windows and releases a tool to help parse it. Kumar also notes a peculiarity in some of the transcript data when running a binary, deleting it, modifying it slightly, and re-running it: Windows does not accurately compute the SHA1 hash of the new binary in the Win32kTraceLogging.AppInteractivitySummary log.
Intern Showcase: Anonymizing Logs made easy with LogLicker by Corey Ahl
I love celebrating success, especially with interns! Corey Ahl, Ian Ahl’s (SVP/head of research at Permiso) son, built a log processing tool that helps reduce sensitive data exposure when sharing logs. The manifest file is a super interesting feature of this tool. Basically, as you process logs, you replace sensitive data with dummy data, and you can choose to generate a manifest file that holds the replaced values. You can transfer this manifest file securely to someone else, who can swap the dummy values back for the sensitive data to view the original logs.
Excellent work, Corey!
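To make the manifest idea concrete, here is an added example written for this issue; it is not LogLicker’s code and does not reproduce its file formats. It scrubs IP addresses, e-mail addresses and AWS access key ids from a few constructed log lines, hands back stable dummy tokens (the same real value always maps to the same token, so correlation across lines survives), keeps the real values in a manifest, and restores the originals from that manifest.

```python
import json
import re

# Value types this example redacts (deliberately a small, constructed set).
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
TOKEN_RE = re.compile(r"<[A-Z_]+_\d+>")

# Constructed sample log lines (documentation IP ranges and AWS's example key id).
SAMPLE_LOGS = [
    "2023-08-21T09:00:01Z sshd: Accepted publickey for alice@example.com from 203.0.113.7",
    "2023-08-21T09:00:05Z api: key AKIAIOSFODNN7EXAMPLE used from 203.0.113.7",
    "2023-08-21T09:01:10Z sshd: Failed password for bob@example.com from 198.51.100.23",
]


class Anonymizer:
    """Replaces sensitive values with numbered tokens and records the mapping."""

    def __init__(self):
        self.manifest = {}   # token -> original value (the sensitive part)
        self._reverse = {}   # original value -> token, keeps tokens stable
        self._counters = {}  # per-kind sequence numbers

    def _token(self, kind, value):
        if value in self._reverse:
            return self._reverse[value]
        n = self._counters.get(kind, 0) + 1
        self._counters[kind] = n
        token = f"<{kind.upper()}_{n}>"
        self.manifest[token] = value
        self._reverse[value] = token
        return token

    def scrub_line(self, line):
        for kind, pattern in PATTERNS.items():
            line = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), line)
        return line


def anonymize(lines):
    """Return (scrubbed_lines, manifest); ship the two separately."""
    anon = Anonymizer()
    scrubbed = [anon.scrub_line(line) for line in lines]
    return scrubbed, anon.manifest


def restore(lines, manifest):
    """Put the real values back; unknown tokens are left as they are."""
    return [TOKEN_RE.sub(lambda m: manifest.get(m.group(0), m.group(0)), line)
            for line in lines]


if __name__ == "__main__":
    scrubbed, manifest = anonymize(SAMPLE_LOGS)
    print("\n".join(scrubbed))
    print(json.dumps(manifest, indent=2))
    assert restore(scrubbed, manifest) == SAMPLE_LOGS
```

The scrubbed lines alone are safe to paste into a ticket or a shared channel; the manifest is the sensitive artifact and gets the same handling the raw logs would have.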
Azure Threat Research Matrix by Microsoft
This GitHub site hosts an interesting ATT&CK-like matrix for Azure made by Microsoft. I’m surprised this is the first time I’m seeing this, but if you click on the specific techniques and sub-techniques, you can see a description and how to perform the attack using your favorite Microsoft tool.
C2 Server Hunting: Empowering Threat Intelligence with Nuclei Templates by Project Discovery
Interesting pivot by Project Discovery (makers of Nuclei): they are now doing C2 server fingerprinting via Nuclei templates. I love how democratized threat research is becoming. This kind of data used to be held by a handful of vendors who charged a premium for access. Another example is the myriad ransomware shame site aggregators on GitHub. Those lists were highly coveted and tightly sealed behind paywalls and login portals at intel companies; now they are free for everyone to see!
Detection Engineering on Social Media
Link: https://twitter.com/HackingDave/status/1691162440254238720
Link: https://twitter.com/onfvp/status/1691623077262590142
Link: https://twitter.com/vxunderground/status/1693983499370541244
Threat Landscape
Malvertisers up their game against researchers by Jérôme Segura
Cat-and-mouse is an apt analogy for EDR research, so what’s the analogy for cybercriminals and researchers? I’m thinking Hellcat and paladin. Is that too nerdy? Maybe, but one of the _really_ fun things about threat research is uncovering the techniques used by the baddies to prevent analysis from the proverbial “good guys.” Malvertisers are no exception, and Segura showcases a dynamically generated malvertising page that determines whether or not to serve you malware based on several “anti-analysis” factors.
CVE-2023-38035 - Vulnerability affecting Ivanti Sentry by Ivanti
Yet another vulnerability affecting Ivanti Sentry. According to the NIST write-up, Sentry comes out of the box with an insecure default HTTPD configuration that can expose sensitive administrative APIs to an attacker. My crappy Shodan search shows 112 servers publicly exposed on the port specified (8443) in the Ivanti write-up.
CISA Adds 4 Vulnerabilities to Known Exploited Vulnerability (KEV) Catalog by CISA
CISA added four vulns, CVE-2023-24489 (Citrix), CVE-2023-26359 (Adobe ColdFusion (lol)), CVE-2023-38035 (Ivanti Sentry) and CVE-2023-27532 (Veeam), to their KEV catalog. The interesting one, CVE-2023-38035, was listed above from Ivanti. The Ivanti post did not say whether or not actors exploited it in the wild, only that “there is low risk of exploitation for customers who do not expose 8443 to the internet.”
Monti Ransomware Unleashes a New Encryptor for Linux by Nathaniel Morales and Joshua Paul Ignacio
What rhymes with Conti? Monti, of course. Trend Micro analysts Nathaniel Morales and Joshua Paul Ignacio give an update on the Conti-adjacent ransomware crew that showed many similarities with the original Conti group when it first emerged. Later strains of Monti have different code bases (shown with a BinDiff), but that could also mean they simply repacked the malware differently.
LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab by Miguel Hernández
In this post, Hernández finds a devilish actor trying to compromise GitLab servers with a 2-year-old RCE. Some interesting findings include the use of cloudflared as attacker infrastructure to deliver payloads and the deployment of proxyjacking malware. My availability bias is kicking in here, but I think there is more money in playing the long game with proxyjacking than in trying to mine crypto in a smash-and-grab campaign.
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability by ZDI
RCE in WinRAR? RCE in WinRAR! It does require user interaction, but when a victim opens up a malicious file, a specially crafted “recovery volume” can access memory out of bounds from an allocated buffer. I’m unsure how many people still use WinRAR (I do), but I hope you paid for it, like good Internet citizen Silas Cutler.
https://twitter.com/silascutler/status/1213229169120862208?lang=en
Open Source
LogLicker by Permiso-io-tools
GitHub link to Corey Ahl’s LogLicker tool that I wrote about above.
DllNotificationInjection by ShorSec
Repo by ShorSec for the DllNotificationInjection technique written about above. The authors say to go here if you want a tl;dr and a quick start.
wrongsecrets by OWASP
Yet another DVWA-style deliberately vulnerable app, this one focused on misconfigurations that expose secrets in web applications.
youre-the-os by plbrault
I got way too stressed out playing this game, but it’s super addicting. You play the role of the operating system and have to manage processes, memory and I/O events.