Welcome to Issue #38 of Detection Engineering Weekly!
This week’s recap:
Lots of threat hunting thought leadership this week! A 💎 by Sydney Marrone on deliverables of Splunk’s PEAK framework, Kostas Tsialemis on some good and some ugly hunting metrics, and Ron Marom on hunting in Snowflake audit logs
“Thought process” blog pieces on creating detection content in Docker, courtesy of Seth Hanford and Anton Ovrutsky
Yaron Avital on GitHub and CI/CD IAM permission models
Johnny Johnson demystifies DLL Hijacking
DoJ takes down Qakbot, Lazarus leaves the front door open on their infrastructure, Metaverse developers get a bad npm package, and HTML Smuggling/Word in PDF malware is super effective
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Key Threat Hunting Deliverables with PEAK by Sydney Marrone
Hopefully you read through the Splunk team’s series on PEAK. If not, go back to their blog (and this newsletter) to read up on it. Structured approaches to threat hunting not only provide reproducible and standardized outputs, but also help increase the knowledge of your teams as they publish their learnings. The Splunk team splits PEAK into three phases: prepare, execute and act. But what happens when you finish a threat hunt, or maybe you stop early due to technical limitations? How do you capture the value of those threat hunt outputs so you can showcase it?
In this post, Marrone provides plenty of answers to this question. It’ll help practitioners who want to boot up a program or show the value of a current one.
State of the Art
Threat Hunting Metrics: The Good, The Bad and The Ugly by Kostas Tsialemis
Lots of metrics blog posts this week for the newsletter! This is the second post on threat-hunting metrics in the newsletter, the first being the gem listed above. Much like the PEAK framework, Tsialemis talks about outputs other than incidents that can prove the value of your hunting program, or "the good." Metrics can also be an enemy to your program if you only report time spent during a hunt and hunt count per hunter. It's kind of like measuring software engineering skills by code output. It definitely worked for Elon!
Frosty Trails: Threat-Hunting For Identity Threats In Snowflake by Ron Marom
Have you heard of Snowflake? It sounds like a SQL database on steroids, with many out-of-the-box features you don't usually get with MySQL/Postgres (someone please fact-check me on that!). In this post, Rezonate researcher Ron Marom shows how you can use native tables in Snowflake to do detection engineering over identity threats targeting your Snowflake instance. TL;DR, you can create a user with access to the ACCOUNT_USAGE schema and do detection and hunting there. Marom publishes 10 (!) detection opportunities you can run on Snowflake out of the box without paying extra for special logs and historical data. Looking at you, Microsoft!
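To make the ACCOUNT_USAGE approach concrete, here is an added example (mine, not one of Marom's ten detections): a read-only hunting role, then two hunts over LOGIN_HISTORY for successful single-factor logins from an IP the user has never used and for failed-login bursts. The role name HUNT_RO, the 30-day baseline window and the threshold of 10 failures are assumptions.

```sql
-- Added example (not from Marom's post): grant a hunting role read access to the
-- shared ACCOUNT_USAGE views, then flag two identity signals from LOGIN_HISTORY.
-- Role name HUNT_RO and the 30-day baseline window are assumptions.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS HUNT_RO;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE HUNT_RO;

USE ROLE HUNT_RO;

-- Signal 1: a successful login from a client IP the user has not used in the
-- baseline window. ACCOUNT_USAGE views lag real time (LOGIN_HISTORY by up to
-- about two hours), so treat this as a hunt, not a real-time alert.
WITH baseline AS (
  SELECT DISTINCT user_name, client_ip
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    AND event_timestamp <  DATEADD(day, -1,  CURRENT_TIMESTAMP())
),
recent AS (
  SELECT event_timestamp, user_name, client_ip, reported_client_type,
         first_authentication_factor, second_authentication_factor
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
)
SELECT r.*
FROM recent r
LEFT JOIN baseline b
  ON b.user_name = r.user_name AND b.client_ip = r.client_ip
WHERE b.user_name IS NULL
  -- Single-factor logins from a never-seen IP are the ones worth a closer look.
  AND r.second_authentication_factor IS NULL
ORDER BY r.event_timestamp DESC;

-- Signal 2: password-guessing bursts, i.e. many failed logins for one user
-- inside a 10-minute bucket. The threshold of 10 is an assumption; tune it.
SELECT user_name,
       TIME_SLICE(event_timestamp, 10, 'MINUTE') AS bucket,
       COUNT(*)                                AS failures,
       COUNT(DISTINCT client_ip)               AS source_ips,
       ARRAY_AGG(DISTINCT error_code)          AS error_codes
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
GROUP BY 1, 2
HAVING COUNT(*) >= 10
ORDER BY failures DESC;
```

Schedule the two SELECTs as a Snowflake task or run them from your SIEM's query connector; because the view lags, give the lookback an overlap rather than a tight one-hour window.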
Writing My First Sigma Rule: Container Residence Discovery by Seth Hanford
Detection Engineering veteran and Eagle Scout, Seth Hanford, documents his first foray into writing an open-source detection via Sigma and getting it committed to the Sigma ruleset. I love the section on formulating detection opportunities, specifically because it challenges the reader to think about the different ways an attacker can issue a discovery command based on their environment.
Third-Party GitHub Actions: Effects of an Opt-Out Permission Model by Yaron Avital
Have you ever studied the permissions model in a CI/CD system? Much like IAM in Cloud accounts, Active Directory or.. Entra AD (🤮), there's nuance. Software supply-chain security has become a hot topic in security in the last few years, and the bad guys love the flexibility of GitHub Actions as much as the good guys on the inside. Avital and the Prisma Cloud team documented permissions gaps of the top 1000 actions on the GitHub marketplace and found around 50% of them..
..don’t perform any interaction against the repository and, therefore, don’t require the GitHub token to fulfill its purpose.
We'll start to (hopefully) see some more research behind IAM in CI/CD systems, and that should lead to open-source tools that we can use to help evaluate permissions gaps. It's kind of like CIEM, but for CI/CD, so CI/CDIEM? I hate acronyms.
Demystifying DLL Hijacking: Understanding the Intricate World of Dynamic Link Library Attacks by Johnny Johnson
In this post, Johnson gives a crash course on classic DLL Hijacking techniques on Windows, and then provides some detection opportunities for identifying these techniques. Several things make this a frustrating attack to detect: lots of DLLs are loaded frequently throughout the Windows ecosystem, and Microsoft Defender for Endpoint needs an enrichment to tell you whether or not an event contains a signed DLL.
CVE-2020-19909 is everything that is wrong with CVEs by Daniel Stenberg
Ever get woken up because some actor or researcher dropped a vulnerability? How about it becoming a nothingburger because the NVD/researcher/actor overhyped the impact? As an industry, we've combated vulnerability misinformation for years, but the answer to the impact question for any newly released vulnerability is almost always "it depends".
In this post, Stenberg, author of curl, talks about a frustrating experience with a CVE issued for a curl security vulnerability without him ever being involved. Some peculiar things about this CVE:
The issue date is 2020.
The CVSS score is 9.8 on NVD.
The score is different on other vendors.
The associated HackerNews discussion on this post gave me some hope that we're recognizing the faults of this system outside of security.
📘 Volatility3: Remote analysis on cloud object-storage by Felix Guyard
The Volatility team published an update to their tool that allows reading memory dumps from remote cloud storage. I think this makes a super interesting case for “agentless” memory scanning on cloud workloads. Have your workloads generate a Volatility dump, ship it to an S3 bucket, then remotely load the dump into Volatility for detection. You can run YARA rules over Volatility dumps, which makes it even more interesting!
Detection Engineering on Social Media
Link: https://twitter.com/rootsecdev/status/1695234485057409044
Link: https://twitter.com/ACEResponder/status/1695890808233222558
Link: https://twitter.com/brianwhelton/status/1695885506276372627
Threat Landscape
Qakbot Malware Disrupted in International Cyber Takedown by US Department of Justice
Operation Duckhunt 🦆🦆 was a success! I don't want to steal their thunder, but I've linked many articles exposing Qakbot over the last year. Go check out the press release, it's fantastic! #tangodown
Akira: Pulling on the chains of ransomware by Silas Cutler
My friend (and fellow WinRAR enthusiast) Silas Cutler and the Stairwell team hit a goldmine of intelligence when they spotted an Akira server with an exposed home directory. After downloading EVERYTHING, Silas compiled an excellent synopsis of this aspect of the Akira operation and an even better outcome: they helped stop active infections in several organizations! This blog post gives a rare look inside ransomware operator tools, techniques, and procedures.
Telekopye: Hunting Mammoths using Telegram bot by Radek Jizba
Threat actors are people, too, which means they prefer convenience and usability, just like the rest of us! In this post, Jizba spotlights a toolkit that runs as a Telegram bot and allows actors to purchase phishing kits, configure the infrastructure, and deploy them on behalf of the cybercriminal. The administrators call their customers Neanderthals, and since Jizba got ahold of the source code itself, he was able to reveal their monetization and payout schemes. It turns out the more bad stuff you do, the better commission you get, and the more functionality you unlock within the chat.
Lazarus Group's infrastructure reuse leads to discovery of new malware by Asheer Malhotra, Vitor Ventura, Jungsoo An
Talos researchers uncovered new toolsets used by Lazarus by monitoring the infrastructure used in previous campaigns going back.. years? It's a brazen setup by alleged Lazarus actors - they either know and don't care that researchers have burned and are tracking their infrastructure, or they don't know whatsoever. Part of me thinks it's the former, given their success in these operations. Another interesting finding is the move to open-source toolsets like DeimosC2 to establish persistence.
Fake Roblox packages target npm with Luna Grabber information-stealing malware by Lucija Valentić
The metaverse, aka Roblox, becomes a juicy target for information stealer malware using malicious npm packages. According to Valentić, Roblox developers use a Node.js library called noblox.js to communicate with the open Roblox API, which makes this an exciting vector for cybercriminals to compromise and pilfer data from these developers.
HTML Smuggling Leads to Domain Wide Ransomware by The DFIR Report
A spear-phishing email with an attached HTML file, which then downloaded a password-protected ZIP file, which, when decompressed, contained an ISO with a malware payload. You would think this many steps would fail to infect, but you would be incorrect! This DFIR report outlines a case with that initial access method, an IcedID infection, and an eventual domain-wide ransomware intrusion.
MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file by 増渕 維摩 (Yuma Masubuchi)
Yo dawg, I heard you like Word files, so we put a Word file inside your PDF file so you can execute a VBS file. According to Masubuchi, opening a malicious PDF that contains an embedded Word file in Word works, and Word executes the MalDoc inside. Due to this strange configuration, the author warns that some sandboxing and malware analysis tools may miss this technique.
Open Source
vCenterKit by W01fh4cker
Most of the README is in Chinese (Simplified) (thanks Google), but it's not hard to figure out what the developer wants to do with this open-source toolkit. Lots of initial access brokers and Ransomware operators have targeted vSphere and vCenter servers to carry out their attacks. I counted five CVEs pre-loaded for folks to try when they git clone the repo.
AppleJuice by ECTO-1A
If you were at DEF CON and, like me, walking around the Flamingo, you may have gotten several Apple TV spoof messages. Luckily, nothing reported indicates a 0-day, but scary nonetheless! ECTO-1A recreated these spoofed broadcasts and open-sourced it, so you only need a Bluetooth adapter to annoy your friends and family!
Detectient by Matt Coons
Who needs detection engineers for your detections-as-code pipeline when you have ChatGPT? This CI/CD pipeline generates prompts for the ChatGPT API and returns detections to save in the repository.
ThreatHunting-Keywords by mthcht
This repo contains lists for threat-hunting queries, think of password lists but for threat-hunters! I imagine this casts a wide net and the efficacy of your hunt results may vary, but isn't that what threat hunting is all about?!
DockerDetectionNotes by antonlovesdnb
Antonlovesdnb pulls apart several Docker attacks inside a Sumo Logic lab and provides the screenshots to prove it! I like reading raw notes like this from time to time - they show how someone approaches a problem in detection, without being mired in editors, storytelling and marketing.