Detection Engineering Weekly #41 - Ocean's 11, but with a cat
And the cat complains a lot when things go wrong
Welcome to Issue #41 of Detection Engineering Weekly!
This week’s recap:
💎 from researchers at MITRE Engenuity's Center for Threat-Informed Defense on extending the Pyramid of Pain so you can score your detection analytics
Michael Barclay from SpecterOps demystifies the procedure-level tracking of attacks, and how it doesn’t have to be so reactive
DFIR Spot gives a 101 on Sysmon, Bert-Jan Pals on useful KQL functions, Amitai Cohen becomes professor of exothrunting at Starfleet Academy, and Yaron Avital shows that pinned GitHub Actions aren't always as immutable as they look
It’s casino week here at Detection Engineering Weekly, so I hope you are ready for some *good* (IMHO) MGM/Caesars commentary from Mandiant and Allan Liska.
Retool discloses a security breach, Pulsedive researcher Mohammad Amr Khan analyzes a new infostealer, and Trend Micro finds a new Linux backdoor from Earth Lusca
plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Summiting the Pyramid: Level Up Your Analytics by Roman Daszczyszak, Steve Luke and Ross Weisman
MITRE Engenuity Center for Threat-Informed Defense published a framework for scoring detections as you "summit" the Pyramid of Pain. Basically, by combining several themes from SpecterOps' Capability Abstraction research, the Pyramid of Pain, and some "engenuity" from MITRE, you can score the robustness of a detection based on where its observables live (application, user-mode, or kernel-mode telemetry) and how hard those observables are for an adversary to change.
What I like about this is that it lets you reason about cost to the adversary at a finer grain than the Pyramid alone, and it turns that reasoning into a score for the analytics you already have. The output is a sparse matrix (or a spreadsheet if you prefer) with a score per analytic, which makes gaps in both your telemetry and your detection code visible. Their Example Mappings page shows breakdowns of two sub-techniques, LSASS Memory and Scheduled Tasks. I can't wait to see how these get used to generate coverage maps!
State of the Art
Reactive Progress and Tradecraft Innovation by Michael Barclay
Most detection work targets combinations of tactics and techniques, with rules that try to catch as many procedures as possible. In this post, Barclay describes the faults and assumptions we tend to make when writing detection rules for specific procedures. Not only do we make assumptions, but we mostly react to changes in procedures rather than getting ahead of them. But what does it mean to be proactive?
SpecterOps talks about this in capability abstraction, and this week's gem talks about "traversing the summit": finding the different ways to execute a procedure at separate telemetry levels to arrive at a robustness metric for a detection.
It's a lengthy read but definitely worth your time. As an industry, we are beginning to demystify the field (in a mathematical sense) of different ways to execute a procedure. We can map most of this if we sit down and, well, do the math!
Sysmon: When Visibility is Key by The DFIR Spot
This is a fantastic introductory post on why Sysmon is helpful, what you can get from it, and how to implement it. I'm an intel nerd, so _I love_ "Executive Summary" style bullet points, or "The Rundown", here. For example, did you know Windows does not log process command lines by default? Event ID 4688 needs process-creation auditing turned on, and the command line only appears once the "Include command line in process creation events" policy is enabled too. It may never be the year of the Linux desktop, but at LEAST it has a bash history.
After describing Sysmon's usefulness, the author goes through an example of using it to inspect several command-line executions and where you can start your detection journey.
KQL Functions for Security Operations by Bert-Jan Pals
KQL is the mainstay query language if you are a Defender, Sentinel, or Azure customer. In this post, Pals highlights four built-in KQL functions that are super useful for detecting and hunting for badness in your environment. To piggyback on the previous Sysmon post, hunting for interesting PowerShell invocations in the command line, especially ones carrying base64-encoded commands, can give you many interesting results that may turn into an incident or a great detection candidate.
Thrunting Grounds by Amitai Cohen
When you build detections or threat hunts for malicious artifacts in your environment, how exactly do you define "artifact"? An astute student might say, "...file hashes of malware, IP addresses of C2 servers, and logs related to behavior I want to catch." All fair answers, but doesn't an attack start before an attacker drops these artifacts on you? Have you ever looked for attacker toolsets, staging infrastructure, or attacker identities during a threat hunt?
Cohen tries to answer this question about hunting outside traditional indicators of compromise. He coins a tongue-in-cheek term, "exothrunting," for the concept. He gives examples of different "observable types" and where each one sits on the path between attacker and victim infrastructure.
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows by Yaron Avital
This is a follow-up to Avital's earlier research on the GitHub Actions permission model. Following the IAM threat-modeling rabbit hole further down, Avital describes how action pinning works and how a malicious actor can still compromise a pipeline that uses it. GitHub recommends pinning actions to a specific commit hash, but Avital shows how to get around that control. Basically, pinning to a commit hash freezes the action's own repository contents, not what that code pulls in at run time: a Docker image referenced by tag, a nested action referenced by branch or tag, or packages installed while the job runs can all be changed later by whoever controls those upstream sources, and your pinned hash will never notice.
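To make that concrete, here is a small checker I wrote for this issue (it is not Avital's tooling or anything from GitHub) that scans an action's `action.yml` for the run-time-mutable inputs a commit pin does not cover: nested `uses:` refs that are not a 40-hex SHA, `docker://` images without a digest, a `Dockerfile` whose `FROM` line is tag-only, and steps that download or install code while the job runs. The `action.yml` and `Dockerfile` contents are constructed for the example, `example-org` and the all-`a` SHA are placeholders, and the scan is line-based rather than a full YAML parse, so treat it as a triage aid for the actions you depend on, not a policy engine.

```python
import re
from typing import Dict, List, NamedTuple

# A 40-hex commit SHA is the only action ref GitHub treats as immutable.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$", re.I)
# An OCI image is only immutable when referenced by digest, never by tag.
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}", re.I)

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?(?P<img>[^'\"\s#]+)")
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<img>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I)
# Heuristic for code fetched while the job runs: a download piped into a shell,
# or a package install that resolves versions at run time.
RUNTIME_FETCH = re.compile(
    r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b|\b(?:npx|npm\s+install|pip3?\s+install)\b", re.I)


class Issue(NamedTuple):
    file: str
    line: int
    text: str
    why: str


def action_ref_is_pinned(ref: str) -> bool:
    """True only for refs that cannot silently change: commit SHAs, image digests, local paths."""
    if ref.startswith("docker://"):
        return bool(IMAGE_DIGEST.search(ref))
    if ref.startswith("./"):
        return True  # path inside the same repo: frozen by the caller's pin
    _, _, version = ref.partition("@")
    return bool(COMMIT_SHA.match(version))


def scan_dockerfile(name: str, content: str) -> List[Issue]:
    """Flag base images pulled by tag; skip multi-stage references and scratch."""
    issues: List[Issue] = []
    stages = set()
    for lineno, line in enumerate(content.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        img = m.group("img")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if img.lower() in stages or img.lower() == "scratch":
            continue
        if not IMAGE_DIGEST.search(img):
            issues.append(Issue(name, lineno, line.strip(), "base image not pinned by digest"))
    return issues


def scan_action(files: Dict[str, str], entry: str = "action.yml") -> List[Issue]:
    """Scan an action's metadata (and the Dockerfile it builds, if any) for run-time mutable inputs."""
    issues: List[Issue] = []
    for lineno, line in enumerate(files[entry].splitlines(), 1):
        m = USES_LINE.match(line)
        if m and not action_ref_is_pinned(m.group("ref")):
            issues.append(Issue(entry, lineno, line.strip(), "nested action/image not pinned to an immutable ref"))
        m = IMAGE_LINE.match(line)
        if m:
            img = m.group("img")
            if img.startswith("docker://"):
                if not IMAGE_DIGEST.search(img):
                    issues.append(Issue(entry, lineno, line.strip(), "container image referenced by tag, not digest"))
            elif img in files:
                issues.extend(scan_dockerfile(img, files[img]))
            else:
                issues.append(Issue(entry, lineno, line.strip(), f"Dockerfile {img!r} not supplied for scanning"))
        if RUNTIME_FETCH.search(line):
            issues.append(Issue(entry, lineno, line.strip(), "downloads or installs code while the job runs"))
    return issues


# Constructed inputs: a composite action with three unpinnable steps and one pinned one.
COMPOSITE_ACTION = """\
name: example-composite
runs:
  using: composite
  steps:
    - uses: example-org/setup-tool@v1
    - uses: example-org/lint@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    - uses: docker://example/tool:latest
    - run: curl -sSL https://example.invalid/install.sh | bash
      shell: bash
    - run: ./scripts/build.sh
      shell: bash
"""
# A Docker action whose pinned commit still builds from a tag-only base image.
DOCKER_ACTION = "name: example-docker\nruns:\n  using: docker\n  image: Dockerfile\n"
DOCKERFILE = "FROM alpine:3.18\nRUN apk add --no-cache curl\nENTRYPOINT [\"/entrypoint.sh\"]\n"
PINNED_DOCKERFILE = "FROM alpine@sha256:" + "b" * 64 + "\nRUN apk add --no-cache curl\n"

if __name__ == "__main__":
    for issue in scan_action({"action.yml": COMPOSITE_ACTION}):
        print(issue)
    for issue in scan_action({"action.yml": DOCKER_ACTION, "Dockerfile": DOCKERFILE}):
        print(issue)
```

The fix on the action side is the same in every case the scanner reports: reference images by digest, nested actions by SHA, and vendor or lock anything fetched at run time. On the consumer side, a pinned SHA buys you nothing until the action behind it passes a check like this.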
The bogus CVE problem by Jake Edge
This is a great synopsis of the recent cURL incident, where a CVE nobody on the project had asked for showed up with a high CVSS score. Edge walks through cURL's response to the CVE and several more examples of bogus CVEs and miscalculated CVSS scores. Edge ends the post with a sobering conclusion:
All in all, the CVE system seems to be broken in various ways. It also seems to be getting more and more entrenched into "cybersecurity" handling at various levels. Given that it is effectively run by—and now for—governmental agencies, the ability to replace it with something more sensible has likely already passed us by. CVE, warts and all, will be with us for a long time to come; FOSS projects and organizations are simply going to have to figure out how to coexist with it.
Detection Engineering on Social Media
Link: https://twitter.com/josh_murchie/status/1702711970648994118
Link: https://twitter.com/HackingLZ/status/1704102852757495827
Link: https://twitter.com/Cyb3rMonk/status/1703867317824729185
Threat Landscape
Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety by Mandiant Intelligence
Since ransomware against hospitals apparently isn't click-worthy enough, I'm glad there's been more reporting by major news outlets on the MGM and Caesars ransomware plaguing the Vegas Strip. The TL;DR is that two groups most likely carried out the attacks: UNC3944/SCATTERED SPIDER and ALPHV/BlackCat. This excellent writeup on UNC3944 shows how a motivated group can use social engineering alone to gain administrative access to cloud and IdP environments.
You. Are. The. Criminal. Dumbass. by Allan Liska
It's Casino Week here at Detection Engineering Weekly, BUT excellent content has been released that grounds a lot of us back in reality. This is one of those posts. Liska, the ransomware sommelier (an actual sommelier, and as a wine drinker I would love to share a glass with him sometime), picks apart the "update" ALPHV posted on their shame site. It is a direct "FU" that I hope carries the full weight of the security community's contempt for ransomware operators.
Malware distributor Storm-0324 facilitates ransomware access by Microsoft Threat Intelligence
I hope you read the SCATTERED SPIDER / UNC3944 piece from Mandiant above! There are lots of exposés on initial access brokers (IABs) this week, and this particular IAB has commoditized its access operations and sells the resulting footholds on to ransomware actors. The interesting part of this post is the use of Microsoft Teams chats to deliver phishing lures to victims.
When MFA isn't actually MFA by Snir Kodesh
Did you read the SCATTERED SPIDER / UNC3944 piece from Mandiant? Are you sensing a theme? Retool published a blog following a security breach in which an attacker successfully socially engineered one of their employees. The attacker then registered their own device as an additional MFA factor and abused Google Authenticator's cloud-sync "feature", which backs up OTP seeds into the user's Google account, so one compromised Google login hands over every OTP that account generates. With those codes the actor reached internal admin systems and 27 Retool customer accounts, all in the crypto industry.
Analyzing Agniane Stealer by Mohammad Amr Khan
Lots of new infostealers are emerging on the criminal underground. This one was interesting for the Telegram support channel you can join if you forgot your password; what great service! The anti-analysis techniques were also interesting: the malware exits if it finds analysis tools such as Wireshark or Filemon running. So, why not push out Wireshark to all your employees and protect yourself from Agniane? Modern problems require modern solutions!
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement by Joseph C Chen and Jaromir Horejsi
Earth Lusca is a China-linked group that Trend Micro has tracked since 2021. They recently found a new Linux backdoor that borrows from existing Linux RAT/malware families. They found an encrypted .so hosted on one of Earth Lusca's staging servers and, through some sleuthing on VirusTotal, found the decryptor for it just by searching for a referenced file name! The group exploits several public CVEs for initial access, including ones in Fortinet appliances, GitLab servers, and ProxyShell-vulnerable Exchange servers.
Open Source
summiting-the-pyramid by center-for-threat-informed-defense
Corresponding GitHub link and source code for the gem listed above.
Periscope by malcolmvetter
A complete adversary toolkit with CI/CD integration and all kinds of goodies for your red team engagements. The feature list on the wiki is quite extensive, and I enjoyed reading about the operational-security thinking malcolmvetter put into the tool, especially the canaries and the redirectors.
llm-guard by laiyer-ai
Open-source toolkit that sits between your application and the model and scans prompts and responses (prompt injection, secrets, PII, and so on). I imagine it’s hard for large enterprises that want to use LLMs to completely trust OpenAI/Google to sanitize prompts and prevent data leakage. This is a layer in front of the model that gives that control back to you.
TierZeroTable by SpecterOps
This is the codebase that runs the table for TierZero hosted here. Do yourself a favor and read the two blogs in the README. SpecterOps continues to blow me away with the level of knowledge behind Detection and Response in the Windows & Azure space.
Bashfuscator by bashfuscator
I just. What? WHAT IS THIS DARK MAGIC.
$ bashfuscator -c "cat /etc/passwd"
[+] Mutators used: Token/ForCode -> Command/Reverse
[+] Payload: ${@/l+Jau/+<b=k } p''"r"i""n$'t\u0066' %s "$( ${*%%Frf\[4?T2 } ${*##0\!j.G } "r"'e'v <<< ' "} ~@{$" ") } j@C`\7=-k#*{$ "} ,@{$" ; } ; } ,,*{$ "}] } ,*{$ "} f9deh`\>6/J-F{\,vy//@{$" niOrw$ } QhwV#@{$ [NMpHySZ{$" s% "f"'"'"'4700u\n9600u\r'"'"'$p { ; } ~*{$ "} 48T`\PJc}\#@{$" 1#31 "} ,@{$" } D$y?U%%*{$ 0#84 *$ } Lv:sjb/@{$ 2#05 } ~@{$ 2#4 }*!{$ } OGdx7=um/X@RA{\eA/*{$ 1001#2 } Scnw:i/@{$ } ~~*{$ 11#4 "} O#uG{\HB%@{$" 11#7 "} ^^@{$" 011#2 "} ~~@{$" 11#3 } L[\h3m/@{$ "} ~@{$" 11#2 } 6u1N.b!\b%%*{$ } YCMI##@{$ 31#5 "} ,@{$" 01#7 } (\}\;]\//*{$ } %#6j/?pg%m/*{$ 001#2 "} 6IW]\p*n%@{$" } ^^@{$ 21#7 } !\=jy#@{$ } tz}\k{\v1/?o:Sn@V/*{$ 11#5 ni niOrw rof ; "} ,,@{$" } MD`\!\]\P%%*{$ ) }@{$ a } ogt=y%*{$ "@$" /\ } {\nZ2^##*{$ \ *$ c }@{$ } h;|Yeen{\/.8oAl-RY//@{$ p *$ "}@{$" t } zB(\R//*{$ } mX=XAFz_/9QKu//*{$ e *$ s } ~~*{$ d } ,*{$ } 2tgh%X-/L=a_r#f{\//*{$ w } {\L8h=@*##@{$ "} W9Zw##@{$" (=NMpHySZ ($" la'"'"''"'"'"v"'"'"''"'"''"'"'541\'"'"'$ } &;@0#*{$ ' "${@}" "${@%%Ij\[N }" ${@~~ } )" ${!*} | $@ $'b\u0061'''sh ${*//J7\{=.QH }
[+] Payload size: 1232 characters
THIS IS AWESOME.
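Since every trick in that payload shows up in your process command lines, here is the detection side of the dark magic: a heuristic scorer I put together for this issue (not part of Bashfuscator, and not from its authors) that runs over Sysmon- or auditd-style command lines and counts the things visible above. It looks for positional-parameter expansions used as a scratchpad (`${@//x/y }`, `${*%%z }`), ANSI-C quoting that spells words out of escapes (`$'t\u0066'`), empty quote pairs glued into a word (`p''"r"i""n`), a `rev` fed by a here-string, base-N integer literals (`11#4`), and a high punctuation-to-letter ratio. The short obfuscated sample and the benign commands are constructed for the example, and the weights and threshold are starting points, not gospel.

```python
import re
from typing import Dict, Tuple

# $'...' ANSI-C quoting; the body may hide letters behind \u, \x or octal escapes.
ANSI_C_QUOTE = re.compile(r"\$'((?:\\.|[^'\\])*)'")
# ${@...}, ${*...}, ${!*}: the positional parameters abused as a string workspace.
POSITIONAL_EXPANSION = re.compile(r"\$\{!?[@*]")
# '' or "" wedged inside a word to break up a token without changing it.
EMPTY_QUOTE_SPLIT = re.compile(r"(?<=\S)(?:''|\"\")(?=\S)")
# bash base#number literals such as 2#1001 or 31#5.
BASE_N_LITERAL = re.compile(r"\b\d{1,4}#[0-9A-Za-z]+")

WEIGHTS = {
    "positional_expansions": 1,
    "ansi_c_escapes": 2,
    "empty_quote_splits": 2,
    "base_n_literals": 1,
    "rev_herestring": 5,
    "high_punctuation": 5,
}
OBFUSCATION_THRESHOLD = 10


def _unescape_ansi_c(m: "re.Match") -> str:
    body = m.group(1)
    try:
        return body.encode("latin-1", "backslashreplace").decode("unicode_escape")
    except UnicodeDecodeError:
        return body


def normalize(cmd: str) -> str:
    """Undo the cheap tricks so command words reappear: $'\\u0072' -> r, "r"'e'v -> rev."""
    return ANSI_C_QUOTE.sub(_unescape_ansi_c, cmd).replace("'", "").replace('"', "")


def score_command_line(cmd: str) -> Tuple[int, Dict[str, int]]:
    """Return (score, per-indicator counts); counts are capped so one trick cannot dominate."""
    norm = normalize(cmd)
    non_space = [c for c in cmd if not c.isspace()]
    punct = sum(1 for c in non_space if not c.isalnum())
    features = {
        "positional_expansions": min(len(POSITIONAL_EXPANSION.findall(cmd)), 10),
        "ansi_c_escapes": min(sum(1 for m in ANSI_C_QUOTE.finditer(cmd) if "\\" in m.group(1)), 6),
        "empty_quote_splits": min(len(EMPTY_QUOTE_SPLIT.findall(cmd)), 6),
        "base_n_literals": min(len(BASE_N_LITERAL.findall(cmd)), 8),
        "rev_herestring": int(bool(re.search(r"\brev\b", norm)) and "<<<" in norm),
        "high_punctuation": int(bool(non_space) and punct / len(non_space) > 0.4),
    }
    score = sum(features[k] * WEIGHTS[k] for k in features)
    return score, features


def is_obfuscated(cmd: str) -> bool:
    return score_command_line(cmd)[0] >= OBFUSCATION_THRESHOLD


# Constructed sample in the style of the Bashfuscator output above (not the real payload).
OBFUSCATED = r"""${@/x/y } p''"r"i""n$'t\u0066' %s "$( ${*%%Q } "r"'e'v <<< 'dwssap/cte/ tac' ${@~~ } )" | $'b\u0061'''sh ${*//a/b }"""
BENIGN = [
    "cat /etc/passwd",
    "ps aux | grep nginx | awk '{print $2}'",
    "tar -czf backup.tgz /var/www && ls -l backup.tgz",
]

if __name__ == "__main__":
    for cmd in [OBFUSCATED] + BENIGN:
        print(is_obfuscated(cmd), score_command_line(cmd))
```

The normalization step is the part worth stealing: after undoing the ANSI-C quoting and dropping quote characters, `"r"'e'v` becomes `rev` and `$'b\u0061'''sh` becomes `bash`, so the ordinary string matches you already run against command lines start working again.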