Detection Engineering Weekly #43 - A nothingburger with some cURLy fries
He had us in the first half, I'm not gonna lie
Welcome to Issue #43 of Detection Engineering Weekly!
It feels good to be back! I hope you enjoyed some of my scheduled original content. If you haven’t checked them out yet, click below:
This week’s recap:
💎 by Alex McGlothlin on log centralization strategies becoming too costly for detection teams
AWS Security showcases their MadPot system for catching baddies all across their infrastructure
eBPF not a silver bullet by Artem Dinaburg, Allan Liska successfully redeems PowerShell in light of ransomware, Thomas Roccia uses LLMs in a useful way
a cURL CVE, a more serious Confluence CVE, Mandiant maps the DPRK org chart and MSTIC tells several stories about Defender stopping threat actors proactively
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Is log centralization dead? by Alex McGlothlin
The “before times” of everything in the cloud and doing SIEM and logging on-prem may seem more straightforward at first glance. Still, many of the same problems we face today existed “back then.” There were advantages in ancient times, though. First, you could physically touch and verify devices, servers, and endpoints needed to send logs. Second, scaling was more tactile since you had to run to Best Buy or Circuit City for extra hardware.
According to McGlothlin, engineering advances in modern times make it easier to scale but also easier to mess up due to SaaS sprawl and running up your bill. This SaaS sprawl comes with data schema problems, so you need software engineering expertise to maintain ETL pipelines, monitor, and deploy these solutions.
McGlothlin compares and contrasts the two strategies and how we, as an industry, try to solve this now with products and processes. Federated search, MDR, and data analysis skills become the norm in a mature detection engineering organization.
State of the Art
How AWS threat intelligence deters threat actors by Mark Ryland
Only a few organizations can run honeypots at Internet scale, and AWS is one of them. As the AWS team scaled over the years, so did their actor observation and intelligence system, MadPot. Basically, by dogfooding several AWS products like Shield, WAF, and GuardDuty and building a service that mimics “…a huge number of plausible innocent targets,” the AWS intel team can derive a ton of insights on attacker behavior. Some stats they list from their first quarter of 2023:
5.5 billion signals from their sensors and 1.5 billion signals from their active probing efforts
1+ million outbound botnet-driven DDoS attacks stopped
1000+ C2 hosts identified and shared with affected registrars and hosting providers
This not only catches commodity botnet and malware activity but also some nasty APTs like Sandworm and Volt Typhoon.
Pitfalls of relying on eBPF for security monitoring (and some solutions) by Artem Dinaburg
eBPF is the new hotness for security monitoring. This works incredibly well on Linux-based hosts. Security engineers can use the same underlying technology that powers Wireshark’s capture filters, but just like Wireshark, everything you see is based on filters called eBPF programs. This is much different from the traditional EDR you see on Windows, where you hook functions and return execution to the program running it. Dinaburg describes these design decisions in detail and showcases several pitfalls where eBPF falls short of being a reliable security tool.
Avenging PowerShell to Stop Ransomware by Allan Liska
The Ransomware Sommelier, Allan Liska, published the last issue of a three-part series reviewing PowerShell’s importance for ransomware operations and defense. The first two parts are listed at the top of this post, so go check those out, but what I like about this one is the amount of detail Liska goes into around building detection content for PowerShell on Windows. Basically, Liska argues that without a baseline of PowerShell usage in your environment, it’ll be hard to write effective detections since it’s a flexible and powerful language.
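To make the baselining argument concrete, here is an added example (mine, not from Liska’s series): it learns which (user, parent process) pairs normally launch PowerShell and which command-line flags they normally use, then flags new events that fall outside that baseline. The event records are constructed and simplified; in practice the fields would come from Windows process-creation (4688) and script block (4104) events, and the hostnames, users and command lines below are made up.

```python
"""Baseline PowerShell usage, then flag events that fall outside it.

Added example; the events below are constructed, not real telemetry.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PsEvent:
    host: str
    user: str
    parent: str      # image name of the process that spawned powershell.exe
    cmdline: str


# Constructed "learning period" events: what normal PowerShell looks like here.
BASELINE_EVENTS = [
    PsEvent("ws01", "alice", "explorer.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    PsEvent("ws01", "alice", "explorer.exe", "powershell.exe Get-ChildItem"),
    PsEvent("srv01", "svc_sccm", "ccmexec.exe", "powershell.exe -File inventory.ps1"),
    PsEvent("srv01", "svc_sccm", "ccmexec.exe", "powershell.exe -File inventory.ps1"),
    PsEvent("ws02", "bob", "code.exe", "powershell.exe -NoLogo"),
]

# Constructed events from the "detection period".
NEW_EVENTS = [
    PsEvent("ws01", "alice", "explorer.exe", "powershell.exe Get-Process"),
    PsEvent("ws03", "carol", "winword.exe", "powershell.exe -w hidden -enc SQBFAFgA..."),
    PsEvent("srv01", "svc_sccm", "ccmexec.exe", "powershell.exe -File inventory.ps1"),
]


def flags_in(cmdline: str) -> set:
    """Lower-cased command-line switches (tokens starting with '-')."""
    return {tok.lower() for tok in cmdline.split() if tok.startswith("-")}


def build_baseline(events):
    """Return (Counter of (user, parent) pairs, set of switches seen)."""
    pairs = Counter((e.user, e.parent) for e in events)
    switches = set().union(*(flags_in(e.cmdline) for e in events))
    return pairs, switches


def score(events, baseline):
    """Return [(event, [reasons])] for events outside the learned baseline.

    Two cheap signals: a (user, parent) pair that never launched PowerShell
    during the learning period, and a switch (e.g. -enc) the baseline never
    contained.  Either one alone is a reason to look closer.
    """
    pairs, known_switches = baseline
    flagged = []
    for e in events:
        reasons = []
        if (e.user, e.parent) not in pairs:
            reasons.append(f"unseen user/parent pair {(e.user, e.parent)}")
        novel = flags_in(e.cmdline) - known_switches
        if novel:
            reasons.append(f"switches never seen in baseline: {sorted(novel)}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in score(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(event.host, event.user, event.parent, "->", "; ".join(reasons))
```

Run against the constructed data, only the Word-spawned, `-enc` invocation on ws03 is flagged; the SCCM service account’s repeated inventory script and Alice’s interactive use stay quiet because the baseline already contains them. The point is the same one Liska makes: the detection logic is trivial, the value is in having measured what is normal first.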
Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild by Martin McCloskey, Frederic Baguelin and Christophe Tafani-Dereeper
*Note, my employer is Datadog AND this is my team :D*
One of the more exciting things the security research organization at Datadog can do is threat hunt across cloud environments. This post follows several hunts the detection and research team performs focusing on AWS. Since cloud platforms rely so heavily on control plane APIs to perform actions (read, write, modify), you can use these same logs to find badness.
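As an added example of the kind of control-plane hunt the post describes (my code, not Datadog’s, and not the team’s actual queries), here are two simple signals run over a batch of CloudTrail records: a principal piling up AccessDenied responses, which is what discovery with stolen-but-limited credentials often looks like, and API calls from a source IP that principal has never used before. The records are constructed and use the CloudTrail field names; the account id, ARNs and IPs are made-up sample values, and the per-principal IP baseline is assumed to have been built from earlier logs.

```python
"""Two hunts over CloudTrail records: AccessDenied bursts and new source IPs.

Added example; the batch below is constructed in the shape CloudTrail
delivers to S3 ({"Records": [...]}) with made-up values.
"""
import json
from collections import Counter, defaultdict

DEPLOY = "arn:aws:iam::123456789012:user/deploy"
ADMIN = "arn:aws:iam::123456789012:user/admin"

RAW_BATCH = """{"Records": [
 {"eventTime": "2023-10-16T09:00:01Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2023-10-16T09:00:05Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2023-10-16T13:12:40Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2023-10-16T13:12:41Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "ListSecrets", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2023-10-16T13:12:43Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
 {"eventTime": "2023-10-16T14:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}}
]}"""

# Assumed per-principal baseline of source IPs seen in earlier logs.
KNOWN_IPS = {DEPLOY: {"203.0.113.10"}, ADMIN: {"203.0.113.20"}}

# Authorization failures come back under different error codes per service;
# EC2 reports Client.UnauthorizedOperation rather than AccessDenied.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def load_records(raw: str) -> list:
    return json.loads(raw)["Records"]


def principal(rec: dict) -> str:
    return rec.get("userIdentity", {}).get("arn", "<unknown>")


def access_denied_bursts(records, threshold: int = 3) -> dict:
    """Principals with at least `threshold` denied calls in the batch."""
    denied = Counter(principal(r) for r in records if r.get("errorCode") in DENIED_CODES)
    return {arn: n for arn, n in denied.items() if n >= threshold}


def calls_from_new_ips(records, known_ips: dict) -> dict:
    """(principal, sourceIP) pairs outside the baseline -> API names called.

    Note: calls made on a principal's behalf by an AWS service carry a
    service hostname (e.g. ec2.amazonaws.com) in sourceIPAddress; those
    would need their own allow-list in real data.
    """
    hits = defaultdict(list)
    for r in records:
        arn, ip = principal(r), r.get("sourceIPAddress", "")
        if ip not in known_ips.get(arn, set()):
            hits[(arn, ip)].append(r["eventName"])
    return dict(hits)


if __name__ == "__main__":
    recs = load_records(RAW_BATCH)
    print("denied bursts:", access_denied_bursts(recs))
    print("new source IPs:", calls_from_new_ips(recs, KNOWN_IPS))
```

On the constructed batch both hunts converge on the same story: the `deploy` user, normally active from one address, starts probing Secrets Manager and EC2 from a new IP and gets denied three times in a row. Either signal alone is noisy; in combination, scoped to a short window, they make a decent starting point for a hunt query.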
Artifacts of Execution: Prefetch - Part One by The DFIR Spot
We’ve linked several blog posts about using prefetch files in forensics and incident response. The DFIR Spot took it one step further and gives readers a deep dive in a multi-part series. The Windows prefetch feature allows the operating system to cache code snippets for a faster experience in subsequent executions.
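For readers who want to see what is actually inside the artifact, here is an added example (mine, not The DFIR Spot’s) that parses the fixed 84-byte header of an uncompressed prefetch file: the format version, the `SCCA` signature, the executable name stored as UTF-16LE, and the hash that also appears in the `.pf` file name. The sample file is constructed by the helper in the block rather than taken from a real system, and the version-to-OS mapping is the commonly documented one. One caveat worth knowing: Windows 10 and later store prefetch files compressed (they start with the bytes `MAM\x04`), so a real file from a modern host has to be decompressed before this header is visible; the parser detects that case and says so.

```python
"""Parse the fixed header of an uncompressed Windows prefetch (.pf) file.

Added example; build_sample_prefetch() constructs the input, so no real
prefetch file is needed to run it.
"""
import struct

HEADER_LEN = 84
# Commonly documented format versions (mapping is approximate by OS release).
SCCA_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
                 26: "Windows 8.1", 30: "Windows 10+"}


def build_sample_prefetch(exe_name: str, version: int, prefetch_hash: int) -> bytes:
    """Construct a minimal header-only prefetch blob for demonstration."""
    name_field = (exe_name.encode("utf-16-le") + b"\x00\x00").ljust(60, b"\x00")
    fixed = struct.pack("<I4sII", version, b"SCCA", 0x11, HEADER_LEN)
    return fixed + name_field + struct.pack("<II", prefetch_hash, 0)


def parse_prefetch_header(data: bytes) -> dict:
    """Return version, executable name, hash and the expected .pf file name."""
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed (Windows 10+) prefetch: decompress the "
                         "Xpress-Huffman payload before parsing")
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a prefetch header")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError(f"bad signature {signature!r}, expected b'SCCA'")
    # Offset 16: 60 bytes of UTF-16LE, NUL terminated, holding the exe name.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    # Offset 76: the prefetch hash, rendered in upper-case hex in the file name.
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    return {
        "version": version,
        "os": SCCA_VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "executable": exe_name,
        "hash": pf_hash,
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",
    }


def name_matches_header(filename: str, data: bytes) -> bool:
    """Cheap integrity check: does the on-disk name agree with the header?"""
    return filename.upper() == parse_prefetch_header(data)["expected_filename"].upper()


if __name__ == "__main__":
    blob = build_sample_prefetch("CALC.EXE", 30, 0x7A3B1C2D)
    print(parse_prefetch_header(blob))
```

The name check at the end is the kind of small consistency test that matters in IR: a `.pf` whose file name does not match the executable name and hash in its own header has been renamed or tampered with, which is itself a finding.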
The Intel Brief by SecurityBreak. An LLM Experiment by Thomas Roccia
Don’t you hate it when there are suitable applications of AI and LLMs? It turns out that when you peel back the veneer of marketing-speak from $PRODUCT_VENDOR, you’ll see a lot of clever use cases of AI for everyday tasks. Roccia wanted to work smarter, not harder, when processing intel briefs, which can be up to dozens of pages long, so using Python magic, he could point OpenAI at a URL and get a tl;dr of the content. It seems good enough that he started a newsletter that uses the notebook to send out a weekly email.
Detection Engineering on Social Media
Link: https://twitter.com/vx_herm1t/status/1712417798738108542
Link: https://twitter.com/HackingLZ/status/1713728624279351405
Threat Landscape
How I Made a Heap Overflow in cURL by Daniel Stenberg
Drumroll, please! Although my title was tongue-in-cheek, teasing CVE-2023-38545 (the cURL vuln), the buildup was not worth the letdown. I’ve listed Stenberg’s content in this newsletter, specifically related to the shenanigans behind a strangely reported CVE to the cURL project (link here). But, a lot of stuff needs to happen to trigger this heap overflow:
An attacker that controls an HTTPS server that a libcurl-using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via an HTTP 30x response.
If the libcurl-using client has automatic redirect-following enabled, and the SOCKS5 proxy is “slow enough” to trigger the local variable bug, it will copy the crafted host name into the too-small allocated buffer and into the adjacent heap memory.
Assessed Cyber Structure and Alignments of North Korea in 2023 by Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez
This is an excellent recap of DPRK cyber operations done by the folks at Mandiant. The team uses a combination of open-source intelligence, first-hand experience working on DPRK intrusion sets, and industry connections to point out a likely picture of “APT” structures within the North Korean government.
Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641) by Kevin Backhouse
Ever heard of libcue? Me neither! Apparently, tracks on a CD rely on cue sheets to describe their layout. It’s also used heavily in audio files, libraries, and file indexing services on Linux, similar to Spotlight. Through a maliciously crafted cue sheet, an attacker can get a victim to download the sheet to the Downloads folder and cause remote code execution. Quite a clever auditing process by Backhouse, and a fun vulnerability that I hope to see a PoC for soon!
Automatic disruption of human-operated attacks through containment of compromised user accounts by Microsoft Threat Intelligence
This is an interesting post by the Microsoft team on how they’ve baked in a “User containment” feature in Defender. Suppose Defender thinks an actor compromised a system and is attempting to target a specific user or elevate privileges. In that case, it’ll automatically contain the account. This is not a product pitch per se. They give several examples, including when they stopped an Akira campaign from spreading. Apparently, a non-enrolled endpoint was popped, and the actor tried to move laterally and deploy encryption and was stopped in their tracks.
The Confluence CVE-2023-22515 vulnerability: Overview, detection, and remediation by Frederic Baguelin, Eslam Salem, Emile Spir and Christophe Tafani-Dereeper
*Note, my employer is Datadog AND this is my team :D*
OK, OK, last Datadog one, I promise. It’s been two weeks of paternity leave, and I am getting FOMO from all the great work we’ve published. tl;dr: self-hosted Confluence is a juicy target for threat actors because, unlike Confluence in the Cloud, the lag time for updates depends entirely on the server’s administrators applying them. Lots of info in here for defenders and the community.
Open Source
event-maturity-matrix by AppOmni-Labs
Open-source repo for the Event Maturity Matrix site and corresponding blog. It’s a threat detection framework for audit logs, and the goal is to showcase the visibility (or lack thereof) of specific audit logs belonging to a product and where to find them. Lots of detection opportunities stored here!
KubeHound by Datadog
*Note, my employer is Datadog AND this is a sister team :D*
“With great scalability comes great responsibility.” - Uncle Ben on Kubernetes
KubeHound is a Kubernetes attack path discovery tool. Like other *hound tools, this is excellent for red and blue teamers. There is a custom DSL on top of the tool to make it super easy to quickly orient and identify interesting findings in Kubernetes environments.
multipass by Canonical
Vagrant has saved me lots of headaches when developing for work or for play. I saw multipass get posted on a devops-focused subreddit and it’s Canonical’s take on creating a VM manager for Ubuntu boxes.
machofile by pstirparo
Lightweight Python module (read: no external libraries) to analyze Mach-O files. This might be useful if you are in the malware world and get your hands on a piece of potential malware targeting macOS.