Detection Engineering Weekly #9 - Indicators are kinda nice, actually
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue 9 of Detection Engineering Weekly! We are about to cross 1000 subscribers, and I want to thank you all so much for signing up, reading the content, and giving me feedback. I’ve gotten many kind words from many of you, as well as some salient and actionable feedback to make this much better from week to week.
Explain Detection Engineering to your CEO: Feature #2 - Jimmy Vo
Social links: @jimmyvo
I like Jimmy’s wording here, specifically around “alignment” with engineering principles. The reason why many companies have scaled a product or service is due to modern software engineering developments, such as DevOps, CI/CD, agile and microservices. By learning from their techniques, tools, methodologies, and mistakes, we can follow that same trajectory and make a small threat detection team seem like a massive security team. Thank you for your insights, Jimmy!
Want to be featured in this newsletter? Submit your “Explain Detection Engineering” take to the form below!
This week’s recap:
Indicators of Compromise are more useful than you think, courtesy of Joe Slowik in a gem of a post from his time at DomainTools
Detection Engineering resumes, according to Matt Franz
GOOTLOADER and Remote Admin Tools dominate the initial access threat landscape
Bye-bye, Hive (kind of)
Kali Purple, Threat Emulation and yet-another-Sigma python bind tool (but from one of my favorite open source developers)
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
💎 Detection Engineering Gem 💎
Analyzing Network Infrastructure as Composite Objects by Joe Slowik
In this gem, Slowik pushes against the generally accepted opinion that network-based threat indicators are atomic and aren't useful in isolation. Instead, you can view these indicators as composite objects, and with some analytical rigor, you can build a larger picture of adversary technique and infrastructure. I cut my teeth on adversary infrastructure analytics at my previous job, and I wish I had this blog post in the beginning of my career, as I dismissed indicators for years. It wasn't until a lot of trial and error that I found deeper relationships between these composite objects.
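The composite-object view above comes down to pivoting: two indicators that share several attributes (registrar, nameserver, hosting ASN) are probably related even if each one looks atomic on its own. The following is an added example, not code from Slowik's post; it treats each indicator as a record of attributes and clusters indicators that share at least two of them. All domains, ASNs and registrar names are constructed placeholders, and the pivot fields are an assumption chosen for the illustration.

```python
"""Cluster network indicators by shared infrastructure attributes.

Added example: each indicator is a composite object (domain plus the
registrar, nameserver and ASN it was observed with). Indicators that share
at least `min_shared` attributes are joined into one cluster with a
union-find, and the attributes common to a whole cluster are reported as
that cluster's infrastructure "fingerprint". All values are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed records; none of these domains or ASNs are real observations.
INDICATORS = [
    {"domain": "example-one.test", "registrar": "RegA",
     "ns": "ns1.dns-a.test", "asn": "AS64500", "first_seen": "2023-01-02"},
    {"domain": "example-two.test", "registrar": "RegA",
     "ns": "ns1.dns-a.test", "asn": "AS64500", "first_seen": "2023-01-03"},
    {"domain": "example-three.test", "registrar": "RegB",
     "ns": "ns1.dns-a.test", "asn": "AS64500", "first_seen": "2023-01-09"},
    {"domain": "unrelated.test", "registrar": "RegC",
     "ns": "ns1.other.test", "asn": "AS64501", "first_seen": "2022-06-01"},
]

# Assumed pivot fields; first_seen is kept for context but not pivoted on.
PIVOT_FIELDS = ("registrar", "ns", "asn")


def shared_attributes(a, b, fields=PIVOT_FIELDS):
    """Names of the pivot fields on which two indicators agree."""
    return tuple(f for f in fields if a[f] == b[f])


def cluster_indicators(indicators, min_shared=2, fields=PIVOT_FIELDS):
    """Group indicators transitively: A~B and B~C puts A, B, C together.

    Returns a list of clusters (each a sorted list of domains), largest first.
    """
    parent = {i["domain"]: i["domain"] for i in indicators}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for a, b in combinations(indicators, 2):
        if len(shared_attributes(a, b, fields)) >= min_shared:
            union(a["domain"], b["domain"])

    clusters = defaultdict(list)
    for i in indicators:
        clusters[find(i["domain"])].append(i["domain"])
    return sorted((sorted(v) for v in clusters.values()),
                  key=lambda c: (-len(c), c))


def cluster_summary(cluster, indicators, fields=PIVOT_FIELDS):
    """Attributes every member of the cluster shares: the reusable pivot."""
    members = [i for i in indicators if i["domain"] in cluster]
    return {f: members[0][f] for f in fields
            if all(m[f] == members[0][f] for m in members)}


if __name__ == "__main__":
    for cluster in cluster_indicators(INDICATORS):
        print(cluster, "->", cluster_summary(cluster, INDICATORS))
```

Raising `min_shared` to 3 splits off the indicator that differs in registrar, which is the analytical knob Slowik's framing gives you: how many attributes must agree before you treat two pieces of infrastructure as one actor's work.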
State of the Art
This one is a bit different from the "state of the art" links I usually send in the newsletter. The biggest takeaway, which I agree with in some ways, is that you stand out by showing your impact on the business or through projects.
Elevating Security Alert Management Using Automation by Josh Liburdi
Liburdi & Brex detail their approach to detection & response at their firm, soup-to-nuts. I'm a big fan of the Brex team and their commitment to openness with their tooling and methodologies. If you want a deep dive into how to approach alert management, automation, metrics, labeling, and scaling, or if you want to compare and contrast your approach (and probably steal from theirs; it's fantastic), this is the post for you!
"Defenders think in lists, attackers think in graphs - Benjamin Franklin" Wait, no, that is from John Lambert. Anyway, much to my delight, visual representations of threat detection scenarios are becoming more common in the industry and in this newsletter! I will be checking out more of how Memgraph helps solve these use cases in the near future, but this post has a great example of resolving a dependency tree from a malicious (or vulnerable) PyPI package. Extremely easy to orient yourself with a graph!
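The question a dependency graph answers for a defender is "what in my estate is exposed because it depends, directly or transitively, on this package?". As an added example that is not from the Memgraph post and does not use Memgraph, the code below inverts a small constructed dependency map into a reverse graph and walks it breadth-first; the package names are placeholders.

```python
"""Find everything exposed through one malicious or vulnerable dependency.

Added example with constructed data: `DEPENDENCIES` maps a package to the
packages it declares. Inverting it gives a reverse graph, so a breadth-first
walk from the bad package lists every dependent with its distance, and a
forward search recovers one concrete chain for the analyst's write-up.
"""
from collections import defaultdict, deque

# Constructed: package -> declared dependencies (placeholder names).
DEPENDENCIES = {
    "webapp": ["http-client", "templating"],
    "http-client": ["tls-helper", "urlparse-compat"],
    "templating": ["urlparse-compat"],
    "tls-helper": [],
    "urlparse-compat": [],
    "cli-tool": ["http-client"],
    "standalone": [],
}


def reverse_graph(deps):
    """dependency -> set of packages that declare it."""
    rev = defaultdict(set)
    for pkg, reqs in deps.items():
        rev.setdefault(pkg, set())  # leaf packages still get a key
        for req in reqs:
            rev[req].add(pkg)
    return rev


def dependents_of(deps, target):
    """Return {package: depth} for every package that reaches `target`.

    Depth 1 is a direct dependency, depth 2 pulls it in through one
    intermediate package, and so on.
    """
    rev = reverse_graph(deps)
    seen = {}
    queue = deque([(target, 0)])
    while queue:
        node, depth = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in seen:
                seen[parent] = depth + 1
                queue.append((parent, depth + 1))
    return seen


def shortest_chain(deps, src, target):
    """One dependency chain from `src` down to `target`, or None."""
    queue = deque([[src]])
    visited = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in deps.get(path[-1], []):
            if nxt not in visited:
                visited.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    bad = "urlparse-compat"
    for pkg, depth in sorted(dependents_of(DEPENDENCIES, bad).items()):
        print(f"{pkg} (depth {depth}):",
              " -> ".join(shortest_chain(DEPENDENCIES, pkg, bad)))
```

The same reverse graph serves a lockfile or SBOM once you load real edges into `DEPENDENCIES`; the depth tells you how far removed each affected project is from the package you are worried about.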
Good UAL Hunting by Emily Parrish
The Unified Audit Log, or UAL, is a compilation of forensic data that groups "workloads, record types, and operations". Parrish does a deep dive on UAL parsing and hunting to help find root causes of security events, but also offers suggestions on using it for detections in Microsoft's Sentinel SIEM. I hail from the Linux space (Arch Linux anyone, anyone?!), so I love learning about Microsoft/Azure through detailed posts like this one!
MITRE Engenuity's Top Technique Calculator is an excellent tool for testing your detections against known techniques and tactics used by threat actor groups. Kraus has a great methodology here: they start with a hypothesis of low-capability monitoring across processes and files, then work backward, using Atomic Red Team to emulate a TinyTurla backdoor and seeing what events are generated afterward for detection opportunities. Repeatable and scalable emulation methodologies like this one can save you a lot of time and pain as you get more mature as a detection org.
Hunt them in Windows by Ashish Bansal
Quick and clean introduction to the Windows event log and using the chainsaw tool to parse for detection opportunities. My favorite feature of chainsaw is the hunt command, which takes a rule, parses it, and outputs any matches on the massive event log store on the target machine.
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations by Govand Sinjari and Andy Morales
Great synthesis by Mandiant on GOOTLOADER infections they've observed in the wild. Although primarily used as an initial infection vector and for reconnaissance, it can quickly lead to other infections like Cobalt Strike. At the end of the post, Sinjari and Morales link several ways to detect registry payloads, including a CyberChef recipe. That's a first for me!
U.S. Department of Justice Disrupts Hive Ransomware Variant by Department of Justice, Office of Public Affairs
Exciting news - a large ransomware gang website has been seized by law enforcement. Not so good news - very little info on arrests in the statement, and since ransomware gangs change teams more than Ryan Fitzpatrick (yeah, I made an NFL reference, go bills :( ), we should expect a lot of Hive TTPs to emerge in existing or new gangs.
A Blog with NoName by S2 Research Team
Excellent post by S2 Research about NoName057(16), attributed to DDoS-based attacks against entities considered anti-Russian since March of last year. This is a great demonstration of the "Network Infrastructure as Composite Objects" gem I posted above.
The Dangerous Consequences of Threat Actors Abusing Microsoft’s “Verified Publisher” Status by Assaf Friedman, David Krispin and Eilon Bendet
A new type of supply-chain security attack that abuses how Microsoft "verifies" OAuth apps was discovered by Proofpoint researchers in December 2022. This is similar to how apps get into mobile app markets in Android and iPhone, but with a verified badge like Twitter. I don't think Elon is running the show for Microsoft, but it shows how hard it is to monitor content in a marketplace: just because you are verified does not mean you should be trusted.
Threat actors are just like us. They have mortgages/rent to pay, take vacations, have medical bills, and they also don’t believe in the adage “if it ain’t broke, don’t fix it.” This is the case for packer tools, and TrickGate has survived the life and death of everything from Cerber to REvil and Agent Tesla. Luckily for them, these groups have found a reliably updated packer or “crypter” (that’s what the cool kids on Breached say) that helps make their malware hard to detect.
This post serves as a quick introduction to several techniques used to evade defenses on macOS. I had been under the impression that macOS does not get malware, but after the CircleCI incident, I am now afraid to do anything on my MacBook. I felt safe. But, with blog posts like this, I am happy to acknowledge now that this will have to become a platform that many detection engineers need to understand and write detections against.
According to CISA, remote monitoring and management (RMM) software is an effective initial access vector for threat actors. What I love about these posts is that CISA relies heavily on third-party reporting, and they can use the telemetry collected to do a retrohunt for additional infections. Many of these attacks stem from an IT help desk-themed e-mail.
Kali Purple by Kali Linux
Large project published by Kali that focuses on a "SOC-in-a-box" approach to Kali. They call it purple due to the amount of red and blue team tools inside the distribution. I am excited to see how folks use Kali Purple to practice both sides of the red-blue spectrum.
Laurel by ThreatHunters-IO
Laurel takes Linux audit events and transforms them into JSON-parseable logs. Some enrichment is done before they are shipped to whatever destination you want them to go to. Nice way to simplify audit log parsing into a SIEM of your choice, as working with log formats other than JSON can be a pain!
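To make the pain concrete: a single execve shows up in the raw audit log as several records (SYSCALL, EXECVE, CWD, PROCTITLE) that share an audit id, with hex-encoded fields and numeric uids. The following is an added example and is not Laurel's code or its output format; it shows the same idea in simplified form: merge the records that share a serial, decode hex, resolve ids to names, and emit one JSON document per event. The sample lines, the user table and the partial syscall table are constructed.

```python
"""Turn raw auditd records into one enriched JSON event per audit serial.

Added example (not Laurel): merges records sharing an audit id, decodes the
hex-encoded proctitle, assembles EXECVE argv, resolves uid/euid/auid and the
syscall number to names, and flags uid != euid. Sample data is constructed.
"""
import json
import re

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
# key=value pairs; values are double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

USERS = {0: "root", 1000: "alice"}                           # constructed /etc/passwd stand-in
SYSCALLS_X86_64 = {2: "open", 59: "execve", 257: "openat"}   # constructed partial table
HEX_ENCODED = {"proctitle"}   # auditd hex-encodes values containing non-printables

# Constructed sample: four records belonging to one audit event (serial 4567).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1674567890.123:4567): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=1201 pid=1305 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" '
    'exe="/usr/bin/sudo" key="exec"',
    'type=EXECVE msg=audit(1674567890.123:4567): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"',
    'type=CWD msg=audit(1674567890.123:4567): cwd="/home/alice"',
    'type=PROCTITLE msg=audit(1674567890.123:4567): '
    'proctitle=7375646F00636174002F6574632F736861646F77',
]


def parse_record(line):
    """Split one raw line into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {}
    for key, raw in KV_RE.findall(m.group("body")):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            fields[key] = raw[1:-1]
        elif key in HEX_ENCODED and re.fullmatch(r"[0-9A-Fa-f]+", raw):
            # NUL-separated command line inside the hex blob -> list of strings
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace").split("\0")
        else:
            fields[key] = raw
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def enrich(event):
    """Resolve numeric ids to names and flag a uid/euid mismatch (sudo, setuid)."""
    sc = event.get("SYSCALL")
    if not sc:
        return event
    for key in ("auid", "uid", "euid"):
        if key in sc and sc[key].isdigit():
            sc[key + "_name"] = USERS.get(int(sc[key]), "unknown")
    if sc.get("syscall", "").isdigit():
        sc["syscall_name"] = SYSCALLS_X86_64.get(int(sc["syscall"]), "unknown")
    event["uid_changed"] = sc.get("uid") != sc.get("euid")
    return event


def build_events(lines):
    """Merge records sharing an audit serial into one event, enrich, return list."""
    events = {}
    for line in lines:
        rtype, ts, serial, fields = parse_record(line)
        ev = events.setdefault(serial, {"id": f"{ts:.3f}:{serial}", "time": ts})
        if rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            fields = {"argv": [fields.get(f"a{i}", "") for i in range(argc)]}
        ev[rtype] = fields
    return [enrich(events[s]) for s in sorted(events)]


def to_json_lines(lines):
    """One JSON document per event, ready for a log shipper."""
    return "\n".join(json.dumps(ev, sort_keys=True) for ev in build_events(lines))


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_LINES))
```

With the records merged, a detection such as "execve where uid differs from euid and argv touches a credential file" is a single field comparison on one document instead of a four-record join at query time, which is exactly the work a tool like Laurel takes off the SIEM.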
Azuma by Ninoseki
If you haven't followed ninoseki, they are a fantastic researcher who publishes a ton of useful tools for security. I still use their eml_analyzer project to this day :). Azuma is a fork of pysigma and helps defenders interface with Sigma via a Python API.
Gato by Praetorian
Gato is a threat emulation and red team tool that enumerates permissions on a compromised GitHub OAuth token. This can be useful in generating audit logs on your GitHub organization to write rules against.
debloat by Squiblydoo
debloat removes extraneous bytes that are typically added to malware binaries to confuse analysts and researchers and to limit the ability to upload to a public sandbox that has a size limit.