Detection Engineering Weekly - Issue 2
Last week's news and how-tos in the art and science of Detection Engineering
Issue 2 Summary
Welcome to Issue 2 of Detection Engineering Weekly! You might notice a few changes in colors, and I am working (aka interacting with designers on Fiverr) on a banner. I've had such an amazing response to my first newsletter, so thank you to everyone who reached out with kind words and feedback.
I'm trying to experiment with grouping news and blogs. My typical workflow is looking at general concepts within the state of the art of Detection Engineering, whether it's about the subject itself or a specific technology. Secondly, grouping by updates in the threat landscape helps me understand what the bad guys are up to, which can help reprioritize detections and research. Lastly, we use open source a ton at my place of work, so making sure I can find anything useful to bring back to the team where they can uplevel capabilities through one git command is ideal.
If this makes sense, great! If not, please drop some feedback in the Google Form at the end of the newsletter. It's anonymous and should take 2 minutes. Thanks for reading!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more “State of the Art” Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about what tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I’ll see if I can add it here!
Happy Hunting
🌟 Spotlight 🌟
Prioritization of the Detection Engineering Backlog by Joshua Prager
Specterops has always put out fantastic thought leadership around various topics, but I get excited the most when I see detection content come out from their team. I've heard amazing things about their Detection Engineering training as well. In this post, Prager details how a solid process of managing a backlog of inputs, separated by priority, can help detection teams navigate the chaos of detection engineering. It also does a great job of separating the functions of a mature detection engineering organization and how we can serve as input to other teams.
State of the Art
Threat Hunting with VirusTotal by Alexey Firsh
As stated in my spotlight, Prager says that Threat Hunting can be an input into Detection Engineering. I love VirusTotal as a product, and albeit pricey, if you have access to it, you can get a lot of mileage out of their hunting modules. I put this under "State of the Art" as I think Firsh and the team do a good job explaining how to hunt and pivot through VirusTotal here, and your findings could influence several detection backlog items in the future.
Bypassing MFA with the Pass-the-Cookie Attack by Jeff Warren
Tactic: TA0004 Privilege Escalation
Technique: T1134.001
Warren saves the sales pitch for their product right at the very end, but pass-the-cookie is a real threat. In this post, Warren uses mimikatz to extract a session cookie from an MFA-protected IT admin account, then logs in and impersonates the IT admin. This is the bread-and-butter TTP for infostealers. Some dark web markets, like Genesis Market, provide a browser to load stolen cookie profiles so buyers can purchase, install and impersonate users within minutes. Worth a look if you haven't considered this threat model.
Yet Another Azure VM Persistence Using Bastion Shareable Links by Karim El-Melhaoui
Tactic: TA0003 Persistence
Technique: T1133
I love working in the cloud space because whenever a cloud service provider announces a new feature or a product, researchers quickly investigate and see how it can be used for evil. Luckily, El-Melhaoui did this and gave detection scenarios for this interesting new persistence attack on Azure VMs.
Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention by Rory McCune
Tactic: TA0003 Persistence
Technique: T1098.001
In this article, Rory describes persistence techniques on Kubernetes clusters using an API endpoint introduced in version 1.24 (Kubernetes is now 1.25). Like cloud service providers, long-lived access tokens present an interesting persistence mechanism for attackers. Rory is a Kubernetes expert, and he bestows his knowledge on how to abuse this endpoint while providing detection opportunities.
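As an added example (not code from Rory's article), here is a small Python detection over constructed Kubernetes audit-log lines: it flags TokenRequest calls, which appear as a `create` on the `token` subresource of a serviceaccount, whose requested `expirationSeconds` exceeds a threshold. The sample events and the 24-hour threshold are assumptions, and `requestObject` is only present when the audit policy logs at the Request or RequestResponse level.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines), not real cluster data.
# A TokenRequest is logged as verb "create" on the "token" subresource of a
# serviceaccount; requestObject is only present when the audit policy logs at
# the Request or RequestResponse level.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"verb": "create", "user": {"username": "system:kube-controller-manager"},
                "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                              "namespace": "kube-system", "name": "default"},
                "requestObject": {"spec": {"expirationSeconds": 3600}}}),
    json.dumps({"verb": "create", "user": {"username": "dev-user@example.com"},
                "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                              "namespace": "prod", "name": "admin-sa"},
                "requestObject": {"spec": {"expirationSeconds": 31536000}}}),
    json.dumps({"verb": "get", "user": {"username": "dev-user@example.com"},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1"}}),
])

# Assumed threshold: anything beyond a day is suspicious for a token that
# should be short-lived. Tune to what your workloads legitimately request.
MAX_EXPECTED_SECONDS = 24 * 3600

def find_long_lived_token_requests(audit_log, threshold=MAX_EXPECTED_SECONDS):
    """Return findings for TokenRequest calls that ask for a long token lifetime."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "serviceaccounts" \
                or ref.get("subresource") != "token":
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        # A missing expirationSeconds means the API server default (normally 1h) applies.
        lifetime = spec.get("expirationSeconds", 3600)
        if lifetime > threshold:
            findings.append({
                "requester": ev.get("user", {}).get("username"),
                "service_account": f"{ref.get('namespace')}/{ref.get('name')}",
                "expiration_seconds": lifetime,
            })
    return findings
```

Pair the alert with who made the request: a human or CI identity asking for a year-long token on a privileged service account is a very different signal from the controller manager minting hourly tokens.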
Blowing Cobalt Strike Out of the Water With Memory Analysis by Dominik Reichel, Esmid Idrizovic and Bob Jung
MITRE ATT&CK link w/ Tactics & TTPs: S0154
Unit42 researchers publish an extensive overview of Cobalt Strike artifact observations on how you can build detections around its various behaviors. Since Cobalt Strike operates in memory after it is run, there are some ways you can use memory analysis to create detections.
Threat Landscape
GreyNoise Open Forum 4: A year in the noise by GreyNoise
GreyNoise does a lot of work for the community, especially during emerging and celebrity vulnerabilities. I'll be signing up for this solely because visibility into internet-wide data can help you cut through the crap and prioritize what has actual business impact versus what is hot on social media right now.
Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware by Ofek Itach and Nitzan Yaakov
The Aqua team did a great analysis here, following the infection chain of a Redis-targeting malware. Teams tend to forget about malware affecting server software itself (clients get all the love!), but if a server is publicly exposed, you can expect the waves of the internet to crash into it repeatedly.
Preparing for a Russian cyber offensive against Ukraine this winter by Clint Watts
Winter is coming. The Microsoft team describes potential adversarial movements from Russia against Ukrainian operational technology and information technology infrastructure. Recently, wiper malware targeted a critical logistics hub in Poland, and based on history, Russia may not care about blast radius as they are feeling pressure from the war.
Alert (AA22-335A) #StopRansomware: Cuba Ransomware by CISA
Last week Hive, this week Cuba! Many ransomware gangs have similar playbooks post-exploitation but with minor differences as they progress through the kill chain. The differences you want to look at here are initial access (specific to certain CVEs) and tooling once they land. Cuba uses Hancitor, while Hive has some living-off-the-land toolsets they employ.
DEV-0139 launches targeted attacks against the cryptocurrency industry by Microsoft Security Threat Intelligence
Have you considered adding employee Telegram handles to your threat model? MSTIC details how an attacker cluster, DEV-0139, connects with victims directly on Telegram to deliver a payload and steal their cryptocurrency wallet. The actors do their homework and target cryptocurrency holders. Remember: access can be sold, so if DEV-0139 achieves their objective, nothing is stopping them from selling access to other botnets or even ransomware gangs.
Open Source
ThreatCrawl https://gitlab.tue.nl/threat-crawl/THREATcrawl by Michele Campobasso and Luca Allodi
I’m always interested in tooling that helps you interact with the criminal underground (read: dark web forums) at scale. This codebase was released alongside a paper at the APWG eCrime 2022 conference. The question with large codebases like this always comes back to scale and maintainability, so we will see if it is maintained long-term.
SALO by Splunk
SALO was a recent addition to awesome-detection-engineering on GitHub. A strong emulation framework to test detections in your CI/CD pipeline makes your detection program much more mature. SALO skips the hassle of building infrastructure by emulating its existence without all the server maintenance nonsense.
Flightsim by AlphaSOC
What SALO does for infrastructure, Flightsim does for network traffic. Really cool project by the AlphaSOC team to emulate network events to test detections on. I hope to see more features added here for other types of events, but they have a great out-of-the-box set of network traffic already built.
Conclusion
Thanks for reading this week’s newsletter! As I am starting, I’d love to get your feedback.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!