Detection Engineering Weekly - Issue 3
Last week's news and how-tos in the art and science of Detection Engineering
Issue 3 Summary
I can’t believe we are approaching a month of this! Thank you, everyone, for reaching out and providing feedback and accolades. For e-mail viewers, you might have seen my new banner. For website viewers, you might have seen the new colors. For those that haven’t seen the banner: that dog is my dog, Pasha! He may seem mean/scary inside the banner, but a Fiverr artist made him look regal. He is a detection engineer at heart but only focuses on squirrels and finding food on the ground.
This week’s recap:
One of my favorite post series from Expel
A number of posts detailing architecture around threat detection systems (Substation and Matano)
Microsoft burns one of my TTPs (it’s totally mine)
An exploited-in-the-wild FortiOS vulnerability, GitHub used as a C2 dead drop, and more botnets that lead to ransomware
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing so you don’t have to :)
Also, please give me feedback! There’s a form at the bottom👇👇 of the newsletter. Three questions, two minutes; I’ve improved a lot of aspects of this newsletter from feedback. Thank you!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more “State of the Art” Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about what tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I’ll see if I can add it here!
Happy Hunting
🌟 Spotlight 🌟
Performance metrics, part 1: Measuring SOC efficiency by Elisabeth Weber and Jon Hencinski
“Ah you think the SOC is your ally? You merely adopted the SOC. I was born in it, molded by it.” Many of us started our security journeys in a SOC. For a Detection Engineer, it is one of the best places to get instant feedback on what you write and alert on. I revisit this post often to remind myself who my teams are building for and look at ways we can drive SOC efficiency with the right information and context in our detections.
State of the Art
Building the Threat Detection Ecosystem at Brex by Julie Agnes Sparks
If you haven’t checked out Substation yet, this post should convince you to try it. Brex approached building this platform with predefined engineering principles (vision first!) and then went to build a scalable, modular, and performant platform.
SANS- Purple teaming to enhance detection engineering by Aaditya Jain
Jain uses this post to recap a SANS webinar on purple teaming. I think it’s great to see folks write recap posts like this; we tend to chase brand-new content when existing content in a different form factor would serve just as well. It was nice to see how purple teaming fits into the grander scheme of Detection Engineering, and that is something we do at my day job with threat emulation tooling.
The Future of SOC by Hexacorn
A bit of a ranty post, but you know what? Maybe we don’t always need prim-and-proper/academic writing. I love me some good hot takes. Hexacorn brings to light how complicated systems and stacks have gotten, and the traditional “SOC” has gotten just as complicated. My favorite quote (which they say they borrowed): “Blue Teaming is 90 percent social capital today.”
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF by Noam Moshe
Technical deep dive on bypassing modern WAFs by wrapping the SQLi payload in JSON syntax. Because many modern database engines (PostgreSQL, MySQL, SQLite and MSSQL all do) ship native JSON operators and functions, the database evaluates the injected expression just fine, while WAF signatures written for the classic tautologies never see a match. Moshe claims that many modern WAFs don’t account for JSON, which doesn't surprise me. As a former WAF engineer, WAFs rarely account for anything :P. My favorite section: The New ‘ or ‘a’=’a
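To make the bypass concrete, here is an added example (mine, not Claroty's code and not any WAF vendor's rules): a toy regex WAF that blocks the classic tautology, a deliberately vulnerable SQLite lookup behind it, and the same tautology rewritten with SQLite's `json_extract`, which the toy rules never match. The signatures, table and rows are constructed; the JSON-aware rule at the end only approximates the kind of coverage vendors added after the research and is not any product's actual signature.

```python
import re
import sqlite3

# Toy signature-based WAF, constructed for this example. Each pattern targets
# a classic SQLi idiom; real rule sets are far larger but share the blind spot.
WAF_SIGNATURES = [
    r"(?i)\bor\b\s*'[^']*'\s*=\s*'",          # ' or 'a'='a
    r"(?i)\bor\b\s*\d+\s*=\s*\d+",            # or 1=1
    r"(?i)\bunion\b\s+(all\s+)?select\b",     # union select
]

# A JSON-aware rule of the kind vendors added afterwards (approximation only,
# not any vendor's real signature).
JSON_SIGNATURES = [
    r"(?i)\bjson_[a-z_]*\s*\(",               # json_extract(...), json_valid(...)
    r"->>?|@>|<@",                            # MySQL / PostgreSQL JSON operators
]

# Same tautology twice: the classic form, and the form expressed through the
# JSON function SQLite supports (json_extract returns 1 here, so 1=1 is true).
CLASSIC_PAYLOAD = "' or 'a'='a"
JSON_PAYLOAD = "' or json_extract('{\"a\":1}', '$.a')=1 --"


def waf_blocks(value: str, signatures=WAF_SIGNATURES) -> bool:
    """True if any signature matches the raw parameter value."""
    return any(re.search(sig, value) for sig in signatures)


def waf_blocks_json_aware(value: str) -> bool:
    """Same check with the JSON-aware rules appended."""
    return waf_blocks(value, WAF_SIGNATURES + JSON_SIGNATURES)


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite with three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def vulnerable_lookup(con: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the parameter is concatenated into the SQL text,
    # so the quote in the payload ends the literal and the rest becomes code.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in con.execute(sql))


def safe_lookup(con: sqlite3.Connection, name: str) -> list:
    # Hardened form: bound parameters. The value can never become SQL, so the
    # WAF's opinion of it no longer decides the outcome.
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def request(con: sqlite3.Connection, value: str) -> tuple:
    """Simulate the WAF sitting in front of the vulnerable endpoint."""
    if waf_blocks(value):
        return ("blocked", [])
    return ("allowed", vulnerable_lookup(con, value))


if __name__ == "__main__":
    con = setup_db()
    for payload in (CLASSIC_PAYLOAD, JSON_PAYLOAD):
        print(repr(payload), "->", request(con, payload))
```

The classic payload is blocked, the JSON payload sails through and dumps every row, and the parameterized lookup returns nothing for either. That last line is the real lesson: the WAF fix is a signature update, the application fix is parameter binding.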
IIS modules: The evolution of web shells and how to detect them by Microsoft Threat Intelligence Center (MSTIC)
For my CCDC red team compatriots: after ~8 years of using IIS modules against student blue teams, it looks like one of our reliable TTPs is burned! For those that run webservers (Apache, IIS, nginx) and crap, even Django/Flask/PHP, read this blog post. Lots of detection and hunting opportunities here for testing a not-so-blogged about TTP.
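One of the hunting opportunities here is the module registry itself: native IIS modules are registered in applicationHost.config under `<globalModules>`, each with the DLL path IIS loads, so you can diff that list against what the server should be running. The following is an added example (mine, not MSTIC's tooling) that parses a constructed config fragment, expands `%windir%` with an assumed mapping, and flags any module whose DLL lives outside the stock IIS/.NET directories or whose name is missing from an assumed golden-image baseline. The module name `AuthHelper` and its path are invented for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment. The first three entries are
# stock IIS/.NET modules; "AuthHelper" is an invented module that points at a
# DLL in a world-writable directory, which is the pattern we want to surface.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_32bit"
           image="%windir%\Microsoft.NET\Framework\v4.0.30319\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
      <add name="AuthHelper" image="C:\Windows\Temp\authhelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumed environment for expanding %windir%; read os.environ on a real host.
ENV = {"windir": "C:\\Windows"}

# Directories a stock IIS install loads native modules from (assumed allowlist;
# extend it with whatever third-party modules your golden image ships).
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)

# Assumed golden-image baseline of module names for this server role.
BASELINE = {"UriCacheModule", "StaticFileModule", "ManagedEngineV4.0_32bit"}


def expand(path: str) -> str:
    """Expand %VAR% references the way IIS does when loading the image."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def native_modules(config_xml: str) -> list:
    """Return (name, expanded image path) for every registered native module."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found.append((add.get("name"), expand(add.get("image", ""))))
    return found


def modules_outside_allowlist(config_xml: str) -> list:
    """Modules whose DLL lives outside the directories IIS normally loads from."""
    return [(name, path) for name, path in native_modules(config_xml)
            if not path.lower().startswith(ALLOWED_PREFIXES)]


def modules_not_in_baseline(config_xml: str, baseline=BASELINE) -> list:
    """Module names that were not present when the server was built."""
    return [name for name, _ in native_modules(config_xml) if name not in baseline]


if __name__ == "__main__":
    print("outside allowlist:", modules_outside_allowlist(SAMPLE_CONFIG))
    print("not in baseline:  ", modules_not_in_baseline(SAMPLE_CONFIG))
```

On a live box the same list is what `appcmd.exe list modules` prints. Path allowlisting alone is not enough, since an admin-level attacker can drop the DLL into inetsrv and give it a stock-looking name, so pair the baseline diff with an Authenticode check on each image and keep the baseline per server role.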
One Year Since Log4Shell: Lessons Learned for the next ‘code red’ by Edwin van Vliet and Max Groot
What were you doing around December 9th, 2021? I was one month into my new gig, and Log4Shell lit a gargantuan internet-wide dumpster fire for all of us to deal with. There are plenty of post-mortem lessons learned here, and what is scary is that Log4Shell is still a problem for many firms.
Threat Landscape
Compromised Cloud Compute Credentials: Case Studies From the Wild by Dror Alon
Great post by Alon discussing two attack scenarios involving stolen cloud compute credentials. The amount of enumeration that attackers need to do to work out what they are allowed to do is staggering. The AWS example started with compromised Lambda credentials, moved to permission enumeration, and then pivoted through SES to launch phishing attacks. As always, Unit42 includes detection opportunities, so they get to be listed here <3
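Here is an added example (mine, not Unit42's detection content) of what that chain looks like as detection logic over constructed CloudTrail-shaped records: an assumed Lambda execution role whose session first does its normal DynamoDB work from AWS address space, then reappears from a non-AWS address (198.51.100.7, a TEST-NET address standing in for the attacker) running permission enumeration and finally calling SES. The role ARN, IPs, timestamps, the 30-day service baseline and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: a Lambda execution role whose session name is the function name.
LAMBDA_ROLE = "arn:aws:sts::123456789012:assumed-role/invoice-fn-role/invoice-fn"
ATTACKER_IP = "198.51.100.7"   # constructed (TEST-NET-2), stands in for a non-AWS source
FUNCTION_IP = "3.5.140.2"      # constructed stand-in for the function's usual AWS egress


def rec(time, source, name, ip, arn=LAMBDA_ROLE):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}


# Constructed timeline: the function's normal DynamoDB traffic, then the same
# credentials reused from outside AWS for enumeration and finally SES.
RECORDS = [
    rec("2022-12-05T10:00:00Z", "dynamodb.amazonaws.com", "GetItem", FUNCTION_IP),
    rec("2022-12-05T10:05:00Z", "dynamodb.amazonaws.com", "GetItem", FUNCTION_IP),
    rec("2022-12-05T10:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", ATTACKER_IP),
    rec("2022-12-05T10:31:00Z", "iam.amazonaws.com", "ListAttachedRolePolicies", ATTACKER_IP),
    rec("2022-12-05T10:31:20Z", "iam.amazonaws.com", "GetRolePolicy", ATTACKER_IP),
    rec("2022-12-05T10:32:00Z", "s3.amazonaws.com", "ListBuckets", ATTACKER_IP),
    rec("2022-12-05T10:32:30Z", "ec2.amazonaws.com", "DescribeInstances", ATTACKER_IP),
    rec("2022-12-05T10:33:00Z", "ses.amazonaws.com", "ListIdentities", ATTACKER_IP),
    rec("2022-12-05T10:35:00Z", "ses.amazonaws.com", "SendEmail", ATTACKER_IP),
]

# Assumed 30-day baseline: which services each principal normally talks to.
BASELINE_SERVICES = {LAMBDA_ROLE: {"dynamodb.amazonaws.com"}}

ENUM_CALL = re.compile(r"^(Get|List|Describe)")
SES_ABUSE_CALLS = {"SendEmail", "SendRawEmail", "VerifyEmailIdentity"}


def ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def enumeration_bursts(records, window=timedelta(minutes=10),
                       min_calls=5, min_services=3):
    """Flag a principal that makes many distinct read-only calls across several
    services inside one window: the permission-discovery phase of the chain."""
    by_principal = defaultdict(list)
    for r in records:
        if ENUM_CALL.match(r["eventName"]):
            by_principal[r["userIdentity"]["arn"]].append(r)
    hits = []
    for arn, events in by_principal.items():
        events.sort(key=ts)
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if ts(e) - ts(first) <= window]
            calls = {(e["eventSource"], e["eventName"]) for e in in_window}
            services = {e["eventSource"] for e in in_window}
            if len(calls) >= min_calls and len(services) >= min_services:
                hits.append({"principal": arn, "start": first["eventTime"],
                             "services": sorted(services),
                             "source_ips": sorted({e["sourceIPAddress"] for e in in_window})})
                break   # one alert per principal per burst is enough
    return hits


def ses_use_outside_baseline(records, baseline=BASELINE_SERVICES):
    """Flag SES sending or identity setup by a principal that never used SES before."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"], r["sourceIPAddress"])
            for r in records
            if r["eventSource"] == "ses.amazonaws.com"
            and r["eventName"] in SES_ABUSE_CALLS
            and "ses.amazonaws.com" not in baseline.get(r["userIdentity"]["arn"], set())]


if __name__ == "__main__":
    for hit in enumeration_bursts(RECORDS):
        print("enumeration burst:", hit)
    for hit in ses_use_outside_baseline(RECORDS):
        print("ses outside baseline:", hit)
```

The burst rule fires on the 10:30 window (six distinct calls across five services) and carries the source IPs in the alert, which is the second signal worth surfacing: a Lambda role session normally calls AWS APIs from AWS address space, so the same session showing up from elsewhere is suspicious on its own. The baseline rule is narrow on purpose; it only cares about SES write actions from a principal with no SES history, so it stays quiet for functions that legitimately send mail.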
Breaking the silence - Recent Truebot activity by Tiago Pereira
Tell me if you’ve heard this story before: a botnet infection leads to ransomware. Talos researcher Pereira details two Truebot botnets whose infections sometimes ended in ransomware. The operators even employ a custom data exfiltration tool. Some folks don’t realize that these botnets feed off each other, so Pereira documented how a Raspberry Robin infection led to a Truebot infection. Reminds me of the Trickbot → Emotet → Trickbot → Ransomware infection chains from the last few years.
Drokbk Malware Uses GitHub as Dead Drop Resolver by Secureworks CTU
You know, I’m really happy when I see APTs use bytecode languages like .NET, because when people much smarter than I reverse that malware, I can at least see what the hell is going on :). In all seriousness, Secureworks CTU found strains of Drokbk malware and attributed it to COBALT MIRAGE, an Iranian government-sponsored threat group. Guess where they found it? A Log4Shell incident!
FortiOS - heap-based buffer overflow in sslvpnd by Fortiguard Labs PSIRT
FortiGuard Labs released a PSIRT advisory detailing an unauthenticated remote code execution vulnerability in what looks like all of FortiOS (that “affected products” side panel is a big oof). Lucky for us, they provide several indicators of compromise and detection opportunities.
A Custom Python Backdoor for VMWare ESXi Servers by Asher Langton
Sometimes less is better. Langton analyzes a Python backdoor deployed on an ESXi server in this blog post. A compromised server contained a Python script that gave reverse shell capabilities to the attacker who implanted it. My only confusion in the post is that the webserver is listening on 127.0.0.1, so unless there’s some tunneling somewhere else on the ESXi server, you can only access the tool on the local machine.
Open Source
Open Sourcing Chronicle Detection Rules by Mikail Tunç
I LOVE when engineers open-source their rules! Algbra Labs published a set of detection rules for Chronicle, and I am glad to see a great collection of detections. It would help if you used repositories like this to compare logic and approaches.
Matano by Matanolabs
Matano looks like an alternative to Substation, but with a few differences. Like comparing internal detections to open-source detections (I mentioned this in the open-source post above), you should do the same for architectures.
GCPGoat by ine-labs
Is it weird to say I like eating and hacking Goats? Yeah, it’s weird. Well, Goat projects are like the Damn Vulnerable apps: deliberately broken environments. You deploy one and are presented with a scenario where you can pentest an application and practice tactics, techniques & procedures to compromise it. GCPGoat does this for a Google Cloud Platform project.
Unprotect Project by Thomas Roccia and Jean-Pierre Lesueur
A colleague shared this with me, and I was geeking out for 20 mins at the art and the usefulness of the catalog. Much like MITRE ATT&CK is for attack techniques, this is for evasion techniques. Cross-platform, some with PoCs, and a valuable tool if you are into threat emulation.
Conclusion
Thanks for reading this week’s newsletter! As I am starting, I’d love to get your feedback.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!