Detection Engineering Weekly Issue #39 - Segmentation fault (core dumped)
Please refer to the core dump file for keys to the kingdom
Welcome to Issue #39 of Detection Engineering Weekly!
This week’s recap:
A 💎 by Kamil Bojarski on uncovering the nastiest attacker infrastructure using the most dangerous tool known to humankind: a spreadsheet
Daniel Avinoam keeps readers undetected by pesky EDRs via Windows Containers
David Storie on bypassing Outlook Web Applications by converting Bearer and Refresh tokens into session cookies
Richard de Vries on the only detection metric that matters, Brendan Chamberlain applies OOP to threat detection, and MDSec Research gets initial access via VSCode extensions
The roosters of Storm-0558 come home to roost, and their feed is a core dump. The Linux Threat Landscape, malicious Signal and Telegram third-party apps, RocketMQ gets some love from CISA and from threat actor friends
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Squeezing out IoC juice - methodical analysis of network infrastructure by Kamil Bojarski
Amazing crash course on network pivoting; the only tools you need are open-source accounts and spreadsheets! Bojarski distills the concept of attacker infrastructure pivoting down for their readers and even references one of my favorite posts, and Detection Engineering Gem, by Joe Slowik. The key phrase, IMHO, from Bojarski’s post is:
the biggest problem is the appropriate and repeatable approach to network infrastructure elements
Now, replace “network infrastructure elements” with anything in our field. So, to help solve this problem, the author released a templated Google sheet to help budding analysts or battle-hardened professionals hunt and track attacker infrastructure in a repeatable way. The link is above the first Google sheet screenshot, but if you can’t find it, check it out here:
Happy hunting!
State of the Art
Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework by Daniel Avinoam
I’ve worked on, deployed, broken, and built containers for most of my professional career. But, if you ask me how containers on Windows work, I would start sweating ever-so-lightly, and maybe you’ll see one of my eyes twitch. I believe it was the Insane Clown Posse who said: “Windows containers, how do they work?” Well, look no further. Avinoam’s post gives us a critical deep dive into the Windows container ecosystem and the differences between styles of containers on the operating system. They end with using this system to trick Windo
Converting Tokens to Session Cookies for Outlook Web Application by David Storie
Excellent red team story on using Bearer and Refresh tokens to access a victim mailbox without being prompted for MFA tokens. The blog assumes you have phished credentials from a user, and the next step involves bypassing MFA. Red team blogs like this rock because they show how the underlying technology flows through a system and reveal detection opportunities along the way. It also shows how complicated Conditional Access Policies can get in an O365 environment and how you can enable MFA for Mobile and Desktop clients but have it disabled for other types of clients.
MTTC - The Only KPI that matters by Richard de Vries
In this post, de Vries argues that detection teams should use Mean-time-to-contain (MTTC) as the gold star for all of their key performance metrics. I agree with their take fundamentally: You can factor in different components of a detection program to measure success, but from a strategic component perspective, business leaders primarily care about the impact on business operations. De Vries also provides strategies to measure and reduce MTTC to help keep your eyes on the prize, so to speak.
An Object-Oriented Approach to Threat Detection Engineering by Brendan Chamberlain
Humans are natural classifiers. It’s one of our greatest strengths and helps us make sense of a chaotic world. The ease of classifying chaotic concepts in computer code is one of the many reasons why Object-Oriented Programming (OOP) remains so popular. In this post, Brendan pulls on his experience as a software engineer using OOP and applies it to the threat detection world. The helpful tidbit within this modeling type is that you can model a system at an abstract layer and then implement different interpretations of that abstraction to describe the system. This makes swapping things (like a data model) in and out easy if they don’t scale to your needs.
Introducing Query Post-Processing and Output Finalization to Processing Pipelines by Thomas Patzke
If you aren’t familiar with the Sigma querying language, you must learn it ASAP! It’s open-source, doesn’t cost you anything, and the amount of brain power the Sigma team puts into the threat detection ecosystem is staggering. By describing rules in the Sigma language, you can use “backends” to convert Sigma rules into proprietary formats for whatever flavor of SIEM you want. The problem with some of these converters was that they weren’t very flexible regarding post-processing and custom configuration fields. So, the team released custom output formats, which allow post-processing of results to add additional enrichments in a pipeline fashion.
Leveraging VSCode Extensions for Initial Access by MDSec Research
This post shows how valuable red team engagements can be for a detection program. MDSec found that their client used VSCode extensively, so they thought achieving initial access via a malicious VSCode extension could prove helpful in their operation. VSCode uses a vscode:// URI handler to install extensions, and if you can get an extension published on the VSCode marketplace, you can send a vscode:// link that installs the extension. Even better - getting verified is as simple as clicking a checkbox on the registration page. MDSec did some neat red team infrastructure engineering to limit the impact of accidental installs outside the scope of their pentest.
Detection Engineering on Social Media
Link: https://twitter.com/CVEnew/status/1698616510082601131
Link: https://twitter.com/rootsecdev/status/1699262598456266809
Link: https://twitter.com/stvemillertime/status/1699203986341982248
Threat Landscape
Results of Major Technical Investigations for Storm-0558 Key Acquisition by Microsoft Security Response Center
Well, the saga of Storm-0558 and Microsoft has ended. We laughed, we cried, we felt pain but, most of all, we felt helpless. Obtaining a highly privileged MSA key seems like an impossible task. And we all knew that China-aligned actors were good, but were they THAT good? I guess it comes down to what you mean by good. How about lucky? Basically, in April of 2021, a consumer signing service crashed and generated a core dump. This core dump contained debug information which accidentally exposed the MSA key. A developer moved the core dump from production into an internet-connected dev environment, which is standard. It just turns out that Storm-0558 was on that developer’s laptop like butter on rice and yoinked the key. Would you rather be good, or lucky?
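As an added example (my own, not Microsoft’s or the post’s), here is a Python tripwire for the failure mode above: scan a crash dump for PEM- or JWK-shaped private key material and redact it in place before the dump is allowed to leave production. The sample dump and key blobs are constructed; real dumps hold keys in many other layouts, so treat this as a cheap gate, not a guarantee.

```python
import re
from typing import List, Tuple

# Key shapes that should never travel from prod to a dev laptop inside a dump:
# PEM-armored private keys, and JWK objects carrying a private parameter
# ("d" for RSA/EC private exponent, "k" for symmetric oct keys).
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    rb".*?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----",
    re.DOTALL,
)
JWK_PRIVATE = re.compile(
    rb'"kty"\s*:\s*"(?:RSA|EC|oct)"[^{}]*?"(?:d|k)"\s*:\s*"[A-Za-z0-9_-]{16,}"'
)


def find_key_material(dump: bytes) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for every key-looking region, ordered by offset."""
    hits = [("pem_private_key", m.start(), m.end()) for m in PEM_PRIVATE_KEY.finditer(dump)]
    hits += [("jwk_private", m.start(), m.end()) for m in JWK_PRIVATE.finditer(dump)]
    return sorted(hits, key=lambda h: h[1])


def redact(dump: bytes) -> Tuple[bytes, int]:
    """Overwrite each hit with 'X' bytes, keeping length so other offsets still line up."""
    out = bytearray(dump)
    hits = find_key_material(dump)
    for _, start, end in hits:
        out[start:end] = b"X" * (end - start)
    return bytes(out), len(hits)


def is_safe_to_export(dump: bytes) -> bool:
    """Gate for a dump-transfer pipeline: only clean dumps may leave production."""
    return not find_key_material(dump)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump: heap noise around two key-shaped regions."""
    noise = bytes(range(256)) * 4
    fake_pem = (b"-----BEGIN PRIVATE KEY-----\n"
                b"Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk=\n"   # constructed, not a real key
                b"-----END PRIVATE KEY-----\n")
    fake_jwk = (b'{"kty":"RSA","kid":"signing-key-01","n":"CONSTRUCTED_MODULUS","e":"AQAB",'
                b'"d":"CONSTRUCTED_PRIVATE_EXPONENT_VALUE"}')
    return noise + b"log: token minted\x00" + fake_pem + noise + fake_jwk + noise


if __name__ == "__main__":
    dump = build_sample_dump()
    for kind, start, end in find_key_material(dump):
        print(f"{kind} at [{start}:{end}]")
    clean, count = redact(dump)
    print(f"redacted {count} region(s); safe to export: {is_safe_to_export(clean)}")
```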
The Linux Threat Landscape Report by Pawan Kinger, Sunil Bharti, and Magno Oliveira
I may have availability bias, but I rarely see comprehensive threat reporting on the Linux ecosystem. Several things factor into this, in no particular order:
The heterogeneity of Linux versus Windows makes it harder for criminals and nation-states to build a scalable and reusable threat program against Linux systems.
Cloud workloads primarily run on Linux and are mostly not interesting from an IAM perspective* (though it’s getting more interesting with Cloud)
Windows has lots of backward-compatible functionality, making it easier to develop malware across versions.
That being said, Trend Micro did a great job of showcasing data they’ve observed on Linux threats. The most exciting tidbit on vulnerability exploitation was their section on “Web-Based vs. Non-Web-Based Attacks.”
Linux attacks are dominated by web-based attacks, in contrast to Windows. Web attacks, such as SQL injection, cross-site scripting (XSS), server-side request forgeries (SSRF), and other security compromises, are aimed at web resources. Conversely, non-HTTP attacks focus on specific application protocols like FTP (File Transfer Protocol), DNS (Domain Name System), SSH (Secure Shell Protocol), SMB (Server Message Block), or SMTP (Simple Mail Transfer Protocol).
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps by Lukas Stefanko
This is a fantastic post on the intricacies of backdooring privacy-focused phone applications. Stefanko and the team found two malicious apps on Google Play and the Samsung Galaxy Store advertised as companion or feature-enhancing applications for Signal and Telegram. Both exfiltrated metadata, but if the victim enabled specific settings, they gave access to backup databases, giving the actors access to messages. The ESET team attributed this campaign to GREF, a China-aligned APT group.
GitLab Security Release: 16.3.1, 16.2.5, and 16.1.5 by GitLab
Security release post by GitLab where they “strongly recommend” updating instances. Several vulnerabilities are fixed in this security update. Two interesting ones include a privilege escalation from an external user and a Google Cloud logging private key being exposed to other group owners. The external user privilege escalation, CVE-2023-3915, showcases how complicated IAM can get on almost any SaaS platform.
Cross-Tenant Impersonation: Prevention and Detection by Okta Defensive Cyber Operations
On a more serious note, the Okta Blue team wrote a great post on how attackers gain access to Okta tenants and laterally move afterward. I find it fascinating how in-depth IdP attacks have evolved over the years and how much threat actors have evolved with them. The unique attack listed in this post involves setting a “malicious” Inbound Federation. Basically, it is an Org2Org authentication scheme where an attacker-controlled Org successfully authenticates to its own Org, and due to the trust relationship being maliciously configured on the destination org, the actor crosses identity boundaries and can access services on the victim org.
CISA Adds One Known Vulnerability to Catalog by CISA
CISA finally added the RocketMQ vulnerability from a few months ago, CVE-2023-33246. Juniper Networks reported one of the first instances of in-the-wild exploitation of this vulnerability in June of this year. I’m not necessarily sure what threshold of exploitation CISA requires for KEV candidates, but I’m glad to see it nonetheless!
Exposing RocketMQ CVE-2023-33246 Payloads by Jacob Baines
CISA added CVE-2023-33246 to KEV a day after Baines dropped this post. Coincidence? I think not! I'm kidding, but if you want a technical breakdown of how the RocketMQ RCE works, read this post! You basically need to have two separate ports open for this to work. Not only can you write a custom, malicious configuration file to RocketMQ, but you can also read these files remotely without authentication! Baines connected to several vulnerable instances, downloaded the malicious configuration and came out with some juicy post-exploitation data for further analysis.
Open Source
Supernova by nickvourd
Shellcode generator written in Golang. It has various levels of encryption and can generate dynamic variable names in shellcode to prevent static detection by those pesky EDRs looking for common variable names like “shellcode” :).
PIPE by jthack
Really well-written primer on prompt injection for LLMs. My favorite section, “New Vectors for Traditional Web Vulnerabilities”, shows how attackers can abuse prompt injection to issue classic web payloads over the prompt.
vovk by malienist
Vovk is an extension for WinDbg that creates Yara rules over any Windows binary. The author presented Vovk at Blackhat Arsenal. It looks like it’s executing the binary and building Yara on top of that.
go-exploit by vulncheck-oss
If you read the VulnCheck RocketMQ post above, you probably saw the author using go-exploit. The aim of this tool is to help developers create platform-independent exploit binaries using Golang’s portability. It comes with some out-of-the-box C2s and a straightforward skeleton for writing exploits.