Det. Eng. Weekly #59: Peace up, LockBit down
🎶 Up in their servers with LE, tryna get some intel, keep it down on the low-key 🎶
Welcome to Issue #59 of Detection Engineering Weekly!
This week’s recap:
💎 by Andrew Vanvleet on balancing detection coverage versus detection cost
Andy Robbins uncovers a powerful, hipster Entra Role that you've probably never heard of, Anton Chuvakin and Amine Besson operationalize threat intelligence into detection opportunities, Lizzie Moratti backdoors Amazon chatbots for persistence, Aleksandar Matev shows a clever way to use configuration data (sudoers files) for threat detection, and Stephan Berger uncovers a liar in an AWS-based ransomware incident
Podcasts by the DISCARDED crew interviewing Katie Nickels, and Security Conversations interviews Katie Moussouris on democratizing bug bounty programs
The LockBit takedown dominates the news cycle, Microsoft reports on APTs using ChatGPT and its LLMs, the NSA announces the retirement of Rob Joyce, ACEResponder discloses a vulnerability in Empire C2, and BushidoToken breaks down the I-S00N leaks on Twitter
plus so much more!
💎 Detection Engineering Gem 💎
The Threat Detection Balancing Act: Coverage vs Cost by Andrew Vanvleet
This is an excellent post on balancing the capacity for detection rules within a detection program, with a hyper-focus on capacity in detection engineering. It is a great companion to Jon Hencinski's post on modeling SOC analyst capacity (a previous 💎 in Issue #47). Threat detection is a statistical labeling problem, and a labeling problem means there's a human capacity problem.
Vanvleet introduces the concepts of "Incremental Coverage" and "Incremental Cost" of detection rules. He lays out how different detection types change a rule's "incremental coverage" score, and shows that when that score is low, the incremental cost of taking the rule under the management of your detection team isn't worth paying. My favorite quote:
A big body of detections with low incremental coverage won’t help us win the game of probability. We’re much better off with a smaller body of detections with high incremental coverage.
🔬 State of the Art
The Most Dangerous Entra Role You’ve (Probably) Never Heard Of by Andy Robbins
Another week, another strange Entra (mis)configuration that makes it hard for detection and response to monitor for abuse. The crazy part about this role is that it's tough to find inside the Azure GUI: you can't search for it, and it's hidden behind several views. Luckily, Robbins goes down the Azure rabbit hole, including reversing JavaScript, to find the correct information to audit assignments to this role and see if someone is abusing it.
Blueprint for Threat Intel to Detection Flow (Part 7) by Anton Chuvakin and Amine Besson
In Part 7 of this series, Chuvakin and Besson explore how intel teams can feed detection opportunities into the detection engineering lifecycle. Detection engineers wear many hats, and intel is the most nuanced of them, because it requires the analyst to have formal analysis training to make use of things like public intelligence reports or information-sharing centers.
This post assumes separate intel and detection functions, but both could live in the same person! The handoff of an opportunity or idea to a potential rule can have consequences for cost and capacity (see the gem in this week's issue for more). Overall, reading this post can help folks orient around the idea of "threat-informed defense" and how you can leverage intel to drive coverage.
The Crow Flies at Midnight — Exploring Red Team Persistence via AWS Lex Chatbots by Lizzie Moratti
In this post, Moratti explores a clever persistence mechanism that abuses AWS Lex, AWS' chatbot service. The goal here is to "work with what you got": if a company maintains a Lex service to serve its customers, what better way to persist than to abuse services they already use? Moratti installs a "sleeper phrase" inside the Lex Lambda function to retrieve temporary credentials and serve them to the attacker to carry out other actions on the objective.
Enhancing Sudoers File Security on MacOS with Osquery and Splunk: A Novel Detection Engineering Approach by Aleksandar Matev
One of the Four Types of Threat Detection (also the Gem in Issue #25) is configuration. I feel like this is often overlooked as a detection opportunity. If you understand what constitutes a good baseline configuration, you can detect deviations from that baseline, which is a great detection opportunity for all kinds of techniques. Matev explores this with the sudoers file on Linux and macOS. They use a combination of Osquery, Splunk, and a correlation search to detect deviations from a known-good set of sudoers entries held in a CSV lookup table, and voila! High-fidelity detection for everything from persistence to privilege escalation.
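The baseline-deviation logic described above, as an added example that is not Matev's code or the post's Splunk search: constructed osquery `sudoers` rows are compared against a constructed CSV lookup of known-good entries, and anything added or removed is reported with a rough severity.

```python
"""Sudoers baseline-deviation check (added example, not from the post).
Assumes rows in the shape of osquery's `sudoers` table (source, header,
rule_details) and a baseline in the shape of a Splunk CSV lookup; both
inputs below are constructed sample data."""
import csv
import io
import json

# Constructed sample of what `osqueryi --json "select source, header,
# rule_details from sudoers"` might return after someone dropped a
# NOPASSWD rule into /etc/sudoers.d/.
OSQUERY_ROWS = json.loads("""[
 {"source": "/etc/sudoers", "header": "Defaults", "rule_details": "env_reset"},
 {"source": "/etc/sudoers", "header": "root", "rule_details": "ALL=(ALL) ALL"},
 {"source": "/etc/sudoers", "header": "%admin", "rule_details": "ALL=(ALL) ALL"},
 {"source": "/etc/sudoers.d/backup", "header": "backup",
  "rule_details": "ALL=(ALL) NOPASSWD: ALL"}
]""")

# Constructed known-good baseline, the CSV lookup the correlation search joins on.
BASELINE_CSV = """source,header,rule_details
/etc/sudoers,Defaults,env_reset
/etc/sudoers,root,ALL=(ALL) ALL
/etc/sudoers,%admin,ALL=(ALL) ALL
"""

KEY = ("source", "header", "rule_details")


def load_baseline(csv_text):
    """Turn the lookup CSV into a set of (source, header, rule_details) tuples."""
    return {tuple(row[k] for k in KEY) for row in csv.DictReader(io.StringIO(csv_text))}


def find_deviations(rows, baseline):
    """Entries present on the host but not in the baseline are 'added';
    baseline entries no longer on the host are 'removed' (tampering with
    an existing grant shows up as one removed plus one added entry)."""
    observed = {tuple(row[k] for k in KEY) for row in rows}
    return {"added": sorted(observed - baseline), "removed": sorted(baseline - observed)}


def severity(entry):
    """Passwordless or unrestricted grants are the ones worth paging on."""
    rule = entry[2]
    return "high" if "NOPASSWD" in rule or rule.endswith(" ALL") else "medium"


if __name__ == "__main__":
    for kind, entries in find_deviations(OSQUERY_ROWS, load_baseline(BASELINE_CSV)).items():
        for entry in entries:
            print(kind, severity(entry), entry)
```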
AWS Ransomware by Stephan Berger
Did you know that ransomware criminals, big or small, are liars?
It's a hard pill to swallow, but this blog is an excellent case in point, even for smaller-scale ransomware "attacks." Berger worked on an AWS S3 data exfiltration incident in which the actors placed a ransom note and a binary in the buckets. The "binary" pretends to "check" for stolen or encrypted data and does nothing but give the victim several Bitcoin addresses to pay the actor to get their data back. It's a good lesson in the evolution of ransomware on cloud buckets and in never trusting a criminal during an incident.
🎙️ Detection Engineering Podcasts
I'm a huge Katie Nickels fan, so when I saw her as a guest on DISCARDED, I made sure to sit down and take notes. The episode explores several topics in threat intelligence; the two most important to me are entering the threat intelligence field and the nuances of clustering threats and naming APTs.
This podcast episode is detection-engineering adjacent, but it's nice to see an entrepreneur like Moussouris approach wicked problems, like vulnerability research, with a fresh approach. Luta vets red teamers and pen testers onto their platform, and vetted individuals get a monthly "dividends payout," creating a "better together" story.
☣️ Threat Landscape
Law enforcement disrupt world’s biggest ransomware operation by Europol
The biggest news of the year (so far) was that LE announced a takedown of key LockBit infrastructure on Presidents' Day in the U.S. By the numbers, they seized dozens of servers, froze hundreds of crypto accounts, and arrested two individuals related to the operation. The difference between LockBit and other large groups is their "as-a-service" model, where affiliates sign up and get access to tooling while core LockBit members maintain the portals and perform ransomware attacks. Congrats to everyone involved!
Staying ahead of threat actors in the age of AI by Microsoft Threat Intelligence
I find it fascinating that a company or firm creates a product so valuable that nation-states and criminals alike use it to perform research tasks. Imagine how much impact you could make on people's lives if you took "Googling" away from folks who try to harm others. Well, Microsoft and OpenAI published two blogs on this topic related to ChatGPT and their LLM product suite. Microsoft attributes the use of its platforms to several APTs, for everything from vulnerability research to phishing and social engineering.
National Security Agency Announces Retirement of Cybersecurity Director by the National Security Agency
I went back and forth, deciding whether this was a worthy story for a "threat landscape" spot. However, once you think about it, isn't the NSA the gorilla in the room regarding cyber threat capabilities? The spy agency announced the retirement of Rob Joyce, an industry veteran and all-around meme lord, so the next director has enormous shoes to fill in both capabilities and public outreach. Congrats, Rob!
Exploiting Empire C2 Framework by ACEResponder
The folks at ACEResponder found and disclosed a directory traversal vulnerability that can lead to remote code execution inside Empire C2. The vulnerability lies in how Empire tries to detect directory traversal from its stagers: it uses a confusing Python primitive to determine absolute paths (hint: Empire used the wrong one). This eventually led to RCE, and the Empire folks quickly released a patch.
My favorite part: detection opportunities and detection advice for red teamers at the end of the post!
(Twitter thread) BushidoToken on I-S00N Leak by Will Thomas
It's been a dramatic week in Infosec land. I-S00N is a China-based defense contractor, and someone leaked a metric butt-ton (that's a measurement, right?) of their documents into a GitHub repo. Will sifts through some of the content and pulls out interesting slides and descriptions. It looks like an APT-as-a-service with other capabilities, like a Twitter monitoring platform and email analysis.
🔗 Open Source
refinery by binref
Malware triage tool that, according to binref, "is an attempt to implement something like CyberChef on the commandline." I've used this toolset for some CTFs, and it was a bit more powerful than CyberChef when you want to automate some tasks.
modpot by referefref
Brand new Go-based honeypot framework. I've linked referefref's honeydet, and they seem to be exploring abstracting away the cat-and-mouse game of honeypots and creating frameworks to build detections and honeypots "at scale".
I-S00N by I-S00N
Public leak of I-S00N defense contractor data. Not translated.
http-garden by narfindustries
HTTP Garden is a collection of HTTP servers and proxies wrapped together in a CLI to help test payloads against several combinations of these setups. This might be useful for testing detections against WAF setups as well as vulnerability research when you run into proxy and server setups you have not seen before.
SOC-Interview-Questions by LetsDefend
Collection of SOC-related interview questions. If you are interested in breaking into Detection or Threat Analysis, this is a great study guide for the “basic” landscape of the field.
"Peace up, LockBit down
🎶 Up in their servers with LE, tryna get some intel, keep it down on the low-key 🎶"
I can literally hear this in Lil Jon and Usher's voice. Great way to start this issue!