Thoughts on Detection Engineering
I read something online recently that suggested that the role of detection engineering is to reduce the false positive (FP) alerts sent to the SOC. In part, I wholeheartedly agree with this; however, "cyber security" is a team sport, and it's really incumbent upon SOC and DFIR analysts to support the detection engineering effort through their investigations. This is something I addressed a bit ago on this blog, first here, and then here.
From the second blog post linked above, the most important value-add is the image to the right. This is something I put together to illustrate what, IMHO, should be the interaction between the SOC, DFIR, threat hunting, threat intel, and detection engineering. As you can see from the image, the idea is that the output of DFIR work, the DFIR analysis, feeds back into the overall process through threat intel and detection engineering. Then, each of those functions further feeds back into the overall process at various points, one being back into the SOC through the development of high(er) fidelity detections. Another feedback point is that threat intel, or gaps identified by detection engineering, serve to inform what other data sources may need to be collected and parsed as part of the overall response process.
The overall point here is that the SOC should not be inundated or overwhelmed with false positive (FP) detections. Rather, the SOC should be gathering the necessary metrics (through an appropriate level of investigation) to definitively demonstrate that the detections are FPs, and then feed that on to the DFIR cycle to collect and analyze the information needed to determine how best to address those FPs.
One example of the use of such a process, albeit not related to false positives, can be seen here. Specifically, Huntress ThreatOps analysts were seeing a great deal of malware (specifically, but not solely limited to, Qakbot) on customer systems that appeared to originate from phishing campaigns that employed disk image file attachments. One of the things we did was create an advisory for customers, providing a means to disable the ability for users to simply double-click ISO, IMG, or VHD files and automatically mount them. Users are still able to access the files programmatically; they just can't mount them by double-clicking them.
While this particular instance wasn't related to false positives, it does illustrate how taking a deeper look at an issue or event can provide something of an "upstream remediation", approaching and addressing the issue much earlier in the attack chain.
Podcasts
If you're into podcasts, Zaira offered me the wonderful opportunity to appear on the Future of Cyber Crime podcast! It was a great opportunity for me to engage with and learn from Zaira! Thanks so much!
Recycle Bin Persistence
D1rkMtr recently released a Windows persistence mechanism (tweet found here) based on the Recycle Bin. This one is pretty interesting, not just in its implementation, but you have to wonder how someone on the DFIR side of that persistence mechanism would even begin to investigate it.
I know how I would...I created a RegRipper plugin for it, one that will be run automatically on every investigation, and that provides an analysis tip so I never forget what it's meant to show.
recyclepersist v.20230122
(Software, USRCLASS.DAT) Check for persistence via Recycle Bin
Category: persistence (MITRE T1546)
Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command not found.
Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command not found.
Analysis Tip: Adding a shell\open\command value to the Recycle Bin will allow the program to be launched when the Recycle Bin is opened. This key path does not exist by default; however, the shell\empty\command key path does.
Ref: https://github.com/D1rkMtr/RecyclePersist
Plugins
Speaking of RegRipper plugins, I ran across this blog post recently about retrieving Registry values to decrypt files protected by DDPE. For me, while the overall post was interesting in the approach taken, the biggest statement from the post was:
I don't have a background in Perl and it turns out I didn't need to. If the only requirement is a handful of registry values, several plugins that exist in the GitHub repository may be used as a template. To get a feel for the syntax, I found it helpful to review plugins for registry artifacts I'm familiar with. After a few moments of time and testing, I had an operational plugin.
For years, I've been saying that if there's a plugin that needs to be created or modified, it's as easy as either creating it yourself, through the use of copy-paste, or by reaching out and asking. Providing a clear, concise description of what you're looking for, along with sample data, has repeatedly resulted in a working plugin being available in an hour or so.
However, taking the reins of the DIY approach has been something that Corey Harrell started doing years ago, and it is what led to such tools as auto_rip.
Now, this isn't to say that it's always that easy...talking through adding JSON output took some discussion, but the person who asked about that was willing to discuss it, and I think we both learned from the engagement.
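As an added example of the copy-paste plugin approach described above (this is not the author's recyclepersist plugin and not code from the RecyclePersist repository), here is a RegRipper-style plugin that reports on the Recycle Bin shell\open\command key; the plugin name, the %config/pluginmain/::rptMsg layout, and the USRCLASS.DAT key path without the Classes prefix are my assumptions about how such a plugin is written.

```perl
# recyclebin_check.pl: added example of a RegRipper-style plugin (assumed
# layout), not the author's recyclepersist plugin. Reports whether a
# shell\open\command key exists under the Recycle Bin CLSID in a Software
# hive or a USRCLASS.DAT hive and, if so, lists its values.
package recyclebin_check;
use strict;

my %config = (hive     => "Software, USRCLASS\.DAT",
              category => "persistence",
              MITRE    => "T1546",
              version  => 20230122);
sub getConfig     { return %config; }
sub getShortDescr { return "Check for persistence via Recycle Bin"; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $clsid = '{645FF040-5081-101B-9F08-00AA002F954E}';
# Software hive paths first, then USRCLASS.DAT (its root is the Classes key;
# assumption)
my @paths = ("Classes\\CLSID\\$clsid\\shell\\open\\command",
             "Classes\\Wow6432Node\\CLSID\\$clsid\\shell\\open\\command",
             "CLSID\\$clsid\\shell\\open\\command");

sub pluginmain {
  my $class = shift;
  my $hive  = shift;
  ::logMsg("Launching recyclebin_check v.".$config{version});
  ::rptMsg("recyclebin_check v.".$config{version});
  ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
  my $reg      = Parse::Win32Registry->new($hive);
  my $root_key = $reg->get_root_key;

  foreach my $path (@paths) {
    my $key = $root_key->get_subkey($path);   # undef when the key is absent
    if ($key) {
      # Not present by default, so report the key, its LastWrite time
      # and every value (the command that runs when the Recycle Bin opens)
      ::rptMsg($path);
      ::rptMsg("LastWrite time: ".$key->get_timestamp_as_string());
      foreach my $v ($key->get_list_of_values()) {
        my $name = $v->get_name();
        $name = "(Default)" if ($name eq "");
        ::rptMsg("  ".$name." -> ".$v->get_data());
      }
    } else {
      ::rptMsg($path." not found.");
    }
  }
  ::rptMsg("");
  ::rptMsg("Analysis Tip: shell\\open\\command under the Recycle Bin CLSID does not exist by default (shell\\empty\\command does); any command found here launches when the Recycle Bin is opened.");
}
1;
```

Drop the file into the RegRipper plugins directory and run it against a Software or USRCLASS.DAT hive; the key's LastWrite time gives a starting point for the timeline when the key is present.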
LNKs
Anyone who's followed me for a while will know that I'm a huge proponent of making the most of what's available, particularly when it comes to file metadata. One of the richest and yet largely untapped (IMHO) sources of such metadata is LNK files. Cisco's Talos team recently published a blog post titled "Following the LNK Metadata Trail".
The article is interesting, and while several LNK builders are identified, the post falls just short of identifying the toolmarks associated with those builders. At one point, the article turns to Qakbot campaigns and states that there was no overlap in LNK metadata between campaigns. That's interesting when compared to what Mandiant found regarding two Cozy Bear campaigns separated by 2 years (see figs 5 & 6). What does this say to you about the Qakbot campaigns vs the Cozy Bear campaigns?
Updates to MemProcFS-Analyzer
Evild3ad79 tweeted that MemProcFS-Analyzer has been updated to version 0.8. Wow! I haven't had the chance to try this yet, but it does look pretty amazing with all of the functionality provided in the current version! Give it a shot, and write a review of your use of the tool!
OneNote Tools
Following the prevalence of malicious OneNote files we've seen through social media over the past few weeks, both Didier Stevens and the Volexity team have released tools for parsing these OneNote files.
Addendum, 30 Jan: Matthew Green added a OneNote parser/detection artifact to Velocidex.