Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development Low-Impact Disinformation Campaigns Based in Russia, China, Iran, Israel Rashmi Ramesh (rashmiramesh_) • May 31, 2024     OpenAI says it caught actors from China, Russia, Iran and Israel using its tools to create disinformation. (Image: Shutterstock) OpenAI said […]

La entrada OpenAI Disrupts AI-Deployed Influence Operations – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Security Information & Event Management (SIEM) , Security Operations SIEM Provider Focuses on Acquisitions, Partner Channels, European Union Compliance Michael Novinson (MichaelNovinson) • May 31, 2024     Mikkel Drucker, CEO, Logpoint (Image: Logpoint) European SIEM provider Logpoint tapped the former chief executive of experience management firm Netigate as its […]

La entrada New Logpoint CEO Mikkel Drucker Seeks Growth Via M&A, MSSPs – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Asks Agencies Not to ‘Scapegoat’ Firm’s CISO, But to Hold CEO and Board Accountable Marianne Kolbasuk McGee (HealthInfoSec) • May 31, 2024     Sen. Ron Wyden, D-Ore. (Image: U.S. Congress) U.S. Sen. Ron Wyden, D-Ore., is urging the U.S. Securities […]

La entrada Senator Urges FTC, SEC to Investigate UHG’s Cyberattack – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cybercrime , Finance & Banking , Fraud Management & Cybercrime ShinyHunters Advertises Data Set of ’30 Million Customers’ for $2 Million David Perera (@daveperera) • May 31, 2024     Santander disclosed earlier this month a breach of a database hosted by a third party provider. (Image: Shutterstock) A hacker […]

La entrada Hacker Sells Apparent Santander Bank Customer Data – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for an unauthorized transactions and follow our general data breach tips below.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

While the Ticketmaster data is yet to be published in full, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

Active Directory (AD), introduced with Windows 2000 [1], has become an integral part of modern organizations, serving as the backbone of identity infrastructure for 90% of Fortune 1000 companies [2]. Active Directory is widely used by organizations for its simplicity and centralized management approach. It is an attractive solution for businesses as it makes it […]

La entrada Active Directory Security se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Connectivity is continuing to transform the Automotive and Smart Mobility ecosystem, increasing cybersecurity risks as more functionality is exposed. 2023 marked the beginning of a new era in automotive cybersecurity. Each attack carries greater significance today, and may have global financial and operational repercussions for various stakeholders. Upstream’s 2024 Global Annual Cybersecurity Report examines how […]

La entrada GLOBAL AUTOMOTIVE CYBERSECURITY REPORT se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Welcome to the Check Point 2024 Cyber Security Report. In 2023, the world of cyber security witnessed significant changes, with the nature and scale of cyber attacks evolving rapidly. This year, we saw cyber threats stepping out from the shadows of the online world into the spotlight, grabbing the attention of everyone from government agencies […]

La entrada 2024 Cyber Security Report by Checkpoint se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Zimperium’s latest research explores a dynamic and expanding threat landscape by meticulously analyzing 29 banking malware families and associated trojan applications. This year alone, the research team identified 10 new active families, signifying the continued investment from threat actors in targeting mobile banking applications. The 19 adversaries who persist from last year reveal new capabilities […]

La entrada 2023 Mobile Banking Heists Report se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Today’s cyber landscape is threatened by a multitude of malicious actors who have the tools to conduct large-scale fraud schemes, hold our money and data for ransom, and endanger our national security. Profit-driven cybercriminals and nation-state adversaries alike have the capability to paralyze entire school systems, police departments, healthcare facilities, and individual private sector entities. […]

La entrada 2023 Internet Crime Report se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Authors/Presenters: Jiwon Kim, Benjamin E. Ujcich, Dave (Jing) Tian

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – Intender: Fuzzing Intent-Based Networking with Intent-State Transition Guidance appeared first on Security Boulevard.

The AI Revolution in META Banks 

Benefits of Artificial Intelligence-led Banking in the META Region

Implementing Artificial Intelligence in META Banks 

Challenges and Risks of AI in META Banks 

Conclusion

Overview Recently, we identified several critical Pwn Request vulnerabilities within GitHub Actions used by the Rspack repository. These vulnerabilities could allow an external attacker to submit a malicious pull request, without the requirement of being a prior contributor to the repository, and compromise the following secrets: NPM Deployment Token Compromise: Exploitation of the Pwn Request […]

The post Compromising ByteDance’s Rspack using GitHub Actions Vulnerabilities appeared first on Praetorian.

The post Compromising ByteDance’s Rspack using GitHub Actions Vulnerabilities appeared first on Security Boulevard.

Why Next-Gen Data Intelligence Platforms Are Game Changers

RBI has issued comprehensive master directions and guidelines for banks and non-banking financial corporations to identify and address operational risks and weaknesses. These guidelines are based on recommendations from working groups focused on information security, e-banking, governance, and cyber fraud. The primary motivation behind these directives is the growing need to mitigate cyber threats arising […]

The post What is an IS (RBI) Audit? appeared first on Kratikal Blogs.

The post What is an IS (RBI) Audit? appeared first on Security Boulevard.

TCE Cyberwatch: A Weekly Round-Up

AI's Dark Side: Experts Warn of Cybercrime, Election Attacks at Congressional Hearing

Courtroom Recording Software Hit by Supply Chain Attack, Thousands Potentially Affected

Australian Regulator Sues Optus Over Massive Data Breach of 10 Million Customers

Critical WordPress Vulnerabilities: Update Plugins Immediately!

Ransomware Attack on Spanish Bioenergy Plant Highlights ICS Vulnerabilities

Islamabad's Safe City Project Exposed: Hack Highlights Security Failures

Massive Data Breach at Pharma Giant Cencora Exposes Millions

MediSecure Ransomware Breach: 6.5 TB of Patient Data Listed for Sale on Dark Web

OpenAI Backtracks on Voice Assistant After Scarlett Johansson Raises Concerns

To Wrap Up

Credential phishing is a type of cyberattack where attackers attempt to deceive your employees into providing their sensitive information, such as their Microsoft usernames and passwords. What is not obvious is credential phishing is the root cause of many breaches, including the recent ransomware breach at UnitedHealth subsidiary Change Healthcare. According to UnitedHealth Group CEO […]

The post Understanding Credential Phishing first appeared on SlashNext.

The post Understanding Credential Phishing appeared first on Security Boulevard.

What is Business Email Compromise? Business Email Compromise (BEC) is a sophisticated form of cybercrime where attackers use email to deceive and defraud organizations. Unlike typical phishing attacks that cast a wide net, BEC is highly targeted and often involves impersonating a trusted individual or entity to trick employees into transferring funds or divulging sensitive […]

The post Understanding Business Email Compromise (BEC) first appeared on SlashNext.

The post Understanding Business Email Compromise (BEC) appeared first on Security Boulevard.

As DDoS attackers become more sophisticated and the attack surface grows exponentially, businesses must expand beyond an ideology of prevention to include a focus on early detection and response.

The post Adaptive DDoS Defense’s Value in the Security Ecosystem appeared first on Security Boulevard.

The post Risk vs. Threat vs. Vulnerability: What is the difference? appeared first on Click Armor.

The post Risk vs. Threat vs. Vulnerability: What is the difference? appeared first on Security Boulevard.

We're incredibly proud to share some exciting news at Impart Security: We've achieved SOC 2 Type 2 certification! This certification represents our unwavering dedication to providing exceptional security and operational excellence in API security.

The post Impart Security: Leading the Charge in API Security with SOC 2 Type 2 Certification | Impart Security appeared first on Security Boulevard.

Senator Ron Wyden wants the FTC and SEC to investigate the ransomware attack on UnitedHealth's Change subsidiary to see if there was criminal negligence by the CEO or board.

The post Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach appeared first on Security Boulevard.

A vulnerability has been discovered in Check Point Security Gateway Products that could allow for credential access. A Check Point Security Gateway sits between an organization’s environment and the Internet to enforce policy and block threats and malware. Successful exploitation of this vulnerability could allow for credential access to local accounts due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates may also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Local accounts that are configured to have fewer rights on the system could be less impacted than those that operate with administrative rights.

Authors/Presenters:Alex Luoyuan Xiong, Binyi Chen, Zhenfei Zhang, Benedikt Bünz, Ben Fisch, Fernando Krell, Philippe Camacho

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – VeriZexe: Decentralized Private Computation with Universal Setup appeared first on Security Boulevard.

Permalink

The post Randall Munroe’s XKCD ‘Complexity Analysis’ appeared first on Security Boulevard.

Check Point disclosed a serious vulnerability in Check Point Security Gateway devices with certain remote access software blades enabled. See how to find them.

The post How to find Check Point devices appeared first on Security Boulevard.

Clearing the National Vulnerability Database Backlog

CISA's 'Vulnrichment' Initiative

"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," the cloud storage giant said in a statement today.

Alleged Snowflake Breach Details

Extortion Attempt and Malware Involvement

Snowflake Responds

"We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.

Tools and Indicators of Compromise

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

• CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
• CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
• CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.

Vulnerability Remediation

Copilot Recall Privacy and Security Claims Challenged

Does Recall Have Cloud Hooks?

Data May Not Be Completely Deleted

Malware Used by Andariel APT in this Campaign

Additional Malware Strains

• Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
• Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
• Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.

IoCs to Watch for Signs of Andariel APT Attacks

This video might be a juvenile colossal squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

We are pleased to introduce Insight Agent support of ARM-based Windows 11 devices for both vulnerability and policy assessment within InsightVM. Customers with Windows 11 devices powered by ARM processors can now take advantage of the great performance and lower power requirements of these chips without sacrificing the agent-based visibility of their remote assets. This release coincides with enhanced vulnerability content for Windows 11 in InsightVM, providing customers with high-quality, accurate coverage. The full list of operating systems supported by the Insight Agent can be found in our documentation.

The latest generation of ARM64 chips promises excellent CPU performance and multi-day battery life on a single charge, making them more attractive than ever for enterprise and consumer devices, including laptops. As hardware and software vendors continue to bolster support for Windows on ARM, Rapid7 customers using or considering adoption of these devices can deploy the Insight Agent to Windows 11 devices immediately. The existing Windows (x64) installer – downloaded as ‘agentInstaller-x86_64.msi’ – can be used for installation, and the Insight Agent will automatically run in emulation mode. No other action is required, but do note that only InsightVM functionality is supported at this time.

You can find more information on how to download and install the Insight Agent in our Help Documentation and on the Agents page within the Insight Platform:

Customers can use the Agent Test Set feature to roll out newer versions of the Insight Agent on a select set of machines before deploying it widely.

Quis dīrumpet ipsos dīrumpēs

In this release, we feature a double-double: two exploits each targeting two pieces of software. The first pair is from h00die targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to retrieve the login for the ransomware server, and the second is a directory traversal vulnerability allowing arbitrary file read. The second pair from Dave Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it pairs well like wine with the additional and accompanying Privilege Escalation module.

New module content (4)

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Jasmin Ransomware Web Server Unauthenticated SQL Injection

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Flowmon Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389

Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.

Progress Flowmon Local sudo privilege escalation

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024

Description: Privilege escalation module for Progress Flowmon unpatched feature.

Enhancements and features (3)

• #19195 from adfoster-r7 - Updates msfconsole to support risc-v platforms.
• #19198 from adfoster-r7 - Add support for Ruby 3.3.x.
• #19200 from adfoster-r7 - Updates Metasploit's gemspec file to work with additional static analysis tools.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.10...6.4.11
• Full diff 6.4.10...6.4.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

In “Living off the Land attacks,” adversaries use USB devices to infiltrate industrial control systems. Cyberthreats from silent residency attacks put critical infrastructure facilities at risk.

The post A Major Industrial Cybersecurity Threat: Living off the Land Attacks appeared first on Security Boulevard.

Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.

This month we have something big: Our new Third Party Risk Assessment app, TPRA. And it’s now available to current customers! Observable third-party risk assessments  Vendor assessments are a huge part of any GRC program, so it only makes sense to handle them in the same platform that handles your compliance, security questionnaires, and trust […]

The post TrustCloud Product Updates: May 2024 first appeared on TrustCloud.

The post TrustCloud Product Updates: May 2024 appeared first on Security Boulevard.

On Detection: Tactical to Functional

Why a Single Test Case is Insufficient

Introduction

In my previous post, I explored the idea that different tools can implement the same operation chain (behavior) in various ways. I referred to these various ways as execution modalities. In that post, we explored five tools that allowed us to understand some of the most common modalities that one would expect to encounter and concluded with an image of a function call stack that represented the Session Enumeration operation with overlaid tools.

In this post, I want to explore the implications of execution modalities on detection engineering. I’m particularly interested in how diverse modalities affect our ability to evaluate detection coverage. Evaluating detection coverage is a problem we’ve seen rise to industry attention with the ATT&CK EDR Evaluations. While the objective of the evaluations is not necessarily to assess detection coverage, that is undoubtedly a question that industry consumers are interested in, and rightfully so. This post will explore why a test not specifically designed to answer coverage questions fails to provide the necessary evidence. But before we do that, let’s revisit what we learned in the previous post. This refresh will set us up for a hypothetical scenario that will allow us to understand the problems that execution modalities create for us.

NetSessionEnum Function Call Stack

In the previous post, we analyzed the netapi32!NetSessionEnum function to generate its function call stack. Based on our analysis, we know that when an application calls netapi32!NetSessionEnum, it calls the lower level srvcli!NetSessionEnum and ms-srvs!NetrSessionEnum functions behind the scenes. We then identified that we could use the “Session Enumeration” operation to group the functions.

We represent the relationship between these functions as a function call stack below:

Tool Samples

In the previous post, we analyzed five Session Enumeration tool samples; however, we will reduce our scope for this post to just two samples so we can explore how changes to the execution modality impact detectability even if the behavior remains static. I’ve selected two samples, PowerView Get-NetSession and BOF get-netsession, that overlap maximally. I selected these samples because they have the same name (Get-NetSession) and execute the same API function (netapi32!NetSessionEnum). We can, therefore, say they perform the same behavior; however, their authors implemented that behavior via different execution modalities (PowerShell Script vs. Beacon Object File [BOF]). We should expect the rule to detect both samples if we use a behavior-based approach. The problem lies in our definition of behavior-based detection, which I hope this post will help reify. Before we get going, let’s quickly review these particular samples.

Sample 1: PowerView Get-NetSession (PowerShell Script)

The first sample is the Get-NetSession function from Will Schroeder’s PowerView project. Will implemented this sample as a PowerShell script, which confers certain advantages and disadvantages to its users. When we view its source code, we quickly find that the bulk of the script’s interaction with the operating system occurs when it calls the netapi32!NetSessionEnum Windows API function.

Sample 2: get-netsession (Beacon Object File)

The second sample is a BOF called get-netsession, part of TrustedSec’s CS-Situational-Awareness-BOF project. BOFs offer a distinct advantage over PowerShell scripts because they tightly integrate with the agent. As a result, there is no need to spawn a new process, as we typically see during PowerShell execution. Since this BOF is open-source, we can review the code to understand its implementation. Very quickly, we saw a similar call to the netapi32!NetSessionEnum function, so we know that the underlying behavior of this BOF will be identical to that of the first sample we analyzed.

Integrating the Tools into the Function Call Stack

After introducing the samples and performing a quick analysis, we’ve identified that both tools call the netapi32!NetSessionEnum API function. We can now add these samples to our graphic to demonstrate where they reside in the function call stack. Notice that both tools point to the same function, netapi32!NetSessionEnum, which indicates that while the superficial details (e.g., programming language, variable names, etc.) of each tool may differ, they should be considered “functionally equivalent.” Functional equivalency is important because, given the minimal differences between the samples, we expect that a rule written to detect one sample would also detect the other. This resiliency to change differentiates between a “signature” and a “behavior-based detection.” If two tools are equivalent at the functional level, but a rule does not detect both, the rule is not behavior-based. Put another way, the rule focuses on tool-specific details rather than the tool’s behavior.

Detection Rules

Next, we will look at two detection rules. Of course, we all know that there are myriad possible detections. For instance, some rules are built using hashes, some are built using strings or other details associated with malware, and some are more focused on the behavior itself. MITRE Engenuity recently released its Summiting The Pyramid project to explore this proposition. however, for the sake of this particular exercise, we will act as if there are only two possible detection rules. We will use publicly available rules through the Sigma project for this exercise. One rule will depend on the modality, while the other will be behaviorally focused. The goal is not to say that one rule is better; instead, our goal is to understand the tradeoffs between different detection strategies. Let’s take a look at the two detection rule options.

Rule 1: Malicious PowerView PowerShell Commandlets

Rule 1, written by Bhabesh Raj, was written to leverage a potent telemetry source called PowerShell ScriptBlock Logging. If you aren’t familiar with ScriptBlock Logging, I recommend the original PowerShell ❤ the Blue Team article, which describes what it is and how it works. If we look at line 28 of the rule, which is shared below, we see that the rule is also predicated on explicitly including a specific string (Get-NetSession) in the PowerShell ScriptBlock Log. I’ve included a version of the rule below for your review:

https://medium.com/media/fcd09de414418c3a3da2542220fc7044/href

It is helpful to explicitly lay out the conditions a sample must meet for this rule to fire. I’ve listed the alert conditions for Rule 1 below:

1️⃣: PowerShell ScriptBlock Logging (SBL) is enabled

logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'

2️⃣: The tool is implemented in PowerShell (and therefore triggers SBL)

logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'

3️⃣: The Get-NetSession string is included in the script

detection:
    selection:
        ScriptBlockText|contains:
            - 'Get-NetSession'
    condition: selection

This rule is great for detecting the default implementation of PowerView’s Get-NetSession function because it is named “Get-NetSession” and, therefore, will appear in the ScriptBlock when executed. However, the rule assumes that the attacker will not alter the function’s name AND that the attacker will execute this behavior via a PowerShell script.

Rule 2: SharpHound Recon Sessions

This second rule, by Sagie Dulce and Dekel Paz, actually undersells its capability. It is titled “SharpHound Recon Sessions,” but is generic enough to cover all implementations, so long as they call the NetrSessionEnum RPC Procedure (which, as discussed earlier in this post, is true of all our samples). The rule depends on the Zero Network’s RPC Firewall project to function. It then looks for any process attempting to call the NetrSessionEnum RPC procedure, which the protocol defines as Opnum 12 of the 4b324fc8–1670–01d3–1278–5a47bf6ee188 interface.

https://medium.com/media/cc6a5aa601cf83b64df766b2dc7e3f36/href

The following conditions must be met for this rule to trigger an alert:

1️⃣: RPC Firewall is installed on all relevant processes

logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'

2️⃣: The RPC Procedure is implemented by the MS-SRVS RPC Interface (4b324fc8–1670–01d3–1278–5a47bf6ee188)

InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188

3️⃣: The RPC Procedure is NetrSessionEnum (OpNum 12)

OpNum: 12

Here, we see that the rule focuses on the execution of a specific RPC procedure, NetrSessionEnum. It may be difficult to immediately understand the viability of such a rule, especially if you are unfamiliar with RPC and its integration into standard Windows API functions. We can refer to the Session Enumeration function call stack, where we see the ms-srvs!NetrSessionEnum RPC procedure sits at the bottom of the stack. Its position indicates that all code paths will eventually result in a call to the procedure, which is good news for defenders who choose this rule.

Rule Analysis

I want to analyze both samples quickly in the context of each rule. The goal is to identify whether the sample(s) meet the conditions of each rule, as described in the previous section. Remember that the sample must meet ALL conditions for the rule to produce an alert.

Note: Both rules rely on telemetry, which may not be enabled by default in your environment. However, for the sake of this post, we will assume that our target environment has enabled all of the necessary telemetry for both rules. This assumption means that each sample will meet Condition 1 for both rules as it evaluates the state of telemetry collection, not the sample or behavior itself.

Sample 1 + Rule 1

1️⃣: PowerShell ScriptBlock Logging (SBL) is enabled ✅

• We have assumed that our hypothetical environment has SBL enabled. The first condition passes.

2️⃣: The tool is implemented in PowerShell (and therefore triggers SBL) ✅

• PowerView’s Get-NetSession is implemented as a PowerShell script. Therefore, it would be subject to SBL, satisfying the second condition.

3️⃣: The Get-NetSession string is included in the script that is executed ✅

• The function is named Get-NetSession, which means the string Get-NetSession would exist in the relevant logs, satisfying the third condition.

Overall Result ✅

• Based on our analysis of the conditions of Rule 1 and the features of Sample 1, I found that Sample 1 WOULD (✅) trigger Rule 1 to produce an alert.

Sample 2 + Rule 1

1️⃣: PowerShell ScriptBlock Logging (SBL) is enabled ✅

• We have assumed that our hypothetical environment has SBL enabled. The first condition passes.

2️⃣: The tool is implemented in PowerShell (and therefore triggers SBL) ⛔️

• TrustedSec’s get-netsession is implemented as a BOF and, therefore, would not be subject to SBL, failing to satisfy the second condition.

3️⃣: The Get-NetSession string is included in the script that is executed ✅

• The BOF’s name is get-netsession; therefore, assuming the string comparison is case-agnostic, the third condition would be satisfied.

Overall Result ⛔️

• Based on our analysis of Rule 1’s conditions and Sample 2’s features, Sample 2 WOULD NOT (⛔️) trigger Rule 1 to produce an alert.

Sample 1 + Rule 2

1️⃣: RPC Firewall is installed on all relevant processes ✅

• We have assumed that the RPC Firewall is installed in the hypothetical environment, satisfying the first condition.

2️⃣: The RPC Procedure is implemented by the MS-SRVS RPC Interface ✅

• The same RPC call specifies OpNum 12, which corresponds with the NetrSessionEnum procedure and satisfies the third condition.

3️⃣: The RPC Procedure is NetSessionEnum ✅

• The same RPC call specifies OpNum 12 which corresponds with the NetrSessionEnum procedure, satisfying the third condition.

Overall Result ✅

• Based on our analysis of the conditions of Rule 2 and the features of Sample 1, I found that Sample 1 WOULD (✅) trigger Rule 2 to produce an alert.

Sample 2 + Rule 2 ✅

1️⃣: RPC Firewall is installed on all relevant processes ✅

• We have assumed that the RPC Firewall is installed in the hypothetical environment, satisfying the first condition.

2️⃣: The RPC Procedure is implemented by the MS-SRVS RPC Interface ✅

• TrustedSec’s get-netsession calls netapi32!NetSessionEnum. According to the function call stack, this function leads to an RPC call to the MS-SRVS Interface, satisfying the second condition.

3️⃣: The RPC Procedure is NetrSessionEnum ✅

• The same RPC call specifies OpNum 12, which corresponds with the NetrSessionEnum procedure and satisfies the third condition.

Overall Result ✅

• Based on our analysis of the conditions of Rule 2 and the features of Sample 2, I found that Sample 2 WOULD (✅) trigger Rule 2 to produce an alert.

Integrating Rules into the Function Call Stack

Now that we understand both rules, we can integrate them into our graph. Remember that both Sample 1 (PowerView’s Get-NetSession) and Sample 2 (BOF get-netsession) call the netapi32!NetSessionEnum function; in other words, the samples are “functionally equivalent.” When two samples are functionally equivalent, we can attribute any difference in detection results to differences in modality or some other tool-specific detail or toolmark.

Recall that Rule 1 is based on PowerShell ScriptBlock Logging, so its detection scope will be limited to implementations that rely on the PowerShell engine. This reliance means it is married to the PowerShell Script modality discussed in the previous post. Our analysis shows that Sample 1 is implemented in PowerShell, but Sample 2 is implemented as a BOF instead of in PowerShell. Therefore, Rule 1 detects Sample 1 but not Sample 2.

Rule 2, on the other hand, is focused on the execution of the ms-srvs!NetrSessionEnum RPC procedure. Based on our understanding of the function call stack, we know that when a sample calls the netapi32!NetSessionEnum function, as both samples do, it will eventually reach the bottom of the function call stack and call ms-srvs!NetrSessionEnum. As a result, both samples will ultimately execute the ms-srvs!NetrSessionEnum procedure and thus trigger the alert. We can confidently say that Rule 1 is focused on modality (PowerShell Script), while Rule 2 focuses on behavior (Session Enumeration).

It is also worth noting that in RPC-based function call stacks, the RPC procedure sits at the base of the stack and, therefore, represents the optimal location for telemetry. Client-side telemetry implementations risk missing direct RPC implementations, like impacket, while server-side implementations lose important client-side context.

I have added both rules to the function call stack in the image below. Notice that Rule 1 is associated with a specific sample or, more generically, with the PowerShell Script execution modality. In contrast, Rule 2 sits at the base of the function call stack (at the RPC procedure). This position in the stack indicates that Rule 2 offers a more holistic approach to detecting this behavior.

Detection Analytic Categories

When we complete this analysis, we find that at least three categories of detection analytics exist.

The first, “tool-based” detections (signatures), is a well-known approach that represents a relatively solved problem. We are all familiar with different ways to build detection rules that focus on the specific details or toolmarks of known malware samples or attacker tools.

With the rise of Endpoint Detection and Response (EDR) products, we saw an effort to move beyond tool-based detections to a new approach that can better deal with the uncertainty that we face. This new category was commonly referred to as “behavior-based” detection. Behavioral detections purported to focus on what the sample does instead of what it is. Unfortunately, the term “behavior” has been poorly defined traditionally within the industry, but in this blog series, I argue that behavior should be considered identical to the operation chain. Therefore, behavioral detections for a tool like PowerView’s Get-NetSession should focus on the Session Enumeration operation.

A problem that I often wrestled with was that detection rules would present themselves as behavior-based because they had moved beyond hashes and static strings, but they didn’t make it to focus on the behavior. This disconnect was evident, especially when Red Teamers migrated from PowerShell tools to C#. It didn’t make sense to me that one could change the programming language used to write malware, which was sufficient to bypass behavior-based detections. The introduction of execution modalities as a concept helps to bridge the gap. A third detection category, which I call “modality-based” detection, seems to exist.

Many modern detection analytics fall into this third modality-based detection category. This focus on modality-based detection strategies can largely be attributed to the poor definition of “behavior” and our lack of resolution, which did not allow us to differentiate between the execution modality and the behavior. I hope this post helps detection engineers make deliberate decisions between modal and behavior detections.

Determining Which Category a Rule Belongs To

The best way to determine which category a detection rule fits into is to execute multiple test cases using samples that emphasize each category. For example, if one were to execute two PowerShell scripts that both call netapi32!NetSessionEnum, but maybe the name of the function was changed, and perhaps some comments with the author’s name were removed, and the detection rule fires for one sample but not the other, so it is likely that the rule is tool-based. If, however, a rule detects both PowerShell scripts but does not detect a BOF that also calls netapi32!NetSessionEnum, then the detection rule is likely modality-based. Finally, suppose the detection rule detects all five tool samples from the previous post. In that case, the rule is likely sufficient for detecting any variation of the behavior and would fit in the behavior-based category.

Understanding that most rules do not fit nicely into one category is essential. Instead, we find that the rule’s logic often involves elements of each approach but is predominantly aligned to one approach. For example, Rule 1, “Malicious PowerView PowerShell Commandlets”, is modality-based due to its reliance on PowerShell ScriptBlock Logging and tool-based due to its use of the string Get-NetSession. Meanwhile, Rule 2 is a pure behavior-based rule due to its location at the bottom of the function call stack.

Modality-based vs. Behavior-based Detection Approaches

An interesting dichotomy exists between modality-based and behavior-based, which makes it difficult to determine whether one approach is “better” than the other. It is possible for a modality-based approach to make executing ANY behavior challenging using that particular modality. For instance, one could imagine a detection engineer or product that learns how to spot proxied RPC. If that were the case, then it would be possible for that solution to eliminate the ability of attackers to execute any behavior via that modality. The downside, of course, is that it would be possible for attackers to execute each behavior using a different modality. It is unclear whether it is possible to eliminate all execution modalities despite the likelihood of fewer modalities than behaviors.

Similarly, we can easily imagine a scenario where a behavior-based approach eliminates a specific behavior regardless of the selected modality. We expect this from a behavior-based detection rule targeting the Session Enumeration operation. In practice, we expect to see some combination of detection approaches, primarily when multiple products exist in many environments.

Example: Detecting the Direct Syscall Modality

Gijs Hollestelle at FalconForce provides an excellent example of modality-based detection in this blog post. Gijs describes his approach to detect direct syscalls (an execution modality) where one looks for syscalls where the calling module is not ntdll.dll, win32u.dll, or wow64win.dll. The thing to notice here is that this detection strategy does not focus on a single behavior, like Session Enumeration, but instead on detecting the use of direct syscalls. This focus makes it a modality-based detection. Again, modality-based detection strategies are fine. The important thing is that we understand the strengths and limitations of whichever strategy we choose to implement.

Why a Single Test Case is Not Enough

I opened the post by explaining that execution modalities complicate our ability to evaluate detection coverage. This problem arises due to the diversity of forms of any given behavior. In his recent post, Luke Paine describes the mathematical underpinnings of detection coverage. He focused on explaining how we can calculate the coverage of a Technique based on the results of its Procedures (operation chains or behaviors). We realized that while this is correct, determining the results of a procedure is a complex problem. As I’ve described, attackers can use numerous execution modalities to implement a procedure, and each modality adds its own wrinkle. This post focuses on the problem of whether it is possible to detect any single variation using many analytics. These analytics range from specific (brittle) to generic (robust) concerning the procedure. It is not always possible to determine where a particular solution exists on the spectrum, especially when evaluating proprietary analytics. You can only build confidence in your procedure coverage when you test the same procedure via many different modalities (built-in tool, PowerShell script, Beacon Object File, Direct RPC).

Your confidence should roughly follow the same function that Luke described for the procedure to technique coverage estimate with the exception that the first test is as good as meaningless because even if you successfully detect it, you have no way of knowing whether your analytic is more like Rule 1 or Rule 2 (as described in this post). Robust detections are resilient to change. This resilience, first and foremost, should be true regarding execution modality. Still, it also should include changes at any level of resolution that is more fine grain than the functional level.

Scenario

Imagine that you are conducting a Red Team assessment. You gain initial access as an unprivileged user and are interested in determining your next step. One common approach is to pursue “user hunting,” where the attacker identifies an interesting target account (e.g., SQL Administrators), typically due to the account’s access to resources germane to the Red Team’s objectives. Once that target user is selected, the attacker must determine where the user account is logged in in the network. The red teamer may enumerate network sessions to glean this information, but they have a choice. They can use PowerView’s Get-NetSession PowerShell function or the get-netsession BOF from TrustedSec’s SA repository.

Note: In real life, there are more than two implementation options. Constraining the possibilities makes the point easier to demonstrate.

The red teamer is a PowerShell fanatic and, as a result, chooses PowerView’s Get-NetSession. Now imagine that later that day, in an exchange with the client, the red teamer is informed that their Session Enumeration was detected. The question is, “What broader assertions can we make as a result of this detection?” Here’s the rub. Remember our two detection rules? Like our two tool implementations, these represent only two of the many ways that either of the tools could be detected. However, I selected these two rules on purpose. Rule 1 only works to detect Sample 1, but Rule 2 works to detect both.

When it comes to dynamic testing, especially in cases where proprietary analytics are in play, we do not necessarily know how the analytic works under the hood. We are using our test cases as a means to reverse engineer or glean the alerting conditions of the analytic itself. When we run a test, the binary result abstracts details of how the analytic works. The test case is either detected (i.e., the rule produces an alert) or not detected (i.e., the rule does not produce an alert). Therefore, when we run our PowerView Get-NetSession test case, if the detection rule generates an alert, we often have no way of knowing whether the first rule caught it (explicitly focused on the tool itself) or the second rule (focused on the underlying behavior and therefore tool agnostic). The best or most efficient way of ascertaining is to use multiple test cases. In a sense, we would then be “triangulating” the analytics logic.

Triangulation

The process of triangulation would look like this. The first test case would be something like executing PowerView’s Get-NetSession function. Assuming it is detected, we now have two example analytics that could be responsible for the alert. We should then select a second test case to eliminate any residual uncertainty (concerning how the analytic works), so we might choose to execute TrustedSec’s get-netsession BOF. The BOF code is almost identical to the Get-NetSession PowerShell function. The difference is that the BOF is written in C and integrates directly into Beacon, eliminating the relevance of PowerShell-specific data sources such as ScriptBlock Logging. In the case of a different result, the similarity between the test cases allows us to pinpoint the cause. If the second test case is not detected, we can infer that a holistic detection rule, like Rule 2, is not in play, and the likelihood that the active rule is similar to Rule 1 increases tremendously.

One final observation is that our ability to triangulate coverage depends on the results from a single detection rule. During this type of testing, the null hypothesis is that all detection rules are tool-based until proven otherwise. If, for instance, we detected both PowerView’s Get-NetSession and the get-netsession BOF, but we depended on different rules to do so, we must assume those rules are tool-based and do not generalize to other implementations. We can, of course, continue testing to determine whether that is, in fact, the truth, but we must operate from the tool-based starting point as it is the most likely result.

Conclusion

In these two posts (Parts 12 and 13), we’ve explored how a behavior implementation matters as much as the behavior itself. We discovered that in the transition from tool-based to behavior-based detections we made an unintended discovery of modality-based detections. These detections complement a behavior-based strategy because they can detect unknown or unaccounted-for behaviors. We identified that it is impossible to evaluate detection coverage using a single test case. This fact makes red team exercises non-ideal for this particular task (although they are quite valuable for other pursuits). Purple team exercises fill this gap because they primarily implement a different testing protocol. One that focuses on presenting multiple test cases. However, the devil is in the details. Consumers should be mindful of understanding the vendor’s testing protocol including how many test cases they will execute per behavior, how those test cases are selected, and whether the selected test cases represent the range of behavioral and modal variability.

On Detection: Tactical to Functional Series

• Understanding the Function Call Graph
• Part 1: Discovering API Function Usage through Source Code Review
• Part 2: Operations
• Part 3: Expanding the Function Call Graph
• Part 4: Compound Functions
• Part 5: Expanding the Operational Graph
• Part 6: What is a Procedure?
• Part 7: Synonyms
• Part 8: Tool Graph
• Part 9: Perception vs. Conception
• Part 10: Implicit Process Create
• Part 11: Functional Composition
• Part 12: Behavior vs. Execution Modality

Part 13 was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Part 13 appeared first on Security Boulevard.

Authors/Presenters: Sanjam Garg, Aarushi Goel, Abhishek Jain, Johns Hopkins University; Guru-Vamsi Policharla, Sruthi Sekar

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – zkSaaS: Zero-Knowledge SNARKs as a Service appeared first on Security Boulevard.

Celebrate 10 years of BSides Knoxville, featuring discussions of AI in security, historical hacking, and holistic protection, fostering a dynamic cybersecurity community.

The post BSides Knoxville 2024: A Community Celebrating A Decade of Cybersecurity appeared first on Security Boulevard.

Insight #1

Transparency isn't just about promising action, it's about proving it. It means sharing the data and results that show you're following through on your commitments.

The post Cybersecurity Insights with Contrast CISO David Lindner | 5/31/24 appeared first on Security Boulevard.

This cybersecurity playbook is inspired by David Cross’s insights on how to best handle a potential incident that could have been caused by what seemed to be a suspicious email sent to a marketing team. He recently shared his recommendations on CyberOXtales Podcast, highlighting the importance of having a clear playbook for incident response, determining […]

The post Effective Incident Response: A Cybersecurity Playbook for Executives appeared first on OX Security.

The post Effective Incident Response: A Cybersecurity Playbook for Executives appeared first on Security Boulevard.