News

• Pwn2Own Vancouver 2022 - The Results. Always cool to see some nice 0day chains take down major names.
• DOJ Announces It Won't Prosecute White Hat Security Researchers. It's all about intent. However this is just an "agency policy" and doesn't actually change the law. Read the full PDF here.
• Kali Linux 2022.2 Release (GNOME 42, KDE 5.24 & hollywood-activate). Nothing crazy here, just quality of life improvements, version bumps, and a "hacker" screensaver.
• When Your Smart ID Card Reader Comes With Malware. Supply chain attacks in equipment meant to secure systems. The ultimate trojan horse? The major user of PIVs in the US is the government, so this attack would likely land on personal (or maybe even official computers) of government employees.
• CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware. Supply chain attacks aren't new, and this one was likely targeting other software supply chains via their CI to expand its reach.
• [PDF] Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. "On thousands of sites email addresses are collected from login, registration and newsletter subscription forms; and sent to trackers before users submit any form or give their consent."
• CISA, NSA, FBI and International Cyber Authorities Issue Cybersecurity Advisory to Protect Managed Service Providers (MSP) and Customers. Why hack individual companies when you can hack MSPs that have SYSTEM level access to all the endpoints in hundreds or thousands of companies?
• Out Of Band Update: Cobalt Strike 4.6.1. Minor fixes to the 4.6 release.
• **authenticated** PetitPotam still works even after latest updates.. Windows machines just really want to authenticate to you.

Techniques and Write-ups

• Nighthawk 0.2 - Catch Us If you Can. MDSec releases the second version of their in-house C2, and is kind enough to detail its features. If you are looking for an advanced red team framework to support engagements, seriously consider Nighthawk. I haven't gotten any hands on time yet, but it sure looks impressive. If anyone at MDSec wants to hook me up with a trial contact me.
• Exploiting an Unbounded memcpy in Parallels Desktop. This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in a successful Pwn2Own 2021 entry to achieve code execution on a macOS host from a running a Linux guest via Parallels.
• EntropyCapture: Simple Extraction of DPAPI Optional Entropy. If you've decrypted DPAPI blobs but were left with gibberish data, perhaps the encrypting appliaction was supplying optional entropy to DPAPI. The new EntropyCapture uses hooks to capture that entropy so you can decrypt the blobs successfully.
• Exploit Development: No Code Execution? No Problem! Living The Age of VBS, HVCI, and Kernel CFG. Hypervisor-Protected Code Integrity (HVCI) and other modern protections make kernel level code execution difficult. Connor threads the needle with kernel-mode ROP in the post and takes you along every step of the way.
• S4fuckMe2selfAndUAndU2proxy - A low dive into Kerberos delegations. This post explores Kerberos delegation and ways to detect and exploit it, including the sometimes complicated S4U2self/proxy attacks.
• No-Fix Local Privilege Escalation Using KrbRelay With Shadow Credentials. This "manual" KerbRelayUp shows how the pieces work together to get a SYSTEM shell.
• Revisiting a Credential Guard Bypass. Patching two offsets in LSASS can bypass credential guard, but until now, those offsets have been hard-coded in tools. This post shows how they an be dynamically located at run time. The proof of concept is on GitHub.
• How I could exploit the CVE-2022-1388, F5 BIG IP iControl Authentication bypass to RCE. This is the background on the biggest bug of the last few weeks.

Tools and Exploits

• ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
• Mortar Loader v2. Lots of improvements to this loader in version 2.
• SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
• DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
• bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BinAbsInspector - Vulnerability Scanner for Binaries.
• Labtainers - Docker-based cyber lab framework.
• privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
• Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
• Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
• Welcome to the next generation of ngrok. The popular tunneling utility used to exposed local ports to the public internet released version 3 with some cool new features. Oauth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
• Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition br Broadcom this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
• How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
• FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you loose 221 million USD a year you get desperate and every piece of data is up for sale.
• Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

• Spoofing Microsoft 365 Like It's 1995. What if you wanted a scanner to send emails to your internal users but you use O365 email? How about an MS mail server that listens on port 25, has no auth, and delivers mail straight to your users from any email even if it doesn't exist in your domain? What could go wrong?
• Issue 2254: Zoom: Remote Code Execution with XMPP Stanza Smuggling. XML being parsed differently by two different libraries ends ups in RCE. Impressive research.
• A Kernel Hacker Meets Fuchsia OS. This is a long post that goes from "download the src" to "plant a rootkit."
• The printer goes brrrrr!!!. The ability to exploit an implant a network printer could give you network access for years. No one watches their printers, and the often have access to many subnets.
• Debugging and Reversing ALPC. No big reveal at the end of the post, but it does give good instructions on setting up a Windows VM for local or remote kernel debugging. For a more detailed post check out Offensive Windows IPC Internals 3: ALPC.
• Leveraging AWS QuickSight dashboards to visualize recon data. Use the AWS "business intelligence" tool to visualize all your "business intelligence" or make sense of some very verbose command line output.
• Capitalizing on BloodHound's Data: Cypher, Object Ownerships and Trusts. Investigate object ownerships across domains using custom Cypher queries.
• Taking ESF For A(nother) Spin. ESF is the macOS ETW.
• Security Code Audit - For Fun and Fails. While there is no epic RCE to end this post, there is tons of good knowledge and process described throughout.
• Intro to Web App Security Testing: Burp Suite Tips & Tricks. Some basic Burp Suite usage to get you started poking at web apps.
• Automating Azure Abuse Research — Part 1. Every website has an API, some just make you work harder to automate their usage than others. In this case Andy automates the "Run Command Script" function of Azure via Powershell, but the technique is generally applicable.
• VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive. Host header manipulation and a custom "logon server" allow you to bypass authentication on multiple VMware products. PoC here.

Tools and Exploits

• DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
• VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
• mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
• KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
• freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
• Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
• MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
• NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
• CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BofRoast - Beacon Object Files for roasting Active Directory.
• BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Announcing PSP's cryptographic hardware offload at scale is now open source. What happens when the NSA draws a smiley face on your network map? You spend a decade perfecting encryption that you can offload to smart NICs so that all traffic is encrypted in transit. I wonder where the next smiley face will be drawn...
• Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability. "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance."
• Information Security Controls: Cybersecurity Items. The US joins Europe with its own "Wassenaar Arrangement" rule by the Industry and Security Bureau. TLDR don't sell cyber capabilities to Country Group D.

Techniques and Write-ups

• Abusing CVE-2022-26923 Through SOCKS5 on a Mythic C2 Agent. This post explores the AD CS vulnerability but uses Mythic an an Apollo agent with SOCKS forwarding to pull it off. Nice practical usage example!
• From open redirect to RCE in one week. This is a wild ride through a series of strange small bugs that result in full RCE. Web app hackers take note.
• Technical Advisory - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). This one is for the embedded device hackers (and chromebook hackers).
• Managed Identity Attack Paths, Part 1: Automation Accounts. Azure Automation Accounts, Logic Apps, and Function Apps all use "Managed Identity assignments" which allows scripts to authenticate as a specific Service Principle. These services can be used by an attacker to leak their JWT which can be used to authenticate outside the context of the Authentication Account.
• DeepPass — Finding Passwords With Deep Learning. It's starting to feel like Will is lining up a career change into data science, but as long as he keeps the red team angle I'm here for it. Here he trains a model (DeepPass) to recognize passwords in arbitrary documents. How long before this is repackaged and sold as "AI/ML deep learning information disclosure hunter 9000" at RSA?
• LSASS needs an IV. Spoiler: It doesn't really need an IV if you can guess a few characters of a password. Interesting deep dive into the (poor?) cryptographic decisions in LSASS.
• Enumeration and lateral movement in GCP environments. Lateral movement is more fun in the cloud.

Tools and Exploits

• COM-Hunter - COM Hijacking voodoo.
• VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
• Nidhogg Nidhogg is an all-in-one simple to use rootkit for red teams.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Surreal Case of a C.I.A. Hacker's Revenge. I haven't read this one yet but its on my list.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• There's Another New Deputy in Town. SOCKS5 support may finally be coming to Cobalt Strike.
• KrebsOnSecurity in New Netflix Series on Cybercrime. Might be worth a watch but I always worry these shows will be too much drama and not enough technical detail for my taste.
• ANOTHER Guy Has Leaked Classified Military Documents On The SAME TANK GAME'S forums. Not all that relevant, but goes to show that useful information can be fond in the strangest places.
• [PDF] clickstudios Passwordstate Incident Management Advisory #03. A digital signing certificate published online for 2 days was enough for it to be scooped up and used by a malware crew. No one is safe from the scrapers.

• Logo'd bugs

  • PACMAN Attacking ARM Pointer Authentication with Speculative Execution. I'd put this in the same camp as spectre, if you already have privilieged code execution, this may be useful, otherwise its a fun academic exercise but has a very narrow useful window.
  • Hertzbleed Attack. This one may be slightly more useful, with the potential to extract key material from "constant time" cryptographic routines, even remotely. Intel and AMD are affected, with the potential for ARM chips to be vulnerable as well. Code here.

• Google suspends engineer who claims its AI is sentient. You can read the editied chat transcripts here and decide for yourself. Either way this is 10/10 marketing for Google.

Techniques and Write-ups

• How to Reverse Engineer and Patch an iOS Application for Beginners: Part I. There is a need for these kinds of write ups that introduce a complex topic from first principles. Unfortunately, by the time people learn the skills, they don't write the posts! You'll need a mac and a jailbroken iOS device to follow along at home.
• Managed Identity Attack Paths, Part 2 and 3. Two more posts in the series started last week.
• Hacking Some More Secure USB Flash Drives (Part I). Some very in-depth hardware hacking against "secure" USB drives.
• Covenant In 2022. This post has some ideas on how to wrap or modify grunts to bypass some EDR solutions.
• CVE-2022-26937: Microsoft Windows Network File System NLM Portmap Stack Buffer Overflow. RCE as SYSTEM but careful, "unsuccessful exploitation results in a crash of the target system." No PoC available yet.
• Avoiding B.A.D. behaviour: The difficult relationship between nihilism, cybersecurity professionals and Being-A-Dick behaviour. Not technical, but potentially useful.
• Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup. An unbound base64 decode leads to RCE in a printer. Great post that goes from firmware extraction to RCE.
• Gone in 130 seconds: New Tesla hack gives thieves their own personal key. This feels like something a basic internal security audit would have found?
• Beware of BloodHound's Contains Edge. AD relationships are complex, and mapping them is tricky which leads to some false positives. This post contains a potential "fix" for a Contains false positive situation.
• Introducing Ghostwriter v3.0. The report and domain management tool turns 3.0! It can be managed with a new CLI tool and has support for CVSS scoring among other fixes and additions.
• AMFI Launch Constraints - First Quick Look. New security restrictions on system binaries in macOS Ventura will kill a whole exploit class!
• ProcEnvInjection - Remote code injection by abusing process environment strings. Another unique injection technique from x86matthew.
• Zimbra Email - Stealing Clear-Text Credentials via Memcache injection. Very cool bug and exploit!

Tools and Exploits

• CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
• CVE-2022-30075 - Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075).
• apk-instrumentation Some tools to rewrite code of release APK packages.
• dot The Deepfake Offensive Toolkit.
• VX-API Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
• Dogwalk-rce-poc 🐾Dogwalk PoC (using diagcab file to obtain RCE on windows).
• sourcegraph-scripts Scripts for Sourcegraph search results. Useful for static analysis.
• kcthijacklib - A Small Library For a Cleaner Execution.
• collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
• FirmLoader is an IDA plugin that allows to automatically identify parts of the memory for the firmware images extracted from microcontrollers.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• np - A tool to parse, deduplicate, and query multiple port scans.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512. Remote unauthenticated users can reset the administrator password of the device at next reboot and SSH in.
• Microsoft Patch Tuesday, June 2022 Edition. The best news? IE is officially out of service after 27 years. Follina (MSDT 0day) also got a patch.
• New Research Suggests Always-On Bluetooth Could Be Used to Track Your Phone. Does your phone's Bluetooth chip have a "fingerprint?" Probably.
• Now China wants to censor online comments. Consider this when your local politicians argue that all communication needs a backdoor to "protect the children."

Techniques and Write-ups

• SmarterStats - Yet Another RPC Framework. This is an in-depth code audit of an ASP .NET web long analytics app.
• Guide to Reversing and Exploiting iOS binaries Part 2: ARM64 ROP Chains. Some more binary exploitation on iOS. Be sure to bring a jailbroken iOS device to follow along.
• Running Shellcode Through Windows Callbacks. Unique shellcode execution techniques can help your loader stay under the radar. Check out the AlternativeShellcodeExec for more.
• How do I approach a technical topic? - Packet Capture (Part 1). I really like these types of posts that explore the methodology of solving problems.
• Updated: Technical Advisory and Proofs of Concept - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). The U-boot advisory from 2022-06-03 gets updated and expanded.
• NTLM Authentication with Firefox & FoxyProxy. This post shows how to authenticate to a web page over a SOCKS connection with NTLM.
• CVE-2022-26809 Reaching Vulnerable Point starting from 0 Knowledge on RPC. A great zero to PoC post, but note this particular exploit requires sending 1,048,577 packets.
• Automating Cobalt Strike with Python. The sleep language used to script Cobalt Strike is, unique, to say the least. Using something more widely known like Python helps more operators script the routine parts and focus on making assessments valuable for customers.
• Oh my API, abusing TYK cloud API management to hide your malicious C2 traffic. As everything moves to the cloud, hiding C2 traffic alongside legitimate API endpoints will be key to staying out of SOC alerts.
• Hang Fire: Challenging our Mental Model of Initial Access. The term "phishing for persistence" ia a good one. Breaking the link between phish and execution makes it harder to detect.
• Rogue Shortcuts: LNK'ing to Badness. LNKs in zips or ISOs still prove to be an effective delivery mechanism.
• Azure Attack Paths: Common Findings and Fixes (Part 1). Cloud assessments are becoming more common, and this post goes over some basics of Azure attack paths.
• Embedding Payloads and Bypassing Controls in Microsoft InfoPath. Legacy Microsoft file types and handlers (in this case .xsn files) continue to be interesting payload delivery mechanisms.

Tools and Exploits

• DFSCoerce - PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disable, and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
• CVE-2022-26937 - Windows Network File System crash PoC.
• hunter-1 (l)user hunter using WinAPI calls only.
• cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
• Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
• NlsCodeInjectionThroughRegistry Dll injection through code page id modification in registry. Based on jonas lykk research.
• Using macros and constexpr to make API hashing a bit more friendly.
• antnium - A C2 framework and RAT written in Go. Slides about the development process here.
• aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
• SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
• OfficeIMO Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word and later also Excel files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
• Sealighter - Sysmon-Like research tool for ETW.
• npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
• snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
• NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Arsenal Kit Update: Thread Stack Spoofing. A new-ish (~6 months) EDR evasion technique comes to the most popular C2 framework out there.
• Introducing Tailscale SSH. The ability to ssh to servers using Tailscale as an auth provider without changing SSH configs is pretty awesome.
• The legacy Local Administrator Password Solution product (aka “LAPS”) is now a native part of Windows and includes many new features:. Microsoft is taking real steps (finally) to lock down Windows (a little).
• [PDF] MEGA: Malleable Encryption Goes Awry. If you were counting on the mega.io encryption to protect your files, you're in for a bad time.
• Splunk Enterprise deployment servers allow client publishing of forwarder bundles. Imagine you land a phish on a workstation managed by the same Splunk forwarder as the Domain Controller and you can pull off a local privilege escalation. You can use Splunk to get a SYSTEM shell on the DC from the workstation. Pretty gnarly.
• Hacking a Samsung Galaxy for $6,000,000 in Bitcoin!?. This video plays up the drama of the situation, but the hack is legit.
• Cloudflare outage on June 21, 2022. Yes, cloudflare went down, but it had the root cause analysis published in six hours. In my view, an excellent PR move.

Techniques and Write-ups

• WarCon 2022 - Modern Initial Access and Evasion Tactics. If you only read one post from this week as a red team, read this one and review the deck. Great modern red team tactics and techniques all in one spot.
• Hacking into the worldwide Jacuzzi SmartTub network. This is in the running for the best LWiS headline of 2022. Some impressively bad design (think my first web ctf challenge) was used to "secure" the global Jacuzzi network.
• Hack with 'goodfaith' - A tool to automate and scale good faith hacking. The tough part about hacking is to stay in scope. Hacker and security researcher Ryan Elkins (@ryanelkins) revealed a new tool that is intended to help hackers and security researchers avoid generating traffic against out-of-scope targets.
• The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP. Even the Equation Group used port 4444 at one point.
• Miracle - One Vulnerability To Rule Them All. "We successfully achieved pre-auth RCE on login.oracle.com" is a pretty crazy sentence to read. Even more crazy, they say they have another pre-auth RCE. If you have any interest in Java bugs, deserialization attacks, or massive pre-auth RCE on a cloud provider, don't skip this one.
• Relaying to ADFS Attacks. Relay that NTLM to the cloud! Tool here.
• Maelstrom: Writing a C2 Implant. These posts from pre.empt.dev have been a great resource for anyone starting to develop "modern" C2.
• Hacking Some More Secure USB Flash Drives (Part II). This hardware hack has some extra fun, like emulating the "installer" of the USB drive to deliver malware.
• Dealing with large BloodHound datasets. This is a great overview of Bloodhound, collectors, and processors once the data is in the DB.
• Attacking With WebView2 Applications. If you open a site in a "WebView2" application, you can inject all kinds of goodies into it. WebView2-Cookie-Stealer has the source.

Tools and Exploits

• Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
• FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
• awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
• kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
• Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
• Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
• callback_injection-Csharp - this repo is to cover the other undocumented or published / in different languages to achieve shellcode injection via windows callback functions.
• tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
• dismember - 🔪 Scan memory for secrets and more (linux).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
• HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• 2022 0-day In-the-Wild Exploitation…so far. Browsers and phones are were people do most of their work these days, and thats where most of the 0days are too, unsurprisingly.
• Issue 2268: Windows: Windows Defender Remote Credential Guard Authentication Relay EoP. The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks leading to elevation of privilege or authentication bypass. Fixed on 2022-06-15 as CVE-2022-30150.
• GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5. TLDR: authenticated RCE. "an authorised user could import a maliciously crafted project leading to remote code execution," plus other issues.
• Bug Bounty Platform's Employee Abused Internal Access to Steal Bounties. As if bug bounty providers needed any more bad press...
• Service Fabric Privilege Escalation from Containerized Workloads on Linux. A compromised container could escape the container and compromise the entire cluster. Yikes! More at FabricScape: Escaping Service Fabric and Taking Over the Cluster.
• Malware Steel Mill. "Some Malware causing a catastrophic failure of a bucket full of molten steel." Iran seems to be the testing ground for cyber-physical attacks.
• When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. This will surely add fuel to the C2 twitter drama fire.

Techniques and Write-ups

• CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response. Step up your AWS exploitation game by not getting caught by automated defenses in this new scenario.
• Golang code review notes. This post is a good summary of some of the bug classes in Go.
• Spoofing Call Stacks To Confuse EDRs. Thread stack spoofing isn't new, but this post leverages it to actively trick EDRs with legitimate looking stacks while doing nasty things (like dumping lsass). CallStackSpoofer is the GitHub project.
• One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11. "This technique is a post exploitation primitive unique to Windows 11 22H2+ - there are no 0-days here. Instead, there's a method to turn an arbitrary write, or even arbitrary increment bug in the Windows kernel into a full read/write of kernel memory." Code is IoRingReadWritePrimitive.
• Abuse Cloudflare Zerotrust for C2 channels. Abuse is a strong word. "Repurpose" is perhaps a better term. Cool research, and as these kinds of services become more widespread, organizations are going to have to determine how to handle them. Want more cloudflare repurposing? Check out MitM at the Edge: Abusing Cloudflare Workers.
• Bulk Analysis of Cobalt Strike's Beacon Configurations. How unique are your post-ex and C2 profile choices?
• Bypassing .NET Serialization Binders. "Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers such as the BinaryFormatter. This blog post looks into cases where this can fail and consequently may allow to bypass validation and walks though two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), that both allow remote code execution."
• CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus. Java web applications and deserialization vulnerability, name a more iconic duo.
• Enforcing a Sysmon Archive Quota. If you are using Sysmon's FileDelete archive hook to store deleted files, you likely already have a solution like this but if not, it should come in handy.
• Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763). macOS local privilege escalation walk thorough with PoC code.
• Exploiting Intel Graphics Kernel Extensions on macOS. More macOS exploitation?! ret2systems posts are always excellent and this is no exception.
• Relaying NTLM Authentication from SCCM Clients. What can't you relay authentication with in an active directory environment these days? But SCCM has even more fun in store: The Phantom Credentials of SCCM: Why the NAA Won't Die.
• A Diamond in the Ruff. You've heard of Golden Tickets but what about Diamond Tickets? They offer some OPSEC advantages, and you can use them in Rubeus with this pull request.
• nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861). A detailed post on how the vulnerability was found and exploited.
• Offensive Hunting. The automation and "offensive hunts" in the presentation are awesome. RedELK is great and advanced teams should be using it already. Excited to see more development with it!

Tools and Exploits

• PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
• the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
• TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
• CVE-2019-7040 + CVE-2021-21042. POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• awsEnum - Enumerate AWS cloud resources based on provided credentials.
• nali - An offline tool for querying IP geographic information and CDN provider.
• maldev-for-dummies - A workshop about Malware Development.
• ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Microsoft rolls back decision to block Office macros by default. If you are a big enough Microsoft customer you can escalate your trouble ticket all the way up to rolling back a security feature? VBA macros will continue to be a popular initial access vector it seems.
• PyPI 2FA Security Key Giveaway
• PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates
• Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware. Apple does not expand any ability to look at basic system logs from the phone though...
• Facebook has started to encrypt links to counter privacy-improving URL Stripping.
• [PDF] RETBLEED: Arbitrary Speculative Code Execution with Return Instructions

Techniques and Write-ups

• Rediscovering Epic Games 0-Days (Forever Unpatched?). Installers are rich hunting ground for file overwrite/file delete vulnerabilities.
• Account hijacking using "dirty dancing" in sign-in OAuth-flows. Oauth flows can be complicated, and thus vulnerable to strange edge cases. Excellent work here to explore some interesting ways to leak data and exploit login flows.
• Maelstrom: Working with AMSI and ETW for Red and Blue
• Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
• CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability
• Abusing forgotten permissions on computer objects in Active Directory
• Altiris Methods for Lateral Movement
• Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free (Part 3)
• DirSync: Leveraging Replication Get-Changes and Get-Changes-In-Filtered-Set
• Lord Of The Ring0 - Part 1 | Introduction
• Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
• Recreating an ISO Payload for Fun and No Profit

Tools and Exploits

• Issue 2278: Windows: LSA Service LsapGetClientInfo Impersonation Level Check EoP
• Rolling Pwn Attack. Honda keyless entry hack.
• Koh: The Token Stealer
• Affinis Recurrent Neural Network SubDomain Discovery Tool
• stealCredsPayload.js from Scraping Login Credentials With XSS.
• crux A proof-of-concept malicious Chrome extension
• Chisel-Strike A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
• RDPHijack-BOF Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
• iscsicpl_bypassUAC UAC bypass for x64 Windows 7 - 11
• persistence-info.github.io tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios.
• OneDriveUpdaterSideloading Payload for DLL sideloading of the OneDriveUpdater.exe, based on the PaloAltoNetwork Unit42's blog post.
• CoffeeLdr Beacon Object File Loader.
• pretender Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
• powerview.py PowerView alternative.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
• cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Questions For Confluence Security Advisory 2022-07-20. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to." What year is it again?
• Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls. At least they are authenticated vulnerabilities?
• DNS-over-HTTP/3 in Android. This is going to make DNS over HTTP/3 tunneling harder to pick out due to the volume of legitimate requests.
• The Return of Candiru: Zero-days in the Middle East. A sophisticated campaign that used a compromised site to host a WebRTC 0day (affecting at least Chrome, possibly other browsers) isn't your every day drive by compromise.
• Continued cyber activity in Eastern Europe observed by TAG. Fake mobile DDoS app to "help stop Russian aggression against Ukraine," actually sent all your information to Russia. At least the "number of installs was miniscule."

Techniques and Write-ups

• The End of PPLdump. The July 2022 update changes how PPL processes to no longer rely on Known DLLs, a critical step in the PPLdump bypass. Check the post for the full RE teardown of NTDLL.dll.
• Technical Advisory - Multiple vulnerabilities in Nuki smart locks. As the saying goes: "The 'S' in IoT stands for security."
• How I Met Your Beacon. This currently 2 part series takes a look at the behavioral tells of popular C2 frameworks, highlighting common anomalies that make beacons of all types stand out. The implicit message is that Nighthawk, MDSec's own commercial C2 doesn't display these anomalies. Part 2 includes new network based detections for Cobalt Strike Team Servers.
• WordPress Transposh: Exploiting a Blind SQL Injection via XSS. This little manuever netted Julien $30,000 in bounties and forced WordPress's removal of the plugin from its directory.
• Encrypting Strings at Compile Time. A single header file can encrypt your C++ strings at compile time, but be aware that tweaks will be needed to defat FLARE Obfuscated String Solver.
• AddExeImport - Add a hardcoded DLL dependency to any EXE. No DLL hijack convenient for your use? Create one! Another cool, creative technique from x86matthew. Be aware, signatures will no longer be valid.
• Browser Exploitation: Firefox Integer Overflow - CVE-2011-2371. An older vulnerability, but a great introduction to heap vulnerabilities in browsers.
• ProtectMyTooling - Don't detect tools, detect techniques. A suite of tools to rid yourself of static signatures and force Blue teams to detect techniques instead.
• Phishing: Better Proxy than Story details a "modern" phishing stack.
• Red Team? Or EDR Bypass Team. An interesting post on where value is derived from a red team assessment.
• Gitlab Project Import RCE Analysis (CVE-2022-2185). This was a nasty vulnerability (CVSS 9.9) in Gitlab where a crafted project import resulted in RCE. How you ask? this post breaks it down in detail.

Tools and Exploits

• DiagTrackEoP - another way to abuse SeImpersonate privilege.
• terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
• IAM-Deescalate IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
• RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
• AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
• Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
• CVE-2022-34918-LPE-PoC - This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ropr - A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
• RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Unauth XXE (CVE-2022-2414) in FreeIPA Check the image here.
• Red Team Ops II RTO II is a continuation (not a replacement) of Red Team Ops and aims to build on its foundation. The primary focus of this course is to provide more advanced OPSEC tactics and defense bypass strategies.
• Leaked documents show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day access as a service... service.
• Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus
• Cobalt Strike 4.7: The 10th Anniversary Edition. Seeing some issues with UDRLs that were working on 4.6, be sure to test before you update prod!
• Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor
• Offensive Lateral Movement Workshop - Free and online in September.
• How a Third-Party SMS Service Was Used to Take Over Signal Accounts. TLDR: Set up a Signal PIN if you don't have one yet!
• Announcing Google's Open Source Software Vulnerability Rewards Program
• Former security chief claims Twitter buried 'egregious deficiencies'. Getting hired to report security issues and being ignored? Mudge could be a red team consultant.
• IAM Whoever I Say IAM :: Infiltrating VMWare Workspace ONE Access Using a 0-Click Exploit
• Introducing BloodHound 4.2 — The Azure Refactor
• SANS ICS HyperEncabulator. Not as good as the Rockwell iteration, but pretty solid.

Techniques and Write-ups

• Discovering Domains via a Time-Correlation Attack on Certificate Transparency
• 10 real-world stories of how we've compromised CI/CD pipelines
• [PDF] Taking Kerberos To The Next Level
• CVE-2022-30216 - Authentication coercion of the Windows “Server” service. The latest coercion technique for Windows.
• WMI Internals Part 2 - Reversing a WMI Provider
• Malware sandbox evasion in x64 assembly by checking ram size - Part 2
• DevAttackOps: Containerizing Red Team Infrastructure (Part 1) and DevAttackOps: Container CI/CD Pipelines (Part 2)
• Masky release (v0.0.3) - Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily harvest PFX, NT hashes and TGT on a larger scope.
• Living off the land, AD CS style. This post introduces the PIVert tool to abuse AD CS.
• Harvesting Active Directory credentials via HTTP Request Smuggling
• Maelstrom: Static OpSec Review. This series continues to be superb.
• Anatomy of a basic extension. As the world moves to SaaS, the browser becomes the OS, and malware will be written as extensions.
• The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors. How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.
• Abusing SharedUserData For Defense Evasion and Exploitation
• Shellcode: Base-N Decoding for Text-Only Compression and Obfuscation
• Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!. When Orange writes, you should read.
• The LDT, a Perfect Home for All Your Kernel Payloads. Using the HIB segment to bypass KASLR on x86-based macOS.
• Bypassing AppLocker by abusing HashInfo
• ClipboardInject - Abusing the clipboard to inject code into remote processes
• Sleeping With Control Flow Guard
• Blind exploits to rule WatchGuard firewalls. This is one of the craziest exploit development writeups I've read in a while. Impressive ability to keep going in the face of adversity.

Tools and Exploits

• TamperingSyscalls is a 2 part novel project consisting of argument spoofing and syscall retrieval which both abuse EH in order to subvert EDRs. This project consists of both of these projects in order to provide an alternative solution to direct syscalls.
• EntropyFix is a tool with no ascii art that reduces the entropy of your payload.
• BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
• AceLdr Cobalt Strike UDRL for memory scanner evasion. [This is the best UDRL yet.]
• Hijack Libs - The database contains 341 Sideloading, 88 Environment Variable, 8 Phantom and 5 Search Order entries.
• Burp2Malleable Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles.
• ExportDumper A small tool to dump the export table of PE files. The primary use case was intended for use within DLL proxying.
• WFH - Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
• jscythe - Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
• DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.
• SilentHound - Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
• jwt-reauth is a Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure - You'll also want WebclientServiceScanner.
• Defaultinator is a data repository for storing and querying default passwords for common devices and applications.
• hakscale - Distribute ordinary bash commands over many systems.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Nmap 7.93 - 25th Anniversary Release!. The network scanner you know and love turns 25.
• China Accuses NSA of Hacking Its Military Research University “Regardless of whether the claims are true or false, this coordination of official statements and covert activity may be part of a broader propaganda campaign to negatively portray the U.S. and show off Chinese cybersecurity capabilities,” Zhang told VICE World News.
• Clop ransomware gang published screenshots that show SCADA interfaces for a UK water supplier. This is not the first ICS hack, and will not be the last. The stakes of cybersecurity are only increasing as we become more connected and reliant on connected infrastructure.
• Was tiktok hacked by a user 'Against the West'?. It's still not clear if this was an actual breach or a breach of a 3rd party scraping service.
• HelpSystems welcomes Outflank. The Dutch cybersecurity startup with some impressive tooling and initial access work gets acquired by the US based HelpSystems who also scooped up Cobalt Strike. This may aid US based purchases of Outflanks "Offensive Security Toolkit."

Techniques and Write-ups

• Sharkbot is back in Google Play. Good breakdown of Android malware.
• How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale. It's a great day when you can find and decrypt password managers on red team engagements. The use of a password manager to diversify passwords across sites and generate truly random passwords still greatly outweighs the risk of having all passwords centralized. My go-to recommendation is Bitwarden, an open source option that just raised $100 million. You can self-host the backend with vaultwarden and use the official applications, but their free tier is good enough for many use cases.
• PersistAssist: Your Persistence Assistant!. PersistAssist is a fully modular persistence framework written in C# which automates persistence deployment and clean up. Code here.
• Automating Azure Abuse Research — Part 2. This post dives into the BloodHound Attack Research Kit (BARK) and explains how the BloodHound Enterprise team uses BARK to perform so-called “continuous abuse primitive validation.”
• SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250). The amount of work for a modern Linux privesc to work is impressive. This post breaks down each step of the exploitation discovery process.
• Abusing Microsoft Teams Direct Routing. An external, unauthenticated attacker is able to send specially crafted SIP messages, that pretend to originate from Microsoft and are therefore correctly classified by the victim's Session Border Controller. As a result, unauthorized external calls are made through the victim's phone line (toll fraud).
• Attacks on Sysmon Revisited - SysmonEnte. The state of the art in blinding Sysmon has arrived. SysmonEnte is an impressive tool.
• Living-Off-the-Blindspot - Operating into EDRs' blindspot. Signed, widely used tools combined with lack of dynamic code introspection makes the perfect storm for EDR evasion.

Tools and Exploits

• SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
• EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
• PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
• MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
• NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
• CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
• Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
• reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
• Headway Self-hostable maps stack, powered by OpenStreetMap.
• Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
• The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically. OSS-fuzz recently found a trivial Command injection and its hungry for more vulnerability classes.
• Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection. Why encrypt entire files or every file when encrypting parts of files still achieves the same effect with greater speed and fewer detections?
• Google Completes Acquisition of Mandiant. First FireEye, now Google. Kevin Mandia must be Scrooge McDuck-ing into a pool of gold coins at this point.
• Sensitive Command Token - So much offense in my defense. There is a new Canary token for commands executed on Windows.

Techniques and Write-ups

• Avoiding Memory Scanners This is a written version of the presentation/deck ([PDF] Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE-sieve, and More) and DEF CON presentation.
• Thoughts on the use of noVNC for phishing campaigns. Last week's EvilnoVNC has some flaws. I think with some more customization and effort, "browser emulation phishing" has its place, especially as login portals get better and better at defeating malicious reverse proxies.
• Solving the Unredacter Challenge. This is your weekly reminder to only redact with black boxes.
• Smart App Control Internals (Part 2). Deep dive into the internals of the new Windows Security feature: "Smart App Control."
• Fork Bomb for Flutter. This post discusses the creation of reFlutter, the Flutter Reverse Engineering Framework.
• Get Your SOCKS on with gTunnel. Steps to setup a wicked fast SOCKS proxy with a tool called gTunnel.
• WMI Internals Part 3. This blog looks at what happens after the COM method ITaskServices:NewTask.
• Video Blog: Using DLL Persist to Avoid Detection. "During an Incident Response case, the TrustedSec IR team came across a novel method used by an attacker to maintain access to the target's servers. After gaining access to the systems, the attacker then modified a DLL required by a service to include malicious code. This video demonstrates a similar process for embedding malicious code into a benign DLL to create a method of persistence that is not easily detected." Not sure I love the video blog format.
• Credential Gathering From Third-Party Software. A nice quick reference guide for red teamers.
• WriteProcessMemoryAPC - Write memory to a remote process using APC calls. Does what it says on the tin.
• "GIFShell" — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs. GIFShell allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure. 3rd party C2 is on the rise and here to stay.
• CVE-2022-22629. This post is about the poc for the WebGL bug that was patched in Safari 15.4 security updates. See related: Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write.
• Quasar: Compromising Electron Apps. This post introduces a tool for backdooring electron app's ASAR archives: quASAR.
• New 2.5G Ethernet Expansion Card for Framework Laptops. If you haven't seen the framework laptop, check it out. I hope they can make it in the much attempted but never sustained reparable tech space.
• GeoSn0w demos his blizzard jailbreak on ios 15 and 16 booting from custom app. This should allow iPhone X and older devices to boot into a jailbroken state on any iOS version, a boon for researchers.

Tools and Exploits

• Athena v0.2. A big update to an up and coming Mythic C2 agent.
• pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfblockerNG pages from WAN. Patched in 2022-06, its still a bad vulnerability. Poc here.
• QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
• Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
• Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
• Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting.
• cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
• CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
• TangledWinExec - This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
• chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies.
• autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
• evilgophish - evilginx2 + gophish.
• rust_syscalls Single stub direct and indirect syscalling with runtime SSN resolving for windows.
• HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
• TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
• buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
• wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
• Ekko_CFG_Bypass A PoC for adding NtContinue to CFG allowed list in order to make Ekko work in a CFG protected process

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Security update (Uber). The Uber hack made headlines last week, and for good reason. Looks like a single social engineering success (MFA push is too annoying?) plus some share drive spelunking allowed the attacker to achieve widespread system compromise. I wish this was surprising. It looks like they're hiring security engineers now.
• A New Life for Certificate Revocation Lists. Interesting thoughts from Scott on twitter.
• Twitter Whistleblower Says There Was at Least One Chinese Spy Working at the Company. Mudge's rumored $7MM severance and non-disclosure didn't cover congressional hearing it seems. Look's like someone is trying to dig up dirt on him.
• GTA 6 source code and videos leaked after Rockstar Games hack. This looks like a "legitimate" insider as opposed to the Uber hack.

Techniques and Write-ups

• Traces of Windows remote command execution. The quieter you become, the more... you know the joke. This post shows the artifacts left behind from a variety of "RCE" techniques (lateral movement) on Windows.
• Introducing: CloudFox. Cloudfox helps you gain situational awareness in unfamiliar cloud environments. It's a command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
• Use-after-freedom: MiraclePtr. Google's quest to prevent memory corruption exploits continues with a novel C++ add-on to Chrome for Windows and Android as of Chrome 102. Props to the team for pushing this out despite a tiny performance hit.
• Jetty Features for Hacking Web Apps. Some neat tricks specific to Jetty in this post.
• Myths About External C2. This post shows the basics of External C2 using a mock teamserver and agent (python).
• The Blind Spots of BloodHound. Nice attack graph you have there; it'd be a shame if something... happened to it...
• Practical Attacks against NTLMv1. Or check out the tweet-length-summary. TLDR: disable NTLMv1 everywhere!
• Fighting Golden Ticket Attacks with Privileged Attribute Certificate (PAC). PAC enforcement is scheduled for October 2022, are your golden ticket tools ready? The table at the end of the article is worth the price of admission.
• A Basic Guide to iOS Testing in 2022. Enough to get you started!
• Stealing Access Tokens From Office Desktop Applications. Your apps authenticate to MS services as you, and so the authentication material is in memory. This post shows you how to extract and use it - to read Outlook emails for example.
• Relaying YubiKeys. Hardware FIDO2 keys are the answer to all phishing right? Right!? Well if an attacker has your PIN and you don't have "touch to sign" enabled, then yes, its just another annoying step. "Touch to sign" is what keeps this from being practical, as the attacker would then also have to trick the user into touching the key for every blob they wanted to sign. Could always skip all that and use virtual-fido to nullify all the benefits of a hardware security device.

Tools and Exploits

• Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current use context! If anyone has this as a BOF, DM me!
• ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
• CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for enlightenment window manager (Tizen based TVs and... thats it?).
• MasqueradingPEB - Maquerade any legitimate Windows binary by changing some fields in the PEB structure.
• CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
• ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
• Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
• DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
• Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• CheeseOunce - Coerce Windows machines auth via MS-EVEN. Will we ever run out of coercion techniques?
• How we built Pingora, the proxy that connects Cloudflare to the Internet. Some companies are large enough where the milliseconds matter. I hope Pingora is opensourced soon!
• requests-ip-rotator - A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
• DiffusionBee - Stable Diffusion GUI App for M1 Mac. DiffusionBee is the easiest way to run Stable Diffusion (AI image generation) locally on your M1 Mac. Comes with a one-click installer. No dependencies or technical knowledge needed.
• CitrixSecureAccessAuthCookieDump - Dump Citrix Secure Access auth cookie from the process memory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Out Of Band Update: Cobalt Strike 4.7.1. Cobalt Strike gets a rare out of band update after HTML injection in the victim controlled username was discovered. Other fixes for DoS prevention and a sleep mask bug were fixed as well.
• Resolved RCE in Sophos Firewall (CVE-2022-3236). RCE in your firewall has got to hurt.
• Antivirus Used by Millions Blocked All Google Sites by Mistake, Sowing Chaos. "Sowing Chaos" seems a bit much for an hour of outage. "For around an hour on Wednesday morning, some people who had Malwarebytes antivirus installed on their computers could not visit any Google site or use services like Gmail or the Google Play Store."
• The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities. I skip most of these "APT" teardown blogs, because the "APTs" getting caught are using powershell and certutil, asking to be caught. This one however, shows a bit more sophistication.

Techniques and Write-ups

• AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes. This has to be one of the worst cloud vulnerabilities. Arbitrary access to any storage volume by just knowing the identifier. Its a classic IDOR vulnerability, except it gets you cloud storage volumes! Wiz again proves their dominance in the cloud security space.
• Giving JuicyPotato a second chance: JuicyPotatoNG. The potatoes are the Windows privesc class that seems to never die. This one will take you from a service account to SYSTEM. I have 16 unique potato tools in my collection, and the authors hint they have yet another on the way!
• Part 2: Target Phishing — It's Gotten Personal. This kind of drawn out phishing is extremely effective.
• Tool Release - Project Kubescout: Adding Kubernetes Support to Scout Suite. Now you can use the familiar Scout Suite with your k8s clusters too!
• Skidaddle Skideldi - I just pwnd your PKI. This post is a one stop shop for AD CS pwnage walkthroughs.
• I don't know how to solve prompt injection. This is an interesting attack vector in "AI" powered bots. By feeding them input that looks like a back and forth, you can leak the original prompt. Who knew that natural language processing would lead to exploits in plain english.
• I Wanna Go Fast, Really Fast, like (Kerberos) FAST. The new protections in Kerberos (Flexible Authentication Secure Tunneling [FAST]) provide good protection against "offline" kerberoasting attacks, but are ineffective against attacks that leverage lsass to generate requests (certain Rubeus commands) and are difficult to implement correctly. From the MS docs: "This policy setting is affected by another setting. When a domain does not support Kerberos armoring by enabling KDC support claims, compound authentication, and Kerberos armoring, all authentication attempts for all its users will fail from computers that have this policy enabled."
• Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286). From driver download to LPE. Excellent write up!
• Bypassing Intel CET with Counterfeit Objects. Some great low level exploit dev content here. Control Enforcement Technology (CET) was supposed to stop ROP at the hardware level, until Counterfeit Object-Oriented Programming (COOP) showed up to take its place. This post shows COOP working on modern Windows with CET enabled.
• Sapphire tickets. These might be the best precious-metal themed tickets yet. By not only requesting a ticket before modifying the PAC (Diamon Ticket), Sapphire tickets also request a ticket that contains a legitimate elevated privilege PAC to use with the previously requested ticket. This way, the information in the ticket matches exactly with whats in AD, making detection very difficult.
• Spoofing Calendar Invites Using .ics Files. I'm a bit sad this was posted as this technique has been extremely effective.

Tools and Exploits

• AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
• SandboxSpy. Code for profiling sandboxes - Initially an idea to profile sandboxes, the code is written to take enviromental variables and send them back in a Base32 string over HTTP to an endpoint.
• githubC2 - Abusing Github API to host our C2 traffic, useful for bypassing blocking firewall rules if github is in the target white list , and in case you don't have C2 infrastructure, now you have a free one.
• monomorph- MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
• FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
• mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
• GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
• BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
• DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
• CVE-2022-2588 This linux LPE effects 3.17 to 5.19 (Ubuntu 17-22).
• Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
• spycast A crossplatform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• bbot - OSINT automation for hackers.
• NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution.
• A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Activate phishing-resistant MFA. No excuse to not have hardware MFA at this point. Cloudflare makes it $10 per key for high quality Yubikey 5's. This is the best $-to-protection ratio you will ever spend (if you enforce it).
• Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. Microsoft pushed out a temporary rewrite rule to Exchange on prem, but my advice would be to stop hosting this RCE-as-a-service product in your environment. Sadly, the big providers have taken over the dream of a decentralized internet with email for now.
• Former NSA Employee Arrested on Espionage-Related Charges . I suppose you only read about the ones with bad OPSEC but man, this guy wasn't even really trying. I suspect his short employment period also put him under extra scrutiny. With OPSEC this bad, perhaps he should have applied to work at the CIA and contribute to America's Throwaway Spies.
• Introducing Wolfi - the first Linux (Un)distro designed for securing the software supply chain. I'm not fully sold on this "undistro." Seems a bit like Nix but with the package manager removed?
• PS5-4.03-Kernel-Exploit An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03FW. Not really useful for red teaming, but a neat exploit chain.

Techniques and Write-ups

• Introducing FingerprintX: The fastest port fingerprint scanner. httpx is a great tool for web scanning, but fingerprintx expands it other ports and protocols. Grab the code and start scanning!
• Two Lines of JScript for $20,000 - Pwn2Own Miami 2022. Exploitation doesn't always have to be "hard." If calc pops, it doesn't matter if you spent 2 hours or 2 years working on the exploit. Try some simple things first!
• Issue 2310: Windows: Kerberos RC4 MD4 Encryption Downgrade EoP. James Forshaw, destroyer of Windows worlds, is at it again. Who knew you could downgrade Kerberos encryption so badly, as well as other tricks to get the actual amount of data you need to brute force down to a single byte. Well played.
• The difference between signature-based and behavioral detections. A good primer on types of AV/EDR detections and ideas for how to get around them. TLDR: You will be writing custom code.
• What I learnt from reading 220* IDOR bug reports.. You're going to learn about IDOR today!
• YARI: A New Era of YARA Debugging. Woah, this is seriously cool if you work with yara. Code here.
• Kernel Driver Exploit: System Mechanic. I know I am late on this one (technically not last week), but it was too good to not include. Don't worry the blog is now monitored.
• Phishing With Chromium's Application Mode In this blog post mr.d0x shows how Chromium's application mode allows us to easily create realistic desktop phishing applications.

Tools and Exploits

• Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
• Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
• ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
• constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
• VirusTotalC2 Abusing VirusTotal API to host our C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
• AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
• Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
• ChTimeStamp - Changing the Creation time and the Last Written time of a dropped file by the timestamp of other one , like the "kernel32.dll" timestamp.
• ADSrunner - Write a UUIDs bytes array "*" collected to the Alternate Data Stream of the current binary , then the ADS Runner will get the DATA tranfert it into a char table nice UUIDS shellcode and Run it.
• FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
• DumpThatLSASS - Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk, plus functions and strings obfuscation, it contains Anti-sandbox, if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile.
• airstrike is a basic stage 0 implant.
• KnownDllUnhook - Replace the .txt section of the current loaded modules from KnownDllsto bypass edrs.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
• lemmeknow. The fastest way to identify anything!
• jot - Rapid note management for the terminal.
• SnaffPoint - A tool for pointesters to find candies in SharePoint.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The source code to the Intel Alder Lake has been leaked online. Critically, this seems to include the KetManifest signing key needed to sign BootPolicy and therefore bypass SecureBoot. A boon to CoreBoot and bootkits alike.
• Attacker managed to upload files into Web Client directory. CPIO unpacking in the AV engine used by Zimbra lead to arbitrary file writes (webshell) and RCE. You hate to see the AV used as an attack vector but it does happen.
• OnionPoison: infected Tor Browser installer distributed through popular YouTube channel. Always check the hash from the official source.
• WebVM: Linux Virtualization in WebAssembly with Full Networking via Tailscale. The x86 VM running in javascript in your browser window now has a networking stack. This must be a sign of the end times.
• Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support. BOFs are the atomic element of offensive tools now.

Techniques and Write-ups

• The Follower - Using open cameras and AI to find how an Instagram photo is taken.. Imagine what governments/surveillance companies are doing...
• Jamf Threat Labs identifies macOS Archive Utility vulnerability allowing for Gatekeeper bypass. Very thorough research into a sneaky bug in the archive utility on macOS.
• Persistent php payloads in PNGs: how to inject php code in an image - and keep it there!. Some nice tricks to stashing PHP payloads in PNGs.
• How To Implement The Exchange Split Permissions Model?. If you still have on-prem exchange, this is for you. Also, seek help.
• Common conditional access misconfigurations and bypasses in Azure. Your target may required MFA, except if certain conditions are met.
• Evil Twin Enterprise WiFi Network using Hostapd-Mana. A good one for your next on-site or physical assessment.

Tools and Exploits

• VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
• ObfLoader - MAC, IPv4, UUID shellcode Loaders and Obfuscators to obfuscate the shellcode and using some native API to converts it to it binary format and loads it.
• aftermath is a free macOS IR framework from Jamf.
• GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
• GitFive - 🐙 Track down GitHub users.
• eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
• Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
• Added simple command to test CVE_2022_33679.. Now you can run 'askrc4' and exploit CVE-2022-33679 (KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this project zero post.
• vba2clr - Running .NET from VBA.
• LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
• palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks),
• ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
• RITM - Roast in the Middle.
• dissect - This project is a meta package, it will install all other Dissect modules with the right combination of versions.
• SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
• NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
• MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
• HavocNotion - A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• AoratosWin - A tool that removes traces of executed applications on Windows OS.
• wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Out Of Band Update: Cobalt Strike 4.7.2. The rumors and tweets were true, there was RCE i 4.7.1. Read the full details in Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1. Here's a PoC.
• Security of Passkeys in the Google Password Manager. GA later this year. With iOS/macOS already on board, nearly all mobile users will have passkeys by the end of the year. As services adopt FIDO2 solutions, offensive teams will have to adapt.
• WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware. APTs are using signed DLLs for DLL hijacking. Are you?
• Potential Log4shell situation. Developing...
• Disposable Root Servers. This is the coolest thing I've seen in a long time. Or it's a honey pot. 50/50.

Techniques and Write-ups

• DevAttackOps: Deploying Containers with Docker Compose (Part 3). DevOps and red teaming are friends - automate the boring stuff!
• Compromising a Backup System by iSCSI Interface During a Routine Penetration Test. Don't sleep on those open iSCSI ports!
• Hello World under the microscope. This is an interesting post that is the python version of "what does your computer do when you type google.com in a browser and hit enter."
• Writing an Independent Malware. Make your malware smaller (and import fewer DLLs) with the tricks in this post.
• Analysing LastPass, Part 1. The Chrome debugging protocol is very powerful and should be flagged by defenders any time it is invoked, but isn't (yet).
• Practical Attacks against NTLMv1. Why work hard against good protocols when you can downgrade to NTLMv1?
• Toner Deaf - Printing your next persistence (Hexacon 2022). Go where the EDR isn't. Not only a remote root RCE, but also persistence. Very cool stuff.
• Set up an Android Hacking Lab for $0. While not as good as a physical device, an emulator will get you pretty far.
• Diamond And Sapphire Tickets. Gold is old. Upgrade your tickets to the latest precious gem.
• Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis. A Windows privesc in the common log file system driver (CLFS.sys).
• Relaying YubiKeys Part 2. I think this is the first code published that can actually interface with FIDO2 devices for phishing. Hardware tokens are good guards against phishing as they require an attacker to have access to the user's endpoint and the user and device must be present at/in the device when the attacker wants to use them OR the attacker has to control a subdomain of the valid site being targeted (if origins are not validated). This is a much more difficult situation for an attacker to achieve compared to a relatively simple MiTM proxy for TOTP or SMS 2FA on a look-a-like site. Code here.

Tools and Exploits

• CVE-2022-40684 - A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
• XorStringsNET - Easy XOR string encryption for NET based binaries.
• akamai-security-research - This repository includes code and IoCs that are the product of research done in Akamai's various security research teams. Includes a fresh Windows Workstation Service Elevation of Privilege Vulnerability.
• RedEye - is a visual analytic tool supporting Red & Blue Team operations from CISA.
• CVE-2022-41852 - Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept.
• WAMBam - Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post.
• RustHound - Active Directory data collector for BloodHound written in rust. 🦀
• PsyloDbg is a very simple Windows Debugger that currently only monitor for debug events.
• Add SCCM NTLM Relay Attack #1425. This is a little known but very cool attack I expect to work for decades to come.
• AtomPePacker - A Highly capable Pe Packer.
• Janus is a pre-build event that performs string obfuscation during compile time. This project is based off the CIA's Marble Framework.
• ProvisionAppx. Some fun lateral movement?!
• ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Oh my Git! An open source game about learning Git!. A resource for new (or even old) team members to help learn git.
• ElectricEye - Continuously monitor your AWS attack surface and evaluate services for configurations that can lead to degradation of confidentiality, integrity or availability. All results can be exported to Security Hub, JSON, CSV, Databases, and more for further aggregation and analysis.
• wiresocks A sock, with a wire, so you can tunnel all you desire. This is a great solution that may be even better than proxycap et al.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Investigation Regarding Misconfigured Microsoft Storage Location. SOCRadar put Microsoft on blast with their post Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket. 6 Azure buckets holding some sensitive items like statements of work were misconfigured and publicly accessible.
• Ghostwriter v3.1 Now Available. Now with deconfliction support!
• TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens. Is anyone surprised?
• IDA Pro Owner Hex-Rays Acquired by European VC Firm. With more competition VC firms are getting into the game.
• Iran's atomic energy organization says e-mail was hacked. I think "has been hacked by multiple parties" would probably be more accurate here...
• GitHub Copilot investigation. Surely the Microsoft lawyers signed off on Copilot?
• DEF CON 30 Videos Released. Enjoy!

Techniques and Write-ups

• Legitimate Rats: A Comprehensive Forensic Analysis of the Usual Suspects. Good to see people taking traitorware seriously.
• I'm in your hypervisor, collecting your evidence. Fox-IT adds ESXi live acquisition to its dissect tool suite.
• Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals. Most people use their OS as a loader for Chrome, so Chrome has become a target for all kinds of adversaries. However, actually understanding and exploiting Chrome is very difficult. This intro post shows some of the complexity involved.
• Microsoft Office Online Server Remote Code Execution. Web based authentication coercion that Microsoft claims it's a feature!
• PHP Filters Chain: What Is It and How to Use It. "Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chains that was discovered during this research."
• The Curious Case of the Password Database. Yes, passwords can be encrypted by a product, but unless they require user input to decrypt passwords there must be a way the software decrypts them. I've seen this is multiple products so Manage Engine is not unique. It's usually just a mater of finding the static key and encryption parameters.
• Dameware Mini: The Sleeper Hit of 2019?. More traitorware!
• SharedMemUtils - A simple tool to automatically find vulnerabilities in shared memory objects. Sometimes you can write to shared memory objects of high-privileged services on Windows. A fun primitive to explore potential privescs.
• Microsoft Office 365 Message Encryption Insecure Mode of Operation. ECB mode, not even once.
• osquery-defense-kit - Production-ready detection & response queries for osquery.
• Changing memory protection using APC. Not brand new, but a deeper drive into it.

Tools and Exploits

• Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
• cypherhound - Python3 terminal application that contains 200+ Neo4j cyphers for BloodHound data sets
• ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
• SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
• PatchThatAMSI - This repo contains 6 AMSI patches, both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just set ZF to 1.
• ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
• Bitmancer - Nim Library for Offensive Security Development.
• GetFGPP - Get Fine Grained Password Policy.
• syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
• webpty - A secure webshell. Built for legitimate access, I could see it adopted for red team uses.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• linen.dev - Google-searchable Slack alternative for Communities.
• usbsas - Tool and framework for securely reading untrusted USB mass storage devices.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
• Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
• Check out our new Microcorruption challenges!. Excellent embedded security CTF!
• Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
• Apple clarifies security update policy: Only the latest OSes are fully patched. Apple going full opposite of the "still supports 16 bit DOS applications from 1993" stance of Microsoft and only fully patching the latest OS they release. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware than can't be upgrade is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
• It's here: Dark Mode Process Explorer!

Techniques and Write-ups

• Binary File Write via Microsoft Speech API. It's tricky to write files from macros in 2022 without Defender or other AV getting unhappy. This lesser known API has the ability to write binaries, which is a very useful primitive for a maldoc.
• RC4 Is Still Considered Harmful. Kerberos continues to be an issue for enterprises, and "just turn off X" is never that simple. Consider turning on FAST though (and disable RC4 if you can).
• Autodial(DLL)ing Your Way. The Winsock2 registry is used by anything that makes a network connection and thus is a good spot for persistence, lateral movement, and even credential dumping via SSP loads. Code here.
• From Self-Hosted GitHub Runner to Self-Hosted Backdoor. CI/CD compromise is scary because it not only affects your organization but potentially everyone who uses the product being build by that CI/CD pipeline.
• One shell to HANDLE them all. A webshell that can abuse leaked user token handles? Sign me up.
• Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities. Can we please go more than a week without an unauth RCE in a major SSL VPN? Zero trust can't come fast enough. Or things like Pre-authenticated Remote Code Execution in VMWare NSX Manager?
• PAWNYABLE UAF Walkthrough (Holstein v3). Some good technical binary exploitation content.
• The dangers of trust policies in AWS. The cloud is built on trust, so understanding best policies for trust policies is critical.
• A New Attack Surface on MS Exchange Part 4 - ProxyRelay!. If you're still running on-prem exchange... stop it. If you email is too sensitive to trust to a cloud provider, it certainly shouldn't be in the swiss cheese that is Exchange.
• Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 2: Exploit Analysis. More details on the Windows local privilege escalation vulnerability.
• GetDomain vs GetComputerDomain vs GetCurrentDomain. If you're in a network with complicated trust relationships or multiple forests, its a good idea to test your tools to make sure they are acting on the objects you expect!

Tools and Exploits

• guac aggregates software security metadata into a high fidelity graph database.
• Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best looking docs I've seen in a long time.
• Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
• TerraLdr - Payload Loader Designed With Advanced Evasion Features.
• BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
• Spartacus - DLL Hijacking Discovery Tool.
• siphon ⚗️ Intercept stdin/stdout/stderr for any process.
• SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• caOptics - Azure AD Conditional Access gap analyzer
• Sandman is a NTP based backdoor for red team engagements in hardened networks.
• potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
• vhs Your CLI home video recorder 📼

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows. Sometimes the hype is just hype. This looks extremely hard to exploit with modern mitigations and a limited userbase.
• [PDF] How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Over 10% of PoCs were malicious! There is a reason there is a disclaimer at the end of each of these posts.
• LinkedIn Adds Verified Emails, Profile Creation Dates. Your favorite profile backstop just got a little harder to fake.
• Nighthawk 0.2.1 - Haunting Blue. Some cool features in the latest release of this commercial red team tool.
• Meet Fortra™ The new face of HelpSystems. HelpSystems (Cobalt Strike/Outflank's buyers) have rebranded - now with more generic corporate stock photos.
• [SimpleX] Security assessment by Trail of Bits. I've been playing with this new messenger app for a while and I think it has the potential to unseat Signal in a few versions. No shady CIA money, "open source" (but not really), blockchain silliness, etc. The pace of development is also impressive. They list their Monero address above their Bitcoin address - legit.
• urlscan.io's SOAR spot: Chatty security tools leaking private data. Careful what you auto-submit to external vendors.
• radare2.online. Your OS is just a bootloader for your browser. HTML/CSS/Javascript won the language war and will be the universal language of the future. Scary.
• [PDF] VX-Underground's Black Mass. Tmp.out and vx-underground keep the zine scene alive.

Techniques and Write-ups

• Exploiting Static Site Generators: When Static Is Not Actually Static. File this under "Serverless and other myths."
• A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. Mobile exploit chains are always a trip. This one look surprisingly easy to understand compared to most.
• Lessons Learned from Cloning Windows Binaries and Code Signing Implants. Some good lessons here. Another option is to just used signed binaries for other purposes ...
• How one misconfiguration in ADCS can lead to full AD Forest compromise. ADCS is the gift that keeps on giving.
• CVE-2022-26730 | ColorSync | Hoyt LLC. macOS memory corruption in the processing of image ICC profiles can lead to RCE. Comes with the shorted PoC I have seen in a while (now patched).
• BYODC - Bring Your Own Domain Controller. This meme makes a comeback. This is some great traitorware - why fake a DCSync, if you can just do an actual DCSync? DCShadow is a previously discovered/implemented version of this.
• Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3). Quite a chain for unauth RCE across different tech/lanugages.

Tools and Exploits

• Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
• katana - A next-generation crawling and spidering framework from projectdiscovery.
• KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
• CVE-2022-33679 One day based on RC4 is still considered harmfrul.
• stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
• CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
• awsrecon - Tool for reconnaissance of AWS cloud environments.
• exe_who - Executables on Disk? Bleh 🤮.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
• PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
• Kernelhub 🌴Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
• grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Russian Hackers Are Publishing Stolen Abortion Records on the Dark Web. Much like the Finnish mental health breach and hospital attacks this shows that no targets are off limits for criminals. Putting a digital red cross probably won't help.
• ISOs from the internet will have MotW. It was fun while it lasted. On to the next one.
• About the security content of iOS 16.1.1 and iPadOS 16.1.1. XML parsing bugs could lead to RCE. The bug details are here and here. The update also limits AirDrop 'Everyone' option to 10 minutes in China with the speculation being that censors can't monitor airdropped content.
• Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack. It is a little wild to me that in 2022 we still use protocols developed for use among friendly research institutions as the underlying infrastructure for cryptocurrencies whose original goal was to survive in a network of adversarial participants.
• Mysterious company with government ties plays key internet role. I said last week, "your OS is just a bootloader for your browser." Perhaps we should take a look at who gets trusted by default in our browsers...
• A Russian Missile Crew Was Geolocated From Just This Photo. OSINT is wild.
• Intel 471 Acquires SpiderFoot. Attack surface monitoring is hot right now.
• Github code search launches. I've been impressed with GitHub since the Microsoft acquisition. Let's see how long it lasts but so far so good.

Techniques and Write-ups

• Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Dirk-jan is in the pantheon of researchers where every post is a must read. When it comes with a tool release... oh baby..
• Certificates and Pwnage and Patches, Oh My!. After a year, AD CS attacks have proven more pervasive than I thought they would be, led to more discoveries, and even patches from Microsoft to the way certs were mapped to identities. I guess you could say releasing their tooling really... imposed cost... as opposed to keeping it closed source.
• Accidental $70k Google Pixel Lock Screen Bypass. This would be a perfect "bugdoor" (intentional bug used as a backdoor), but it looks like an honest mistake with a complex system of overlapping lockscreen.
• Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg. Well laid out post on malware analysis.
• Untangling Azure Active Directory Permissions II: Privileged Access. Building on part 1, this post explores more Azure Active Directory access concepts.
• Microsoft Defender for Identity Recent Bypasses Comments. Some good tips for defenders.
• Tales of Windows detection opportunities for an implant framework. Some interesting detection techniques in here with code samples.
• Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server. RCE, privilege escalation, and directory traversal - the holy trinity.
• CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS. A good post that also shows the Apple commitment to "old" OSs isn't there. Monterey's latest release (12.6.1) does not include the fix...

Tools and Exploits

• EDD - FindEmptySystem. More details here
• laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
• Tool Release - Web3 Decoder Burp Suite Extension. Get those obnoxious cryptocurrency bounties!
• TelemetrySource - Project created to map functions responsible for triggering events from various telemetry sources. Details here.
• Introducing cnquery and cnspec. Imagine osquery but with GraphQL. Very cool.
• CInject Windows Kernel inject (no module no thread).
• SharpGmailC2 Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol.
• cve-2022-41352-zimbra-rce Zimbra <9.0.0.p27 RCE.
• AMSI-ETW-Patch Patch AMSI and ETW using a single byte patch for both.
• CVE-2022-3699 Lenovo Diagnostics Driver EoP - Arbitrary R/W.
• drv-vuln-scanner Finds imports that could be exploited, still requires manual analysis.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
• Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resinated with me.
• GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• A Confused Deputy Vulnerability in AWS AppSync. The cloud is just someone else's computer. And sometimes it has vulnerabilities too. This one is particularly bad; case insensitivity led to the ability to access resources in other AWS accounts - aka the worst thing possible in a cloud provider. There is a reason some workloads should stay on prem - but only if your on prem security is better than AWS's ability to prevent cross account access (unlikely).
• Stable Diffusion 2.0 Release. AI is shaping up to be a major disruptor. Play with it locally with DiffusionBee. Want to be more awed by the power of AI? Read this.
• Researchers Quietly Cracked Zeppelin Ransomware Keys. Score one for the good guys.
• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures. Another border device manufacturer with RCE...

Techniques and Write-ups

• Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. This post digs into some of the technical details of the Nighthawk commercial C2 agent. MDSec claims the same was collected as part of legitimate red team activity and posted their own rebuttal: Nighthawk: With Great Power Comes Great Responsibility.
• Mind the Gap. TLDR: The patch gap is real, take advantage of it.
• A dive into Microsoft Defender for Identity. Some good ideas for detecting MDI after you land a phish or start an internal assessment with low privileges.
• Microsoft Defender for Identity Encrypted Password. More MDI fun, along with a tool release: Microsoft-Defender-for-Identity-Encrypted-Password.
• An End to KASLR Bypasses?. The new THREATINT_PROCESS_SYSCALL_USAGE ETW event coming to Windows 11 23H2 might make API based kernel address leaks, VM detection, and hardware persistence more difficult to get away with undetected.
• CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management. "A remote authenticated attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges."
• Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan. Another meaty post on Chrome internals and exploitation - the best browser exploit series since Connor McGarr's posts on Edge exploitation.
• Analysing Misconfigured Firebase Apps: A Tale of Unearthing Data Breaches (Wave 10). Back in the day I worked on an app with a firebase backend and the permission model was non-trivial. Not surprised this research showed that 20% of tested firebase instances exposed data. Want to try your hand at it? Check out firebaseExploiter.
• Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment. .NET may be easy to decompile but it can still be tricky to trace a mutli-stage dropper all the way back.
• The Art of Bypassing Kerberoast Detections with Orpheus. Kerberoasting becomes fully customizable with the orpheus tool. Beware of honeySPNs, but otherwise, targeted-roast away!
• macOS Sandbox Escape vulnerability via Terminal. One ENV variable could be set to escape the sandbox on macOS!
• Yet Another Azure VM Persistence Using Bastion Shareable Links. Convenient.

Tools and Exploits

• Sapling: A Scalable, User-Friendly Source Control System. Meta open sourced their in house version control system. Don't worry, it's written in Rust.
• BrokenFlow A simple PoC to invoke an encrypted shellcode by using an hidden call.
• nanorobeus COFF file (BOF) for managing Kerberos tickets.
• GCTI CobaltStrike rules. 165 yara rules for CobaltStrike. More info here.
• ReverseSock5Proxy A tiny Reverse Sock5 Proxy written in C.
• psmsi Create MSIs using PowerShell.
• MemoryEvasion A Cobalt Strike memory evasion loader for redteamers.
• geacon_pro A cross-platform Cobalt Strike Beacon written in Go, supports 4.1+.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
• ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• ChatGPT: Optimizing Language Models for Dialogue. Well, this exploded last week. If you haven't tried it, it's worth some specific technical queries. You can even jailbreak it or run a 'virtual machine' in it.
• Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent. While it was only thumbnail images being uploaded, still a bad look for a brand that is heavy on "local only" branding. Compared to Ring cameras that will find their own wifi to steam video to the cloud, this seems minor. Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Web browsers drop mysterious company with ties to U.S. military contractor. Props to The Washington Post for exposing the root CA and finally getting enough pressure to have it removed from browsers (12 years too late?).
• The FreeBSD Project - Stack overflow in ping(8). Despite the scary title, it only applies to ping responses, and the ping process "runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." I doubt this will yield remote shells any time soon. LPE however...
• Memory Safe Languages in Android 13. No memory safety related bugs in the Rust code added to Android (yet). It's not a magic bullet, but the evidence shows it really does help prevent memory safety bugs.
• We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. Control character injection lets you register emails that "matched" actual users, and thereby take over their car via the internet. What a time to be alive. Not broad enough? What about taking over multiple brands of cars via SiriusXM?.
• Hell's Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access. Potential access to the CI of the IBM cloud. Yikes!

Techniques and Write-ups

• Shedding Light on Huawei's Security Hypervisor. This post tears apart the encrypted security hypervisor used in Huawei devices and nets a CVE: CVE-2021-39979 OOB Accesses Using the Logging System.
• CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You. The rebinding attacks are neat (if a bit hard to pull off in the real world), but the vendor response is downright amazing, and in a good way this time!
• Pre-Auth RCE with CodeQL in Under 20 Minutes. CodeQL is a force multiplier, I've said it before and I'll say it again.
• Debugging Protected Processes. Debugging protected processes on Windows can be tricky, so what if you made your debugger have the same level of protection instead? Now you can with PPLcontrol.
• Stalking inside of your Chromium Browser. Browsers are where lots of important information is accessed. If you don't have good access methods to leverage endpoint access to dump browser information, or better yet live inside the browser, you should prioritize development.
• How to mimic Kerberos protocol transition using reflective RBCD. Kerberos contains more foot-guns than any authentication protocol I've seen.
• Making unphishable 2FA phishable. Thanks to non-input enabled devices, even the best 2FA can be phished (sometimes).

Tools and Exploits

• SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
• Visual Studio Code: Remote Code Execution. Jypiter notebook links could have led to RCE in vscode when clicked.
• SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in rust? Try Unwinder.
• PrintNotifyPotato - Another potato, using PrintNotify COM service for lifting rights.
• BumbleCrypt - A Bumblebee-inspired Crypter.
• google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
• NimDllSideload allows you to easily generate Nim DLLs you can use sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
• Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Neton is a tool for getting information from Internet connected sandboxes.
• kubeshark , the API Traffic Viewer for kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple advances user security with powerful new data protections. This is a great step forward for a company who has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which contain all your iMessages conveniently have not been. Thus, with a simple court order, all your iPhone contents are available to any legally valid request. With this change, everything except Email, Contacts, and Calendar are encrypted on iCloud, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
• ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
• Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.

Techniques and Write-ups

• Precious Gemstones: The New Generation of Kerberos Attacks. This is a great refresher if you have missed the last few Kerberos attack releases and need to catch up.
• Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass. It boils down to an undocumented Windows kernel method and structure to implement syscall hooks. "This is a very brave and cool feature." This post contains good general investigative process documentation that will be applicable to kernel hackers and other low level devs.
• GOAD - part 11 - ACL. The latest in a series that walks through the excellent GOAD vulnerable active directory environment.
• Cool vulns don't live long - Netgear and Pwn2Own. Having two vulnerabilities patched the day before a competition is heartbreaking. Perhaps parallel discovery?
• Exploiting CVE-2022-42703 - Bringing back the stack attack "This exploit demonstrates a highly reliable and agnostic technique that can allow a broad spectrum of uncontrolled arbitrary write primitives to achieve kernel code execution on x86 platforms.""
• Part 3: I Hope This Vishing Call Finds You Well…. Vishing can be that extra push to get a phishing campaign across the line. It is being used by adversaries to great effect already; consider adding it to your next service offering.
• Replicating CVEs with KLEE. Symbolic execution engines for bug hunting aren't new, but KLEE is new to me.
• An open source SMS gateway for pentest projects. smsgate holds the code.
• Issue 2346: Windows: HTTP.SYS Kerberos PAC Verification Bypass EoP. A tasty LPE (now patched).
• Assessing Standalone Managed Service Accounts. Managed Service Accounts (MSA) have automatic password management, but that doesn't mean the passwords can't be dumped, hashes reused, and account privileges abused.
• StealthHook - A method for hooking a function without modifying memory protection. "This post describes a method for stealthily hooking a function without modifying memory protection. By overwriting a global pointer or virtual table entry that is nested within the target function, it is possible to hook the function without raising suspicion because many of these memory regions already have write permissions enabled."
• Unauthenticated Command Injection (Cacti). An authentication bypass and a command injection combine for a deadly bug.
• [PDF] Knockout win against TCC, a.k.a. 20+ NEW ways to bypass your macOS privacy mechanisms. Two of the best macOS security researchers team up to take down TCC.

Tools and Exploits

• RedditC2 - Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
• emailGPT - a quick and easy interface to generate emails with ChatGPT.
• noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
• CVE-2022-44721 Crowdstrike Falcon Uninstaller.
• DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
• WindowSpy is a Cobalt Strike Beacon Object File meant for targetted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, vpn logins etc.
• Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in interactive mode that saves complex opsec and overhead that usually exists in Azure penetration testing engagements.
• TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• [LastPass] Notice of Recent Security Incident. The breach from August is worse than initially reported, with encrypted password vaults stolen. Despite their encryption, weak master passwords or perhaps other issues could lead to passwords and other information leaking to the perpetrators. If you use a password manager (cloud based or not), the loss of your vault has to be part of your threat model. Other services have been quick to capitalize on LastPass' failure.
• Announcing OSV-Scanner: Vulnerability Scanner for Open Source. Google launches an open source dependency vulnerability scanner based on their OSV database.
• OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know. At this point, self-hosting Microsoft Exchange is an extremely risky proposition. Unless it's behind a VPN or Zero Trust Network Access (making it hard to use with Outlook/etc), you're asking for compromise.
• 2022 Adversary Infrastructure Report. Cobalt Strike still dominates.
• Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability. In the unlikely case you are running SMB using the new kernel module and not samba, update now or face unauthenticated RCE.
• Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. The title is a bit bland, but this is official FBI communication encouraging the use of ad blockers. I've heard stories of companies that force uBlock Origin as part of their managed Chrome install to great effect.
• Sunsetting DetectionLab. One of the best automated lab tools is ending development. The scene is set for an open source, modular, lab infrastructure system to be released...
• Crack the ELF RE challenges - "Here are some reverse-engineering challenges I've made on my spare time."

Techniques and Write-ups

• Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg. Some great technical Linux exploitation detail in this write up.
• Spice up your persistence: loading PHP extensions from memory. This technique is neat as your backdoor lives in the PHP process with only some suspect memory maps to give it away after loading from disk (and unloading the disk backed copy of the backdoor).
• Writing x64dbg scripts and Writing x64dbg plugins will help you level up your x64dbg game.
• Puckungfu: A NETGEAR WAN Command Injection. This command injection requires control of DNS on the WAN side of the router.
• MeshyJSON: A TP-Link tdpServer JSON Stack Overflow. In contrast to the relatively simple command injection exploit in Puckungfu, this exploit is a address leak and heap spray to bypass KASLR to execute a ROP gadget. Impressive stuff.
• CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution. This is a great read for any web app pentesters. The inital bug doesn't look so bad, but the chain to RCE is impressive.
• Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1). This post is all lab/dev setup and a Hello World, but the series could get interesting quickly. For a finished series, check out Lord Of The Ring0.
• LABScon Replay | Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi). You've heard of bootkits, but what about pre-bootkits?
• Trend Micro drops 2x macOS LPE posts: Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities and A Technical Analysis of CVE-2022-22583 and CVE-2022-32800.
• Navigating the Vast Ocean of Sandbox Evasions. Palo Alto's sandbox is custom and has fixes for many common sandbox detections. Would your detections get caught in this sandbox?
• Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463. Part 3 of the amazingly detailed browser exploitation series is here!
• Gatekeeper's Achilles heel: Unearthing a macOS vulnerability. Microsoft digs into a strange "AppleDouble" file format and finds a Gatekeeper bypass.
• .NET Startup Hooks. If you can set environment variables for .NET programs, you can inject arbitrary code. Could be a useful persistence technique as there are built in .NET binaries in Windows.

Tools and Exploits

• Avoiding Detection with Shellcode Mutator. By randomly adding nops or nop equivalent instructions, ShellcodeMutator can break yara rules that look for specific assembly sequences in shellcode.
• Dirty-Vanity - A POC for the new injection technique, abusing windows fork API to evade EDRs. See the slides from BlackHat EU here.
• DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting.
• CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for Linux kernel upstream stable 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
• Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
• CaFeBiBa - COFF parser - a COFF parser for binaries compiled with MSVC.
• Offensive-Rust - Various offensive techniques in Rust.
• ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
• CVE-2022-42046 - CVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation via DKOM.
• linux_injector - A simple ptrace-less shared library injector for x64 Linux.
• Venom is a library that meant to perform evasive communication using stolen browser socket.
• wanderer - An open-source process injection enumeration tool written in C#.
• Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
• WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
• PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• pike is a tool for determining the permissions or policy required for IAC code.
• policies - Security policies for Tailscale.
• A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding. I use SSH tunnels on a daily basis, and this is a great visual guide to anyone new to the concept (or as a reference if you forget!).
• portable-secret - Better privacy without special software.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 7). Ouch. If you use any kind of secrets in CI (not bad by itself, depending on your threat model etc), please use canary tokens so you know when you need to drop everything and rotate secrets and take a hard look at your logs.
• Researchers Could Track the GPS Location of All of California's New Digital License Plates. Because of course they can. File this under "shockingly bad idea is still bad for all the reasons we thought." For all the car hacks of 2022 check out Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More.
• Security Update Guide Improvement - Representing Hotpatch Updates. You can now easily identify hotpatches for Windows Server VMs in Azure which can be applied without a reboot (feature introduced last year). Linux users heard saying "what took so long?"
• [PDF] Factoring integers with sublinear resources on a superconducting quantum processor. Researchers out of China claim to have a system where "traditional" lattice-reduction math is used to dramatically reduce the number of qbits a quantum computer needs to factor numbers (the basis of RSA). If correct, they could theoretically break 2048-bit RSA with 372 qbits (which IBM already has). However, "this destroys the RSA cryptosystem" is a statement other papers have made, and so far, failed to deliver.
• U.S. Targets Non-Compete Clauses That Block Workers From Better Jobs. A staple of any tech employment contract, the non-compete could be coming to an end.
• Making an SSH client the hard way. Your weekly reminder that the modern browser is the OS of tomorrow.

Techniques and Write-ups

• TouchEn nxKey: The keylogging anti-keylogger solution. Every article I read by Wladimir makes me more and more scared of any browser extension. In this case, an all-but-required extension for Korean banking can be repurposed as a keylogger easily among other scarry things.
• Escaping from bhyve. A sesonsed VM escaper (QEMU previously) tries their hand at bhyve, FreeBSD's hypervisor, and comes away with a new VM escape. It's impressive to witness people who can point their attention at something and have impressive bugs fall out.
• A study on Windows HTTP authentication (Part II). Kerberos over HTTP? Windows authentication options are impressive in their vastness. This is a great post for any Windows network assessor, and the Prox-Ez tool will certainly come in handy once inside your next corporate network.
• Bypass firewalls with of-CORs and typo-squatting. The dangers of "just clicking a link" are real in 2023, but not because your computer will get compromised (excluding browser 0day+SBX) but because your company's internal web apps are YOLOing their CORS and authentication, allowing any browser on the network to pull data. This is really neat attack that is only possible because of overpermissive internal web apps. Use of-CORS to pull off your own sweet CORS hacks.
• CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet. The cool part of this post isn't the Citrix exploits, its the method of getting your hands on different versions of Citrix ADC images and fingerprinting the versions.
• Microsoft Defender for Identity JSON API. The inner workings of the Microsoft Defender for Identity and its API can hold some secrets if you compromise a machine running a sensor. Use Microsoft-Defender-for-Identity-API-Fiddler to play with it.
• CVE-2022-25026 & CVE-2022-25027: Vulnerabilities in Rocket TRUfusion Enterprise. Some classic web app vulnerabilities in this post.
• DeTT&CT: Automate your detection coverage with dettectinator . This post introduces a new tool, dettectinator, which is a framework that helps blue teams in using MITRE ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviors.
• Passwordless Persistence and Privilege Escalation in Azure. TIL that Azure comes with its own privesc to Global Admin. Neat.
• Lateral movement risks in the cloud and how to prevent them - Part 2: from compromised container to cloud takeover. What can you do once you land in a prod pod? Depends on the cloud, but probably a lot.

Tools and Exploits

• iCDump. A Modern Objective-C Class Dump. Blog here.
• UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
• HellHall is a combination of HellsGate and indirect syscalls.
• WalkerGate is a method to take syscall with memory parsing of ntdll.
• zsyscall is an implementation of the Hell's Gate VX technique. The main difference with the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for using syscalls.
• SOC-Multitool - A free and open source tool to aid in SOC investigations!
• Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe formats.
• sub-scout is a simple bash script to automate your inital recon and extend your attack surface using popular tools made by infosec community.
• MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
• nuclearpond is a utility leveraging Nuclei to perform internet wide scans for the cost of a cup of coffee.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• A New PyRDP Release: The Rudolph Desktop Protocol!. The gosecure RSS feed was slow on this one?
• KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
• NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
• smudge - Passive OS detection based on SYN packets without Transmitting any Data

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Supporting the Use of Rust in the Chromium Project. Rust is coming, and its taking down memory safety bugs/exploits as its spreads.
• Sustaining Digital Certificate Security - TrustCor Certificate Distrust. As previously reported, reporting from the Washington Post has led to questions about TrustCor, and this is the official announcement that Google is dropping them from the Chrome CA root store.
• CircleCI incident report for January 4, 2023 security incident. There is still some detail missing (no detail on how they know "the third party extracted encryption keys from a running process" and no public samples of the malware), but the incident report does shed light on how all of CircleCI was compromised. A single employee had their SSO session cookie stolen, and the production system fell. Now is a good time to tabletop what would happen at your company if your lead engineer had their SSO cookie stolen... In the meantime, follow this IR guide.
• [PDF] P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk. People still choose terrible passwords. Arm your users with a password manager and teach them how to use it. Enforce MFA everywhere you can. Hand out hardware tokens and enforce their use. With the rise of passkeys, a passwordless future is possible, but legacy password support will be around for at least the next 25 years.
• Recovering from Attack Surface Reduction rule shortcut deletions. Friday the 13th saw Attack Surface Reduction users get an updated definition that "resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files." This manifested itself with users calling the help desk stating that "all my apps are gone," which sounds a lot like ransomware. Thanks Microsoft. AddShortcuts.ps1 might help recover shortcuts for users.

Techniques and Write-ups

• SCCM Site Takeover via Automatic Client Push Installation. SCCM is perhaps the best lateral movement technique against organizations that use it, but the issue for red teams was compromising the primary server. With this research, it's possible to land a single phish (get any authenticated domain user), and coerce/relay your way to SCCM site takeover, which enables you to push out arbitrary executables or run scripts on every machine managed by SCCM. If ransomware crews aren't already doing this, they soon will be. Protect the MSSQL endpoints that SCCM use!
• Microsoft Defender for Identity Lateral Movement from Forest to Forest without a Forest trust. Using Defender to jump between untrusted forests? Awesome.
• Malware-based attacks on ATMs - A summary. Perhaps not the most relevant article for red/blue teams, but still interesting.
• A LAPS(e) in Judgement. A good overview of the local admin password solution (LAPS) for Windows domains, how to set it up, how to abuse it, and how to detect that abuse.
• T95-H616-Malware. "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616).
• Sliver vs havoc. If you aren't familiar with two of the more popular non-Cobalt Strike C2s that are available, this post breaks them down.
• CVE-2021-31985: Exploiting the Windows Defender AsProtect Heap Overflow Vulnerability. The irony of using Windows Defender to get a SYSTEM shell is delicious.

Tools and Exploits

• secret_handshake - A prototype malware C2 channel using x509 certificates over mTLS.
• phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.
• CoffLoader - an implementation of in-house CoffLoader supporting CobaltStrike standard BOF and BSS initialized variables.
• latma - Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns.
• gophish - GoPhish automation.
• CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup. PoC has been pulled for the time being, but as this effects Linux from ~2019 and later, it could be a pretty widespread LPE and potentially some LAN crashes or RCE.
• LocalPotato is coming soon! - Watch this space.
• Issue 2361: XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings. Ian Beer drops his "MacDirtyCow" which is already being used in the jailbreaking scene to do non-persistent tweaks.
• OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. Version 2 just dropped.
• Open Sourcing Incident Management system. The HARP incident management system, designed to help teams quickly and effectively respond to and resolve any incidents that may occur, specifically in the tech industry, is now open source!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Crassus - Windows privilege escalation discovery tool
• ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• how to completely own an airline in 3 easy steps. The US "No fly list" was found on an exposed jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
• Introducing LogSlash and The End of Traditional Logging. An interesting idea so save the "meaning" of a series of logs without all the raw data. I think large firms will still be saving all the raw data as all their detections are built on it, but I like the idea.
• HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
• Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
• Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.

Techniques and Write-ups

• CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion. ColdFusion is not only still a thing, but it's also still full of holes.
• Pwning the all Google phone with a non-Google bug. The bug here is cool, and the patch gap between ARM and Android on a hardware controlled by it's OS maker (Pixel 6) is worrying.
• CVE from 2018 Strikes Again. I've said it before and I'll say it again, just because a vulnerability is patched, doesn't mean its fixed. This is a one such case, albeit a simple one.
• Bitwarden design flaw: Server side iterations. With LastPass's recent issue, many have been searching for a new password manager, and researchers have been taking a look too. Positive change has already taken place because of this, and the open source BitWarden is getting more secure. However, you may want to manually increase your PBKDF2 iteration setting (Vaultwarden is also set at 100,000 by default as of 2023-01-23). The use of a secret key like 1Password has is a feature many would like to see implemented in other password managers. Need more password manager (patched) flaws? Unsandboxed Password Manager has them.
• Client-Side SSRF to Google Cloud Project Takeover [Google VRP]. A combo of Google properties (FeedBurner + VertexAI) combined for a nice Google Cloud takeover. It's not just Google, as Microsoft resolves four SSRF vulnerabilities in Azure cloud services.
• AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass. Why is a CloudTrail bypass a big deal? When you are looking for ways to validate AWS keys without falling victim to a Canary Token finding a method to use them without showing up in CloudTrail is the only way. Speaking of canary tokens they just released new credit card tokens.
• ManageEngine CVE-2022-47966 Technical Deep Dive. A quick run through of the RCE starting with the patch.
• [PDF] Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809. A simple command injection-style bug in the EDITOR environement variable allowed a user with sudoedit permissions on a single file to write to arbitray files as root. Perhaps not a common setup to have sudoedit enabled, but an easy LPE if it is!
• CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite. Some excelent creative hacking that will become more important as more things move to SaaS.
• Exploiting null-dereferences in the Linux kernel. Not crashing the kernel and instead "oops"-ing is better, but can have unintended consequences.
• making malware #0. Not sure a public "API" is the best for tooling's long term evasion, but it might help in some cases.

Tools and Exploits

• CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
• Credmaster2. Your favorite credential spraying tool is back with more plugins.
• pdtm - ProjectDiscovery's Open Source Tool Manager.
• Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
• Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
• git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
• a.socks.proxy.shellcode is SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
• SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
• golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
• APCLdr - Payload Loader With Evasion Features.
• CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
• sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
• ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
• SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here, its section 3: Recommendations that are gold.
• infisical ♾ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Hackers Demand $10M From Riot Games to Stop Leak of 'League of Legends' Source Code. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." Is it?
• Protecting Against Malicious Use of Remote Monitoring and Management Software. Someone at CISA finally watched my talk on Traitorware?
• U.S. Department of Justice Disrupts Hive Ransomware Variant. Don't do crimes.
• Yandex Services Source Code Leak. No git history, no ML models, but lots of source code.
• The Microsoft Edge team no longer offers VM image downloads for the testing of Microsoft Edge and Internet Explorer.. The go-to source for quick, legitimate test VMs is gone. This on the back of the news that detection lab is not being maintained has opened a hole in the test VM/lab/management area... (stay tuned).

Techniques and Write-ups

• At the Edge of Tier Zero: The Curious Case of the RODC. Just because its read-only doesn't mean it can't lead to domain dominance.
• Operator's Guide to the Meterpreter BOFLoader. BOFs come to Meterpreter - they are truly the cross-C2 primitive of modern red teaming. You can run them from Python3 now with pybof. Hell, I even put them in osquery.
• Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI. Hardcode a private key == hardcode a bad time.
• Password strength explained. This is a good explainer. Dice-chosen word-based passwords are the way to go.
• Abusing Exceptions for Code Execution, Part 2. This one is meaty and really cool. If you though SEH exploitation died in 2008, buckle up.
• Extending PersistAssist: Act I. How to add your own modules and stick around even after a reboot.

• Web Hacking

  • Using 0days to Protect the United Nations. Some web apps are frighteningly bad at security - this is one of them.
  • Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315). A nice authenticated RCE chain.
  • MyBB <= 1.8.31: Remote Code Execution Chain. This is just quality web app hacking.

• Insomni'hack 2023 CTF Teaser - InsoBug. CTF writeups don't usually make the blog, but this one is particularly interesting and Windows based which is extremely rare.
• gaylord M FOCker - ready to pwn your MIFARE tags. If you're getting started in the RFID card space, this post will give you a quick overview of the various attacks.
• Microsoft Defender Vulnerability Management Authenticated Scan Security Risks. Authenticated scans can give attackers hashes when 'Negotiate' is enabled.
• CVE-2023-23504: XNU Heap Underwrite in dlil.c. "This can be triggered by a root user creating 65536 total network interfaces." Seems pretty far fetched, but a physical attack (malicious USB) is a potential vector.
• How to access data secured with BitLocker? Do a system update. BitLocker effectively disables itself during updates.
• Give me a browser, I'll give you a Shell. The javascript to create a browse button was neat.
• Fun with macOS's SIP. A nify trick to "bypass" (but not really) System Integrity Protection on macOS.
• Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks. Loader/AV bypassers take note.

Tools and Exploits

• gato GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
• starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
• azbelt - AAD related enumeration in Nim.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• yaralyzer Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.
• Forking Chrome to render in a terminal. Simply amazing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.