News

• Questions For Confluence Security Advisory 2022-07-20. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to." What year is it again?
• Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls. At least they are authenticated vulnerabilities?
• DNS-over-HTTP/3 in Android. This is going to make DNS over HTTP/3 tunneling harder to pick out due to the volume of legitimate requests.
• The Return of Candiru: Zero-days in the Middle East. A sophisticated campaign that used a compromised site to host a WebRTC 0day (affecting at least Chrome, possibly other browsers) isn't your every day drive by compromise.
• Continued cyber activity in Eastern Europe observed by TAG. Fake mobile DDoS app to "help stop Russian aggression against Ukraine," actually sent all your information to Russia. At least the "number of installs was miniscule."

Techniques and Write-ups

• The End of PPLdump. The July 2022 update changes how PPL processes to no longer rely on Known DLLs, a critical step in the PPLdump bypass. Check the post for the full RE teardown of NTDLL.dll.
• Technical Advisory - Multiple vulnerabilities in Nuki smart locks. As the saying goes: "The 'S' in IoT stands for security."
• How I Met Your Beacon. This currently 2 part series takes a look at the behavioral tells of popular C2 frameworks, highlighting common anomalies that make beacons of all types stand out. The implicit message is that Nighthawk, MDSec's own commercial C2 doesn't display these anomalies. Part 2 includes new network based detections for Cobalt Strike Team Servers.
• WordPress Transposh: Exploiting a Blind SQL Injection via XSS. This little manuever netted Julien $30,000 in bounties and forced WordPress's removal of the plugin from its directory.
• Encrypting Strings at Compile Time. A single header file can encrypt your C++ strings at compile time, but be aware that tweaks will be needed to defat FLARE Obfuscated String Solver.
• AddExeImport - Add a hardcoded DLL dependency to any EXE. No DLL hijack convenient for your use? Create one! Another cool, creative technique from x86matthew. Be aware, signatures will no longer be valid.
• Browser Exploitation: Firefox Integer Overflow - CVE-2011-2371. An older vulnerability, but a great introduction to heap vulnerabilities in browsers.
• ProtectMyTooling - Don't detect tools, detect techniques. A suite of tools to rid yourself of static signatures and force Blue teams to detect techniques instead.
• Phishing: Better Proxy than Story details a "modern" phishing stack.
• Red Team? Or EDR Bypass Team. An interesting post on where value is derived from a red team assessment.
• Gitlab Project Import RCE Analysis (CVE-2022-2185). This was a nasty vulnerability (CVSS 9.9) in Gitlab where a crafted project import resulted in RCE. How you ask? this post breaks it down in detail.

Tools and Exploits

• DiagTrackEoP - another way to abuse SeImpersonate privilege.
• terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
• IAM-Deescalate IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
• RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
• AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
• Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
• CVE-2022-34918-LPE-PoC - This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ropr - A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
• RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Microsoft rolls back decision to block Office macros by default. If you are a big enough Microsoft customer you can escalate your trouble ticket all the way up to rolling back a security feature? VBA macros will continue to be a popular initial access vector it seems.
• PyPI 2FA Security Key Giveaway
• PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates
• Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware. Apple does not expand any ability to look at basic system logs from the phone though...
• Facebook has started to encrypt links to counter privacy-improving URL Stripping.
• [PDF] RETBLEED: Arbitrary Speculative Code Execution with Return Instructions

Techniques and Write-ups

• Rediscovering Epic Games 0-Days (Forever Unpatched?). Installers are rich hunting ground for file overwrite/file delete vulnerabilities.
• Account hijacking using "dirty dancing" in sign-in OAuth-flows. Oauth flows can be complicated, and thus vulnerable to strange edge cases. Excellent work here to explore some interesting ways to leak data and exploit login flows.
• Maelstrom: Working with AMSI and ETW for Red and Blue
• Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
• CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability
• Abusing forgotten permissions on computer objects in Active Directory
• Altiris Methods for Lateral Movement
• Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free (Part 3)
• DirSync: Leveraging Replication Get-Changes and Get-Changes-In-Filtered-Set
• Lord Of The Ring0 - Part 1 | Introduction
• Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
• Recreating an ISO Payload for Fun and No Profit

Tools and Exploits

• Issue 2278: Windows: LSA Service LsapGetClientInfo Impersonation Level Check EoP
• Rolling Pwn Attack. Honda keyless entry hack.
• Koh: The Token Stealer
• Affinis Recurrent Neural Network SubDomain Discovery Tool
• stealCredsPayload.js from Scraping Login Credentials With XSS.
• crux A proof-of-concept malicious Chrome extension
• Chisel-Strike A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
• RDPHijack-BOF Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
• iscsicpl_bypassUAC UAC bypass for x64 Windows 7 - 11
• persistence-info.github.io tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios.
• OneDriveUpdaterSideloading Payload for DLL sideloading of the OneDriveUpdater.exe, based on the PaloAltoNetwork Unit42's blog post.
• CoffeeLdr Beacon Object File Loader.
• pretender Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
• powerview.py PowerView alternative.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
• cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• 2022 0-day In-the-Wild Exploitation…so far. Browsers and phones are were people do most of their work these days, and thats where most of the 0days are too, unsurprisingly.
• Issue 2268: Windows: Windows Defender Remote Credential Guard Authentication Relay EoP. The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks leading to elevation of privilege or authentication bypass. Fixed on 2022-06-15 as CVE-2022-30150.
• GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5. TLDR: authenticated RCE. "an authorised user could import a maliciously crafted project leading to remote code execution," plus other issues.
• Bug Bounty Platform's Employee Abused Internal Access to Steal Bounties. As if bug bounty providers needed any more bad press...
• Service Fabric Privilege Escalation from Containerized Workloads on Linux. A compromised container could escape the container and compromise the entire cluster. Yikes! More at FabricScape: Escaping Service Fabric and Taking Over the Cluster.
• Malware Steel Mill. "Some Malware causing a catastrophic failure of a bucket full of molten steel." Iran seems to be the testing ground for cyber-physical attacks.
• When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. This will surely add fuel to the C2 twitter drama fire.

Techniques and Write-ups

• CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response. Step up your AWS exploitation game by not getting caught by automated defenses in this new scenario.
• Golang code review notes. This post is a good summary of some of the bug classes in Go.
• Spoofing Call Stacks To Confuse EDRs. Thread stack spoofing isn't new, but this post leverages it to actively trick EDRs with legitimate looking stacks while doing nasty things (like dumping lsass). CallStackSpoofer is the GitHub project.
• One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11. "This technique is a post exploitation primitive unique to Windows 11 22H2+ - there are no 0-days here. Instead, there's a method to turn an arbitrary write, or even arbitrary increment bug in the Windows kernel into a full read/write of kernel memory." Code is IoRingReadWritePrimitive.
• Abuse Cloudflare Zerotrust for C2 channels. Abuse is a strong word. "Repurpose" is perhaps a better term. Cool research, and as these kinds of services become more widespread, organizations are going to have to determine how to handle them. Want more cloudflare repurposing? Check out MitM at the Edge: Abusing Cloudflare Workers.
• Bulk Analysis of Cobalt Strike's Beacon Configurations. How unique are your post-ex and C2 profile choices?
• Bypassing .NET Serialization Binders. "Serialization binders are often used to validate types specified in the serialized data to prevent the deserialization of dangerous types that can have malicious side effects with the runtime serializers such as the BinaryFormatter. This blog post looks into cases where this can fail and consequently may allow to bypass validation and walks though two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277), that both allow remote code execution."
• CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus. Java web applications and deserialization vulnerability, name a more iconic duo.
• Enforcing a Sysmon Archive Quota. If you are using Sysmon's FileDelete archive hook to store deleted files, you likely already have a solution like this but if not, it should come in handy.
• Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763). macOS local privilege escalation walk thorough with PoC code.
• Exploiting Intel Graphics Kernel Extensions on macOS. More macOS exploitation?! ret2systems posts are always excellent and this is no exception.
• Relaying NTLM Authentication from SCCM Clients. What can't you relay authentication with in an active directory environment these days? But SCCM has even more fun in store: The Phantom Credentials of SCCM: Why the NAA Won't Die.
• A Diamond in the Ruff. You've heard of Golden Tickets but what about Diamond Tickets? They offer some OPSEC advantages, and you can use them in Rubeus with this pull request.
• nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861). A detailed post on how the vulnerability was found and exploited.
• Offensive Hunting. The automation and "offensive hunts" in the presentation are awesome. RedELK is great and advanced teams should be using it already. Excited to see more development with it!

Tools and Exploits

• PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
• the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
• TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
• CVE-2019-7040 + CVE-2021-21042. POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• awsEnum - Enumerate AWS cloud resources based on provided credentials.
• nali - An offline tool for querying IP geographic information and CDN provider.
• maldev-for-dummies - A workshop about Malware Development.
• ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Arsenal Kit Update: Thread Stack Spoofing. A new-ish (~6 months) EDR evasion technique comes to the most popular C2 framework out there.
• Introducing Tailscale SSH. The ability to ssh to servers using Tailscale as an auth provider without changing SSH configs is pretty awesome.
• The legacy Local Administrator Password Solution product (aka “LAPS”) is now a native part of Windows and includes many new features:. Microsoft is taking real steps (finally) to lock down Windows (a little).
• [PDF] MEGA: Malleable Encryption Goes Awry. If you were counting on the mega.io encryption to protect your files, you're in for a bad time.
• Splunk Enterprise deployment servers allow client publishing of forwarder bundles. Imagine you land a phish on a workstation managed by the same Splunk forwarder as the Domain Controller and you can pull off a local privilege escalation. You can use Splunk to get a SYSTEM shell on the DC from the workstation. Pretty gnarly.
• Hacking a Samsung Galaxy for $6,000,000 in Bitcoin!?. This video plays up the drama of the situation, but the hack is legit.
• Cloudflare outage on June 21, 2022. Yes, cloudflare went down, but it had the root cause analysis published in six hours. In my view, an excellent PR move.

Techniques and Write-ups

• WarCon 2022 - Modern Initial Access and Evasion Tactics. If you only read one post from this week as a red team, read this one and review the deck. Great modern red team tactics and techniques all in one spot.
• Hacking into the worldwide Jacuzzi SmartTub network. This is in the running for the best LWiS headline of 2022. Some impressively bad design (think my first web ctf challenge) was used to "secure" the global Jacuzzi network.
• Hack with 'goodfaith' - A tool to automate and scale good faith hacking. The tough part about hacking is to stay in scope. Hacker and security researcher Ryan Elkins (@ryanelkins) revealed a new tool that is intended to help hackers and security researchers avoid generating traffic against out-of-scope targets.
• The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP. Even the Equation Group used port 4444 at one point.
• Miracle - One Vulnerability To Rule Them All. "We successfully achieved pre-auth RCE on login.oracle.com" is a pretty crazy sentence to read. Even more crazy, they say they have another pre-auth RCE. If you have any interest in Java bugs, deserialization attacks, or massive pre-auth RCE on a cloud provider, don't skip this one.
• Relaying to ADFS Attacks. Relay that NTLM to the cloud! Tool here.
• Maelstrom: Writing a C2 Implant. These posts from pre.empt.dev have been a great resource for anyone starting to develop "modern" C2.
• Hacking Some More Secure USB Flash Drives (Part II). This hardware hack has some extra fun, like emulating the "installer" of the USB drive to deliver malware.
• Dealing with large BloodHound datasets. This is a great overview of Bloodhound, collectors, and processors once the data is in the DB.
• Attacking With WebView2 Applications. If you open a site in a "WebView2" application, you can inject all kinds of goodies into it. WebView2-Cookie-Stealer has the source.

Tools and Exploits

• Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
• FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
• awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
• kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
• Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
• Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
• callback_injection-Csharp - this repo is to cover the other undocumented or published / in different languages to achieve shellcode injection via windows callback functions.
• tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
• dismember - 🔪 Scan memory for secrets and more (linux).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
• HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512. Remote unauthenticated users can reset the administrator password of the device at next reboot and SSH in.
• Microsoft Patch Tuesday, June 2022 Edition. The best news? IE is officially out of service after 27 years. Follina (MSDT 0day) also got a patch.
• New Research Suggests Always-On Bluetooth Could Be Used to Track Your Phone. Does your phone's Bluetooth chip have a "fingerprint?" Probably.
• Now China wants to censor online comments. Consider this when your local politicians argue that all communication needs a backdoor to "protect the children."

Techniques and Write-ups

• SmarterStats - Yet Another RPC Framework. This is an in-depth code audit of an ASP .NET web long analytics app.
• Guide to Reversing and Exploiting iOS binaries Part 2: ARM64 ROP Chains. Some more binary exploitation on iOS. Be sure to bring a jailbroken iOS device to follow along.
• Running Shellcode Through Windows Callbacks. Unique shellcode execution techniques can help your loader stay under the radar. Check out the AlternativeShellcodeExec for more.
• How do I approach a technical topic? - Packet Capture (Part 1). I really like these types of posts that explore the methodology of solving problems.
• Updated: Technical Advisory and Proofs of Concept - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). The U-boot advisory from 2022-06-03 gets updated and expanded.
• NTLM Authentication with Firefox & FoxyProxy. This post shows how to authenticate to a web page over a SOCKS connection with NTLM.
• CVE-2022-26809 Reaching Vulnerable Point starting from 0 Knowledge on RPC. A great zero to PoC post, but note this particular exploit requires sending 1,048,577 packets.
• Automating Cobalt Strike with Python. The sleep language used to script Cobalt Strike is, unique, to say the least. Using something more widely known like Python helps more operators script the routine parts and focus on making assessments valuable for customers.
• Oh my API, abusing TYK cloud API management to hide your malicious C2 traffic. As everything moves to the cloud, hiding C2 traffic alongside legitimate API endpoints will be key to staying out of SOC alerts.
• Hang Fire: Challenging our Mental Model of Initial Access. The term "phishing for persistence" ia a good one. Breaking the link between phish and execution makes it harder to detect.
• Rogue Shortcuts: LNK'ing to Badness. LNKs in zips or ISOs still prove to be an effective delivery mechanism.
• Azure Attack Paths: Common Findings and Fixes (Part 1). Cloud assessments are becoming more common, and this post goes over some basics of Azure attack paths.
• Embedding Payloads and Bypassing Controls in Microsoft InfoPath. Legacy Microsoft file types and handlers (in this case .xsn files) continue to be interesting payload delivery mechanisms.

Tools and Exploits

• DFSCoerce - PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disable, and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
• CVE-2022-26937 - Windows Network File System crash PoC.
• hunter-1 (l)user hunter using WinAPI calls only.
• cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
• Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
• NlsCodeInjectionThroughRegistry Dll injection through code page id modification in registry. Based on jonas lykk research.
• Using macros and constexpr to make API hashing a bit more friendly.
• antnium - A C2 framework and RAT written in Go. Slides about the development process here.
• aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
• SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
• OfficeIMO Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word and later also Excel files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
• Sealighter - Sysmon-Like research tool for ETW.
• npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
• snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
• NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• There's Another New Deputy in Town. SOCKS5 support may finally be coming to Cobalt Strike.
• KrebsOnSecurity in New Netflix Series on Cybercrime. Might be worth a watch but I always worry these shows will be too much drama and not enough technical detail for my taste.
• ANOTHER Guy Has Leaked Classified Military Documents On The SAME TANK GAME'S forums. Not all that relevant, but goes to show that useful information can be fond in the strangest places.
• [PDF] clickstudios Passwordstate Incident Management Advisory #03. A digital signing certificate published online for 2 days was enough for it to be scooped up and used by a malware crew. No one is safe from the scrapers.

• Logo'd bugs

  • PACMAN Attacking ARM Pointer Authentication with Speculative Execution. I'd put this in the same camp as spectre, if you already have privilieged code execution, this may be useful, otherwise its a fun academic exercise but has a very narrow useful window.
  • Hertzbleed Attack. This one may be slightly more useful, with the potential to extract key material from "constant time" cryptographic routines, even remotely. Intel and AMD are affected, with the potential for ARM chips to be vulnerable as well. Code here.

• Google suspends engineer who claims its AI is sentient. You can read the editied chat transcripts here and decide for yourself. Either way this is 10/10 marketing for Google.

Techniques and Write-ups

• How to Reverse Engineer and Patch an iOS Application for Beginners: Part I. There is a need for these kinds of write ups that introduce a complex topic from first principles. Unfortunately, by the time people learn the skills, they don't write the posts! You'll need a mac and a jailbroken iOS device to follow along at home.
• Managed Identity Attack Paths, Part 2 and 3. Two more posts in the series started last week.
• Hacking Some More Secure USB Flash Drives (Part I). Some very in-depth hardware hacking against "secure" USB drives.
• Covenant In 2022. This post has some ideas on how to wrap or modify grunts to bypass some EDR solutions.
• CVE-2022-26937: Microsoft Windows Network File System NLM Portmap Stack Buffer Overflow. RCE as SYSTEM but careful, "unsuccessful exploitation results in a crash of the target system." No PoC available yet.
• Avoiding B.A.D. behaviour: The difficult relationship between nihilism, cybersecurity professionals and Being-A-Dick behaviour. Not technical, but potentially useful.
• Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup. An unbound base64 decode leads to RCE in a printer. Great post that goes from firmware extraction to RCE.
• Gone in 130 seconds: New Tesla hack gives thieves their own personal key. This feels like something a basic internal security audit would have found?
• Beware of BloodHound's Contains Edge. AD relationships are complex, and mapping them is tricky which leads to some false positives. This post contains a potential "fix" for a Contains false positive situation.
• Introducing Ghostwriter v3.0. The report and domain management tool turns 3.0! It can be managed with a new CLI tool and has support for CVSS scoring among other fixes and additions.
• AMFI Launch Constraints - First Quick Look. New security restrictions on system binaries in macOS Ventura will kill a whole exploit class!
• ProcEnvInjection - Remote code injection by abusing process environment strings. Another unique injection technique from x86matthew.
• Zimbra Email - Stealing Clear-Text Credentials via Memcache injection. Very cool bug and exploit!

Tools and Exploits

• CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
• CVE-2022-30075 - Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075).
• apk-instrumentation Some tools to rewrite code of release APK packages.
• dot The Deepfake Offensive Toolkit.
• VX-API Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
• Dogwalk-rce-poc 🐾Dogwalk PoC (using diagcab file to obtain RCE on windows).
• sourcegraph-scripts Scripts for Sourcegraph search results. Useful for static analysis.
• kcthijacklib - A Small Library For a Cleaner Execution.
• collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
• FirmLoader is an IDA plugin that allows to automatically identify parts of the memory for the firmware images extracted from microcontrollers.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• np - A tool to parse, deduplicate, and query multiple port scans.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Announcing PSP's cryptographic hardware offload at scale is now open source. What happens when the NSA draws a smiley face on your network map? You spend a decade perfecting encryption that you can offload to smart NICs so that all traffic is encrypted in transit. I wonder where the next smiley face will be drawn...
• Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability. "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance."
• Information Security Controls: Cybersecurity Items. The US joins Europe with its own "Wassenaar Arrangement" rule by the Industry and Security Bureau. TLDR don't sell cyber capabilities to Country Group D.

Techniques and Write-ups

• Abusing CVE-2022-26923 Through SOCKS5 on a Mythic C2 Agent. This post explores the AD CS vulnerability but uses Mythic an an Apollo agent with SOCKS forwarding to pull it off. Nice practical usage example!
• From open redirect to RCE in one week. This is a wild ride through a series of strange small bugs that result in full RCE. Web app hackers take note.
• Technical Advisory - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). This one is for the embedded device hackers (and chromebook hackers).
• Managed Identity Attack Paths, Part 1: Automation Accounts. Azure Automation Accounts, Logic Apps, and Function Apps all use "Managed Identity assignments" which allows scripts to authenticate as a specific Service Principle. These services can be used by an attacker to leak their JWT which can be used to authenticate outside the context of the Authentication Account.
• DeepPass — Finding Passwords With Deep Learning. It's starting to feel like Will is lining up a career change into data science, but as long as he keeps the red team angle I'm here for it. Here he trains a model (DeepPass) to recognize passwords in arbitrary documents. How long before this is repackaged and sold as "AI/ML deep learning information disclosure hunter 9000" at RSA?
• LSASS needs an IV. Spoiler: It doesn't really need an IV if you can guess a few characters of a password. Interesting deep dive into the (poor?) cryptographic decisions in LSASS.
• Enumeration and lateral movement in GCP environments. Lateral movement is more fun in the cloud.

Tools and Exploits

• COM-Hunter - COM Hijacking voodoo.
• VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
• Nidhogg Nidhogg is an all-in-one simple to use rootkit for red teams.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Surreal Case of a C.I.A. Hacker's Revenge. I haven't read this one yet but its on my list.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
• Welcome to the next generation of ngrok. The popular tunneling utility used to exposed local ports to the public internet released version 3 with some cool new features. Oauth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
• Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition br Broadcom this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
• How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
• FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you loose 221 million USD a year you get desperate and every piece of data is up for sale.
• Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

• Spoofing Microsoft 365 Like It's 1995. What if you wanted a scanner to send emails to your internal users but you use O365 email? How about an MS mail server that listens on port 25, has no auth, and delivers mail straight to your users from any email even if it doesn't exist in your domain? What could go wrong?
• Issue 2254: Zoom: Remote Code Execution with XMPP Stanza Smuggling. XML being parsed differently by two different libraries ends ups in RCE. Impressive research.
• A Kernel Hacker Meets Fuchsia OS. This is a long post that goes from "download the src" to "plant a rootkit."
• The printer goes brrrrr!!!. The ability to exploit an implant a network printer could give you network access for years. No one watches their printers, and the often have access to many subnets.
• Debugging and Reversing ALPC. No big reveal at the end of the post, but it does give good instructions on setting up a Windows VM for local or remote kernel debugging. For a more detailed post check out Offensive Windows IPC Internals 3: ALPC.
• Leveraging AWS QuickSight dashboards to visualize recon data. Use the AWS "business intelligence" tool to visualize all your "business intelligence" or make sense of some very verbose command line output.
• Capitalizing on BloodHound's Data: Cypher, Object Ownerships and Trusts. Investigate object ownerships across domains using custom Cypher queries.
• Taking ESF For A(nother) Spin. ESF is the macOS ETW.
• Security Code Audit - For Fun and Fails. While there is no epic RCE to end this post, there is tons of good knowledge and process described throughout.
• Intro to Web App Security Testing: Burp Suite Tips & Tricks. Some basic Burp Suite usage to get you started poking at web apps.
• Automating Azure Abuse Research — Part 1. Every website has an API, some just make you work harder to automate their usage than others. In this case Andy automates the "Run Command Script" function of Azure via Powershell, but the technique is generally applicable.
• VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive. Host header manipulation and a custom "logon server" allow you to bypass authentication on multiple VMware products. PoC here.

Tools and Exploits

• DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
• VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
• mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
• KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
• freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
• Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
• MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
• NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
• CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BofRoast - Beacon Object Files for roasting Active Directory.
• BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Pwn2Own Vancouver 2022 - The Results. Always cool to see some nice 0day chains take down major names.
• DOJ Announces It Won't Prosecute White Hat Security Researchers. It's all about intent. However this is just an "agency policy" and doesn't actually change the law. Read the full PDF here.
• Kali Linux 2022.2 Release (GNOME 42, KDE 5.24 & hollywood-activate). Nothing crazy here, just quality of life improvements, version bumps, and a "hacker" screensaver.
• When Your Smart ID Card Reader Comes With Malware. Supply chain attacks in equipment meant to secure systems. The ultimate trojan horse? The major user of PIVs in the US is the government, so this attack would likely land on personal (or maybe even official computers) of government employees.
• CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware. Supply chain attacks aren't new, and this one was likely targeting other software supply chains via their CI to expand its reach.
• [PDF] Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. "On thousands of sites email addresses are collected from login, registration and newsletter subscription forms; and sent to trackers before users submit any form or give their consent."
• CISA, NSA, FBI and International Cyber Authorities Issue Cybersecurity Advisory to Protect Managed Service Providers (MSP) and Customers. Why hack individual companies when you can hack MSPs that have SYSTEM level access to all the endpoints in hundreds or thousands of companies?
• Out Of Band Update: Cobalt Strike 4.6.1. Minor fixes to the 4.6 release.
• **authenticated** PetitPotam still works even after latest updates.. Windows machines just really want to authenticate to you.

Techniques and Write-ups

• Nighthawk 0.2 - Catch Us If you Can. MDSec releases the second version of their in-house C2, and is kind enough to detail its features. If you are looking for an advanced red team framework to support engagements, seriously consider Nighthawk. I haven't gotten any hands on time yet, but it sure looks impressive. If anyone at MDSec wants to hook me up with a trial contact me.
• Exploiting an Unbounded memcpy in Parallels Desktop. This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in a successful Pwn2Own 2021 entry to achieve code execution on a macOS host from a running a Linux guest via Parallels.
• EntropyCapture: Simple Extraction of DPAPI Optional Entropy. If you've decrypted DPAPI blobs but were left with gibberish data, perhaps the encrypting appliaction was supplying optional entropy to DPAPI. The new EntropyCapture uses hooks to capture that entropy so you can decrypt the blobs successfully.
• Exploit Development: No Code Execution? No Problem! Living The Age of VBS, HVCI, and Kernel CFG. Hypervisor-Protected Code Integrity (HVCI) and other modern protections make kernel level code execution difficult. Connor threads the needle with kernel-mode ROP in the post and takes you along every step of the way.
• S4fuckMe2selfAndUAndU2proxy - A low dive into Kerberos delegations. This post explores Kerberos delegation and ways to detect and exploit it, including the sometimes complicated S4U2self/proxy attacks.
• No-Fix Local Privilege Escalation Using KrbRelay With Shadow Credentials. This "manual" KerbRelayUp shows how the pieces work together to get a SYSTEM shell.
• Revisiting a Credential Guard Bypass. Patching two offsets in LSASS can bypass credential guard, but until now, those offsets have been hard-coded in tools. This post shows how they an be dynamically located at run time. The proof of concept is on GitHub.
• How I could exploit the CVE-2022-1388, F5 BIG IP iControl Authentication bypass to RCE. This is the background on the biggest bug of the last few weeks.

Tools and Exploits

• ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
• Mortar Loader v2. Lots of improvements to this loader in version 2.
• SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
• DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
• bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BinAbsInspector - Vulnerability Scanner for Binaries.
• Labtainers - Docker-based cyber lab framework.
• privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
• Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
• Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Taking on the Next Generation of Phishing Scams. Phishing is going to get more difficult, but backwards compatibility will be there for a while longer.
• Wildcard proxy for everyone. Wildcard certificates are useful to hide your specific domains from certificate transparency logs, and wildcard DNS entries do the same for DNS aggregators/change monitors.
• Microsoft Patch Tuesday, May 2022 Edition. Maybe hold off on your domain controllers?

Techniques and Write-ups

• Scheduled Task Tampering. It's possible to add scheduled tasks without logging using the registry and some tricks. However, task execution will still log unless you tamper with ETW in the scheduler process itself. Some cool options to increase red team opsec in this post as well as a nice Sigma rule for defenders.
• Cloudflare Pages, part 1: The fellowship of the secret
• Cloudflare Pages, part 2: The two privescs
• Cloudflare Pages, part 3: The return of the secrets
• Authenticating with certificates when PKINIT is not supported
• New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)
• F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
• Spoofing SaaS Vanity URLs for Social Engineering Attacks. Some good lure techniques in here.
• Defending the Three Headed Relay
• Azure Virtual Machine Execution Techniques. All major clouds have this "feature."
• Resolving System Service Numbers using the Exception Directory
• Introducing SharpWSUS
• Introducing MalSCCM
• Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound
• PPID Spoofing & BlockDLLs with NtCreateUserProcess
• LDAPSearch Reference
• Learning Machine Learning Part 3: Attacking Black Box Models
• Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep
• Diving into pre-created computer accounts
• Office365 User Enumeration
• Electron Shellcode Loader
• Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game

Tools and Exploits

• ELFLoader. Be sure to read the blog post.
• hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
• SpoolTrigger - Weaponizing for privileged file writes bugs with windows problem reporting
• XLL_Phishing - XLL Phishing Tradecraft
• mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic
• uru is a payload generation tool that enables you to create payload based on a configuration file.
• pyldapsearch - Tool for issuing manual LDAP queries which offers bofhound compatible output

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Markdoc

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• RFC 9116: A File Format to Aid in Security Vulnerability Disclosure. The security.txt file for security disclosure is an official RFC!
• Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators. A breach is bad, but having GitHub have to tell you about your breach is even worse. Good on GitHub for identifying the malicious use of "legitimate" OAuth tokens from a Heroku and Travis CI.
• Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution. AWS last week, Azure this week. This one is much worse as you could gain access to other customer's databases. Full details here.
• $90 million stolen from DeFi platforms over the weekend. The early adopter phase has a really steep entrance fee.

Techniques and Write-ups

• Introduction to VirtualBox security research. "This article introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers."
• Bypassing LDAP Channel Binding with StartTLS. Even if you have "LDAP server channel binding token requirements: Always" set as a GPO, if authentication is started unencrypted and then upgrade via StartTLS, channel binding is bypassed!
• Access Token Manipulation Part 0x02. Build a token vault in memory to store stolen tokens!
• Learning Machine Learning Part 2: Attacking White Box Models. A very detailed look at attacking ML models.
• Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest. Prefetch vulnerabilities arrive on Apple Silicon. No one is immune to this vulnerability class it seems.
• Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn. Directory traversal (CVE-2022-29799) and a time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800) in networkd-dispatcher lead to LPE.
• g_CiOptions in a Virtualized World. This post explores some ways to get your code running in the Windows kernel with Virtualization Based Security (VBS) enable but no Hypervisor Code Integrity (HVCI).
• Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms. If phishing is part of your assessment procedures, it's good to read up on what the real adversaries are up to. To that end, VSTO files are in right now.
• Shellcode: Linux on RISC-V 64-Bit. One day you will b only be popping shells on ARM and RISC-V machines, mark my words. You can use rars to get started.
• Trello From the Other Side: Tracking APT29 Phishing Campaigns. Hosting your own payloads and C2 is so 2020.

Tools and Exploits

• BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
• minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
• CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
• Dylib_Runner is Swift code to run a dylib on disk.
• okta-sprayer is a Python3 Script to perform a password spray against an okta instance.
• nimc2 is a c2 fully written in nim.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• pyscript. Python directly in HTML (via a WASM shim).
• O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
• ecapture can capture SSL/TLS text content without CA cert using eBPF.
• howdy is Windows Hello™ style facial authentication for Linux.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The More You Know, The More You Know You Don't Know: A Year in Review of 0-days Used In-the-Wild in 2021. "When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities." Keep looking for adjacent vulnerabilities!
• Pwn2Own Miami 2022 Results. 26 ICS focused 0days!
• Cobalt Strike 4.6: The Line In The Sand. Minor updates include a new user defined size limit for execute-assembly, and a unified "arsenal kit." The bigger updates are around the "security" (anti-piracy) features which may make it harder for criminals to use Cobalt Strike.
• Infosec Salaries - the myth and the reality. TLDR: Always take more base over options.
• SMB1 now disabled by default for Windows 11 Home Insiders builds. The unwillingness of Microsoft to break backward compatibility has caused many a vulnerability, perhaps the tide is turning? You can still enable SMBv1 but soon even the binaries will be gone and will be a separate unsupported install.
• OffensiveCon22 Youtube Playlist. Which talks were your favorite?

Techniques and Write-ups

• No Hardware, No Problem: Emulation and Exploitation. This is a good post for anyone interested in IoT devices as it contains some nice gotchas and workarounds.
• Adobe Acrobat hollowing out same-origin policy. Browser add-ons continue to be a silent killer. No one seems to be publicizing the power they have now that every app is a web app. Perhaps it will take a large add-on compromise for the industry to wake up?
• Bypassing PESieve and Moneta (The "easy" way....?). Memory scanners can pose an problem to red team tooling, but there are clever (not not new) tricks to keep memory encrypted until it's needed.
• CVE-2022-21449: Psychic Signatures in Java. "If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU)." A Java rewrite of a C++ cryptographic library introduced this flaw in Java 15. All those enterprise Java apps still on Java 8 are safe 😂. PoC to demonstrate the vulnerability here.
• A not-so-common and stupid privilege escalation. These kinds of hard-to-automatically-find vulnerabilities are what make red teams valuable. This is a cool find, and one to look out for on your next assessment or in your own environment. Lock down those shares!
• Adventures with KernelCallbackTable Injection. This is a shellcode injection technique not often used. PoC here: KernelCallbackTable-Injection.
• Access Token Manipulation Part 0x01. How do the token tricks for your favorite C2 work under the hood? It turns out the Windows APIs for tokens are pretty straight forward.
• Resolving System Service Numbers using the Exception Directory. The use of a Control Flow Guard "feature" for malware dev is juicy. Classic hacking. The runtime function table method has a wider set of compatibility, and may be more useful.
• AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation. Two weeks in a row with AWS issues, that's unusual. In this case a hotpatch was a bit too hot and ran any process named "java" in a container with elevated permission in order to patch them. This has been fixed, and AWS has an official announcement.
• Abusing Azure Container Registry Tasks. The cloud is just someone else's computer, and if you configure it poorly, there are shells to be had.

Tools and Exploits

• KrbRelayUp is a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
• memray is a memory profiler for Python. Not specifically security related, but very cool.
• Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
• C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know its going to be good.
• cdnstrip is a tool for striping CDN IPs from a list of IP Addresses.
• elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
• HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
• KDStab is a BOF combination of KillDefender and Backstab.
• ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Microsoft Patch Tuesday, April 2022 Edition. This was a big one: 120 security vulnerabilities in Windows, including a "wormable" RPC RCE CVE-2022-26809.
• APT Cyber Tools Targeting ICS/SCADA Devices. Some significant ICS/SCADA malware is on the loose. The use of a known-vulnerable driver for kernel code execution is a known tactic, but paired with the ICS capabilities described in this report can have serious physical world consequences. As always, vx-underground has the samples
• Web scraping is legal, US appeals court reaffirms. LinkedIn looses another round against scrapers. Public data is public, no matter how mad you get when someone accesses it in a way you don't like.
• Git security vulnerability announced. On Windows, for example, an attacker could create C:.gitconfig, which would cause all git invocations that occur outside of a repository to read its configured values. The Git uninstaller for Windows also had an privilege escalation vulnerability (DLL hijack in C:WindowsTemp).
• AWS RDS Vulnerability Leads to AWS Internal Service Credentials. The cloud is just someone else's computer, and they don't always lock it down as much as they should (but probably much better than most IT departments could). Official AWS publication here.
• Law Enforcement Seizes RaidForums, One of the Most Important Hacking Sites. One of the most important hacking sites? That might be a reach.
• Pwn2Own Miami 2022 Schedule. Looks like some good stuff on the docket if you are into ICS pwnage.

Techniques and Write-ups

• A blueprint for evading industry leading endpoint protection in 2022. Tons of gold in this post. Do not skip.
• From a Phishing Page to a Possible Threat Actor. "Cyber attackers are humans. Humans make mistakes or let behind actions details that could be used to trace them." The phishing site to creator's mirror selfie trip proves that nicely.
• Implementing Global Injection and Hooking in Windows. The technical bits to this are very cool, and the code for the injection can be found here. Want to be able to hook any function of any process? Why not just inject a DLL into every process? Bold.
• Teaching Burp a new HTTP Transport Encoding. If you ever need to implement a custom transport encoding scheme for a Burp extension, this blog will save you a lot of time. Code here.
• CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers. If you're hungry for deeply technical iOS vulnerability write ups, Ian Beer has you covered.
• Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities. Some cool advanced fuzzing techniques in play in this post.
• Coercing NTLM Authentication from SCCM. Authentication coercion attacks are all the rage, and now you can get some sweet hashes from SCCM. SharpSCCM will help you get what you need.
• Persisting XSS With IFrame Traps. Users navigate away from your XSS payload too quickly? Using an "iframe trap" you can manipulate the address bar and get your victim to stick around long enough for your payload to complete, or even enter credentials on your xss-loaded site!
• In-Process Patchless AMSI Bypass. Using exceptions to patch amsi.dll's AmsiScanBuffer function. Very cleaver. This will make one of my favorite tools (BOF.NET) even more powerful. Example C code here.
• CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client. Time-of-check-time-of-use (TOCTOU) hits the AWS VPN client (patched in 3.0.0) and allows for arbitrary file overwrite as SYSTEM.
• Diving Deeper into WatchGuard Pre-Auth RCE - CVE-2022-26318. This is a cool look at a leaked exploit and the work needed to really understand how it works and how it can be modified.
• Make phishing great again. VSTO office files are the new macro nightmare?. There are some caveats, but executing .NET code from the internet with just a docx is crazy. Microsoft Office truly has way too many features that 99.9% of people never use, but attackers will happily leverage for shells.

Tools and Exploits

• frostbyte is a POC project that combines different defense evasion techniques to build better redteam payloads.
• msprobe is a tool for finding all things on-prem Microsoft products for password spraying and enumeration.
• spooler-splenumforms-iov is a memory corruption vulnerability in windows spooler service that was patched on most recent Microsoft Patch Tuesday, 2022-04-12.
• SharpWnfScan dumps Windows Notification Facility subscription information from process.
• stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
• ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
• maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
• wpgarlic is a proof-of-concept WordPress plugin fuzzer.
• ShadowClone - Unleash the power of cloud. Distribute your long running tasks dynamically across thousands of serverless functions and gives you the results within seconds where it would have taken hours to complete.
• SSOh-No is a tool for user enumeration and password spraying tool for testing Azure AD.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Improving software supply chain security with tamper-proof builds. As there is more pressure to secure the software supply chain, solutions like this will hopefully become more popular. Having to rely on GitHub's hosted runner is a downside I hope can be addressed.
• [PDF] Breaking Point: Is mounting pressure creating a ticking time bomb for a health crisis in cybersecurity?. Sample size of only 200, but perhaps some insight here. I wonder if the kind of people drawn to information security are pre-disposed to mental health issues or if the job is more to blame (a bit of nature vs nurture I suppose).
• IMPORTANT SECURITY BULLETIN: Trend Micro Apex Central Arbitrary File Upload Remote Code Execution (RCE) Vulnerability. Not that noteworthy except that remote, unauthenticated RCE in a security product is always rough. The active in-the-wild exploitation is the cherry on top.
• Establishment of the Bureau of Cyberspace and Digital Policy. Light on details, but a "Digital Freedom Coordinator" at least sounds good?
• New security features for Windows 11 will help protect hybrid work. Some interesting new defaults coming to Windows 11 that will make the OS more secure by default, but also feed more data into the "AI model for application trust within the Microsoft cloud."
• NginxDay - Nginx 18.1 04/09/22 zero-day repo (no code). I'll hold judgement until code is released. This could be a ruse.

Techniques and Write-ups

• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 3). This series has been a treat. No one else I know of is putting together, detailed, well written, fully documented, modern exploit walk-throughs with DEP, ASLR, CFG, ACG, CIG, and no-child process mitigation bypasses. This is a SANS SEC760 course for free. Great work Connor!
• CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability. This post explores the bug that was exploited to unlock the San Bernadino iPhone.
• Unmanaged Code Execution with .NET Dynamic PInvoke. C# and P/Invoke have been the go-to solution after Powershell's advanced logging as introduced. This "dynamic" P/Invoke (note: not DInvoke) adds some stealth and different signatures to P/Invoke code.
• ABC-Code Execution for Veeam. Veeam is a widely used enterprise backup solution, and recently patch a few bad bugs. We've detailed the remote RCE in LWiS-2022-03-14 and LWiS-2022-03-21, but this covers two additional vulnerabilities. This post is from 2022-03-29, but the MDSec scraper I have only just updated with it. MDSec please include an RSS/Atom feed with your blog!
• Repurposing Real TTPs for use on Red Team Engagements. The job of a good Adversary Simulation offering is to take real TTPs and expand/adapt them to give customers a realistic but unique look at an adversary. This post explains exactly how that was done for a Bleeding Bear attack. Code here: BreadBear.
• MacOS SUHelper Root Privilege Escalation Vulnerability: A Deep Dive Into CVE-2022-22639. A nice LPE for macOS (patched in 12.3). Code here: CVE-2022-22639.
• Automatically extracting static antivirus signatures. The idea of an automated "AV debugger" isn't 100% novel (see: ThreatCheck), but this certainly goes a step further. avdebugger has the code.
• Making SMB Accessible with NTLMquic. SMB over QUIC support is included in Windows 11 and Server 2022. On Windows 11, it's enabled by default and will be attempted if normal TCP/445 fails. This might allow some authentication elicitation from restricted networks that allow QUIC out. Demo and code are up.
• ImportDLLInjection - An alternative method of injecting DLLs by modifying PE headers in memory. What if you simply replace the entire IMAGE_NT_HEADERS structure in a spawned process to include your DLL in the import descriptor list? This post does that and the spawned process will import the DLL!
• Abusing LargePageDrivers to copy shellcode into valid kernel modules. Once again the game cheat community is leading the charge with kernel exploit development.

Tools and Exploits

• ARCInject can overwrite a process's recovery callback and execute with WER.
• Jeeves is made for looking to Time-Based Blind SQLInjection through recon.
• bore is a simple CLI tool for making tunnels to localhost.
• ransomware-simulator is a ransomware simulator written in Golang.
• SwiftInMemoryLoading is a Swift implementation of in-memory Mach-O loading on macOS. Blog post soon?
• inflate.py artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
• com_inject performs process injection via Component Object Model (COM) IRundown::DoCallback(). Blog post here.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• WeakestLink is a browser extension that extracts users from LinkedIn company pages.
• uncover quickly discovers exposed hosts on the internet using multiple search engines.
• sub3suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping that supports both manual and automated analysis on variety of target types with many available features & tools.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Spring Core on JDK9+ is vulnerable to remote code execution. "Spring4Shell" aka "SpringShell" aka CVE-2022-22865 is a one-request RCE against some Spring Core installs (tomcat hosted). TrustedSec has technical goodies.
• Now in preview: Azure Virtual Machines with Ampere Altra Arm-based processors. You can spin up ARM VMs in Azure (Linux and Windows 11). The age of ARM is upon us. The feature is in preview, so you'll have to fill out this form.
• The price of Cobalt Strike for new customers will be $5,900 per user for a one-year license. Bigger development team = bigger budget.
• GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7. GitLab security releases often include serious vulnerability patches, but this one is especially bad. "A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts." You can see the change to o_auth/user.rb here.
• .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021. After the news that macros will be blocked by default this month, many attackers were comforted by the fact there are many ways to deliver a payload without a Mark-of-the-web. The Microsoft Office team has taken one option off the table with some specific ISO inspections. This is an Office feature, as Windows does not add the MOTW to files in an ISO. You can still use other formats in tools such as PackMyPayload.
• Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests. Why hack when you can just ask for data? KrebsOnSecurity has more detail.
• MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies.. Time to update your threat models.

Techniques and Write-ups

• FORCEDENTRY: Sandbox Escape. This post focuses on the sandbox escape used in the wild GIF JBIG2 decoder-as-stack-based-VM exploit.
• Veni, MIDI, Vici — Conquering CVE-2022-22657 and CVE-2022-22664. The bugs aren't the coolest, but the technique of "associative fuzzing" is valid and underused.
• Sharing is Caring: Abusing Shared Sections for Code Injection. After being forced to look for a new position due to sharing of LASPUS$ victim IR report screenshots (I guess?), Bill is back to writing interesting technical blogs (although he never stopped). A loss for Zoom, a win for us!
• PHP Supply Chain Attack on PEAR. Insufficient randomness strikes again!
• Fuzzing Like A Caveman 6: Binary Only Snapshot Fuzzing Harness. Fuzzing is all about speed, so being able to reset state and feed input from memory means more test cases, and hopefully more unique crashes.
• New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits. Digitally signed rootkit drivers are scary, but there are lots of potential IOCs here that should be detected. Even the digital signature should have been suspect in an enterprise (unless you are a game dev perhaps).
• EventPipe - An IPC method to transfer binary data between processes using event objects. A clever, but perhaps low bandwidth way to do inter-process communication on Windows that may not be as detected as standard named pipes or shared memory.
• Pwning 3CX Phone Management Backends from the Internet. This is an interesting journey from "whats on shoadan" to RCE.
• IIS - SOAP. IIS will process .soap files, enabling webshells with this little known extension.

Tools and Exploits

• Introducing PoshC2 v8.0. BOF compatibility, and a very slick Linux loader make version 8 worth checking out.
• CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the linux kernel. More details here.
• Smug_Fu3k is a HTML smuggling generator.
• Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
• DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
• boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
• nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
• Dump-Chrome-Cookies a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
• Rip Raw is a small tool to analyze the memory of compromised Linux systems.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Google is aware that an exploit for CVE-2022-1096 exists in the wild.. Not everyday you see a Chrome 0day in the wild. Update your browser!
• Countering threats from North Korea. The care put into the exploit kit decoy sites is impressive. When a significant portion of your GDP is from cybercrime, I suppose you get pretty good at it.
• Exodus Intelligence is offering their N-Day vulnerability subscription for FREE from April 1st through July 1st. I've been "added to the queue" but no N-Days yet.
• Resolved Security Vulnerabilities in Sophos (SG) UTM 9.710 MR10 (CVE-2022-0386, CVE-2022-0652). A post-auth SQL injection vulnerability in the Mail Manager of Sophos UTM can lead to RCE. SSL VPN bugs are hot right now, consider replacing your VPN appliances with WireGuard (its faster too).
• Grimes Said She Orchestrated Cyberattack That Shut Down ‘Hipster Runoff’. Famous person admits to crimes - nothing happens. A tale as old as time. How many years in prison would a teen in America get for a DDoS plus "erasing backups" (shell access?)?
• Cloudflare’s investigation of the January 2022 Okta compromise. This has some actionable steps if you are an Okta customer. For more, check out TrustedSec Okta Breach Recommendations.

Techniques and Write-ups

• Mining data from Cobalt Strike beacons. A new library designed to parse Cobalt Strike configruations. Perhaps its time to move away from Cobalt Strike.
• Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121). This is a very detailed walkthrough of a information leak and unchecked return value exploit for a NAS. I love that adding some 'sleep()'s fixed the exploit in the Pwn2Own competition to net them a success.
• [PDF] Double Fetch Vulnerabilities in C and C++. Double Fetch is where checks are properly done for a fetch, but the second fetch is unchecked. This allows an attaker to modify the data between the fetches.
• Yet Another Local Privilege Escalation Attack via Razer Synapse Installer (CVE-2021-44226). Gaming peripherals have been a goldmine of LPEs recently, and Razer is no exception.
• Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All. "Unauthenticated attackers can remotely compromise devices protected by Microsoft Azure Defender for IoT by abusing vulnerabilities in Azure’s Password Recovery mechanism." It's bad when you have to number your "Unauthenticated Remote Code Execution As Root" findings because there are more than one.
• Automating DFIR using Cloud services. IR is never fun, but automation to make it less painful can help!
• CVE-2022-27666: Exploit esp6 modules in Linux kernel. Buffer and heap exploits can get confusing quickly, but this write up includes amazing animations that show how data is arranged in memory and make it much easier to understand. I hope this technique of write ups catches on.
• LDAP relays for initial foothold in dire situations. NTLM relaying may be locked down in an environment, but LDAP remains an option. This post pushes the boundaries to relay harder with LDAP. Defenses included at the end as well!
• Every "Guest" you invite in your Microsoft Team meetings can list users from other groups. Flip those toggles!

Tools and Exploits

• tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
• DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
• OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
• CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
• YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
• ctfd-parser is a python script to dump all the challenges locally of a CTFd-based Capture the Flag.
• wireproxy is a Wireguard client that exposes itself as a socks5 proxy
• TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
• DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Cronos-Rootkit is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
• reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
• ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
• OffensiveNotion uses Notion as a platform for offensive operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Microsoft says Windows 11 File Explorer ads were ‘not intended to be published externally’. Microsoft is slowly turning Windows into a "free to play" operating system. This started with ads in tiles in Windows 8.
• Ides of March – Chariot’s Launch Day. Praetorian launches their continous attack surface monitoring service which looks to be built on Nuclei Templates.
• NPM maintainer targets Russian users with data-wiping ‘protestware’. Another reminder to check your dependency management solution.
• Founder Of Cyberfraud Prevention Company Pleads Guilty To Defrauding Investors Of Over $100 Million. A lot of cybersecurity is snake oil, and this salesman got caught.

Techniques and Write-ups

• Browser In The Browser (BITB) Attack. The creation of false windows inside of browser pages isn't exactly new (see The inception bar) but this is the first time I've seen an fake SSO prompt window. Windows/macOS authentication prompts are also possible - check out @fuzz_sh's work.
• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 2). Connor is back with part 2 which takes the exploit PoC from a simple crash to a read/write primitive and then to code execution against ChakraCore. ASLR, DEP, and CFG are all on the table as well, so this is an amazing bit of modern exploitation learning.
• Initial Access - Right-To-Left Override [T1036.002]. Not a new technique, but susinctly presented with AV bypasses as well. Code here.
• NotepadExec - Using notepad.exe to launch an EXE without code injection. Right click and "Open" an exe, but programatically.
• Detecting shadow credentials. This post shows how defenders can look into msDS-KeyCredentialLink attributes and the flow to determine if they are legitimate or not.
• Bypassing UAC in the most Complex Way Possible!. Local kerberos funny business with the service control manager on a domain joined machine to bypass UAC? Intersting...
• Arya: The New Tailor-Made EICAR Using Yara. Get "malicious" files from yara rules. These can be the moder EICAR test files of modern purple teams.
• CVE-2022-26500 Veeam Backup & Replication RCE. This is analysis and exploitaiton of the Veeam unauthenticated remote RCE from last week.

Tools and Exploits

• CustomKeyboardLayoutPersistence can achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2. Warning: there is no code related to the uninstallation process in the PoC.
• Group3r can find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
• Malfrat's OSINT Map is an update to the OSINT Framework <https://osintframework.com/>. OSINT-Map is the GitHub repo if you'd like to contribute.
• oxide A PoC packer written in Rust!
• AtlasC2 is a C# C2 Framework centered around Stage 1 operations.
• poro is a tool to scan publicly accessible assets on your AWS cloud environment.
• snoop Secretly record audio and video with chromium based browsers. Be sure to check out VOODOO, the macOS Man in the Browser Framework as well.
• Coeus is an ADSI based Situational Awareness toolkit for domain environments with modularity in mind. Allows for the enumeration of users/groups/computers as well as some common misconfigurations including roasting (AS-REP, kerber) and delegation (Constrained, Unconstrained, RCBD) attacks.
• xepor is a web routing framework for reverse engineers and security researchers, brings the best of mitmproxy & Flask.
• LeakedHandlesFinder is a leaked Windows processes handles identification tool. Useful for identify new LPE vulnerabilities during a pentest or simply as a new research process. Currently supports exploiting (autopwn) procesess leaked handles spawning a new arbitrary process (cmd.exe default).
• AutoSmuggle is a utility to craft HTML smuggled files for Red Team engagements.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• rust_bof. Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc.
• S1EM. This project is a SIEM with SIRP and Threat Intel, all in one.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The Dirty Pipe Vulnerability. Linux 5.8+ was vulnerable to a DirtyCOW-esq bug that allows overwriting data in arbitrary read-only files. It can also be used as a Docker container escape. PoCs available here: CVE-2022-0847-DirtyPipe-Exploits.
• Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. Veeam is a very popular virtual machine backup vendor. While hopefully not publically exposed, once inside these vulnerabilities could prove very useful to a red team.
• iCloud Private Relay: information for Cloudflare customers. An interesting post about Cloudflare's role in "Private Relay." The part that stuck out to me was: '"Private Relay is designed to ensure only valid Apple devices and accounts in good standing are allowed to use the service. Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple." Because of these advanced device and user authorization steps, you might consider allowlisting Private Relay IP addresses explicitly.' Are burner Apple IDs and Private Relay a quick way to bypass anti-fraud controls?
• Cobalt Strike Roadmap Update. Cobalt Strike has continued to grow after the acquisition by HelpSystems, and this post promises to continue that growth. As the most popular adversary simulation tool on the market, Cobalt Strike is the standard that all other C2's and agents are compared to.
• Leaked stolen Nvidia key can sign Windows malware. The Nvidia data has been leaked, and the perpetrators have moved on to Samsung.
• Ubisoft Cyber Security Incident Update. Lapsus$ is a likely culprit. Unconfirmed, but Lapsus$ shared the link on their Telegram with a smirk emoji - that's attribution in 2022 right?.
• Conti Ransomware Group Diaries. Krebs does a great job digging into the Conti chat log leaks. The Conti group was well financed, and run much like you'd expect a mid size business to run - with all the infighting and drama that entails.
• Introducing the InternetDB API. Free, and no API key required. Information isn't super detailed, but you get open ports, Common Platform Enumeration (CPE), hostnames, tags, and vulnerabilities with a single request.

Techniques and Write-ups

• Reversing embedded device bootloader (U-Boot) - p.1. Encrypted kernel images for IoT devices can be a pain, and when they use custom encryption it can be even worse. This post shows the struggle of finding the decryption routine for an ARM powered IoT device that boots with U-boot.
• Finding an Authorization Bypass on my Own Website. If you think prepared SQL statements protect you from all SQL injections, this post is for you. Edge cases can be crazy, and lead to auth bypasses!
• Good file… (What is it good for) Part 1. What PDB paths and GUIDs do your tools use? Maybe time to do some research into good files on your own and reuse "good" elements in your tooling.
• Microsoft Defender for Office 365 Identification. A quick and easy check to see if an organization is using the paid Defender for O365 by sending a single email.
• Disclosure of Vulnerability in Azure Automation Managed Identity Tokens. This is the corporate response, but the simple truth is much more frightening.
• Decrypting Viscosity Passwords. The DPAPI protected credentials for the VPN software are protected with a custom salt that causes common automated DPAPI decryption tools to fail. The use of WinDBG to find the salt is generally applicable and a good trick to stash in your toolbox.
• Manipulating User Passwords Without Mimikatz. Some excellent attack options that avoid well signatured binaries/tools in this post. The ShadowCredentials trick is a sneaky favorite.
• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1). If you're even remotely curious about browser exploitation, take an hour and read this post. Connor never disapoints and his blog has more knowledge packed into it than 700 level SANS courses.
• Finding gadgets like it's 2022. CodeQL strikes again, this time in a unqiue application - to find gadgets for Java exploits! You have to have the source code of the target app and be able to compile it, but otherwise, this is a neat new technique to find gadget chains.
• Revisiting Phishing Simulations. I once had a boss tell me "we never will do assumed breach." I hope he reads this. "Given enough time and resources, a motivated and reasonably sophisticated threat actor will eventually gain access to your environment." Purple teams are the way of the future for mature organizations.
• macOS Red Teaming: Bypass TCC with old apps. macOS privacy framework (TCC) got you down? Use an old version of an app that is vulnerable to dylib injection, inherit the legitimate TCC permission, and win!
• Abusing Kerberos Constrained Delegation without Protocol Transition. There seem to be no end to the ways to can abuse Kerberos in special circumstances.
• Expanding the Hound: Introducing Plaintext Field to Compromised Accounts. Modify the BloodHound database to fit your use cases.

Tools and Exploits

• Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your Powershell less detectible.
• oxasploits. All of these exploits are originally coded by oxagast / Marshall Whittaker. Some of them were already known vulnerabilities that they took and re-evaluated then wrote an exploit for them that they thought was more functional or logical in some way. Some of these vulnerabiltiies are partial PoC exploits that will make something crash, but not actually get root. Some will straight drop you at a root shell. None of this code should ever under any circumstances be run in a production environment, or on a system that you do not have express permission to run a penetration test on.
• RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
• graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
• nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
• donut this is a donut fork that contains syscall support for AMSI/WDLP patching.
• SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
• SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• iocscraper is a python tool that enables you to extract IOCs and intelligence from different data sources.
• litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
• BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• LAPSUS$ vs Nvidia. Ransomware crews just aren't what they used to be...
• New data wiper malware used in Ukraine. The use of a stolen or shell company digital signature as well as an old but legitimate driver to corrupt data is an interesting twist on the common wiper malware methods.

Techniques and Write-ups

• Stealing a few more GitHub Actions secrets. GitHub actions have been a source of secrets before, but this is a very clever logic bug that allowed a malicious fork write access to a repository.
• Exploit Development: ASLR - Coming To A KUSER_SHARED_DATA Structure Near You!. Connor drops another monster post digging deep into the Windows kernel to show a new feature in the Windows Insider Preview builds. Kernel exploits will now require a full kASLR bypass to be effective, and existing exploits that rely on a writeable KUSER_SHARED_DATA structure will break.
• BrokenPrint: A Netgear stack overflow. Lots of good 32 bit ARM exploitation knowledge in this post.
• Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager. PT security is back with a bunch of different ways to get RCE on VMware products. Some nice web application hacking fundamentals on display in this post.
• Remote Code Execution in pfSense <= 2.5.2. This is an authenticated RCE, but still not good news for a security focused product that's had it's fair share of controversy recently.

Tools and Exploits

• Fennec is an artifact collection tool written in Rust to be used during incident response on nix based systems. fennec allows you to write a configuration file that contains how to collect artifacts.
• TeamsImplant is a stealthy teams implant that proxies the urlmon.dll that teams uses compile and throw this bad boy in the teams directory as urlmon.dll and you got yourself a persistence backdoor whenever teams runs by a user or at startup.
• aws-cloudsaga is for AWS customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
• Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. An improvement on the original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode.
• Jbin-website-secret-scraper will gather all the URLs from the website and then it will try to expose the secret data from them such as API keys, API secrets, API tokens and many other juicy information.
• LdapSignCheck is a Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
• YaraDbg.dev is a free web-based Yara debugger to help security analysts to write hunting or detection rules with less effort and more confidence. By using YaraDbg, you can perform a thorough root-cause-analysis (RCA) on why some of your Yara rules did or did not match with a specific file. It can also help you to better maintain a large set of yara rules.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• PowerBruteLogon is a powershell port of win-brute-logon which can brute force local accounts on a Windows machine. The Administrator account, if enabled, is exempt from lockout.
• opensquat s an opensource Intelligence (OSINT) security tool to identify cyber squatting threats to specific companies or domains, such as Phishing campaigns, Domain squatting, Typo squatting, Bitsquatting, IDN homograph attacks, Doppenganger domains, and Other brand/domain related scams.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The Cyber Social Contract How to Rebuild Trust in a Digital World. US National Cyber Director Chris Inglis postulates that the free market can't solve cybersecurity. It will be interesting to see how this develops.
• Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users. Overwhelming victims with tons of push MFA messages until they finally click allow just to make them stop is a valid attack. Does your organization detect MFA floods, or does your MFA system lock accounts after a threshold of MFA tokens have been requested with no user action?
• Retrospective: Recent Coinbase Bug Bounty Award. Logic bugs in web apps can be bad, or they can be horrific. This one is horrific. A $250k bounty proves again cryptocurrency is where the money is for bug bounty hunters.
• tmp.Out Volume 2 released. tmp.Out is becoming a linux focused Phrak, and I'm here for it. Excited to dig into these articles!
• Passware Kit Forensic T2 Add-on: The First Password Recovery Tool for Macs With T2 Chips. According to 9to5mac, the exploit only allows ~15 attempts per second, so your 15+ character macOS password is probably safe. The attack requires phyiscal access. M1 macs are not affected.

Techniques and Write-ups

• Relaying Kerberos over DNS using krbrelayx and mitm6. This is the next generation of WPAD relaying! Dirk-jan delivers yet again. I had no idea there was such a thing as an authenticated dynamic update via DNS. I'm not sure how often this happens in production environments, but it's a neat technique to add to your toolbox.
• Hunting for bugs in VMware: View Planner and vRealize Business for Cloud. Seemingly tiny mistakes lead to big vulnerabilities (unauth RCE) in VMware products in this post. A great read for anyone who does web app assessments or source code review.
• A primer on DCSync attack and detection. DCSync is the "slam dunk" of many internal assessments, and this post shows how its done and details how to detect it in your environment including using DCSYNCMonitor.
• Production ready eBPF, or how we fixed the BSD socket API. Cloudflare's use case for tubular, a BSD socket API on steroids is to provide multiple service on the same port and listen on every port, but I can think of some more "rootkity" uses for tubular...
• Zabbix - A Case Study of Unsafe Session Storage. Many web apps store authentication information on the client side in cookies or other browser storage. Problems arrise when misconfigurations allow clients to dictate their role without backend checks, as was this case with Zabbix, whech led to full authentication bypass.
• Never, Ever, Ever Use Pixelation for Redacting Text. "When you need to redact text, use black bars covering the whole text. Never use anything else. No pixelization, no blurring, no fuzzing, no swirling. Oh, and be sure to actually edit the text as an image. Don’t make the mistake of changing your Word document so that it has black background with black text." If you need convincing, check out unredacter.
• Find You: Building a stealth AirTag clone. By exploiting the privacy functioanlity of AirTags and the amazing (and previously blogged about) openhaystack procject, this post shows how you can create, and detect, otherwise undetectable trackers. Check out the code in find-you.
• Useful Libraries for Malware Development. Some old and new friends in here. Worth a read for any tool developer!
• Kernel Karnage – Part 9 (Finishing Touches). This series has been a fun ride. The only sad part is no PoCs.
• Dylib Loads that Tickle your Fancy. macOS is full of strange, archaic, binaries (to be fair, so is every OS). One such binary, tclsh can load arbitrary dynamic libraries.
• Chasing the Silver Petit Potam to Domain Admin. Sometimes you get lucky and can crack the NTLMv1 hash from a DC authentication illicatation. In that case, its just one more step to DA!
• Steal Credentials & Bypass 2FA Using noVNC. Simply genious. Why bother with a tricky proxy solution, when you can just have the user log into a site with a browswer you control?

Tools and Exploits

• Athena is a fully-featured cross-platform agent designed using the .NET 6. Athena is designed for Mythic 2.2 and newer. Crossplatform operations with Athena has all the details.
• IgnoreAppLocker.dll is a DLL to launch a cmd.exe as NT AUTHORITYSERVICE, which doesn't get blocked or logged by AppLocker, and neither do any processes launched by this cmd.exe process.
• PELoader is a PELoader implement various shellcode injection techniques, and use libpeconv library to load encrypted PE files instead of injecting shellcode into remote thread.
• kraken is a dockerized multi-platform distributed brute-force password cracking system with a web front end.
• bflat is a concoction of Roslyn - the "official" C# compiler that produces .NET executables - and NativeAOT (née CoreRT) - the ahead of time compiler for .NET based on CoreCLR. Thanks to this, you get access to the latest C# features using the high performance CoreCLR GC and native code generator (RyuJIT). C# as you know it but with Go-inspired tooling (small, selfcontained, and native executables).
• BananaPhone is a go variant of Hells gate! (directly calling windows kernel functions, but from Go!) - not new, but now with Halo's gate!

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• lossless-cut aims to be the ultimate cross platform FFmpeg GUI for extremely fast and lossless operations on video, audio, subtitle and other related media files. The main feature is lossless trimming and cutting of video and audio files, which is great for saving space by rough-cutting your large video files taken from a video camera, GoPro, drone, etc. It lets you quickly extract the good parts from your videos and discard many gigabytes of data without doing a slow re-encode and thereby losing quality. Not offsec related, but useful!
• fastfinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• 🌹 Roses are red, Violets are blue 💙 Giving leets 🧑‍💻 more sweets 🍭 All of 2022!. There is big money in Linux Kernel and Kubernetes 0days and 1days these days.
• Cryptocurrency firm MakerDAO offers record $10m in newly launched bug bounty program. The real money is in hacking smart contracts. Don't believe me? You should.
• Prosecutor will not charge Post-Dispatch for DESE data vulnerability story. Four months after a reporter used "view-source" to find social security numbers on a state run school website, the county prosecutor said he will not prosecute. A bit crazy it had to go all the way to a prosecutor before someone had enough sense to shut it down.
• 2021 Trends Show Increased Globalized Threat of Ransomware (PDF). NCSC, CISA, and the NSA team up to warn everyone about ransomware. This would be a good release for 2017.

Techniques and Write-ups

• Object Overloading. This is a dense but very interesting article. TLDR is you can convince processes to load DLLs from directories on start with ProcessDeviceMap, but this isn't an article to skip over. ObjectOverloadingPOC has the code.
• Eliminating Dangling Elastic IP Takeovers with Ghostbuster. IP takeovers can be dangerous (see compromising the email supply chain of Australia's most respected institutions -also AUS based 🤔), so shubs developed ghostbuster which scans all your cloud assigned IPs, then checks if there are any DNS records pointing to IPs you don't have control over.
• Gaining the upper hand(le). Sometimes SYSTEM level processes on Windows spawn lower integrity processes but keep high integrity handles open. This post shows how that can be exploited and teases a tool that does it all automatically. No release yet though.
• Abusing Exceptions for Code Execution, Part 1. This is a similar post to WindowsNoExec, but with more detail and macOS PoC to boot. Exception oriented programming (EOP) is the future?
• AD CS: from ManageCA to RCE. ManageCA and ManageCertificates permissions were suggested to be dangerous in the Certified Pre-Owned (PDF) paper, but now a user with the ManageCA permission has the ability to perform an arbitrary file write on any local path on the CA server or on any remote path where that server has write permissions, and thus RCE. Check the BlackArrow Certify for the new features.
• Active Directory, whoami?. Last week there was a tool release (SharpLdapWhoami) I didn't fully understand the use for. A helpful reader spelled it out for me!
• Introducing BloodHound 4.1 — The Three Headed Hound. Three new edges arrive in 4.1: AddKeyCredentialLink, AddSelf, and WriteSPN. Read the post to learn about each of them.
• StackScraper - Capturing sensitive data using real-time stack scanning against a remote process. This memory searching tool could be very useful for post-exploitation credential harvesting, or app security research.
• Dropping Files on a Domain Controller Using CVE-2021-43893. The December patch tuesday patch for CVE-2021-43893 (remote privesc against encrypted file systems (EFS)) was't completely patched. Jake from Rapid7 decided to weaponize it and on top of authenticated users being able to write arbitrary files to a DC, the incomplete patch allows for yet another authentication elicitation technique. Sprinkle on some relaying, and before you know it you're authenticated as a DA's machine account (if a machine account in in the DA group that is)! The tool is called blankspace.

Tools and Exploits

• KrbRelay is a framework for Kerberos relaying. The relaying game just got a whole lot more interesting. The demo is very impressive.
• CobaltBus is a Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus.
• TymSpecial is a SysWhispers integrated shellcode loader w/ ETW patching, anti-sandboxing, & spoofed code signing certificates
• PPL_Sandboxer is a A small C POC to make Defender Useless by removing Token privileges and lowering Token Integrity.
• SpoolFool is an exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) that should work by default on all Windows desktop versions up to the 2022-02-08 patch.
• hygieia is a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.
• pdfrip is a fast PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
• monorepo.tools. "Everything you need to know about monorepos, and the tools to build them." With a bit of nudging to use Nx because the team the wrote this is selling Nx (but honestly Nx looks pretty awesome).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Vulnerabilities in Cisco Small Business routers could allow unauthenticated attackers persistent access to internal networks. This was the CVE of last week, a full 10.0 on the CVSS scale (RCE as root). SSL VPN gateways continue to be a juicy target for attackers.
• Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution. This takes the #2 spot for most hyped CVE of last week. The vfs_fruit module is used for macOS compatibility, and is enabled on many prosumer NAS devices by default. No PoC yet, technical details here.
• Helping users stay safe: Blocking internet macros by default in Office. It's about time! While there are certainly valid use cases for macros, they should be a bigger challenge to enable than a simple click given the damage they can do. Here's to hoping organizations patch. I'll be pouring one out for this old red team favorite in April.
• Alpha-Omega Project. This project aims to attack open source software vulnerability from both ends, maintainers and end users. Specifics are light, but if it means more fuzzing or code analysis on popular open source projects, that's a good thing.
• It’s Back: Senators Want EARN IT Bill to Scan All Online Messages. US Senate again tries to open up the path for widespread surveillance by making private companies scan all content and report "violations" to law enforcement. I'm sure they will use the line "protect the children" in their push to get it passed.

Techniques and Write-ups

• EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution. This is a really neat multi-layered payload. It's a LNK that runs powershell to extract an EXE from itself, drop, and run that exe. This way LNK based attacks can be totally self contained.
• How Phishers Are Slinking Their Links Into LinkedIn. LinkedIn has marketing "feature" that is proving to be useful for phishers to hide their links. LinkedIn is (for now) a pretty high reputation site.
• A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented. A headline sure to start a holy war. If you're interested in low level language details you'll enjoy this post.
• Testing Infrastructure-as-Code Using Dynamic Tooling. The Aerides tool is capable of mocking the appropriate AWS API endpoints to allow "normal" tools to run (terraform, etc). This allows infrastructure as code to be tested in CI pipelines with automated tooling easily.
• DNSStager v1.0 stable: Stealthier code, DLL agent & much more. DNS has always been a gamble for me. Either the SOC never sees it because they aren't monitoring DNS, or it gets instantly caught because it sticks out so badly. There isn't really a middle ground. This new version looks like it does well against MS365 (ATP) which is no small feat.
• Apollo 2.0 — New Year, New Features. Hot on the heals of the Mythic update, the Apollo agent gets a massive update! Props to Dwight for such an amazing changelog! Dynamic content loading, P2P over SMB or TCP, SOCK5 proxying, in-process assembly execution, PE execution, and smaller file size. Apollo has arrived!
• I’m bringing relaying back: A comprehensive guide on relaying anno 2022. Appropriate title. If you have missed the developments in relaying over the past few years, this will get you up to speed.
• Using Power Automate for Covert Data Exfiltration in Microsoft 365. Creating "flows" between Microsoft apps can also allow attackers to create "flows" of your data off to OneDrive. Best/worst part? It's enabled by default for any M365 user.
• Sandboxing Antimalware Products for Fun and Profit. This was the original post (and original PoC) that set off a string of researchers implementing the technique in Nim, C++, C#, and even a BOF.
• SysWhispers is dead, long live SysWhispers!. This post is a one-stop-shop for your SysWhispers knowledge.
• This are my principals.pdf [PDF]. This is James Forshaw's deck from OffensiveCon 2022. My rule is to read anything James publishes, but this deck would benefit from the recorded talk to give context.
• Advanced-Process-Injection-Workshop. This is a full workshop, on GitHub, for free! Looks like most of the recent injection methods are here.

Tools and Exploits

• authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
• SharpLdapWhoami is a "WhoAmI" that functions by asking the LDAP service on a domain controller. I'm not 100% sure what this would be useful for without testing it.
• EvilSelenium is a new project that weaponizes Selenium to abuse Chrome - steal cookies, dump creds, take screenshots, add SSH keys to GitHub, etc.
• shelloverreversessh is a simple implant which connects back to an OpenSSH server, requests a port be forwarded to it from the server, and serves up SOCKS4a or a shell to forwarded connections.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• reave is a post-exploitation framework tailored for hypervisor endpoints. Interesting concept, I'll be following it.
• GoodHound uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.
• ShadowCoerce is an MS-FSRVP coercion abuse PoC. Not sure how I missed this one.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034). Easily the biggest story of the last week. This is the Dirty COW of 2022, except even more stable and trivial to exploit. There are countless PoCs on github. poc-cve-2021-4034 compiles nicely into a single executable.

Techniques and Write-ups

• Custom Previews For Malicious Attachments. This is a nice phishing technique that allows attackers to create fake previews for their malicious attachment with Google Mail using an intercepting proxy.
• Bypassing Little Snitch Firewall with Empty TCP Packets. Some nifty macOS tradecraft to bypass the popular client firewall. However, you'd have to bake this in to your initial access method or have advance knowledge of little snitch use.
• .NET Remoting Revisited. This deprecated .NET architecture is still seen in older .NET projects, and this post breaks down how it works and how it can be exploited.
• Hacking the Apple Webcam (again). 4 0days combine to give an attacker full control over every website visited by the victim and camera access. This bug chain included a universal XSS and netted Ryan $100,500. Given the level of access achieved, that payout seems reasonable.
• Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM). If you've ever dealt with Cisco phone systems, this post will bring back memories. If not, stash it away for when you inevitably do.
• Notepad++ Plugins for Persistence. These types of semi-legitimate persistence are great and usually undetected.
• Mythic 2.3 — An Interface Reborn. Mythic has become one of the major C2 players in the red team space thanks to its flexibility. This update looks great, and I look forward to trying out all the new features.
• Password spraying and MFA bypasses in the modern security landscape. You don't read much about password spraying these days, but done right it can be a useful technique. This post is a good example of how to spray correctly.

Tools and Exploits

• stratus-red-team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.
• T.D.P. - Thread Description Poisoning uses SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners.
• CVE-2022-21882 is the win32k LPE bypass CVE-2021-1732.
• NimGetSyscallStub gets fresh Syscalls from a fresh ntdll.dll copy. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500 or ParallelNimcalls.
• DefenderStop is a C# project to stop the defender service using via token impersonation.
• PurplePanda fetches resources from different cloud/saas applications focusing on permissions in order to identify privilege escalation paths and dangerous permissions in the cloud/saas configurations. Note that PurplePanda searches both privileges escalation paths within a platform and across platforms.
• NimPackt-v1 is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to Native C and as such harder to detect and reverse engineer.
• wholeaked. s a file-sharing tool that allows you to find the responsible person in case of a leakage. I could see this being useful for sending multiple copies of phishing documents and seeing which ones end up on Virus Total or similar sites.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• hobbits is a multi-platform GUI for bit-based analysis, processing, and visualization. This reminds me of the 010 Editor and its templates.
• spraycharles a low and slow password spraying tool, designed to spray on an interval over a long period of time.
• cent or Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place.
• Frida HandBook is an amazing resource for all things binary instrumentation.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• MoonBounce: the dark side of UEFI firmware. UEFI/SPI firmware malware is very scare, as you can "Wipe The Drive" but it won't get rid of the malware. Check out this PDF for the technical details (PDF) and vx-underground for the samples.
• How I hacked a hardware crypto wallet and recovered $2 million. Joe Grand found that the particular firmware version of the target Trezor was copying the PIN to RA so he voltage glitched the MCU to bypass the debug disable which allowed the key to be read from RAM.
• California public office admits Covid-19 healthcare data breach. Exactly zero people are surprised. Any production database is potentially useful to attackers, this one had lots of personally identifiable information to go after.
• Force Chrome major version to 100 in the User-Agent string. This feels like the exact opposite of zer0ver.
• An Armful of CHERIs. Silicon that can enforce memory safety? I'm intrigued.
• Cyber Risks and Business Interruption Insurance - Merck and International Indemnity v ACE (et al.). TLDR (too legal didn't read in this case): the cyber insurers for Merck - the shipping giant cripped by NotPetya ransomware - tried to claim that the "War or Hostile Acts" exclusion would apply since Russia was behind the NotPetya attack. The court said nope, pay up!
• CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.. Yes, even the unsupported Log4j 1.x branch was vulnerable. If you were on an unsupported version of Log4j you've definitely upgraded in the last month right?
• McAfee Enterprise-FireEye relaunches as Trellix, aims to be ‘market leader’ in XDR. RIP McAfee (x2), and also two vulnerabilities.

Techniques

• Multiple RCE vulns in PrinterLogic Web Stack versions 19.1.1.13 SP9 and below. Check out the technical write up, which takes this week's top spot for it's technical merit but also the section on how PrinterLogic was chosen as a research target. Well done Blaine!
• Solarwinds Web Help Desk: When the Helpdesk is too Helpful. This post has some helpful tips on digging into java applications. Who knows, you just might find hard coded credentials!
• Recovering redacted information from pixelated videos. You've seen static text unbluring, but what about video? If you really want to redact something, black boxes are usually the best answer.
• Adding DCSync Permissions from Linux. If you find yourself on a Linux machine but with an AES key to a computer account with WriteDACL over the domain, you might be able to DCSync.
• ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central. Another Java bug chain, this time on critical remote management software.
• Recovering Randomly Generated Passwords. Yes, randomly generated passwords are very hard to crack, but Hans proves you can do better than a full brute force given time constraints.
• Windows Drivers Reverse Engineering Methodology Paolo sums up his year-long Windows Drivers research and details his methodology for reverse engineering (WDM) Windows drivers. This is a free mini-course on Windows driver RE!
• WMI for Script Kiddies. Nothing groundbreaking, but if you need a one stop shop of WMI knowledge, this is a good candidate.

Tools and Exploits

• chrome-bandit is a proof of concept to show how your saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by any malicious program on macOS.
• TREVORproxy is a SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
• chronorace is a tool to accurately perform timed race conditions to circumvent application business logic. Well timed race conditions can allow for uncovering all kinds of interesting edge cases. Here is a good example.
• RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
• Sliver v1.5.0. This release has a lot of cool changes. My favorite is BOF support!
• FunctionStomping is a new shellcode injection technique. Given as C++ header or standalone Rust program. Currently undetected by hollows-hunter.
• SharpGhosting is Process Ghosting (x64 only) in C#.
• CVE-2021-45467: CWP CentOS Web Panel – preauth RCE. File inclusion + directory traversal = RCE.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• A month ago AWS accidentally gave themselves read access to every S3 bucket for 12 hours. I missed this news. Such a big gaff should have been widely reported?
• VulnLab is a dockerized web vulnerability lab.
• extrude analyzes binaries for missing security features, information disclosure and more.
• serverManager is an IPMI server manager build for Dell 12th gen servers. If you have an R710 or R720 at home you have to give this a try.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvils operations. If it does, what prompted Russia to finally take action? Google translate of the FSB releases says the "basis for the search activities was the appeal of the competent US authorities."
• HTTP Protocol Stack Remote Code Execution Vulnerability. Patch tuesday brought with it an unauthenticated RCE in Window's http.sys drivers for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
• Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
• Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the internet explorer of the modern browsers. PoC code here.

Techniques

• Load nanodump as an SSP. The most advanced lsass dumper BOF was updated to allow you to load it as a Security support provider (SSP) which prevents your process from opening any handles to lsass.exe. More details on SSPs can be found here.
• 10 real-world stories of how we’ve compromised CI/CD pipelines. I like the thesis here that CI/CD pipelines are just "execution engines," and without proper protection can be abused like any other system. This one is worth a read and ponder if your CI/CD pipelines would fall to any of these or similar attacks.
• Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211. This is a great walkthrough of going from CVE to shell.
• Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more. This is incredible research and a serious vulnerability. The smart card demo was particularly impressive. This was patched last Tuesday, but should give pause to using RDP on machines with any high privileged account.
• CyberArk Endpoint Manager Local Privilege Escalation CVE-2021–44049.. Off the high of the last article (written by a CyberArk employee), this one shows that simple permissions issues can lead to LPEs.
• Mixed Messages: Busting Box’s MFA Methods. The use of a valid app-based MFA token for a controlled account allows bypass on a target account when a user only has SMS based MFA. The back end of Box must have been missing some pretty basic checks for this to work, but props for trying it!
• Zooming in on Zero-click Exploits. A deep look at Zoom reveals a buffer overflow and information leak. It's not surprising that the massive code base of Zoom has issues.
• BreadMan Module Stomping & API Unhooking Using Native APIs. This new type of module stomping has some advantages, namely you don't need to load an arbitrary library into our memory space and the starting function call of the thread will point to an address space resolved usually by trusted DLLs such as ntdll.dll. Code here.

Tools and Exploits

• azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
• Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
• ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• vapi is a Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios.
• reFlutter is a Flutter Reverse Engineering Framework for iOS and Android apps. This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• RCE in H2 Console. With all the dust kicked up by the JDNI injection log4j RCE, you just knew that someone would find JDNI injection elsewhere. "There are bound to be more packages that are affected by the same root cause as Log4Shell.".

Techniques

• EDR Parallel-asis through Analysis. "During the development of the Nighthawk C2 MDSec stumbled upon what appears to be a new and novel technique for identifying syscall numbers for certain syscalls which may then be used to load a new copy of ntdll into memory, allowing the remaining syscalls to be read successfully without triggering any installed function hooks." Is this whole post a humble-brag/sales pitch for Nighthawk? Maybe. But I'll gladly take high quality research and PoCs to prove how cool Nighthawk is. Want it in C#? say no more.
• Domain Persistence – AdminSDHolder. The special AdminSDHolder ACL is applied to all groups and accounts that are part of that object every hour, enabling permissions to be continuously restored to an account if detected by the blue team.
• Domain Escalation – sAMAccountName Spoofing. The sAMAccountName/noPac attack dropped last month, but this post shows multiple tools/attack methods to exploit it in practice. TrustedSec has a good blog post on detection opportunities.
• A phishing document signed by Microsoft – part 2. Microsoft signed add-ins are back, and have vulnerabilities. A string of bugs/features were used/abused to enable remote XLL loading. At this point I'm not sure anyone outside of Redmond, WA knows more about office document internals than Pieter, Dima, and the team at Outflank.
• Scanning millions of domains and compromising the email supply chain of Australia's most respected institutions. The use a AWS Lambda and DynamoDB for distributed scanning was clever, but the number sites where SPF/DMARC checks passed just with some light EC2 cycling to get proper IPs was frightening. Very cool research!
• Kernel Karnage – Part 8 (Getting Around DSE). This serious has been great so far, and now that real world protections are turned back on it's really getting good. There is no PoC dropped, but enough code to get you pretty far in your own driver loading BOF adventures. Keep up the great work @cerbersec.
• Get expert training on advanced hunting. This is a great collection of MS defender for endpoint and KQL training.
• Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice. If you ever need to be really sure no one has intercepted your package, this is a cool option.
• Staging Cobalt Strike with mTLS using Caddy. Staging is a bad idea. But what if you protected your staging endpoint with mTLS? You'd end up with CaddyStager!

Tools and Exploits

• inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
• rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
• insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
• SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
• PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
• Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
• defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
• domains is (probably) the world’s single largest Internet domains dataset.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• China suspends deal with Alibaba for not sharing Log4j 0-day first with the government. Note this isn't as bad as the headline makes it seems, as China only suspended a "cooperative partnership... regarding cybersecurity threats and information-sharing platforms." Regardless, it sends a clear message. If you find a vulnerability in China, you'd better tell the government about it before anyone else.
• ZeroPeril Deep dive into executable packers & malware unpacking Training Course Announcement. New fully remote training that uses x86/x64dbg. Training is fully remote (Teams).
• How did LastPass master passwords get compromised?. A number of users received emails that their master password had correctly been used from a suspicious location, even after changing it. Is this an email error or something deeper? Either way, not a good look for LastPass, which has already lost credibility.
• In 2022, YYMMDDhhmm formatted times exceed signed int range, breaking Microsoft services. Duct tape and glue. It's all just duct tape and glue.

Techniques

• Android Application Testing Using Windows 11 and Windows Subsystem for Android. You've heard of the Windows subsystem for Linux, but how about the Windows subsystem for Andrid? Now you can use your favorite mobile assessment tools like objection and Burp suite without needing a real android device!
• Hopper Disassembler. This post shows how to use Hopper to bypass simple jailbreak detection by modifying a single jump instruction. Sometimes it is that simple, but the trick is knowing which byte to change.
• MS Teams: 1 feature, 4 vulnerabilities. None of these are severe, but some are simple issues that you wouldn't expect a market leader in connectivity to be making.
• Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation (PDF). System on a Chip (SoC) designs can include multiple wireless technologies with shared components. This overlap can lead to one compromised protocol being able to read or edit data on another medium via the shared resources.
• How to exploit Log4j vulnerabilities in VMWare vCenter. Unauthenticated remote code execution as root against vCenter via Log4j. The post covers good post-exploitation options and even drops the PoC: Log4jCenter.
• Where's the Interpreter!? (CVE-2021-30853). This dead-simple Gatekeeper bypass makes you wonder what other silly tricks are out there. Patrick doesn't stop at the PoC and dives deep into the root cause of this bug. Notably this fix is absent for Catalina (10.15.7), however my very limited testing indicates it may not be vulnerable.
• A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard. If you're interested in what "real" APT malware looks like, this long post covers a lot of tools.
• Remote Process Enumeration with WTS Set of Windows APIs. With the proper privileges you can get a remote process list using standard Windows APIs. This would be a nice tool to avoid machines with EDR or other programs running.
• CVE-2021-31956 vulnerability analysis (Chinese). This post explores CVE-2021-31956, a local privilege escalation within Windows due to a kernel memory corruption bug which was patched within the June 2021 Patch Tuesday and contains actual exploit code.
• HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
• Dumping LSASS with Duplicated Handles. Rastamouse walks through how to use duplicated handles to dump LSASS which builds on his previous post on enumerating and duplicating handles. It still dumps to disk, so a pure in-memory implementation will get you even more evasion points.
• Another Log4j on the fire: Unifi. Another great walkthrough on how to go from login page to backdoored appliance from Nicholas at Sprocket Security. 67,000 exposed instances on shodan... RIP in peace.
• Phishing With Spoofed Cloud Attachments. "Abuse the way O365 Outlook renders cloud attachments to make malicious executable cloud attachments look like harmless files." This is phishing gold. Paired with a nice sandbox aware firewall/redirector it will likely yield success with a simple docuement.pdf.exe payload because the mail looks so good.
• Edition 14: To WAF or not to WAF Effectiveness of WAFs are a hotly debated subject in AppSec circles. This post tries to bring a structure to that discussion.

Tools and Exploits

• KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
• WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
• hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
• Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
• Invoke-Bof loads any Beacon Object File using Powershell!
• Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
• Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
• iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
• Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating system written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
• whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
• The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
• TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
• LACheck is a multithreaded C# .NET assembly local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
• Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Log4j 2.15.0 stills allows for exfiltration of sensitive data. You'll be writing this one up on assessments for years to come. 2.16 was released but also had a DoS-able vulnerability. Third patch is the charm? This whole saga has become the best example of Dependency in recent memory. If you need to exploit Log4j, grab the JNDI-Exploit-Kit. Trying to keep it all straight? This flow chart was up to date when published.
• Updates to the Bug Slayer bug bounty program. If you use CodeQL to find and report bugs, you may be eligible for a bonus bounty.
• Nighthawk 0.1 – New Beginnings. MDSec releases more details about its impressive in-house C2 framework. I'd love to get my hands on it and test it out. DM's open ;).
• REVEN Free Edition - Available as a VM. REVEN is a "Timeless Analysis" system that allows you to triage crashes more effectively. Now it's even easier to try out with a ready made virtual machine.

Techniques

• How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs. A manual source code audit and some fuzzing found this arbitrary file read bug.
• A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Wow. NSO used a JBIG2 vulnerability to construct a custom computer architecture they then used to search and modify memory to carry out the next stage of the exploit chain. Talk about weird machines.
• Defeat the Castle - Bypass AV & Advanced XDR solutions.. AV/EDR solutions seem to struggle with the double encryption/encoding used here. Tool available here.
• Yes, fun browser extensions can have vulnerabilities too!. "A one-time visit to a malicious website would have been sufficient to compromise the browser integrity permanently." It's time to start thinking of browsers as OSs and extensions as programs running as root.
• Alternative Process Injection. This processes injects shellcode into the already loaded DLL memory page, which gets around most (but not all) indicators of injection.
• Blackswan Technical Writeup (PDF). Six Windows privescs with beautifully presented write ups? Yes please.

Tools and Exploits

• Cobalt Strike 4.5 Update Specifics:

  • Writing Beacon Object Files: Flexible, Stealthy, and Compatible. This post is great as it covers lesser used concepts like syscalls in x86 BOFs.
  • Process Injection Update in Cobalt Strike 4.5
  • User Defined Reflective Loader (UDRL) Update in Cobalt Strike 4.5
  • Sleep Mask Update in Cobalt Strike 4.5
  • A Deeper Look Into the Max Retry Strategy Option

• moonwalk helps cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
• The Hacker Tools is focused on documenting and giving tips & tricks on common infosec tools. This is an awesome initiative and an idea I've had for a while. Happy to see it being executed.
• Cobalt-Clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of a clipboard.
• intruducer is a Rust crate to load a linux shared library into a target process without using ptrace.
• KernelSharp is an example of how to use NativeAOT to compile C# code to a Windows Kernel Mode driver.
• KernelBypassSharp is a C# Kernel Mode Driver to read and write memory in protected processes.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
• mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
• adPEAS. Note this is not part of the "official" PEAS toolset. It's a Powershell tool to automate Active Directory enumeration.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• log4j logging framework vulnerable to RCE (10.0 CVSS3). Who knew that the ability to do Jndi lookups with user supplied data could be such and awful idea. Early reports claimed a recent version of Java and some environment variables would mitigate the vulnerability, but they were mistaken. Check out this Blue Team Cheatsheet for links to advisories.
• Pixel prevented me from calling 911. When you give up control of a core function like dialing to third party apps, in this case Microsoft Teams, bad things can happen.
• Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. You can now submit drivers directly to Microsoft with details about how they are vulnerable or malicious.
• Cobalt Strike 4.5: Fork&Run – you’re "history". "We dedicated a significant portion of this release to improving controls around product licensing." When your tool is used in nearly all ransomware events, I suspect HelpSystems got a call from someone to put more controls in place. The biggest change in this release for users is the ability to define custom process injection technique as well as increased size limits for sleep mask kit and user reflective loaders. Cobalt Strike continues to innovate and adapt to the changing offensive security landscape - the reason why it is the go to tool in the space.

Techniques

• CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as it allows any domain user with the ability to add computer accounts (default 10 per user), can get a ticket as a DC to arbitrary services which allows dcsyncing. Patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also checkout more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
• A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
• Getting root on Ubuntu through wishful thinking. Exploits are hard, even when you get root sometimes you aren't sure why. Adding a sleep to allow the ability to attach a debugger when the process did eventually crash was clever. Full PoC here.
• MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
• Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's seen what kernel driver loading tricks they come up with in future posts!

Tools and Exploits

• CVE Trends is a dashboard for expensive threat intel monitoring twitter without having to learn about tweetdeck. This is a really nice site check for the latest log4j RCE or to put up in your NOC.
• Podman Desktop is the Docker desktop replacement you may be looking for now that Docker Desktop is no longer free for most companies.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
• KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.