News

• EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline. Congrats to Patrick Gray; they finally released the hounds!
• Infosec skills gap widens in all regions bar Asia-Pacific – report. "(ISC)² now estimates the global infosec skills gap to stand at around 2.7 million unfilled positions worldwide... The underlying issue isn’t just that demand is growing, it is that the jobs market consistently can’t attract enough people into cybersecurity careers to service demand."
• Pixel 6: Setting a new standard for mobile security. The flagship phone from Google comes with 5 years of security updates (matching iPhones), as well as a feature that looks like a built in Android version of iVerify.
• March 2019 FBI CAST Cellular Analysis & Geo-Location Field Resource Guide. Well this is interesting. Note: this document was acquired legally via a public record act request.
• New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts. Is this the first confirmed case of a US person being hacked with NSO exploit presumably by a Saudi-linked operator (Jeff Bezos hack-and-leak had weak attribution)? Are the "gloves off" now? Artifacts go back as late as 2018.

Techniques

• Using Kerberos for Authentication Relay Attacks. The great James Forshaw is back with a tome on Kerberos for relaying.
• Windows Exploitation Tricks: Relaying DCOM Authentication. Kerberos wasn't enough, so DCOM got the James Forshaw treatment too.
• Car hijacking swapping a single bit. These physical attacks are always cool to me. The same basic principle of exploitation applies to them: to exploit a system, you often must totally understanding it - sometimes better than the designers.
• Don't Ruck Us Too Hard - Owning Ruckus AP devices. This research involved a cool setup of Ghidra and dockerized QEMU emulation. Any IoT or embedded researchers should read this.
• Double spending bug in Polygon’s Plasma bridge. This bug was awarded a $2 million USD bounty. Perhaps it's time to switch focus to cryptocurrencies and smart contracts.
• AlphaGolang | A Step-by-Step Go Malware Reversing Methodology for IDA Pro. If you've ever had to reverse Go programs, you know it's a mess. AlphaGolang aims to help the analysis with IDA Pro with a series of helpful scripts.
• Servers are overrated – Bypassing corporate proxies (ab)using serverless for fun and profit.. This post comes complete with a "bug not a vuln" which lets you register subdomains of azurewebsites.net that includes reserved words like "microsoft."
• Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses. Woah.
• Formalized Curiosity. This post is a good look at a process for conducting research.
• Driver Buddy Reloaded. Use this on your hunt for Windows driver vulns!

Tools and Exploits

• ProfSvcLPE is an currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, but wasn't properly patched. The repo contains a word doc with a writeup as well.
• ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
• Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
• FakeAMSI. Have you ever persisted by pretending to e an antivirus product?
• SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
• CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
• DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
• jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Firefox Suggest lands in the US, bringing ads to the browser search bar. Add this to the list of check boxes to uncheck on new Firefox installs. Settings -> Privacy & Security -> Address Bar — Firefox Suggest -> Contextual suggestions.
• Cheat Maker Is Not Afraid of Call of Duty’s New Kernel-Level Anti-Cheat. This is the second major video game maker to move to the kernel. As these drivers will be allow listed by AV, any vulnerability in them could prove valuable to red teamers.
• Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site. This is the level of computer literacy in government. RCVS-hack contains this 31337 darkweb 0day. 🤦
• Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. The US government isn't totally hopeless and this push to use hardware tokens to prevent phishing from the White House is a great move!
• The Shenanigans of Jonathan Villareal. The fake iOS 0days were absent from this curated blog (you're welcome), but they show how easily manipulated the "infosec community" can be. This post breaks down the "RCE" and shows industry expert reactions.
• L0phtCrack is Now Open Source. Perhaps the oldest password "audit" tool is now open source. The GPU supply shortage and other factors caused Terahash to default on the terms of the sale of L0phtCrack and thus it was repossessed and open sourced.
• Sysmon For Linux. Breaking: temperature in Hell nearing freezing, hogs show signs they may be capable of flight.
• Windows Print Spooler Spoofing Vulnerability - CVE-2021-36970. This PrintNightmare may never end.

Techniques

• House of IO - Heap Reuse. This new modification to the House of Io even has some example code so you can follow along.
• Azure Privilege Escalation via Service Principal Abuse. Despite well defined password policy safeguards, Application Administrators can often elevate to Global Administrators if the application has Global Admin service principle. "Azure admins can prevent this attack path by auditing roles held by service principals and comparing those roles to the other identities with control of apps."
• Finding gadgets like it's 2015: part 1. This article explains the CommonCollection 1 and 7 gadget chains to help understand the new chain found in the Mojarra library.
• Resource Based Constrained Delegation. RBCD is one of the more complicated Active Directory attack paths. This article shows practical, step-by-step exploitation of this path which should help drive home the process.
• Countering threats from Iran. Interested in what an actual APT phishing campaign and infrastructure looks like? Look no further.
• Creating a Malicious Azure AD OAuth2 Application. Emulate those OAuth2 APTs (see above) with this practical guide from trustedsec.
• Exploiting Redis Through SSRF Attack. This post shows different ways the Redis key-value store can be exploited using SSRF.
• How a simple Linux kernel memory corruption bug can lead to complete system compromise. This post is unique in that the mitigations sections is three times as long as the vulnerability/PoC walk through.
• Microsoft Windows Antimalware Scan Interface Bypasses. AMSI bypasses have been around for a few years, and this post shows the internal workings of how the memory patches work.

Tools and Exploits

• Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for cobalt strike, or writes an integration for Mythic. For prior art, check out pycobalt.
• The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
• ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
• Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
• nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password, on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
• AnyDesk Escalation of Privilege (CVE-2021-40854). You've got love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
• LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
• Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted. Probably want to review the code before use (same goes for all tools).
• WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Windows 11 available on October 5. I suppose it's better than having another cryptic Windows 10 version? The difference between 1507 and 21H1 is pretty big and lots of people are on "Windows 10" versions that are not being updated without realizing it.
• European Parliament backs ban on remote biometric surveillance. Not law yet, but a move in the right direction.
• Announcing osquery 5: Now with EndpointSecurity on macOS. The amazing osquery tool has been updated to use the latest Endpoint Security framework/API that Apple has been pushing recently after depreciating kernel extensions.

Techniques

• Analyzing and Detecting a VMTools Persistence Technique. VMware tools binaries/services are commonly found on VMs and can be leveraged for persistence on power state changes. Unsure of how useful this would be in practice, as most legitimate target VMs would be in a datacenter somewhere powered on all the time?
• Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2. An "in the wild" exploit of IOMobileFrameBuffer is cited in the iOS 15.0.2 patch notes, and this bindiff and PoC is incredibly quick. In the end a reliable crash with arbitrary data is achieved. Update those iOS devices (and/or save your SHSH2 blobs ;). What's amazing is this analysis/PoC was completed and published in under 2 hours of the patch being released. Very impressive.
• gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP). This is a perfect tool to run after you land on a developer's machine with GCP credentials. Currently only available in the docker image desijarvis/gcphound:v1.1-beta and the tool is written in python at /root/gcpHound.
• Environmental Disaster - a LaunchServices Tale. The ability to control environment variables when launching a process from an app sandbox on macOS leads to a few different kinds of sandbox escapes, with more likely lurking thanks to popular applications/frameworks and their use of environment variables that are not block-listed by Apple.
• Backdoor .NET assemblies with… dnSpy 🤔. Everyone loves a good backdoor for persistence, data exfiltration, or even privilege escalation. .NET assesmblies can be modified to run arbitrary code with dnSpy, and if exposed to the internet, could even be triggerable!

Tools and Exploits

• HandleKatz is a position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump(). The tool does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing (unlike Donut, sRDI, etc).
• SharpCalendar is a tool that uses Microsoft.Office.Interop.Excel to retrieve Outlook Calendar details in operator defined one month chunks. Sometimes its nice to know if/when someone will be out of office!
• Ninja_UUID_Dropper is a loader that uses module stomping, no new thread, HellsGate syscaller, and UUID encoding for x64 Windows 10. The technique of encoding shellcode in UUIDs was first seen in Lazarus malware.
• covert-tube is a program to control systems remotely by uploading videos to Youtube using Python to create the videos and the listener. It creates videos with frames formed of simple text, QR codes with cleartext, or QR codes using AES encryption. It may be easier to use youtube comments/video descriptions with encrypted text instead of reading data out of the videos themselves?
• weakpass_3a is the latest weakpass wordlist. 107.77 GB of plaintext password goodness to feed your GPU cluster.
• hermes is a Swift 5 Mythic payload for macOS. It currently supports Mythic 2.2.8 and will update as necessary.
• SuspendedThreadInjection is a meterpreter injection technique using C# that attempts to bypass Defender.
• DInvoke_rs brings the popular DInvoke/direct syscall technique to Rust! I'm excited to see more rust tooling for red teams.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Viper is a graphical penetration tool that wraps metasploit in a nice, multi-user web-gui.
• Clash is a rule-based tunnel daemon in Go that supports many protocols like VMess, Shadowsocks, Trojan, etc.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Understanding How Facebook Disappeared from the Internet. Facebook had five hours of outage which is $9,806,639 of revenue based on 2020 numbers. A BGP issue took DNS down, and without DNS nothing worked. Bonus points if you have abandoned facebook and facebook owned services so much you didn't really notice. Facebook has issued their own details about the October 4 outage.
• Unauthorized Access to Your Coinbase Account. Add this to the list of why SMS two factor is not real two factor, although it isn't clear if Coinbase or mobile carriers were the ultimate culprit. Either way, hardware security tokens are the answer.
• Company That Routes Billions of Text Messages Quietly Says It Was Hacked. Don your tin foil hat and conjecture if this is related to the previous story - probably not, this feels like good old fashion espionage.
• Introducing the Secure Open Source Pilot Program. Bug bounty for preventative security improvements is a great idea, but the ambiguity of the categories is even worse than normal bug bounty. Good luck to whomever has to "triage" these reports, but kudos to Google for trying something.
• Twitch Hack of 135 GB of Data Includes How Much Its Biggest Streamers Make. There are 6,000+ git repos as well. An interesting look behind the curtain of a major tech company.
• Unicorn2. Unicorn, the popular CPU emulation framework is over 6 years old now and the second major version has been build from scratch on top of Qemu 5. It also adds PowerPC and RISCV emulation.

Techniques

• Life is Pane: Persistence via Preview Handlers. Windows explorer previews are generated by DLLs that are registered for each file extension. Attackers can register their own handlers or take over existing extensions for persistence when a user opens an explorer window containing a file with that extension. This is sneaky, and probably not detected by many EDR vendors... yet.
• Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings. The auth endpoint calculated the password hash of the plaintext supplied by the user by calling a one line python script from Go and passing the plaintext as an argument. Why not calculate the hash in the Go binary? Less RCE that way I suppose...
• Crucial’s MOD Utility LPE – CVE-2021-41285. More "gaming" drivers, more LPEs. If you need system, target gaming drivers!
• Reverse engineering and decrypting CyberArk vault credential files. This post is a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. The author discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password
• Abusing Weak ACL on Certificate Templates. This is a walkthrough of the ESC4 attack described in Certified Pre-Owned.
• Single Step Encryption/Decryption. Decrypt and run shellcode one instruction (or 16 byte block) at a time. This should help against memory forensics, but may be unstable with complex shellcode.

Tools and Exploits

• OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
• Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
• DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
• kenzer performs automated web assets enumeration & scanning.
• PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disabled_functions set in php.ini and execute shell commands on the target webserver.
• DonPAPI dumps DPAPI credentials remotely.
• aad-sso-enum-brute-spray A PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.

-FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program. Criticism of Apple's bug bounty program has been growing, and it's pretty clear there is a problem. For a company with as much cash on hand as Apple (nearly 200 billion USD), the bad press from this can't be worth it, right? Another researched joined in the 0day releases with Rotten-Apples.
• macOS Control Bypasses - New course for 2021. It's great to see macOS get attention from training vendors. This course is only available in a subscription model which is an interesting pricing strategy from a vendor known for its relatively affordable a la cart training.
• Announcement: VMware Fusion for Apple silicon Public Tech Preview Now Available. It only support Arm Linux virtual machines, no Arm Windows builds for now (as there is no way to legally license them for VM use).

Techniques

• Financially motivated actor breaks certificate parsing to avoid detection. By using End of Content markers in fixed length encoding, adware distributers were able to trick non-OpenSSL based products (i.e. Windows) to believe an invalid PE signature is actually valid. This is a neat trick, and I'm a bit surprised to see it burned on adware. Who else was aware/using it too?
• XSS to RCE: Covert Target Websites into Payload Landing Pages. I really like this idea for delivering payloads for a red teaming phish, assuming the customer site is vulnerable to XSS that is otherwise not very valuable in terms of the assessment objectives.
• Chrome in-the-wild bug analysis: CVE-2021-30632. Dig into the internals of the V8 JIT engine with GitHub as they analyzed this browser bug. PoC here.
• Apache Dubbo: All roads lead to RCE. More GitHub technical content, this time a great article that goes from target identification to RCE using CodeQL. Be sure to check this out if you aren't using CodeQL for source code analysis/bug hunting.
• Resetting Expired Passwords Remotely. Some great techniques to get past expired or must-be-reset passwords found on a Windows network.
• IAM Vulnerable - Assessing the AWS Assessment Tools. This is a great test of the four major open source AWS IAM misconfiguration assessment tools. I wonder if the IAM Vulnerable project could be used with CI/CD for these tools to show "live" coverage of the test cases as they improve.
• An Intro to Fuzzing (AKA Fuzz Testing). Just what the title says. One of the best intro articles that covers the basics.
• Beyond the good ol' LaunchAgents - 20 - Terminal Preferences. Wild that this series is already up to 20. This one would only work against technical targets, as they have to open the terminal application to run your persistence.
• Pwn2Own 2021: Parallels Desktop Guest to Host Escape. "Many evenings it is easier for me to read other people’s research, but I won’t find vulnerabilities reading blog posts. You find them by trying to do your own research." Damn, got me there. I've got some original research cooking (slow cooking, but still cooking).
• New Azure Active Directory password brute-forcing flaw has no fix. The Azure Active Directory Seamless Single Sign-On has been good for user enumeration since 2019 but this new discovery allows brute forcing (via a web endpoint, so it will be slow) without even logging anywhere. Wild. A successful login will generate a log, but you can spray all day without alerting any organization that users pass-through authentication.
• Everyone Gets a Rootkit. On Windows since Windows 8 the Windows Platform Binary Table has a weakness that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit compromising the integrity of the device.
• FinSpy: unseen findings. What's better than a rootkit? A bootkit of course. FinSpy has been busy since it was last reported on in 2018 with some seriously advanced malware.

Tools and Exploits

• injectEtwBypass is a CobaltStrike BOF that injects an ETW bypass into a remote process via syscalls using HellsGate/HalosGate. This BOF contains some excellent assembly primitives for finding syscalls dynamically.
• PPLDump_BOF is a fully-fledged BOF to dump an arbitrary protected process.
• Needle_Sift_BOF is a file search bof to find strings within files without downloading the file from target. It uses strstr to do the search, and is case sensitive (no strcasestr function in Windows).
• Dragonfly: your next generation malware sandbox. A new sandbox with rules engine. Details are light but it looks like this sandbox uses binary emulation vs running samples in an instrumented virtual machine. Sign up for the Alpha here.
• ThreadStackSpoofer is a PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
• gitoops is Bloodhound for GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
• SyscallNumberExtractor exports all ntdll.dll syscalls to syscalls.txt. Useful for hard coding direct syscalls if not using a *gate technique.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Google is partnering with Open Source Technology Improvement Fund, Inc to sponsor security reviews of critical open source software.. Google is funding the review of eight libraries, frameworks, and apps including Git, lodash, and Laverel.
• Kali Linux 2021.3 Release. The most popular offensive security Linux distribution gets its third release of the year, with minor tweaks to better support VMs, old TLS versions, new tools, and updates throughout the OS.

Techniques

• NSA Meeting Proposal for ProxyShell. By combining the "NSA Metting" and "ProxyShell" exploits for Exchange, a unique RCE chain can be created that may not otherwise be detected. Code here.
• Defeating macOS Malware Anti-Analysis Tricks with Radare2. Working around anti-debug measures is critical to dynamic analysis. This post shows how r2 can be used to manipulate execution and bypass checks.
• Microsoft Teams Spoofing Attacks. This post contains a message request approval bypass, attachment spoofing, and link spoofing techniques. If you phish via Teams, this is a must read.
• AMD Chipset Driver Information Disclosure Vulnerability. Two vulnerabilities exist across modern AMD chipsets that allow for information disclosure via reading uninitialized physical memory pages.
• All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035). Top tier exploit write up, from fuzzing to code execution.
• Beginners Guide to 0day/CVE AppSec Research. I'm not sure how this guy sleeps with the consistency of long form content and code he produces. This post has a walk through of how to setup and instrument a PHP app for testing.
• Full-Spectrum Cobalt Strike Detection. This report is a technical profile of the commercial post-exploitation framework Cobalt Strike. It contains details on the capabilities of the framework, observed threat actor use, host-based and network-based detections, and SOAR strategies for detection and response. This report is intended for security operations audiences who focus on detection engineering.
• VSCode BOF Development Trick. Set your compiler to mingw32-gcc and Intellisense will help you out!

Tools and Exploits

• OMIGOD

  • “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution. This is the post the started it all. Another Azure find from Wiz. Simply removing the authorization header allowed for RCE as root. Amazing that is a thing in 2021.
  • Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions. The official Microsoft response.
  • OMIcheck is a set of scripts from Microsoft to check and upgrade your omi agents.
  • CVE-2021-38647 is a nice wrapper for the PoC in the Wiz post.
  • Azure OMI RCE Attempt shows a small sample of "in the wild" exploitation.

• goblin is a phishing tool that can host sites and display notices if uses click call to action buttons. This won't replace GoPhish any time soon.
• fapro is a multi-protocol honey pot with ELK logging support. Looks like no source code is available (yet?).
• PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.
• CVE-2021-40444--CABless. Your favorite Word RCE, now with no CAB and a single line of javascript.
• CFG_Allowed_Functions is a pykd version-independent tool that finds and dump functions allowed by Control Flow Guard (CFG).
• Zerotier - Multiple Vulnerabilities. An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorized access to private Zerotier networks. To exploit, see ZTCrack.
• Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
• Rosplant Pis a proof of concept to leverage Roslyn for post-exploitation (Roslyn + Implant = Rosplant). It comes in two parts, the server and client. Raw C# is entered into the server's console by the attacker, which is sent to the client (via TCP for the PoC). The client uses Roslyn to evaluate the code and sends the results back to the attacker.
• SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single-files and full-directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data will be compressed and encrypted before being uploaded. While exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the "memoryonly" option.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate rapport.
• Obfuscating Malicious, Macro-Enabled Word Docs. Missed this one last week, but some great tips on macro-obfuscation techniques for when that Word RCE stops being useful.
• be-a-hacker. This is a road map to being a self-taught hacker.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Introducing Android’s Private Compute Services. Google is aiming to put the Private Compute Core from Android in the cloud and they're vouching to do 3rd party validation via audits.
• VMware denies allegations it leaked Confluence RCE exploit. Bug bounty drama as a payload sent to VMware as part of a bounty was later added to the Nuclei scanner by a researcher who claimed they found it via "Pastebin scraping" and could not produce the source URL to the paste. Bug bounties rely on trust, and these types of incidents underscore that.
• FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild. If your threat model includes nation states with massive war chests willing to burn 0days to get on your device, I think any stock OS is going to be insufficient to protect you. Perhaps the best way to fight against this type of exploitation is to capture and expose the exploits fast enough to make it economically unfeasible to use them against activists? Props to Citizen Lab for doing the work here.
• U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation. Three members of the RAVEN crew pled guilty in exchange for a three-year deferred prosecution agreement and fines. Interesting that the CFAA wasn't used in this case, as it is typically the hammer for anything computer related. How much taxpayer money did the US spend investigating and prosecuting these three? Imagine if the US Government instead paid competitive salaries so their own hackers didn't travel to the Middle East and hack for other governments...
• Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds.. Self host that CI/CD, that way the mistakes are your own.

Techniques

• Burp Suite RCE. The built-in Chrome browser in Burp Suite 2.0 is an old Chrome version, which can be combined with the "Use dynamic analysis techniques" feature to trigger RCE on an assessors Windows machine by simply browsing a site via the embedded Chrome browser. Is this ultimate WAF? Ransomware any Burp Suite users that browse your site?
• Hacking CloudKit - How I accidentally deleted your Apple Shortcuts. Even the big companies are not immune to misconfigured access controls. In this case the result was an assessor was able to delete all shared "shortcuts" links for iOS.
• Tickling VMProtect with LLVM: Part 1. This series gets into the weeds of using LLVM as a software based deobfuscation framework that initially targets binaries protected with VMProtect.
• Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja. Supporting macOS back to 10.13 had the effect of silently dripping stack protections, and the author uses the Binary Ninja Python API to help automate bug finding.
• Change home directory and bypass TCC aka CVE-2020-27937. By planting your own TCC database you can bypass the whole user TCC (Desktop, Documents, Address Book, Camera, Microphone, Photos and more).
• Hook Heaps and Live Free. Ecnrypted heap allocations. Now that is some legit tradecraft! This post is a gold mine of information about "in memory evasion" and practical examples of how to implement it with Cobalt Strike. Example code (for the first basic example) here. If you liked this post be sure to check out SleepyCrypt: Encrypting a running PE image while it sleeps which also dropped last week.
• CVE-2021-3437 | HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices. Perhaps its time to download any gaming related drivers and do a vulnerability hunt... 🤔

Tools and Exploits

• Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444. This was the big news of last week. RCE from simply opening a Word doc, thanks to old friends - directory traversal, IE, and ActiveX.

  • Demo of an RTF variant working in the explorer preview
  • KQL query
  • Malicious docx generator
  • Windows MSHTML zero-day defenses bypassed as new info emerges
  • CVE-2021-40444 Analysis/Exploit - This is the best analysis/walkthrough I have come across.
  • Microsoft Defender Attack Surface Reduction recommendations - Old but gold. "Block all Office applications from creating child processes" is what you want for this vulnerability specifically.

• BOF-Adios is a BOF that will zero, then delete your beacon's executable on exit! Useful if you are dropping a loader to disk as part of a phishing campaign.
• NimHollow is a Nim implementation of Process Hollowing using syscalls with some nice features like shellcode encryption, sandbox detection, and AMSI patching.
• iam-vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. More details on the BishopFox blog.
• Toggle_Token_Privileges_BOF is an (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
• SharpSystemTriggers is a collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.
• azureOutlookC2 - Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
• ImpulsiveDLLHijack is a C# tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
• AppInitHook is a global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for read teaming.
• ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Illinois Bought Invasive Phone Location Data From Banned Broker Safegraph. I've read my cell phone and internet provider terms of service, but the issue is all the major providers have the same clauses where they can sell your data. There's no alternative that provides the same level of service while respecting customer data. I worry that since this data is "anonomyized" even measures like GDPR wouldn't be effective.
• How Data Brokers Sell Access to the Backbone of the Internet. More privacy nightmare fuel. Every connection to and from public IP addresses is being recorded, sold, aggregated, and analyzed. There are now full on private SIGINT systems.
• Hackers Leak Videos of Iranian Prison. This looks like a classic hacker movie scene - the screens go black then display the hacker's message full screen.
• Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature. "On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key." Luckily it only affected customers with the Jupyter Notebook feature enabled. For more information check out ChaosDB.
• From Pearl to Pegasus Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits. More 0-click iOS exploit nightmare fuel.
• SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom. This detailed-but-accessible case study of the Russian cyber espionage campaign that targeted SolarWinds is from the free Cybersecurity Law, Policy, and Institutions (version 3.1).
• ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested. Assume your IP is being recorded by not only the site you access, but every device/government/data broker in between. Act accordingly if any of those are in your threat model.

Techniques

• Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
• ZDI-21-1053: Bypassing Windows Lock Screen. The ease of access on screen reader is used once again to execute binaries on a USB and execute code even with the screen of a Windows 10 computer locked. PoC video here.
• From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
• Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in ever red team toolkit. Code here.
• %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
• Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
• Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
• Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
• Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.

Tools and Exploits

• Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use 4x HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
• RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects the ImageMagick with the default settings from Ubuntu repository (tested with default settings of ImageMagick on Ubuntu 20.04). More info here.
• LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.
• NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
• AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
• OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
• iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
• PR0CESS has a few projects for interesting PE loading techniques.
• CVE-2021-33909 is a Linux LPE for Sequoia.
• laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
• zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
• JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
• beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
• Khepri is a post-exploiton tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
• ockam is a library for end-to-end encryption and mutual authentication for distributed applications.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple CSAM fallout:

  • Opinion: We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous. A group from Princeton built a similar system to what Apple has deployed and decided it was too dangerous to put into practice. "Apple is gambling with security, privacy and free speech worldwide."
  • Working Collision? #1. This was the start of the collisions but it quickly snowballed.
  • neural-hash-collider can generate collisions on demand.
  • Had enough of Apple? Look into GrapheneOS, CalyxOS, or even a PinePhone.

• Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims. Last week the news section had a good news story about Apple dropping a case against Corellium. They've appealed the other case they lost. All this while claiming security researchers would be a check against CSAM scanning abuse...
• A Hacker Stole and Then Returned $600 Million. The wild west of finance sees it's largets heist yet (yes, bigger than Mt. Gox). For technical details (facepalm warning) check out rekt.
• Microsoft announces price increase for Office 365 and Microsoft 365. E5 is still crazy expensive.
• Porchetta Industries Launches. "The Information Security Industry doesn't have a direct way to support Offensive & Defensive Open Source Security Tool developers even though it relies on them for a large portion of their services and/or internal capabilities. We're here to change that. Porchetta Industries provides a centralized platform for organizations to fund and support Open Source Security Tools."

Techniques

• 1Password Secret Retrieval — Methodology and Implementation. Password managers are a juicy target for post-exploitation. This post explores the 1password password manager and offers some detection tips. If an attacker is injecting code into processes undetected, it might be too late. Check out 1PasswordSuite for the tools.
• Executing Code In Context Of A Trusted Agent (Part 1) - Windows Defender Antivirus. The only thing better than bypassing AV is running in the context of AV itself. PoC here.
• Introducing GoKart, a Smarter Go Security Scanner. If you've got some Go code to review or are trying to exploit, give gokart a shot.
• Domain Escalation – PrintNightmare. Need a refresher or reference on all the PrintNighmare madness? This post covers remote discovery and exploitation.
• Uncovering Tetris – a Full Surveillance Kit Running in your Browser. A watering hole attack used JSON Hijacking and other methods to attempt to identify users. It even attempted to steal secrets from the user's local machine using websockets!
• Oh, Behave! Figuring Out User Behavior. Once you gain access to a target workstation, how do you determine what the user does day to day? Which applications would be best to backdoor for persistence? This post explores some ways to answer these questions.
• Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent. If you have local admin you can export the AD FS Hybrid Health Agent secret and spam the Azure AD sign-in logs with fake entries.
• Creating the WhereAmI Cobalt Strike BOF. Bobby has been on a roll, churning out BOFs at a rapid pace. It likely took significant extra time to document and write up the process behind whereami which dumps the environment variables without calling the WinAPI, and for that I am grateful!
• Responder's DHCP Poisoner. Responder 3.0.7.0 comes with a new DHCP module! Learn about it in this post.
• Razer Windows LPE. Simply attaching a Razer mouse (or a spoofed one) will run a UI as SYSTEM that you can use to open a file dialog and spawn a prompt with. I don't believe this has been weaponized without physical access or desktop interaction yet.
• Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082). This is a great in-depth post on the productization of an integer overflow into RCE.

Tools and Exploits

• Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade so if you have SeImpersonatePrivilege on a fully patched windows 10 machine, you can get SYSTEM.
• ServiceMove-BOF is a new lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that is work on Windows 10 1809 or above only.
• BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
• kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Microsoft365_devicePhish is a a proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow. Compare to 365-Stealer and TokenTactics.
• Mimikore is a .NET 5 single file application loader for Mimikatz or any Base64 PE.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple drops intellectual property lawsuit against maker of security tools. The battle against the virtual iOS device host finally ends with a fizzle. The case was scheduled to start next week. "The terms of the settlement were confidential."
• AI Wrote Better Phishing Emails Than Humans in a Recent Test. This is the dystopian future we were promised.

Techniques

• Having fun with a Use-After-Free in ProFTPd (CVE-2020-9273). This post analyzes the ProFTPd vulnerability and how to exploit it bypassing all the memory exploit mitigations present by default (ASLR, PIE, NX, Full RELRO, Stack Canaries etc). Two different exploits available at CVE-2020-9273.
• How to Hack APIs in 2021. Type confusion, JWTs, undocumented APIs, versioning, rate limiting, race conditions, XXE injection, switching content types, HTTP methods, injection vulnerabilities, and more are covered in this great post.
• Comparison of reverse image searching in popular search engines [OSINT hints]. TLDR: consider Yandex next time you need to reverse search an image.
• TeamServer.prop. Have you been wondering what those TeamServer.prop warnings were in Cobalt Strike 4.4? It turns out you can tweak the screenshot and keylog callback data settings to customize how the team server handles potentially DoS-able data.
• Spoofing File Extensions Using Google Drive and OneDrive. The tricks in this post may be helpful when/if you deliver payloads via email.
• Playing Detection with a Full Deck. If you've ever done any Purple teaming, this post will hit home. Understanding the full context of a system (i.e. how are services created) is critical to good detection rules.
• Phishing for NetNTLM Hashes. There are many ways to leak NTLM hashes but this post shows the results of testing and Security Zones are treated by web clients. Once you have NTLM and network access, this relay page has amazing charts for what is possible.
• Going for the Gold: Penetration Testing Tools Exploit Golden SAML. Golden SAML hit the headlines after the SolarWinds breach, and this post breaks down how powerful it can be. The three custom tools they mention are not public.
• Tools, Techniques, and Grimmie?: Experimenting w/ Offensive ADSI. Did you know there was a built in AD enumeration tool as far back as Windows 7 called adsisearcher?
• SAML is insecure by design. SAML is bad and should feel bad. Lots of good ammo in here for your next web assessment that uses SAML.
• [EX007] How playing CS: GO helped you bypass security products. The use of a vulnerable driver allows reading process memory from a userland helper to dump lsass while EDR watches helplessly.
• Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication. Rumble uses DCE/RPC UUIDs to fingerprint AV, EDR, and other software agents remotely and unauthenticated. This could be very useful for advanced red teams attempting to avoid detection.

Tools and Exploits

• CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
• ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique break down: My Steps of Reproducing ProxyShell.
• MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
• LazySign creates fake certs for binaries using windows binaries and the power of bat files. If you're on Linux try Limelighter.
• CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
• COM-Hijacking is an example of COM hijacking using a proxy DLL.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
• reko is a decompiler for machine code binaries. If Ghidra or redare2/Rizin aren't your thing, give reko a shot.
• SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
• RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
• REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• WireGuardNT, a high-performance WireGuard implementation for the Windows kernel. The WireGuard team continues to impress with a Windows kernel driver to increase speed (up to 5x speedup) and decrease battery usage. It's currently experimental and can be enabled with reg add HKLMSoftwareWireGuard /v ExperimentalKernelDriver /t REG_DWORD /d 1 /f.
• Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life. The company that once said, "What happens on your iPhone stays on your iPhone," and famously refused to unlock a terrorist's iPhone is rolling out software that will scan images on an iPhone. This type of client-side scanning breaks end to end encryption, and while it is being used initially to combat child exploitation, how difficult would it be to use the same system to censor or report on iPhone users that share images such as "tank man?"

• Cobalt Strike News

  • Cobalt Strike 4.4: The One with the Reconnect Button. In addition to some nice to have features, 4.4 comes with some major OPSEC changes. Users can now define their own reflective loader and sleep obfuscation technique. This should make it much more difficult to statically signature Cobalt Strike in memory. A good primer for the sleep mask functionality is Sleeping with a Mask On. For the customer loader this blog post is a good starting place for creating a DLL injector BOF.
  • Cobalt Strike DoS Vulnerability (CVE-2021-36798). "Hotcobalt" was an issue with screenshot processing on the Cobalt Strike teamserver that allowed a "malicious" beacon to crash the teamserver. More details on the SentinelOne blog.
  • Introducing Cobalt Strike Community Kit. The Community Kit is a great place to find community additions to the popular C2 framework. Be sure to vet anything before using it live!

• Kubernetes Hardening Guidance. The NSA and CISA drop 59 pages of Kubernetes hardening guidance. Just because you can push code to a cluster in one command doesn't mean you can forget about the security implications of doing so.
• The Conti ransomware gang (aka Hermes aka Ryuk) had some of their "affilaite" training material leak last week. Here is a roughly translated PDF if you are interested in their tradecraft.

Techniques

• You're Doing IoT RNG. "Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use."
• A New Attack Surface on MS Exchange Part 1 - ProxyLogon! and A New Attack Surface on MS Exchange Part 2 - ProxyOracle!. The master Orange Tsai is back to shell Exchange some more. This variant is dubbed "ProxyShell" and despite being patched in April a good number of Exchange servers on the internet appear to be vulnerable. Double check those patches and grab the web_exchange_proxyshell.yml Sigma rule.
• HTTP/2: The Sequel is Always Worse. There are some tricky issues with HTTP/2, especially in an environment of load balancers, front and back end request processors, and the like. Web app assessors or bug bounty folks should pay special attention to this one.
• Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass). Some bugs don't die on the first patch. NCC Group takes a swing at Pulse Secure and develops a patch bypass for an authenticated remote code execution vulnerability.
• Snapcraft Packages Come With Extra Baggage: Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348. A crash while launching docker led to a "DLL sideloading" type issue against the snap container engine in Ubuntu. While the bug was patched in March of 2021, this is a great writeup.
• Bypassing Windows Hello Without Masks or Plastic Surgery. By spoofing an external USB camera, researchers were able to bypass Windows Hello authentication. It does require an IR photo of the victim, but otherwise becomes a quick USB skeleton key to the targeted Windows computer.
• Multi-Stage Offensive Operations with Mythic. Modular toolkits, varied C2 mechanisims, but a unified back end are the future of offensive operations.
• Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit. With all the Windows issues recently, it was only a matter of time until someone made a combo attack walkthrough.
• Relaying NTLM authentication over RPC again…. "Due to the absence of global integrity verification requirements for the RPC protocol, a man-in-the-middle attacker can relay his victim’s NTLM authentication to a target of his choice over the RPC protocol." No code released yet.
• CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation of Privilege (EoP). "Intel Driver & Support Assistant (DSA) is a driver and software update utility for Intel components. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. An unprivileged user has nominal control over configuration settings within the web-based interface. This includes the ability to configure the folder location for downloads and data (e.g. installers and log files). An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code."

Tools and Exploits

• DeployPrinterNightmare is a C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
• whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
• Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). This is the toolset promised with the release of Certified Pre-Owned: Abusing Active Directory Certificate Services in June of 2021. A recent post covered the attacks in more practical terms.
• EyeWitnessTheFitness is a combination of EyeWitness (web screenshot OSINT tool) and fireprox (IP rotation proxy via AWS API gateway) that only uses one fireprox API for all EyeWitness targets.
• SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc) without invalidating or breaking the existing signature. This looks particularly nasty and is used by APT 10.
• SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. This tool was released along side the talk Operation Bypass Catch My Payload If You Can.
• BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. Check out IsBeaconProcess to make sure your beacon wouldn't get picked up.
• concealed_position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
• haklistgen is a tool that turns any junk text into a usable wordlist for brute-forcing (subdomains, words in HTTP response, etc).

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• RegExp is a replacement for the Windows built-in Regedit.exe tool. Improvements over that tool includes many enhanced features.
• reverse-ssh is a A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access.
• dnsmonster is a passive DNS collection and monitoring built with Golang, Clickhouse and Grafana. This is a scalable solution to do enterprise DNS monitoring.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.