News

• log4j logging framework vulnerable to RCE (10.0 CVSS3). Who knew that the ability to do Jndi lookups with user supplied data could be such and awful idea. Early reports claimed a recent version of Java and some environment variables would mitigate the vulnerability, but they were mistaken. Check out this Blue Team Cheatsheet for links to advisories.
• Pixel prevented me from calling 911. When you give up control of a core function like dialing to third party apps, in this case Microsoft Teams, bad things can happen.
• Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. You can now submit drivers directly to Microsoft with details about how they are vulnerable or malicious.
• Cobalt Strike 4.5: Fork&Run – you’re "history". "We dedicated a significant portion of this release to improving controls around product licensing." When your tool is used in nearly all ransomware events, I suspect HelpSystems got a call from someone to put more controls in place. The biggest change in this release for users is the ability to define custom process injection technique as well as increased size limits for sleep mask kit and user reflective loaders. Cobalt Strike continues to innovate and adapt to the changing offensive security landscape - the reason why it is the go to tool in the space.

Techniques

• CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as it allows any domain user with the ability to add computer accounts (default 10 per user), can get a ticket as a DC to arbitrary services which allows dcsyncing. Patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also checkout more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
• A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
• Getting root on Ubuntu through wishful thinking. Exploits are hard, even when you get root sometimes you aren't sure why. Adding a sleep to allow the ability to attach a debugger when the process did eventually crash was clever. Full PoC here.
• MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
• Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's seen what kernel driver loading tricks they come up with in future posts!

Tools and Exploits

• CVE Trends is a dashboard for expensive threat intel monitoring twitter without having to learn about tweetdeck. This is a really nice site check for the latest log4j RCE or to put up in your NOC.
• Podman Desktop is the Docker desktop replacement you may be looking for now that Docker Desktop is no longer free for most companies.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
• KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• US military's hacking unit publicly acknowledges taking offensive action to disrupt ransomware operations. Consider the hounds released.
• Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker. The Ubiquiti hack/breach/whatever from last year was actually an insider who demanded 50 bitcoin as ransom during the attack. He now faces up to 37 years in prison.
• Introducing Buy now, pay later in Microsoft Edge. Predatory lending coming to a browser near you by default!
• GoDaddy Announces Security Incident Affecting Managed WordPress Service. GoDaddy has been riding the high of its first mover advantage for about two decades now. Don't worry breach bingo players, "GoDaddy leadership and employees take our responsibility to protect our customers’ data very seriously."
• US State Department Employees Targeted with NSO Group Malware. After being heavily sanctioned, details about US based attacks are coming out. NSO groups woes continue to mount with Apple suing them.
• Is “KAX17” performing de-anonymization Attacks against Tor Users?. Someone spend a fair amount of money to run a lot of Tor middle nodes, but have since been subject to a mass rejection of relays. Tin foil hats on to guess who may be behind this.

Techniques

• Carrying the Tortellini's golf sticks - Using Caddy to spin up fast and reliable C2 redirectors. While Apache and Nginx are the most common redirectors, Caddy is a light weight web server that can be used as a redirector as well. This post details some helpful configuration options you should look into if you go down this route. Be care of the more unique JA3S hash though. Since caddy is written in Go and open source, this can be changed (with something like this for the server side).
• Windows 10 RCE: The exploit is in the link. Fabian and Lukas found that the default handler for ms-officecmd: URIs allows argument injection. Typical bug bounty payment shenanigans followed. There are great details about the process of finding the bug and exploiting it in this post - don't skip it.
• Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm. Much like JA3 and JA3S, TLS metadata about certificates can be extremely useful for detecting anomalies.
• TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?. Trickbot is back with a nifty LNK+loader campaign. Threat emulator take note.
• Exploring Container Security: A Storage Vulnerability Deep Dive. Containers are taking over the DevOps world, best learn how to exploit them.
• USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services. Some base libraries used in many remote desktop services has a vulnerability that can be triggered from sandboxes (i.e. web browsers).
• Go away BitLocker, you´re drunk. You've read some stories about leaking bitlocker keys, but they lacked memes and snark. I believe this is the third bitlocker hardware hack post on LWiS. Have you added a second factor to your bitlocker deployment yet?
• Halo's Gate Evolves -> Tartarus' Gate. This new "gate" adds a check for a different type of hook used by an EDR vendor. Code here.
• Azure Privilege Escalation via Azure API Permissions Abuse. At this point I'm convinced that each "cloud" is it's own entire security research domain.
• The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory. This is a fresh take on credential dumping with a PoC available: MalSeclogon.

Tools and Exploits

• InstallerFileTakeOver is a Windows LPE 0day for all supported Windows version. RIP.
• cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
• Exploiting CVE-2021-43267. This is a walkthrough and full exploit for Linux TIPC vulnerabilitiy that affects kernels between 5.10-rc1 and 5.15.
• EDRSandblast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
• SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
• EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• DetectionLabELK is a fork of DetectionLab with ELK stack instead of Splunk.
• GoMapEnum is a user enumeration (Linkedin) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
• redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
• ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases.
• BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• GitHub’s commitment to npm ecosystem security. Dependancy package security is a hard problem to solve, but it seems NPM has gotten a lot of flak recently. Mandatory 2FA and other measures may help. "But I use rust," you say? Read on...
• Backdooring Rust crates for fun and profit. Running other people's code easily is a bedrock feature of any software dependency or library manager. It's quite difficult to make sure that code isn't malicious.
• An in-depth look at hacking back, active defense, and cyber letters of marque. Interesting conclusion (government should be in control) for a guy who prevented a malware outbreak with "active defense" as a civilian. Perhaps that gives more weight to his argument, having "seen the other side?" I have yet to read any opinion pieces by current or former government offensive security professionals on the matter - aside from Jake Williams of course.
• Emotet, once the world's most dangerous malware, is back. What is dead my never die? Keep track of the threat here.
• NUCLEUS:13. The IoT/OT/embedded OS from Siemens, Nucleus RTOS, had flaws in its TCP/IP stack including a buffer overflow in the FTP USER command. The project-memoria-detector can help identify the TCP/IP stack of a device if you think you may have some Nucleus systems in your environment.

Techniques

• AFL++ on Android with QEMU support. Ever wanted to fuzz close-source libraries directly on your Android phone? Now you can!
• Nanodump: A Red Team Approach to Minidumps. The tool has been out for a while, but this post explains the motivation and technical details.
• Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver. Some interesting bugs found in the NPU driver accessible from the untrusted app sandbox on (presumably) lots of Android devices.
• When You sysWhisper Loud Enough for AV to Hear You. Static syscalls have their signatures. This post explores some work arounds, but some *Gate (Hell's, Heaven's, etc) would prevent these artifacts in your code at all (but introduce others).
• An Illustrated Guide to Elliptic Curve Cryptography Validation. Elliptic curves are becoming the standard way to perform asymmetric cryptography, but how do they actually work? This post can serve as a refresher for that college cryptography class you took or didn't take.
• Active Directory Attack Paths — “Is it always this bad?”. From experience: yes. This post is mostly an ad for Bloodhound Enterprise, but that's ok.
• Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321). After ProxyShell, Exchange got some serious attention and to no one's surprise more RCE fell out of it. This one affected Exchange 2016 CU21/22 and 2019 CU10/1 but he post goes into technical detail and stops just short of a PoC.
• HackSys Extreme Vulnerable Driver — Arbitrary Write NULL (New Solution). This is a very detailed post on a cool privilege escalation against a vulnerable by design driver.
• Abusing Google Drive's Email File Functionality. This is a great way to abuse legitimate services to deliver phishing emails. Very tricky!
• ExternalC2.NET. This is the post that explains the tool released last week.
• Pentest tale - Dumping cleartext credentials from antivirus. Sometimes memory dumps and findstr is all it takes to find credentials of value.
• Picky PPID Spoofing. This post has some good example code to help find svchost processes with your integrity level to allow them to be used as a PPID for your process.
• No Logs? No Problem! Incident Response without Windows Event Logs. You can also read this as, "All the things you need to clean up to help stay undetected."
• Using CVE-2021-40531 for RCE with Sketch. "This post covers a vulnerability in Sketch that I discovered back in July — CVE-2021-40531. In its simplest form, it is a macOS quarantine bypass, but in context it can be used for remote code execution."

Tools and Exploits

• tldraw is a tiny little drawing app. Check it out at tldraw.com.
• msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
• fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
• TPM sniffing. With $49 of hardware you too can read a bitlocker key as it leaves the TPM of a laptop. TPM 2.0 has support to encrypt this value, but until then/even after consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc).
• CheckCert A small utility to request the SSL certificate from a public or private web application implemented in C# and as a BOF.
• SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
• Oh365UserFinde is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
• Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
• GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and move it back to main memory after sleeping. Check out the blog post here.
• MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since tt doesn't contain any SYSTEM auth trigger for weaponization so the code can be used to integrate your favorite trigger by yourself. Also, tt's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
• DumpNParse is a Combination LSASS Dumper and LSASS Parser adapted from other projects.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• digital-forensics-lab is a free hands-on digital forensics labs for students and faculty. Note that on windows it actually drops the binary to disk and runs it, going against the very name of the project...

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
• CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
• ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."

Techniques

• Windows Security Updates for Hackers. This is the one stop shop for all information related to Windows releases, updates, and tools to find missing patches. Bookmark it.
• Becoming A Super Admin In Someone Else's Gsuite Organization And Taking It Over With a few edited requests in Google Domains you could add yourself to arbitrary GSuite customers as a Super Admin. Great find! PoC video here.
• Analyzing a watering hole campaign using macOS exploits. macOS is making gains in the consumer market, and thus is getting attention from threat actors. The targets and geography leave little to imagination in terms of attributions. More and more 0days are being used to target activists these days, how dystopian. For more details check out SentielOne's analysis of macOS.Macma.
• Malware Analysis: Syscalls. These malware analysis posts should serve to enlighten the reader as to how their own tools may look from the "other side."
• Kernel Karnage – Part 3 (Challenge Accepted). To fight kernel driver EDR, you must be come kernel driver EDR?
• Golden Certificate. DCShadow and Golden Tickets getting too popular/detectable? If the environment is running Active Directory Certification Services (AD CS) you can mint a "Golden Certificate" instead.
• Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications. This post is an exemplar of how to think more about a technique is uses and design detections around it vs an easily bypassed signature.
• AutoPoC - Validating the Lack of Validation in PoCs. From HoneyPoC to AutoPoC, Andy has exposed more "threat intelligence" scripts "products" and "professionals" than anyone. It's pretty crazy to see the amount of trust some people have in random GitHub projects.
• Implementing Shellcode Retrieval. The inceptor framework can now abstract how shellcode is delivered to the loader so it can be store in arbitrary formats like UUIDs.

Tools and Exploits

• lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
• ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
• Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
• blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
• rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
• Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
• bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
• skweez spiders web pages and extracts words for wordlist generation.
• LocalDllParse checks all loaded Dlls in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process and avoids all commonly monitored API calls.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
• NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice. $10M USD for conviction of "individual(s) who hold(s) a key leadership position in the DarkSide" group. I think the goal of this is to sow distrust within DarkSide, and a potential $10M payout to snitch will certainly do that.
• Pwn2Own Austin 2021 - Schedule and Live Results. It's always cool to see how many and what types of devices fall at Pwn2Own.
• Introducing Firefox’s new Site Isolation Security Architecture. Great news for the underdog browser. However, it may be too little too late.
• Cisco Policy Suite Static SSH Keys Vulnerability. Cisco is the king of 9.0+ CVSS scores in critical networking hardware. This time it's SSH in the Policy Suite software and its Catalyst Passive Optical Network (PON) switches that could allow and attacker to log in a root.
• Iraqi PM Safe After Drone Attack on Residence, Military Says. Explosive laden assassination drones. "The future dystopia is already here — it’s just not very evenly distributed."
• Phishing emails seemingly coming from a Kaspersky email address. A better title might be, "oops someone used one of our AWS SES tokens to phish."

Techniques

• Master of Puppets Part II – How to tamper the EDR?. Tons of great ideas for how to disable EDR, even if it has a kernel driver. Great work.
• Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication. While not a "red team" post, this shows how to set up CES/CEP with Linux which will give you an understanding to how that all works, and ideas for how it can be leveraged if you find yourself on a domain joined Linux machine.
• Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3. If you're using for Cobalt Strike for serious operations, you're asking for trouble. Security through obscurity is a legitimate part of a larger security model.
• Kerberoast with OpSec. Kerberoasting remains a powerful attack, but it's time to clean up how you go about searching for kerberoastable accounts.
• CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution. Interesting bug and walk through (CodeQL again...). No PoC yet.
• This is how I bypassed almost every EDR!. Userland unhooking and direct syscalls aren't novel, but the use of the PEB to find the clean functions in NTDLL without syscalls is a nice twist.
• PGSharp: Analysis of a Cheating App for PokemonGO. This is an in-depth analysis of an Android cheat engine. Tons of good stuff if you are an android "tool" developer.
• CVE-2021-22205 Rapid7 Analysis. Lots of Gitlab instances were used in a DDoS attack last week. This is how. Note that this was patched back in April 2021.
• Pwn2Own to Xxe2Rce. XXE to RCE on an ICS controller - nice!
• Newly discovered #lolbin "C:WindowsSystem32Cmdl32.exe". Download files with a Microsoft signed binary. So long certutil.exe, hello cmdl32.exe!

Tools and Exploits

• DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
• DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
• blint is a Binary Linter to check the security properties, and capabilities in your executables.
• braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
• CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
• elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
• socksdll isa a loadable socks5 proxy via CGo/C bridge.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
• ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
• AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes. Exploit a k8s environment to earn $31,337-$50,337 USD! More details here.
• Protecting your device information with Private Set Membership. This cryptographic process could be useful for all kinds of sensitive data lookups (i.e. is my password in a breach?).
• MalAPI.io launches. MalAPI.io can be used when developing malware (for legal purposes of course) or when analyzing the source code of malware. It's a MITRE ATT&CK matrix for Windows APIs.
• Announcing the DEF CON 30 Call For Contests & Events!. Start planning early!
• Google Docs in a clean-room browser. Just an example of how much duct tape and glue

Techniques

• Neat SIP bypass for macOS. system_installd executes a zsh shell and has an entitlement to bypass SIP. Microsoft found a way to leverage this to run commands with the same entitlement with /etc/zshenv. How many more ways are there? Full Microsoft post: Shrootless.
• Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
• Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C# related projects today: D/Invoke Baguette.
• Kernel Karnage – Part 2 (Back to Basics). EDRs are moving to the kernel, and drivers can provide great local privilege escalation opportunities. This post explores the ability to hook other driver's (EDR) functions. Want to start debugging the windows kernel? This 101 post was released yesterday.
• Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
• CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that allows users to mount over ~/Library and this the TCC database. Yikes! Fixed in 12.0.1.
• Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
• Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique makes sure they jmp back to memory space of NTDLL.DLL to avoid suspicious of the kernel returning to program memory space it should't (i.e. the location of your direct syscall). Sneaky! PoC here.

Tools and Exploits

• quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, root e-mail addresses, users, and roles. Check out the blog post here.
• DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
• Metsubushi is a Go project to generate droppers with encrypted payloads automatically.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
• dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline. Congrats to Patrick Gray; they finally released the hounds!
• Infosec skills gap widens in all regions bar Asia-Pacific – report. "(ISC)² now estimates the global infosec skills gap to stand at around 2.7 million unfilled positions worldwide... The underlying issue isn’t just that demand is growing, it is that the jobs market consistently can’t attract enough people into cybersecurity careers to service demand."
• Pixel 6: Setting a new standard for mobile security. The flagship phone from Google comes with 5 years of security updates (matching iPhones), as well as a feature that looks like a built in Android version of iVerify.
• March 2019 FBI CAST Cellular Analysis & Geo-Location Field Resource Guide. Well this is interesting. Note: this document was acquired legally via a public record act request.
• New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts. Is this the first confirmed case of a US person being hacked with NSO exploit presumably by a Saudi-linked operator (Jeff Bezos hack-and-leak had weak attribution)? Are the "gloves off" now? Artifacts go back as late as 2018.

Techniques

• Using Kerberos for Authentication Relay Attacks. The great James Forshaw is back with a tome on Kerberos for relaying.
• Windows Exploitation Tricks: Relaying DCOM Authentication. Kerberos wasn't enough, so DCOM got the James Forshaw treatment too.
• Car hijacking swapping a single bit. These physical attacks are always cool to me. The same basic principle of exploitation applies to them: to exploit a system, you often must totally understanding it - sometimes better than the designers.
• Don't Ruck Us Too Hard - Owning Ruckus AP devices. This research involved a cool setup of Ghidra and dockerized QEMU emulation. Any IoT or embedded researchers should read this.
• Double spending bug in Polygon’s Plasma bridge. This bug was awarded a $2 million USD bounty. Perhaps it's time to switch focus to cryptocurrencies and smart contracts.
• AlphaGolang | A Step-by-Step Go Malware Reversing Methodology for IDA Pro. If you've ever had to reverse Go programs, you know it's a mess. AlphaGolang aims to help the analysis with IDA Pro with a series of helpful scripts.
• Servers are overrated – Bypassing corporate proxies (ab)using serverless for fun and profit.. This post comes complete with a "bug not a vuln" which lets you register subdomains of azurewebsites.net that includes reserved words like "microsoft."
• Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses. Woah.
• Formalized Curiosity. This post is a good look at a process for conducting research.
• Driver Buddy Reloaded. Use this on your hunt for Windows driver vulns!

Tools and Exploits

• ProfSvcLPE is an currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, but wasn't properly patched. The repo contains a word doc with a writeup as well.
• ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
• Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
• FakeAMSI. Have you ever persisted by pretending to e an antivirus product?
• SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
• CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
• DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
• jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Firefox Suggest lands in the US, bringing ads to the browser search bar. Add this to the list of check boxes to uncheck on new Firefox installs. Settings -> Privacy & Security -> Address Bar — Firefox Suggest -> Contextual suggestions.
• Cheat Maker Is Not Afraid of Call of Duty’s New Kernel-Level Anti-Cheat. This is the second major video game maker to move to the kernel. As these drivers will be allow listed by AV, any vulnerability in them could prove valuable to red teamers.
• Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site. This is the level of computer literacy in government. RCVS-hack contains this 31337 darkweb 0day. 🤦
• Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. The US government isn't totally hopeless and this push to use hardware tokens to prevent phishing from the White House is a great move!
• The Shenanigans of Jonathan Villareal. The fake iOS 0days were absent from this curated blog (you're welcome), but they show how easily manipulated the "infosec community" can be. This post breaks down the "RCE" and shows industry expert reactions.
• L0phtCrack is Now Open Source. Perhaps the oldest password "audit" tool is now open source. The GPU supply shortage and other factors caused Terahash to default on the terms of the sale of L0phtCrack and thus it was repossessed and open sourced.
• Sysmon For Linux. Breaking: temperature in Hell nearing freezing, hogs show signs they may be capable of flight.
• Windows Print Spooler Spoofing Vulnerability - CVE-2021-36970. This PrintNightmare may never end.

Techniques

• House of IO - Heap Reuse. This new modification to the House of Io even has some example code so you can follow along.
• Azure Privilege Escalation via Service Principal Abuse. Despite well defined password policy safeguards, Application Administrators can often elevate to Global Administrators if the application has Global Admin service principle. "Azure admins can prevent this attack path by auditing roles held by service principals and comparing those roles to the other identities with control of apps."
• Finding gadgets like it's 2015: part 1. This article explains the CommonCollection 1 and 7 gadget chains to help understand the new chain found in the Mojarra library.
• Resource Based Constrained Delegation. RBCD is one of the more complicated Active Directory attack paths. This article shows practical, step-by-step exploitation of this path which should help drive home the process.
• Countering threats from Iran. Interested in what an actual APT phishing campaign and infrastructure looks like? Look no further.
• Creating a Malicious Azure AD OAuth2 Application. Emulate those OAuth2 APTs (see above) with this practical guide from trustedsec.
• Exploiting Redis Through SSRF Attack. This post shows different ways the Redis key-value store can be exploited using SSRF.
• How a simple Linux kernel memory corruption bug can lead to complete system compromise. This post is unique in that the mitigations sections is three times as long as the vulnerability/PoC walk through.
• Microsoft Windows Antimalware Scan Interface Bypasses. AMSI bypasses have been around for a few years, and this post shows the internal workings of how the memory patches work.

Tools and Exploits

• Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for cobalt strike, or writes an integration for Mythic. For prior art, check out pycobalt.
• The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
• ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
• Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
• nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password, on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
• AnyDesk Escalation of Privilege (CVE-2021-40854). You've got love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
• LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
• Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted. Probably want to review the code before use (same goes for all tools).
• WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Windows 11 available on October 5. I suppose it's better than having another cryptic Windows 10 version? The difference between 1507 and 21H1 is pretty big and lots of people are on "Windows 10" versions that are not being updated without realizing it.
• European Parliament backs ban on remote biometric surveillance. Not law yet, but a move in the right direction.
• Announcing osquery 5: Now with EndpointSecurity on macOS. The amazing osquery tool has been updated to use the latest Endpoint Security framework/API that Apple has been pushing recently after depreciating kernel extensions.

Techniques

• Analyzing and Detecting a VMTools Persistence Technique. VMware tools binaries/services are commonly found on VMs and can be leveraged for persistence on power state changes. Unsure of how useful this would be in practice, as most legitimate target VMs would be in a datacenter somewhere powered on all the time?
• Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2. An "in the wild" exploit of IOMobileFrameBuffer is cited in the iOS 15.0.2 patch notes, and this bindiff and PoC is incredibly quick. In the end a reliable crash with arbitrary data is achieved. Update those iOS devices (and/or save your SHSH2 blobs ;). What's amazing is this analysis/PoC was completed and published in under 2 hours of the patch being released. Very impressive.
• gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP). This is a perfect tool to run after you land on a developer's machine with GCP credentials. Currently only available in the docker image desijarvis/gcphound:v1.1-beta and the tool is written in python at /root/gcpHound.
• Environmental Disaster - a LaunchServices Tale. The ability to control environment variables when launching a process from an app sandbox on macOS leads to a few different kinds of sandbox escapes, with more likely lurking thanks to popular applications/frameworks and their use of environment variables that are not block-listed by Apple.
• Backdoor .NET assemblies with… dnSpy 🤔. Everyone loves a good backdoor for persistence, data exfiltration, or even privilege escalation. .NET assesmblies can be modified to run arbitrary code with dnSpy, and if exposed to the internet, could even be triggerable!

Tools and Exploits

• HandleKatz is a position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump(). The tool does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing (unlike Donut, sRDI, etc).
• SharpCalendar is a tool that uses Microsoft.Office.Interop.Excel to retrieve Outlook Calendar details in operator defined one month chunks. Sometimes its nice to know if/when someone will be out of office!
• Ninja_UUID_Dropper is a loader that uses module stomping, no new thread, HellsGate syscaller, and UUID encoding for x64 Windows 10. The technique of encoding shellcode in UUIDs was first seen in Lazarus malware.
• covert-tube is a program to control systems remotely by uploading videos to Youtube using Python to create the videos and the listener. It creates videos with frames formed of simple text, QR codes with cleartext, or QR codes using AES encryption. It may be easier to use youtube comments/video descriptions with encrypted text instead of reading data out of the videos themselves?
• weakpass_3a is the latest weakpass wordlist. 107.77 GB of plaintext password goodness to feed your GPU cluster.
• hermes is a Swift 5 Mythic payload for macOS. It currently supports Mythic 2.2.8 and will update as necessary.
• SuspendedThreadInjection is a meterpreter injection technique using C# that attempts to bypass Defender.
• DInvoke_rs brings the popular DInvoke/direct syscall technique to Rust! I'm excited to see more rust tooling for red teams.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Viper is a graphical penetration tool that wraps metasploit in a nice, multi-user web-gui.
• Clash is a rule-based tunnel daemon in Go that supports many protocols like VMess, Shadowsocks, Trojan, etc.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Understanding How Facebook Disappeared from the Internet. Facebook had five hours of outage which is $9,806,639 of revenue based on 2020 numbers. A BGP issue took DNS down, and without DNS nothing worked. Bonus points if you have abandoned facebook and facebook owned services so much you didn't really notice. Facebook has issued their own details about the October 4 outage.
• Unauthorized Access to Your Coinbase Account. Add this to the list of why SMS two factor is not real two factor, although it isn't clear if Coinbase or mobile carriers were the ultimate culprit. Either way, hardware security tokens are the answer.
• Company That Routes Billions of Text Messages Quietly Says It Was Hacked. Don your tin foil hat and conjecture if this is related to the previous story - probably not, this feels like good old fashion espionage.
• Introducing the Secure Open Source Pilot Program. Bug bounty for preventative security improvements is a great idea, but the ambiguity of the categories is even worse than normal bug bounty. Good luck to whomever has to "triage" these reports, but kudos to Google for trying something.
• Twitch Hack of 135 GB of Data Includes How Much Its Biggest Streamers Make. There are 6,000+ git repos as well. An interesting look behind the curtain of a major tech company.
• Unicorn2. Unicorn, the popular CPU emulation framework is over 6 years old now and the second major version has been build from scratch on top of Qemu 5. It also adds PowerPC and RISCV emulation.

Techniques

• Life is Pane: Persistence via Preview Handlers. Windows explorer previews are generated by DLLs that are registered for each file extension. Attackers can register their own handlers or take over existing extensions for persistence when a user opens an explorer window containing a file with that extension. This is sneaky, and probably not detected by many EDR vendors... yet.
• Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings. The auth endpoint calculated the password hash of the plaintext supplied by the user by calling a one line python script from Go and passing the plaintext as an argument. Why not calculate the hash in the Go binary? Less RCE that way I suppose...
• Crucial’s MOD Utility LPE – CVE-2021-41285. More "gaming" drivers, more LPEs. If you need system, target gaming drivers!
• Reverse engineering and decrypting CyberArk vault credential files. This post is a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. The author discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password
• Abusing Weak ACL on Certificate Templates. This is a walkthrough of the ESC4 attack described in Certified Pre-Owned.
• Single Step Encryption/Decryption. Decrypt and run shellcode one instruction (or 16 byte block) at a time. This should help against memory forensics, but may be unstable with complex shellcode.

Tools and Exploits

• OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
• Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
• DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
• kenzer performs automated web assets enumeration & scanning.
• PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disabled_functions set in php.ini and execute shell commands on the target webserver.
• DonPAPI dumps DPAPI credentials remotely.
• aad-sso-enum-brute-spray A PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.

-FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program. Criticism of Apple's bug bounty program has been growing, and it's pretty clear there is a problem. For a company with as much cash on hand as Apple (nearly 200 billion USD), the bad press from this can't be worth it, right? Another researched joined in the 0day releases with Rotten-Apples.
• macOS Control Bypasses - New course for 2021. It's great to see macOS get attention from training vendors. This course is only available in a subscription model which is an interesting pricing strategy from a vendor known for its relatively affordable a la cart training.
• Announcement: VMware Fusion for Apple silicon Public Tech Preview Now Available. It only support Arm Linux virtual machines, no Arm Windows builds for now (as there is no way to legally license them for VM use).

Techniques

• Financially motivated actor breaks certificate parsing to avoid detection. By using End of Content markers in fixed length encoding, adware distributers were able to trick non-OpenSSL based products (i.e. Windows) to believe an invalid PE signature is actually valid. This is a neat trick, and I'm a bit surprised to see it burned on adware. Who else was aware/using it too?
• XSS to RCE: Covert Target Websites into Payload Landing Pages. I really like this idea for delivering payloads for a red teaming phish, assuming the customer site is vulnerable to XSS that is otherwise not very valuable in terms of the assessment objectives.
• Chrome in-the-wild bug analysis: CVE-2021-30632. Dig into the internals of the V8 JIT engine with GitHub as they analyzed this browser bug. PoC here.
• Apache Dubbo: All roads lead to RCE. More GitHub technical content, this time a great article that goes from target identification to RCE using CodeQL. Be sure to check this out if you aren't using CodeQL for source code analysis/bug hunting.
• Resetting Expired Passwords Remotely. Some great techniques to get past expired or must-be-reset passwords found on a Windows network.
• IAM Vulnerable - Assessing the AWS Assessment Tools. This is a great test of the four major open source AWS IAM misconfiguration assessment tools. I wonder if the IAM Vulnerable project could be used with CI/CD for these tools to show "live" coverage of the test cases as they improve.
• An Intro to Fuzzing (AKA Fuzz Testing). Just what the title says. One of the best intro articles that covers the basics.
• Beyond the good ol' LaunchAgents - 20 - Terminal Preferences. Wild that this series is already up to 20. This one would only work against technical targets, as they have to open the terminal application to run your persistence.
• Pwn2Own 2021: Parallels Desktop Guest to Host Escape. "Many evenings it is easier for me to read other people’s research, but I won’t find vulnerabilities reading blog posts. You find them by trying to do your own research." Damn, got me there. I've got some original research cooking (slow cooking, but still cooking).
• New Azure Active Directory password brute-forcing flaw has no fix. The Azure Active Directory Seamless Single Sign-On has been good for user enumeration since 2019 but this new discovery allows brute forcing (via a web endpoint, so it will be slow) without even logging anywhere. Wild. A successful login will generate a log, but you can spray all day without alerting any organization that users pass-through authentication.
• Everyone Gets a Rootkit. On Windows since Windows 8 the Windows Platform Binary Table has a weakness that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit compromising the integrity of the device.
• FinSpy: unseen findings. What's better than a rootkit? A bootkit of course. FinSpy has been busy since it was last reported on in 2018 with some seriously advanced malware.

Tools and Exploits

• injectEtwBypass is a CobaltStrike BOF that injects an ETW bypass into a remote process via syscalls using HellsGate/HalosGate. This BOF contains some excellent assembly primitives for finding syscalls dynamically.
• PPLDump_BOF is a fully-fledged BOF to dump an arbitrary protected process.
• Needle_Sift_BOF is a file search bof to find strings within files without downloading the file from target. It uses strstr to do the search, and is case sensitive (no strcasestr function in Windows).
• Dragonfly: your next generation malware sandbox. A new sandbox with rules engine. Details are light but it looks like this sandbox uses binary emulation vs running samples in an instrumented virtual machine. Sign up for the Alpha here.
• ThreadStackSpoofer is a PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
• gitoops is Bloodhound for GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
• SyscallNumberExtractor exports all ntdll.dll syscalls to syscalls.txt. Useful for hard coding direct syscalls if not using a *gate technique.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Google is partnering with Open Source Technology Improvement Fund, Inc to sponsor security reviews of critical open source software.. Google is funding the review of eight libraries, frameworks, and apps including Git, lodash, and Laverel.
• Kali Linux 2021.3 Release. The most popular offensive security Linux distribution gets its third release of the year, with minor tweaks to better support VMs, old TLS versions, new tools, and updates throughout the OS.

Techniques

• NSA Meeting Proposal for ProxyShell. By combining the "NSA Metting" and "ProxyShell" exploits for Exchange, a unique RCE chain can be created that may not otherwise be detected. Code here.
• Defeating macOS Malware Anti-Analysis Tricks with Radare2. Working around anti-debug measures is critical to dynamic analysis. This post shows how r2 can be used to manipulate execution and bypass checks.
• Microsoft Teams Spoofing Attacks. This post contains a message request approval bypass, attachment spoofing, and link spoofing techniques. If you phish via Teams, this is a must read.
• AMD Chipset Driver Information Disclosure Vulnerability. Two vulnerabilities exist across modern AMD chipsets that allow for information disclosure via reading uninitialized physical memory pages.
• All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035). Top tier exploit write up, from fuzzing to code execution.
• Beginners Guide to 0day/CVE AppSec Research. I'm not sure how this guy sleeps with the consistency of long form content and code he produces. This post has a walk through of how to setup and instrument a PHP app for testing.
• Full-Spectrum Cobalt Strike Detection. This report is a technical profile of the commercial post-exploitation framework Cobalt Strike. It contains details on the capabilities of the framework, observed threat actor use, host-based and network-based detections, and SOAR strategies for detection and response. This report is intended for security operations audiences who focus on detection engineering.
• VSCode BOF Development Trick. Set your compiler to mingw32-gcc and Intellisense will help you out!

Tools and Exploits

• OMIGOD

  • “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution. This is the post the started it all. Another Azure find from Wiz. Simply removing the authorization header allowed for RCE as root. Amazing that is a thing in 2021.
  • Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions. The official Microsoft response.
  • OMIcheck is a set of scripts from Microsoft to check and upgrade your omi agents.
  • CVE-2021-38647 is a nice wrapper for the PoC in the Wiz post.
  • Azure OMI RCE Attempt shows a small sample of "in the wild" exploitation.

• goblin is a phishing tool that can host sites and display notices if uses click call to action buttons. This won't replace GoPhish any time soon.
• fapro is a multi-protocol honey pot with ELK logging support. Looks like no source code is available (yet?).
• PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.
• CVE-2021-40444--CABless. Your favorite Word RCE, now with no CAB and a single line of javascript.
• CFG_Allowed_Functions is a pykd version-independent tool that finds and dump functions allowed by Control Flow Guard (CFG).
• Zerotier - Multiple Vulnerabilities. An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorized access to private Zerotier networks. To exploit, see ZTCrack.
• Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
• Rosplant Pis a proof of concept to leverage Roslyn for post-exploitation (Roslyn + Implant = Rosplant). It comes in two parts, the server and client. Raw C# is entered into the server's console by the attacker, which is sent to the client (via TCP for the PoC). The client uses Roslyn to evaluate the code and sends the results back to the attacker.
• SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single-files and full-directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data will be compressed and encrypted before being uploaded. While exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the "memoryonly" option.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate rapport.
• Obfuscating Malicious, Macro-Enabled Word Docs. Missed this one last week, but some great tips on macro-obfuscation techniques for when that Word RCE stops being useful.
• be-a-hacker. This is a road map to being a self-taught hacker.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Introducing Android’s Private Compute Services. Google is aiming to put the Private Compute Core from Android in the cloud and they're vouching to do 3rd party validation via audits.
• VMware denies allegations it leaked Confluence RCE exploit. Bug bounty drama as a payload sent to VMware as part of a bounty was later added to the Nuclei scanner by a researcher who claimed they found it via "Pastebin scraping" and could not produce the source URL to the paste. Bug bounties rely on trust, and these types of incidents underscore that.
• FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild. If your threat model includes nation states with massive war chests willing to burn 0days to get on your device, I think any stock OS is going to be insufficient to protect you. Perhaps the best way to fight against this type of exploitation is to capture and expose the exploits fast enough to make it economically unfeasible to use them against activists? Props to Citizen Lab for doing the work here.
• U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation. Three members of the RAVEN crew pled guilty in exchange for a three-year deferred prosecution agreement and fines. Interesting that the CFAA wasn't used in this case, as it is typically the hammer for anything computer related. How much taxpayer money did the US spend investigating and prosecuting these three? Imagine if the US Government instead paid competitive salaries so their own hackers didn't travel to the Middle East and hack for other governments...
• Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds.. Self host that CI/CD, that way the mistakes are your own.

Techniques

• Burp Suite RCE. The built-in Chrome browser in Burp Suite 2.0 is an old Chrome version, which can be combined with the "Use dynamic analysis techniques" feature to trigger RCE on an assessors Windows machine by simply browsing a site via the embedded Chrome browser. Is this ultimate WAF? Ransomware any Burp Suite users that browse your site?
• Hacking CloudKit - How I accidentally deleted your Apple Shortcuts. Even the big companies are not immune to misconfigured access controls. In this case the result was an assessor was able to delete all shared "shortcuts" links for iOS.
• Tickling VMProtect with LLVM: Part 1. This series gets into the weeds of using LLVM as a software based deobfuscation framework that initially targets binaries protected with VMProtect.
• Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja. Supporting macOS back to 10.13 had the effect of silently dripping stack protections, and the author uses the Binary Ninja Python API to help automate bug finding.
• Change home directory and bypass TCC aka CVE-2020-27937. By planting your own TCC database you can bypass the whole user TCC (Desktop, Documents, Address Book, Camera, Microphone, Photos and more).
• Hook Heaps and Live Free. Ecnrypted heap allocations. Now that is some legit tradecraft! This post is a gold mine of information about "in memory evasion" and practical examples of how to implement it with Cobalt Strike. Example code (for the first basic example) here. If you liked this post be sure to check out SleepyCrypt: Encrypting a running PE image while it sleeps which also dropped last week.
• CVE-2021-3437 | HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices. Perhaps its time to download any gaming related drivers and do a vulnerability hunt... 🤔

Tools and Exploits

• Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444. This was the big news of last week. RCE from simply opening a Word doc, thanks to old friends - directory traversal, IE, and ActiveX.

  • Demo of an RTF variant working in the explorer preview
  • KQL query
  • Malicious docx generator
  • Windows MSHTML zero-day defenses bypassed as new info emerges
  • CVE-2021-40444 Analysis/Exploit - This is the best analysis/walkthrough I have come across.
  • Microsoft Defender Attack Surface Reduction recommendations - Old but gold. "Block all Office applications from creating child processes" is what you want for this vulnerability specifically.

• BOF-Adios is a BOF that will zero, then delete your beacon's executable on exit! Useful if you are dropping a loader to disk as part of a phishing campaign.
• NimHollow is a Nim implementation of Process Hollowing using syscalls with some nice features like shellcode encryption, sandbox detection, and AMSI patching.
• iam-vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. More details on the BishopFox blog.
• Toggle_Token_Privileges_BOF is an (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
• SharpSystemTriggers is a collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.
• azureOutlookC2 - Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
• ImpulsiveDLLHijack is a C# tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
• AppInitHook is a global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for read teaming.
• ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Illinois Bought Invasive Phone Location Data From Banned Broker Safegraph. I've read my cell phone and internet provider terms of service, but the issue is all the major providers have the same clauses where they can sell your data. There's no alternative that provides the same level of service while respecting customer data. I worry that since this data is "anonomyized" even measures like GDPR wouldn't be effective.
• How Data Brokers Sell Access to the Backbone of the Internet. More privacy nightmare fuel. Every connection to and from public IP addresses is being recorded, sold, aggregated, and analyzed. There are now full on private SIGINT systems.
• Hackers Leak Videos of Iranian Prison. This looks like a classic hacker movie scene - the screens go black then display the hacker's message full screen.
• Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature. "On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key." Luckily it only affected customers with the Jupyter Notebook feature enabled. For more information check out ChaosDB.
• From Pearl to Pegasus Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits. More 0-click iOS exploit nightmare fuel.
• SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom. This detailed-but-accessible case study of the Russian cyber espionage campaign that targeted SolarWinds is from the free Cybersecurity Law, Policy, and Institutions (version 3.1).
• ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested. Assume your IP is being recorded by not only the site you access, but every device/government/data broker in between. Act accordingly if any of those are in your threat model.

Techniques

• Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
• ZDI-21-1053: Bypassing Windows Lock Screen. The ease of access on screen reader is used once again to execute binaries on a USB and execute code even with the screen of a Windows 10 computer locked. PoC video here.
• From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
• Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in ever red team toolkit. Code here.
• %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
• Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
• Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
• Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
• Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.

Tools and Exploits

• Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use 4x HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
• RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects the ImageMagick with the default settings from Ubuntu repository (tested with default settings of ImageMagick on Ubuntu 20.04). More info here.
• LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.
• NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
• AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
• OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
• iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
• PR0CESS has a few projects for interesting PE loading techniques.
• CVE-2021-33909 is a Linux LPE for Sequoia.
• laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
• zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
• JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
• beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
• Khepri is a post-exploiton tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
• ockam is a library for end-to-end encryption and mutual authentication for distributed applications.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple CSAM fallout:

  • Opinion: We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous. A group from Princeton built a similar system to what Apple has deployed and decided it was too dangerous to put into practice. "Apple is gambling with security, privacy and free speech worldwide."
  • Working Collision? #1. This was the start of the collisions but it quickly snowballed.
  • neural-hash-collider can generate collisions on demand.
  • Had enough of Apple? Look into GrapheneOS, CalyxOS, or even a PinePhone.

• Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims. Last week the news section had a good news story about Apple dropping a case against Corellium. They've appealed the other case they lost. All this while claiming security researchers would be a check against CSAM scanning abuse...
• A Hacker Stole and Then Returned $600 Million. The wild west of finance sees it's largets heist yet (yes, bigger than Mt. Gox). For technical details (facepalm warning) check out rekt.
• Microsoft announces price increase for Office 365 and Microsoft 365. E5 is still crazy expensive.
• Porchetta Industries Launches. "The Information Security Industry doesn't have a direct way to support Offensive & Defensive Open Source Security Tool developers even though it relies on them for a large portion of their services and/or internal capabilities. We're here to change that. Porchetta Industries provides a centralized platform for organizations to fund and support Open Source Security Tools."

Techniques

• 1Password Secret Retrieval — Methodology and Implementation. Password managers are a juicy target for post-exploitation. This post explores the 1password password manager and offers some detection tips. If an attacker is injecting code into processes undetected, it might be too late. Check out 1PasswordSuite for the tools.
• Executing Code In Context Of A Trusted Agent (Part 1) - Windows Defender Antivirus. The only thing better than bypassing AV is running in the context of AV itself. PoC here.
• Introducing GoKart, a Smarter Go Security Scanner. If you've got some Go code to review or are trying to exploit, give gokart a shot.
• Domain Escalation – PrintNightmare. Need a refresher or reference on all the PrintNighmare madness? This post covers remote discovery and exploitation.
• Uncovering Tetris – a Full Surveillance Kit Running in your Browser. A watering hole attack used JSON Hijacking and other methods to attempt to identify users. It even attempted to steal secrets from the user's local machine using websockets!
• Oh, Behave! Figuring Out User Behavior. Once you gain access to a target workstation, how do you determine what the user does day to day? Which applications would be best to backdoor for persistence? This post explores some ways to answer these questions.
• Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent. If you have local admin you can export the AD FS Hybrid Health Agent secret and spam the Azure AD sign-in logs with fake entries.
• Creating the WhereAmI Cobalt Strike BOF. Bobby has been on a roll, churning out BOFs at a rapid pace. It likely took significant extra time to document and write up the process behind whereami which dumps the environment variables without calling the WinAPI, and for that I am grateful!
• Responder's DHCP Poisoner. Responder 3.0.7.0 comes with a new DHCP module! Learn about it in this post.
• Razer Windows LPE. Simply attaching a Razer mouse (or a spoofed one) will run a UI as SYSTEM that you can use to open a file dialog and spawn a prompt with. I don't believe this has been weaponized without physical access or desktop interaction yet.
• Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082). This is a great in-depth post on the productization of an integer overflow into RCE.

Tools and Exploits

• Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade so if you have SeImpersonatePrivilege on a fully patched windows 10 machine, you can get SYSTEM.
• ServiceMove-BOF is a new lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that is work on Windows 10 1809 or above only.
• BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
• kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Microsoft365_devicePhish is a a proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow. Compare to 365-Stealer and TokenTactics.
• Mimikore is a .NET 5 single file application loader for Mimikatz or any Base64 PE.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple drops intellectual property lawsuit against maker of security tools. The battle against the virtual iOS device host finally ends with a fizzle. The case was scheduled to start next week. "The terms of the settlement were confidential."
• AI Wrote Better Phishing Emails Than Humans in a Recent Test. This is the dystopian future we were promised.

Techniques

• Having fun with a Use-After-Free in ProFTPd (CVE-2020-9273). This post analyzes the ProFTPd vulnerability and how to exploit it bypassing all the memory exploit mitigations present by default (ASLR, PIE, NX, Full RELRO, Stack Canaries etc). Two different exploits available at CVE-2020-9273.
• How to Hack APIs in 2021. Type confusion, JWTs, undocumented APIs, versioning, rate limiting, race conditions, XXE injection, switching content types, HTTP methods, injection vulnerabilities, and more are covered in this great post.
• Comparison of reverse image searching in popular search engines [OSINT hints]. TLDR: consider Yandex next time you need to reverse search an image.
• TeamServer.prop. Have you been wondering what those TeamServer.prop warnings were in Cobalt Strike 4.4? It turns out you can tweak the screenshot and keylog callback data settings to customize how the team server handles potentially DoS-able data.
• Spoofing File Extensions Using Google Drive and OneDrive. The tricks in this post may be helpful when/if you deliver payloads via email.
• Playing Detection with a Full Deck. If you've ever done any Purple teaming, this post will hit home. Understanding the full context of a system (i.e. how are services created) is critical to good detection rules.
• Phishing for NetNTLM Hashes. There are many ways to leak NTLM hashes but this post shows the results of testing and Security Zones are treated by web clients. Once you have NTLM and network access, this relay page has amazing charts for what is possible.
• Going for the Gold: Penetration Testing Tools Exploit Golden SAML. Golden SAML hit the headlines after the SolarWinds breach, and this post breaks down how powerful it can be. The three custom tools they mention are not public.
• Tools, Techniques, and Grimmie?: Experimenting w/ Offensive ADSI. Did you know there was a built in AD enumeration tool as far back as Windows 7 called adsisearcher?
• SAML is insecure by design. SAML is bad and should feel bad. Lots of good ammo in here for your next web assessment that uses SAML.
• [EX007] How playing CS: GO helped you bypass security products. The use of a vulnerable driver allows reading process memory from a userland helper to dump lsass while EDR watches helplessly.
• Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication. Rumble uses DCE/RPC UUIDs to fingerprint AV, EDR, and other software agents remotely and unauthenticated. This could be very useful for advanced red teams attempting to avoid detection.

Tools and Exploits

• CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
• ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique break down: My Steps of Reproducing ProxyShell.
• MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
• LazySign creates fake certs for binaries using windows binaries and the power of bat files. If you're on Linux try Limelighter.
• CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
• COM-Hijacking is an example of COM hijacking using a proxy DLL.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
• reko is a decompiler for machine code binaries. If Ghidra or redare2/Rizin aren't your thing, give reko a shot.
• SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
• RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
• REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.