Normal view

There are new articles available, click to refresh the page.
Before yesterdayBad Sector Labs Blog

Last Week in Security (LWiS) - 2020-09-28

By: Erik
29 September 2020 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-21 to 2020-09-28.

News

Techniques

  • The Return of Raining SYSTEM Shells with Citrix Workspace app. The MSI transform feature is not widely known, but probably can be used malicious as shown here in many more cases. This is another great example of not giving up on a bug just because it was "patched." CCob also released PwnyForm, a tool that can take an MSI input and generate an MSI transform that can be used for arbitrary command execution via custom actions.
  • Unquoted paths. They’re not just for services anymore. Unqouted service paths are an all too common issues on Windows machines, especially with third party software. This post discusses how the same issue can affect Scheduled Tasks, and how a standard Microsoft task was vulnerable. Add this to your list of things to check for potential privilege escalation on a Windows machine.
  • Local Privilege Escalation in FortinetSSL VPN client for Linux. Local Privilege Escalation (LPE) comes for Linux via the FortinetSSL VPN client which is SUID and blindly trusts argv[0] to be the path to its install location. This advisory contains a PoC which affects (at least) FortinetSSL Linux VPN client versions 4.0-2281 and 4.4-2336.
  • ZeroLogon(CVE-2020-1472) - Attacking & Defending. As the dust settles from the ZeroLogon announcement, this post goes into the technical details of both the exploit (but no work on repairing the DC after exploit) and various detection strategies.
  • A different way of abusing Zerologon (CVE-2020-1472). Dirk-jan is one of the researchers on the forefront of Windows/AD knowledge (along with Will Schroeder [@harmj0y] and Benjamin Delpy [@gentilkiwi]) and this post proves it. Dirk-jan manages to modify impacket to use Zerologon to relay a machine authentication solicited with SpoolSample from one DC to another, preventing the machine account password reset in the normal Zerologon attack flow that causes major issues.
  • Samba Unauthenticated domain takeover via netlogon ("ZeroLogon"). If you are running Samba <= 4.7 as a domain controller, you are vulnerable to ZeroLogon. This bug isn't just for Windows!
  • Abusing Group Policy Caching. A standard domain user can perform, via the “gpsvc” service, arbitrary file overwrite with SYSTEM privileges by altering behavior of “Group Policy Caching”. This can be used to elevate from a standard user to SYSTEM, however it has since been patched (CVE-2020-1317) by making the group policy folders readonly for standard users.
  • Phishing Your Password Manager. Feeling smug about credential harvesting because your password manager recognizes when sites don't match? Curtis Brazzell shows that some auth providers allow custom login pages which can be implanted with form capture so the domain does match, and your password manager likely will fill in creds. Manually verify those domains, every time!
  • Hacking Punkbuster. Punkbuster is an anti-cheat system for PC video games that has some very malware like properties (ability to take screenshots). This post shows how the Punkbuster server is vulnerable to a path traversal in the screenshot name. Unfortunately, "for security reasons we will only give a high level description of the vulnerability and won’t dive deep into the actual reverse engineering process." I'm guessing they used Firda?
  • Bypassing Android MDM using Electromagnetic Fault Injection by a Gas Lighter for $1.5. We've talked about hardware glitching before (LWiS 2020-08-31), but this is a low cost, low complexity attack to glitch an Android phone into sysdump which allows for the System on a Chip (SoC) recovery port to be used to flash new firmware, bypassing the very locked down system. Physical access is always root access, sometimes it just takes a bit more work.
  • Azure Account Hijacking using mimikatz’s lsadump::setntlm. Have Domain Admin but need to access data as a user with a password hash that won't crack? Wait for them to go home, then use lsadump::changentlm and lsadump::setntlm to change their password to something you do know, and put it back to their NTLM hash before they return in the morning.
  • Exploiting Tiny Tiny RSS. This is a deep dive into webapp source code review and hacking. The authors pull together a very impressive single click exploit that backdoor's a user's TT-RSS server. There are some great advanced techniques in this post - and the classic gopher:// trick as well.
  • Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver. If you have any interest in kernel or driver exploitation, this blog is a must read.
  • Smaller C Payloads on Window shows how to get an 8-12x reduction in binary size by removing the Visual C++ runtime from Windows binaries, and only including the functionality your program actually needs. Note that this limits some of the comfort features of C/C++.

Tools and Exploits

  • mitra is a python tool to generate binary polygots (one file that can be parsed as two different formats like a PNG and a DICOM). This could be useful to bypass file upload restrictions or generally mess with file parsers.
  • Gopher is a C# tool to search for credentials from all types of applications on Windows.
  • SharpDirLister is a .NET 4.0 tool for super fast directory listings.
  • RegSave is a .NET 3.5 tool for dumping the SAM, SYSTEM, and SECURITY registry keys.
  • CVE-2020-3433 is a collection of 3 vulnerabilities in the Cisco AnyConnect client for Windows, one of which is a local privilege escalation (sound familiar? CVE-2020-3153 was exploited by the same researcher - @AntoineGoichot after being found by @yorickkoster).
  • Offensive Terraform Modules provide automated multi-step offensive attack modules using Infrastructure as Code (IAC).
  • duf is a clean disk usage utility for Linux, FreeBSD, and macOS. It even outputs in JSON!
  • mikrot8over a rework of the Mikrotik RouterOS (<= 6.38.4) exploit with multithreaded scan capability.
  • UrbanBishopLocal is a port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
  • Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab. YAYA is a new open source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IBM QRadar Wincollect Escalation of Privilege (CVE-2020-4485 & CVE-2020-4486). I missed this one last week, but arbitrary file delete leads to elevation of privilege using the IBM QRadar Wincollect installer.
  • crowdsec is a lightweight Go agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database (can be disabled with apimode: false). If fail2ban is too simple, this may be what you are looking for.
  • Macrome is an Excel macro document reader and writer for red teamers and analysts. It uses Excel 4.0 macros and the BIFF8 (Excel 97-2003 Binary) XLS format which will likely bypass many detections. Details here.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-05

By: Erik
6 October 2020 at 03:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-28 to 2020-10-05.

News

  • UHS hospitals hit by reported country-wide Ryuk ransomware attack. Two weeks ago was the first possible death related to ransomware. There are at least three being reported due to this. Of note, while many ransomware crews stated they would not target hospitals when the pandemic started, Ryuk remained silent.
  • Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Cybersecurity firms now need to register as money services to legally make ransomware payments, and "payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial."
  • OST Map from Intezer connects threat actors with the tools they use. This is an interesting resource for adversary emulation purposes. If you enjoy this you may also like the CyberWar Map.
  • Sectigo to Be Acquired by GI Partners. The Root CA shell game continues (Sectigo used to be Comodo). This will trigger another round of compliance checks.
  • Escaping strings in Bash using !:q. A quick tip for bash users.
  • Code scanning is now available!. GitHub code scanning attempts to find vulnerabilities in your code via static analysis before it gets deployed. They are using the acquisition of Semmle to push CodeQL even further. This proactive approach is a good thing for security.

Techniques

Tools and Exploits

  • SIEGMA aims to automate the creation of SIEM rule consumables by leveraging a pre-defined set of configurations/mappings and by utilizing the sigma rule format and engine.
  • DecryptRDCManager is a .NET port of Decrypt-RDCMan.ps1 which was written by Ben Turner and Rich Hicks. This tool will decrypt credentials from Remote Desktop Manager by using the functionality from the RDCMan.DLL.
  • Fork-n-Run. This is great raw C# material for building into your own tools (PPID spoofing, BlockDLLs, argument spoofing, comms via pipes).
  • MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. Be warned, this will attempt 7 authentications, so be sure to use a correct password or possibly get locked out! Blog post here.
  • AggressiveGadgetToJScript is a Cobalt Strike Aggressor script to generate GadgetToJScript payloads. It uses the QueueUserAPC injection method and injects into notepad.exe (you should change this).
  • bitleaker is a complete physical attack tool (bootable USB) that leverages CVE-2018-6622 (BIOS sleep TPM bug) and the new CVE-2020-0526 to enable the mounting of Bitlocker encrypted drives without the user's password which is normally required. If devices are out of your physical control (work from home, travel) this bug/exploit applies to you. Update your systems to the latest BIOS firmware, disable sleep in the BIOS, or use BitLocker with a PIN to mitigate this.
  • GLORP is a command line HTTP intercept proxy. The idea is to provide a CLI based tool for when you wanna-look-at-this-thing-real-quick and not fire up yet another full-fat container/vm/whatever with Burp and so forth. Looking for more GUI? Read on...
  • hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community. Currently in the early stages, this is an interesting project to watch.
  • Raccine is a simple ransomware vaccine that kills the process tree that invokes vssadmin or wmic calls to delete volume shadow copies by registering as a debugger for vssadmin and wmic. This is a neat trick that will likely work against many ransomware variants.
  • elsa is a minimal, fast and secure runtime for Javascript and Typescript written in Go. This could be used to create an embedded scripting environment in your Go malware a la gscript.
  • sploit is a Go package that aids in binary analysis and exploitation. Think of it as the start of a Go version of pwntools.
  • feroxbuster is a fast, simple, recursive content discovery tool written in Rust.
  • CSharp-CmdLineHelper-Parser is a "no frills" 1 class-only, C# .NET command line parser with support for - and / args, switches only, and Name : Values. This will be useful for small C# projects.
  • checksec.py is a complete checksec tool in python with rich terminal output. It supports PE and ELF files and there is an exe in the Github release.
  • Docker-eyeOS runs iOS (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! It's like having your own local Corellium.
  • A New Tool for Password Spraying Emulation. Spray at scale using GCP/AWS with this new tool from Praetorian. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Vulmap is an online local vulnerability scanner. It's aimed at organizations to do vulnerability scanning across their fleets, but it can also be used for one off checks to see what is available to privesc.
  • grinder is a python framework to automatically discover and enumerate hosts from different back-end systems (Shodan, Censys). Add this to your enumeration pipeline.
  • GHunt is a tool to investigate Google Accounts given only an email.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-12

By: Erik
13 October 2020 at 03:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-05 to 2020-10-12.

News

  • Python 3.9 is out which brings new features like dictionary merging (dict1 | dict2), dictionary updates (dict1 |= dict2) , type hinting, and a new parser.
  • ESXi on Arm Fling is LIVE!. Teased at VMworld Europe 2018, the ARM variant of ESXi is finally here. It can run on a Raspberry Pi 4 (8GB highly recommended) and can act as a vSAN witness in a two node cluster (not officially supported).
  • Enter the Vault: Authentication Issues in HashiCorp Vault. Two vulnerabilities in HashiCorp Vault could allow an attacker to bypass authentication checks in Amazon Web Services (AWS) and Google Cloud Platform (GCP) configurations.
  • Report: U.S. Cyber Command Behind Trickbot Tricks. Some entity was sending Trickbot configs with a new C2 address of 127.0.0.1 as well as spamming the bot registration endpoints to flood Trickbot operators with bad data. This article claims it was USCYBERCOM.
  • We Hacked Apple for 3 Months: Here’s What We Found. @samwcyo and friends spent a few months tearing through everything Apple dropping criticals along the way. This write up is very well done, and is worth the read. They will likely cross $500,000 in bounties once all are paid.

Techniques

Tools and Exploits

  • TinyAFL is a fuzzer designed for macOS usermode applications even if source code is not available.
  • UAC-SilentClean implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process. The SilentCleanup technique has been known for quite some time, and Microsoft has made no attempt to fix it, so this will likely continue to work until the scheduled task is changed for some other reason unrelated to security.
  • BOF-RegSave will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
  • jwt-secrets is a collection of many public-available JWT secrets from code samples that may be used in production. It is the list used in the new Burp app jwt-heartbreaker (more details here).
  • gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.
  • CSRFER is a tool to generate csrf payloads based on vulnerable requests.
  • screego server allows you to share your screen with good quality and low latency. Screego is an addition to existing software and only helps to share your screen. This is useful for code reviews where the quality of Teams/Meet/Zoom doesn't cut it.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • FavFreak matches favicon hashes to their services using a large fingerprint dictionary. This can be a quick win when identifying web technologies on a large attack surface.
  • pwndoc is similar to Ghostwriter allowing multiple users to collaborate on assessment or vulnerability reports and generate a customized Docx report.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-19

By: Erik
20 October 2020 at 03:40

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-12 to 2020-10-19.

News

  • Microsoft Uses Trademark Law to Disrupt Trickbot Botnet. Just days after Trickbot was disrupted by USCYBERCOM (allegedly), Microsoft uses a unique legal trick to shut down additional C2 infrastructure by forcing hosting providers and telecom companies to block access to the C2 infrastructure.
  • German police raid tech firm FinFisher over spyware allegations. FinFisher is accused of selling surveillance software, to oppressive regimes around the world (Turkey, Ethiopia, Bahrain, the UAE, and Egypt). FinFisher was spectacularly breached back in 2014 when it was owned by UK based Gamma Group (writeup).
  • Java deserialization vulnerability in QRadar RemoteJavaScript Servlet. Nothing quite as face-palm-able as having RCE in your security product. The RCE is authenticated, but still not a good look.
  • CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability. Patch Tuesday reveals a critical unauthenticated potential RCE in the Windows TCP/IP stack when it handles ICMPv6 Router Advertisement packets. While this is bad, the protections in tcpip.sys will make a RCE PoC difficult. Patch or apply the workaround regardless. More details here.
  • International Statement: End-To-End Encryption and Public Safety. Five Eyes (FVEY) intel alliance countries of Australia, Canada, New Zealand, the UK, and US were joined by India and Japan in calling for tech firms to “enable law enforcement access to content” upon production of a warrant, in the name of public safety. This same strategy was attempted in the 90s. However, end-to-end encryption is easy to implement now, and mathematics/cryptography cannot be banned. If implemented, bad actors will continue to use end-to-end encryption while citizen's privacy is destroyed.
  • SonicWall VPN Portal Critical Flaw (CVE-2020-5135). Nearly 800,000 SonicWall VPNs are vulnerable to new remote code execution bug. The bug is in the SSLVPN, which is exposed to the internet as part of its functionality. Tripwire VERT says that a "code execution exploit is likely feasible."
  • Plug'nPwn - Connect to Jailbreak. The recent T2 security chip jailbreak has been productized and is now as easy as connecting a special cable/device to an Apple laptop. I expect this to be productize further into a full tool with additional features like a keylogger. Demo here.

Techniques

Tools and Exploits

  • stegbrute is a fast steganography bruteforce tool written in Rust (useful for CTFs).
  • CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability. Normally I wouldn't put a link to a Microsoft Advisory, but this one is so trivial to exploit, that 7zip can read any file on a Windows disk (if Bitlocker is not in use) by directly opening the physical device.
  • Alaris is a protective and Low Level Shellcode Loader the defeats modern EDR systems with direct syscalls, DLL blocking, PPID spoofing, and shellcode encryption. Well written blog describing the tool here.
  • CobaltStrike-BOF are DCOM and WMI lateral movement BOFs for Cobalt Strike.
  • MacC2 is a python-based macOS C2 that uses internal API calls instead of command line utilities.
  • InSync is a macOS Finder persistence technique. Code is 3 months old but only made public 2020-10-19.
  • CalendarPersist is a JXA script to allow programmatic persistence via macOS Calendar.app alerts. Blog post here. It's a big week for macOS tools!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • PrismX is a Cloud Security Dashboard, providing a single source of truth for cloud security issues based on AWS CIS Security Benchmarks. The dashboard provides a high-level overview for executives as well as actionable data for individual contributors with built-in JIRA integration.
  • RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
  • HackBrowserData is a cross platform Go tool to decrypt passwords for most browser.
  • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
  • SharpCrashEventLog crashes the Windows event log 3 times which keeps it down for 24 hours. Blog post here.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-26

By: Erik
26 October 2020 at 23:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-19 to 2020-10-26.

News

  • US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks. This indictment isn't groundbreaking for its attribution of the 3 attacks to Russian hackers (that was widely assumed), it is however very interesting to see the evidence for such attribution. Clearly, the US government has a lot of access to some of the backends used by the hackers. Bravo. For excerpts, see this twitter thread.
  • Multiple vulnerabilities in VMware ESXi. No PoCs yet but this is a potential unauthenticated remote code execution vulnerability in the OpenSLP service on ESXi (port 427).
  • Apple Approved Malware. Malware is being deployed using binaries that are notarized (signed) by Apple after passing their review process. This wouldn't be as bad if the signed samples weren't known malware! Additionally, after reporting one sample, the actors simply updated their campaign with a freshly signed sample of the same thing. Clearly, the actors involved have the notarization process figured out and automated. This is a bad look for Apple who tout this notarization feature as a big security selling point.
  • Recent and upcoming changes to the Nano projects. Popular ad blocker NanoCore was recently sold to a Turkish developer who immediately changed the privacy policy and modified the code. Browser extensions command great power, and should be carefully scrutinized.
  • 1Password for Linux beta is now open. One of the more popular password managers is now available on linux (in beta). For an open source alternative that is available on linux today, check out Bitwarden.
  • YouTube-DL Removed From GitHub After DMCA Notice. This is an incredibly useful tool with a wide range of legitimate uses. The complaint says the code can be used to download copyrighted works. This sets a precedent that makes posting software or tools that can be used for malicious acts (nearly everything in every LWiS) potentially subject to take down as well (for ToS violations not DCMA). Looks like people are already using a GitHub "feature" to attach a commit of youtube-dl to the DCMA repo (and of course forks like yt-dlc exist).

Techniques

Tools and Exploits

  • Wraith is a native loader designed to pave the way for the arrival of a Stage-1/Beaconing implant or Stage-2/Post-Ex implant in-memory securely and stealthily. Specially designed to operate in heavily-monitored environments, it is designed with AV Evasion as its primary goal.
  • PEzor v2 — New Output Formats and Cobalt Strike Integration. PEzor was already a great tool, and v2 includes new features like a nice cna script to make in-memory execute of nearly any binary a single command. If you haven't checked this out before v2, it is even more valuable now.
  • Hot Manchego is a new tool for creating macro-enabled Excel workbooks that use the .NET library EPPlus to bypass many AV solutions.
  • Secret fragments: Remote code execution on Symfony based websites. The _fragment endpoint used by Symofny (and therefore lots of PHP based web apps/CMSs) uses an HMAC to verify commands. Unfortunately, lots of sites are using default keys to generate the HMAC, and are therefore vulnerable to RCE. PoC here.
  • RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. See Segmentation Vault in Techniques for example usage.
  • CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. This allows for more complex stored credentials to be exfiltrated and used on an operator system. See Segmentation Vault in Techniques for example usage.
  • Announcing PyRDP 1.0. The advanced RDP python library gains features as it reaches 1.0 including CredSSP, Clipboard file carving, headless player support, dynamic certificate cloning, and a new conversion tool to output mp4 videos of RDP sessions from PyRDP captures or even PCAPs.
  • CVE-2020-15906 is an authentication bypass for TikiWiki CMS 16.x-21.1. This wiki software is often used internally by dev shops, so this vulnerability could prove very useful on internal engagements. Demo here.
  • wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB"). The sandbox is used by Windows Defender for dynamic analysis, and commonly manually by security analysts and alike.
  • setsidmapping is a tool to use LsaManageSidNameMapping get LSA to add or remove SID to name mappings. It requires SeTcbPrivilege as well as some other caveats. Not sure what advantages this provides right now, but I'm sure James is cooking up something with this tool.
  • procrustes is a bash script that automates the exfiltration of data over dns in case you have blind command execution on a server where all outbound connections except DNS are blocked.
  • WSuspicious is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post.
  • Local Privilege Escalation Vulnerability Discovered in VMware Fusion. A nice macOS privilege escalation using VMware Fusion. The bug was patched in September but the PoC is fresh. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • NTLMRawUnHide is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etl.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-02

By: Erik
3 November 2020 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-26 to 2020-11-02.

News

Techniques

  • Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This can be used to bypass some (most?) AVs and some file integrity monitoring solutions depending on when and how the perform their checks of files on disk. It can fool Windows Defender into thinking mimikatz is "signed" as well.
  • Hacking in an epistolary way: implementing kerberoast in pure VBA. What if you did every stage of your attack via phishing payloads? VBA is technically Turing complete, so it is technically possible. This post explores how to Kerberoast in pure VBA. Half amazing, half insane.
  • Fuzzing for eBPF JIT bugs in the Linux kernel. This post shows how a a writeup lead a researcher to conduct his own research and in doing so found a new vulnerability in the patch! This local privilege escalation vulnerability affects Linux kernels with the "patched" eBPF verifier before 5.8.15 (starting at 5.6.1, 5.5.14, and 5.4.29). No public PoC yet.
  • What would you risk for free Honey?. Browser extensions don't often get the attention they deserve from security professionals. This post exposes some serious issues with the popular "Honey" extension, in this case four different ways the Honey server could run arbitrary code on any website you visit while it is installed.
  • MalDoc Fu - Some Ideas for Malicious Document Delivery. Maldocs (macro enable malicious documents) are a favorite of phishing engagements, but as people and technologies slowly get better, they are becoming less successful. This post explores some new advanced forms of Maldocs to hide your malicious payloads and bypass current AV. Well done!
  • Remote Desktop Services Shadowing – Beyond the Shadowed Session. RDP Shadowing is the process of connecting to an already open RDP session. This is useful for legitimate purposes, and could be very useful for red team purposes as well. With some registry changes, it can be made silent and red teamers can effectively spy on legitimate RDP sessions.
  • UAC bypasses from COMAutoApprovalList details the two newest additions to UACME that use the Windows COM object model classes with enabled elevation.
  • Using and detecting C2 printer pivoting explores a very interesting "esoteric C2 channel" of using print jobs to communicate on a Windows network.
  • NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website. The fastest-spreading virus author is back with more great research. This abuses SIP Application Layer Gateway (maybe enabled by default) and bad packet fragmentation handling to allow browsers to generate what (bad) routers think are arbitrary packets. This allows all kinds of things like opening ports to other internal devices by just having a user run some javascript by browsing a website. Very cool, but possibly limited to sketchy defaults and poor packet fragmentation handling.

Tools and Exploits

  • MaliciousClickOnceMSBuild is a C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce. Be aware that without a valid certificate it will trigger a smartscreen warning.
  • BOF.NET is a small native BOF object combined with the BOF.NET managed runtime that enables the development of Cobalt Strike BOFs directly in .NET. BOF.NET removes the complexity of native compilation along with the headaches of manually importing native API. Now you can write your BOFs in .NET instead of C!
  • HoneyCreds is a network credential injection tool to detect responder and other network poisoners. Set this up with a legitimate looking username and easy to crack password and trigger on any use of the account in your environment.
  • CVE-2020-14882. Oh boy, a single GET gets unauthenticated remote code execution against Oracle Web Logic. The patch is amazingly poor as well.
  • MalwareMultiScan is a self-hosted VirusTotal / MetaDefender wannabe with API, demo UI and Scanners running in Docker. Like other self-hosted AV scanners, it only runs Linux based AVs (and Windows Defender). This joins malice, saferwall, and MultiAV-Extended for self hosted AV scanning solutions.
  • UltimateWDACBypassList is a centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dendron is a local-first, markdown based, hierarchical note-taking application built on top of VSCode and friends. Similar to Obsidian or Roam, but open source and free.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-09

By: Erik
10 November 2020 at 20:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-02 to 2020-11-09.

News

  • Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945. Linux based APTs don't get much attention, and APTs that target Solaris, even less - until now. Mandiant exposes all the tricks of an APT group that used a Solaris SSH 0day for initial access, and deployed quite a suite of tools (including an entire QEMU VM) once in the network.
  • Raspberry Pi 400 launched. This new Raspberry Pi introduces a new form factor, the computer-as-a-keyboard. A new board incorporates the Raspberry Pi 4 (4GB) into a small keyboard. One notable change is a slightly updated processor with a 1.8 GHz quad-core ARMv8 chip (vs 1.5 GHz in the standard 4), and a massive heatsink to keep it from overheating. With its ability to run dual 4k displays, this portable computer could be perfect for students or anyone who needs a basic computing environment. I am also interested to see it being used as a thin client device.
  • Chrome Root Program. Chrome will start shipping its own root Certification Authorities (CA) store instead of relying on the operating system's CA store. Mozilla already does this in Firefox, and it will present challenges to enterprises that deploy their own root CAs for HTTPS interception or other purposes.
  • Cyber ActorsTarget Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses. The FBI reveals that threat actors have stolen private and US Government source code due to misconfigurations in SonarQube instances. This is a great example of why having a government backdoor "only for the good guys" is a terrible idea.
  • Cobalt Strike 4.2 – Everything but the kitchen sink details the improvements in the most recent release of the commercial red team tool. Many are welcome quality of life additions (better key logging and screenshot support), but there is also good low level improvements for in-memory evasion and templates for artifacts the the named-pipe beacon uses to communicate with post-exploitation jobs. ThreatExpress has the latest malleable C2 additions documented nicely.

Techniques

Tools and Exploits

  • AggressiveProxy is a combination of a .NET 3.5 binary (LetMeOutSharp) and a Cobalt Strike aggressor script (AggressiveProxy.cna). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. The story behind the tool can be found here.
  • Shellycoat is a utility designed to aid in bypassing User-Mode hooks utilized by AV/NGAV/EDR/Sandboxes/DLP etc. to gain visibility into potentially suspicious actions. It is a DLL or PIC shellcode blob that can be injected into a process and will "clean" that processes ntdll using direct syscalls to remove any hooks. Use this with a custom loader before executing your malicious payload to bypass AV.
  • StandIn is a "small" AD post-compromise toolkit. It allows for all kinds of enumeration including LDAP objects, ASREP, SPNs, Unconstrained/constrained delegation, DC's, Groups Operations, and Machine Object Operations.
  • 1768 K is a tool to decode and dump the configuration of Cobalt Strike beacons from memory from the great Didier Stevens (1768 Kelvin is the melting point of Cobalt).
  • red-kube is a red team cheat sheet based on kubectl commands. As more things get containerized, it's good to know how to break k8s.
  • APKProxyHelper patches an apk for proxying and repacks back to an apk. For iOS the author has a tweak called SSLBypass that does what it says on the tin.
  • SCShell now comes with a Cobalt Strike BOF. Fileless lateral movement was never as easy!
  • Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE). It's been a while since we heard from Dawid Golunski (3 years?), but he is back with a RCE that can be triggered by a git clone command. Demo here.
  • xpcspy implements bidirectional XPC message interception for iOS and macOS.
  • gsocket is an end-to-end encrypted relay network that allows for advanced features beyond simple TCP and SFTP, like mounting a remote file system. As of now, self-hosting a relay is not an option and all traffic goes through gs.thc.org. Perhaps it's an elaborate honey pot?!
  • Coldfire is a Go malware development framework that includes a lot of the basic functions all good malware needs, from logging to sandbox detection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • gosecretsdump. Impacket is great, but sometimes it can be really slow. When your NTDS.dit file is measured in GBs, it's time to break out the Go for significant speed boost. Also works on SAM/SYSTEM backups, or even local SAM/SYSTEM if run as SYSTEM.
  • gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it. It eases the exploration of APIs that return large blobs of JSON but have terrible documentation. It may fill gaps that jq can't in your workflow.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-16

By: Erik
17 November 2020 at 04:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-09 to 2020-11-16.

News

  • SO-CON 2020 is a conference by SpecterOps and has great talks lined up for 2020-11-20!
  • What's new in macOS 11, Big Sur!. Apple's latest OS was released last Thursday, and one of the best sources for what's new is the hackintosh subreddit.
  • Apple Silicon M1 Emulating x86 is Still Faster Than Every Other Mac in Single Core Benchmark. Apple released their in house ARM-based chips last week for the 13" MacBook Pro, MacBook Air, and Mac mini. They said it was fast, but this benchmark really shows it. Even emulating x86, a Macbook Air scored higher on single-core performance than a 2020 iMac with an Intel i9-10910 (10 cores at 3.6 GHz). Seriously impressive. In multicore benchmarks, the Mac mini with M1 is surprisingly high on the all time benchmarks list.
  • Can't open apps on macOS: an OCSP disaster waiting to happen. While Apple was making amazing strides with its new silicon, it was also being dragged through the mud for its Gatekeeper implementation. This post is the most honest (spoiler: Apple isn't collecting executable hashes every time you launch them), and discusses the missteps of the implementation. There is a place for this type of security mechanism, but it should be designed with privacy first - especially from a company that plays the privacy card as hard as Apple does. Apple has issued a statement (bottom) with vague promises. At this point, Linux distros are the last OSs left without telemetry baked in (and some distros have it).
  • Big Sur allows apps to bypass firewalls. Apple news again, and this is impressively poor showing. How this got past all the meetings and approvals it must have taken is beyond me. Apple has exempted many Apple applications from being routed through new frameworks on Big Sur that Apple requires 3rd party firewalls to use (no more kexts). I guess Apple was convinced it would help with their mission to have things "just work," but if a user is installing a 3rd party firewall, they probably know what they are doing...
  • Windows 20H2 changes is a comparison of Windows 10 2004 and Windows 10 20H2 installations. Could be a menu of new things to look into for vulnerabilities, or just new legitimate service names to hide your persistence.

Techniques

Tools and Exploits

  • Apollo and Mythic: A Myth Worth Retelling. Apollo was in last weeks edition of this blog, but this post digs into some of the features it has. Apollo + Mythic is a powerful combination.
  • Windows RpcEptMapper Service Insecure Registry Permissions EoP. While only effective against Windows 7, this local privilege escalation vulnerability is a classic case of seeing something strange and digging into it, reading the docs, and coming away with an interesting result.
  • HppDLL enables local password dumping using MsvpPasswordValidate hooks. Explanation here.
  • openedr is free and open source platform allows you to analyze what’s happening across your entire environment at base-security-event level. The repo is a little light on details for now, but this is one to watch.
  • Issue 2075: Windows: Local Spooler CVE-2020-1337 Bypass. Microsoft finally actually patched the local spooler local privilege escalation vulnerability in Windows 10. This issue has a PoC if you come across any machines that don't have the November 2020 patch.
  • COM_Mapper is a tool to create COM class/interface relationships in neo4j. Like BloodHound for COM!
  • aix53l-libc.c. If you are unfortunate enough to gain access to an AIX machine, you can root it easily now with this 0day that exploits a buffer overflow in the handling of locale environment variables.
  • ghinja is a plugin to embed Ghidra Decompiler into Binary Ninja.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 22120 is a tool to self-host the Internet with an offline archive. Similar to ArchiveBox, SingleFile and WebMemex.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-23

By: Erik
23 November 2020 at 23:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-16 to 2020-11-23.

News

  • SO-CON 2020 was last Friday and had a ton of good talks. Recordings are available on the conference site for 30 days, and YouTube after that.
  • Airbnb Executive Resigned Last Year Over Chinese Request for More Data Sharing. AirBnB is sharing booking data from the moment a reservation is made with China. This gives a lot of lead time to "set up" an apartment or house for surveillance. Any large tech company will soon have to face this decision of what to do about Chinese requests. We have seen how anyone who is unwilling to cooperate is blocked, and then an internal Chinese only copy is propped up.
  • Firefox 83 introduces HTTPS-Only Mode. Long time users of the HTTPS Everywhere extension from the EFF will be happy to have this feature available in the browser itself. This feature attempts to load all pages and resources via HTTPS first, instead of the usual HTTP request, 304 redirect, and HTTPS request flow normally seen. There may also be a speed up as one less request/response has to be processed. Chrome has no plans to implement a similar feature.
  • Standing up for developers: youtube-dl is back. I didn't expect this. Github/Microsoft has reinstated youtube-dl forks that remove the tests using copyright protected material. They have also changed their DCMA takedown process and created a developer defense fund. This is probably the best response I could have hoped for, and while I'm still leery of Microsoft's ultimate intentions with GitHub, for now at least it is a positive relationship.
  • Kali Linux 2020.4 Release. ZSH is now the default shell, a few new tools and version bumps, but the coolest feature is the private partnership with @byt3bl33d3r of the amazing CrackMapExec exclusive to Kali and GitHub sponsors for 30 days after each release.
  • ARM-based macOS can run iOS apps + network traffic/cert store is tied to macOS = perfect for iOS app hacking. This isn't really a new capability, since you could proxy web traffic through Burp on a macOS already. Having it all one one machine makes things slightly easier I suppose.
  • ZeroSSL offers free TLS certificates. Just like Let'sEncrypt, ZeroSSL now offers free 90 days certificates via the ACME protocol, including wildcard certificates.

Techniques

Tools and Exploits

  • Assetnote Wordlists. When performing security testing against an asset, it is vital to have high quality wordlists for content and subdomain discovery. This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet, generated fresh each month!
  • IAMFinder enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be assumed anonymously. The tool was developed during a red team exercise and it implemented the technique described in this blog.
  • Ghostwriter v2.0 Release. Ghostwritter is becoming a serious red team management tool. If you haven't looked into it before, it has some great new features that may help your team's workflow. There are adaptors for CobaltStrike and other tools like CobaltStrikeToGhostWriter.
  • BloodHound 4.0 - Azurehound. This is a major feature release for BloodHound, including support for Azure attack primitives in the attack graph with new nodes and edges. There is a nice cheatsheet for the new Azure functionality.
  • SwiftSpy is a macOS keylogger, clipboard monitor, and screenshotter written in Swift. Be aware it will cause TCC (Transparency, Control, and Consent) popups!
  • DInvisibleRegistry is an implementation of the null byte Run key persistence technique implemented in C# with direct syscalls via D/invoke.
  • VDM is a library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. Currently the project is using gdrv.sys but can be adapted to use any driver that allows for physical memory read and write by writing 4 wrapper functions.
  • HeapsOfFun, an AMSI VBA bypass via the heap, gets an update for x64. Details here.
  • reg_hunter is a blueteam operational triage registry hunting/forensic tool written in Rust.
  • MachoDecrypt will decrypt mach-o binaries on iOS. Requires a jailbroken iPhone.
  • exclude-cdn a tool to filter out CDN hosts from a list consisting of IP's, URL's, and Domains passed via stdin. Useful for bug bounties or external penetration tests.
  • Kaspersky_Safe_Money_LPE is an 0day in the Kaspersky "Safe Money" protected browser. Pure AV schadenfreude. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • screenity. The most powerful screen recorder & annotation tool for Chrome. It can record your desktop as well, and output to gif. Perfect for those PoC gifs!
  • rehex is a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-30

By: Erik
1 December 2020 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-23 to 2020-11-30.

News

Techniques

Tools and Exploits

  • mythic-deploy automates the deployment and configuration of a Mythic server with Terraform and Ansible. Adapt it to meet your red team's needs.
  • grab_beacon_config is a nmap NSE script to parse beacon payloads from cobalt strike servers to show their configurations. Use against your own infrastructure to see what others can tell about your beacons.
  • TinyCheck is a network IOC scanner for smartphones with a self-contained wifi man in the middle capture ability. Currently it alerts on known stalkerware indicators as well as plain text data exfiltration so don't count on it to find that NSO Group rootkit.
  • Set-RBCDBytes will set the msds-allowedtoactonbehalfofotheridentity property on the target with the security descriptor for a supplied user or machine that has an SPN. Where would this be useful? Consider an overprovisioned help desk (or similar) account that has GenericAll over every object in the domain and you want to quickly set the msds-allowedtoactonbehalfofotheridentity property on a specific target without importing all of PowerView. This is the script you need! SharpAllowedToAct is the C# variant, and more information on the technique can be found here.
  • clean_wordlist.sh is great for cleaning up some of the noise from last week's AssetNote's wordlists.
  • s3_objects_check is a script to check S3 object permissions in order to identify publicly accessible objects. The script requires two accounts, one with read access to S3 and one with no access to S3.
  • cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security. Think osquery for the cloud.
  • Neurax. Redcode labs keeps the Go based malware libraries coming with Neurax, library for constructing self-spreading binaries.
  • NetworkSniffer will log ALL traffic for any iOS application. This includes WKWebView and UIWebView, and no certificate pinning bypass is required! Requires a jailbroken iPhone.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Tigard is a one-stop-shop for all your hardware hacking needs.
  • DbgShell is a PowerShell front-end for the Windows debugger engine.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-12-07

By: Erik
8 December 2020 at 02:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-30 to 2020-12-07.

News

Techniques

  • A Modern Exploration of Windows Memory Corruption Exploits - Part I: Stack Overflows. Forrest Orr (@_ForrestOrr) puts together a great primer on stack overflow exploits, and unlike nearly every other resource, he uses Windows as the target OS which brings its own set of challenges. This is a great resource for any aspiring exploit developer. Source code to follow along is here.
  • Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager. Who watches the watchers? OBM is a product to monitor and identify IT infrastructure problems, but comes with its own set of security issues - including the classic Java deserialization.
  • CVE-2020-14418: madCodeHook Library Local Privilege Escalation. 'Tis the season of Windows local privilege escalation vulnerabilities in drivers. The Cisco ExPrevDriver.sys module, formally known as MorphiDriver32.sys has a time-of-check-time-of-use (TOCTOU) vulnerabilities that allows for arbitrary DLL loading.
  • The Unprotect Project is a MITRE ATT&CK like collection of specific, technical techniques malware uses from @fr0gger_ and @DarkCoderSc. Excited to see where this goes!
  • Bypass cobaltstrike beacon config scan. This post discusses the recent (last week's LWiS) Cobalt Strike beacon configuration scanners/parsers that connect to a Cobalt Strike that is configured for staged payloads (default) and dumps their configuration. By reversing Cobalt Strike itself, Zero Team was able to modify the static stage encryption key (a single byte XOR) and repack Cobalt Strike. Blue teams should brute force this key (256 possibilities) when attempting to parse a staged payload from a suspected Cobalt Strike server.
  • Building C2 Implants in C++: A Primer goes through the process of designing a C2 infrastucture, listening post, implant, tasking, and a CLI client.
  • D/Invokify PPID Spoofy & BlockDLLs. RastaMouse keeps the hits coming with this post on D/Invoke (direct syscalls) and PPID spoofing. This should help anyone developing their own C# tools to bypass API hooks and some AV detection.
  • How to Find Someone's U.S. Court and Property Records. If your target(s) are in the US, this post has lots of good resources to potentially uncover great phishing pretext.
  • APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. There are some interesting, and some sloppy, techniques in this post. The initial execution and file swap is a great trick that is likely to be effective against many macOS users. Consider implementing it on your next macOS targeted phishing engagement.
  • Weaponizing Windows Sandbox To Bypass Defender. This is an interesting technique that uses the Windows Sandbox to hide malicious activity. Malware has done similar things by shipping an entire VM and Virtualbox to a target to run ransomware without detection, but the built in Windows Sandbox is in place on Windows 10 Pro and Enterprise, and can be launched with a .wsb file (phishing potential?).
  • Leaking Browser URL/Protocol Handlers. Fortinet has some good research (and a CVE) on fingerprinting installed applications using URL/protocol handlers, aka shortlinks. Different responses to these shortlinks indicated if an application was installed or not. The vendor response is along party lines: Mozilla issues a CVE and quickly fixes, Microsoft says it's not a security issue, and Google basically says they'll get around to it when they get a chance.

Tools and Exploits

  • writehat is a reporting tool which removes Microsoft Word from the reporting process. Markdown --> HTML --> PDF. Created by penetration testers, for penetration testers - but can be used to generate any kind of report. Written in Django (Python 3). This and Ghostwriter (also written with Django) are interesting options for reporting.
  • DecryptAutoLogon is a command line tool (C#) to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon.
  • SharpMapExec is a C# version of CrackMapExec and is able to both scan for access, identify vulnerable configurations, and exfiltrate data using Kerberos or NTLM authentication. CME is one of my favorite Windows tools, so a C# version is very exciting.
  • GetOSVersion.h is a useful function for developing direct syscall solutions that uses the kuser data structure to pull version information, avoiding any API calls before using the correct direct syscalls.
  • APOLLO v1.4 - Now with 'Gather' Function from iOS/macOS and updates to iOS14 and macOS 11 modules. Apple Pattern Of Life Lazy Outputter (APOLLO) is a great tool for macOS and iOS forensics, and it just got a big update for the latest operating systems.
  • Carnivore is a tool for assessing on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb. NCC group has a blog post about the tool, as well as a DEF CON 28 presentation (slides).
  • Depix is a tool for recovering passwords from pixelized screenshots. Use black boxes to redact and ensure they are not removable objects!
  • Nero. Now this is a cool application of machine learning. "Neural Reverse Engineering of Stripped Binaries using Augmented Control Flow Graphs" is the title of the paper. Who wants to implement this as a Ghidra plugin?!
  • tc2 is a repo of example C2 stacks, fronted using Traefik to avoid JARM signature detection.
  • slipstream is a Go implementation of the NAT Slipstream attack from 2020-11-02's LWiS. The benefit is a single binary for client and server to check if your router is vulnerable.
  • fibratus is a modern tool for the Windows kernel exploration and tracing written in Go. It uses Event Tracing for Windows (ETW), so if that is being bypassed, this tool will be unable to pick it up. This could be a good addition to a blue team toolkit.
  • ELFPatch is an x86/64 Python library to manipulate and patch ELFs with dynamically sized patches. This could be super useful for exploit development.
  • cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers. This is intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with very little configuration efforts. This tool requires an access token for each cloud service to enumerate the assets, making it much more of a blue team tool than red.
  • SharpLigolo is a C# wrapper of the Go tool ligolo which is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection using TLS certificate for security. It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster, and now wrapped in C#!
  • Sharp-HackBrowserData is a C# wrapper of the Go tool HackBrowserData which can decrypt passwords, bookmarks, cookies and history from every browser except Internet Explorer and Safari across all three major OSs.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ripgrep-all is a line-oriented search tool that allows you to look for a regex in a multitude of file types. rga wraps the awesome ripgrep and enables it to search in pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc. Useful for everyday use, or to find credentials and other interesting data on a target machine.
  • ImHex is a Hex Editor for Reverse Engineers, Programmers and people that value their eye sight when working at 3 AM.
  • vast, or Visibility Across Space and Time, is a network telemetry engine for data-driven security investigations with sub-second response times over the entire zeek/suricata/json/csv imported data lake, thanks to multi-level bitmap indexing and actor model concurrency.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-12-14

By: Erik
15 December 2020 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-12-07 to 2020-12-14.

News

  • Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. This is the first good example of some proper hacking we've seen in a long time. The past few years have seen reporters and cybersecurity companies slap the "Advanced Persistent Threat" (APT) label on any group capable of getting a shell in a corporate environment which has weakened the term. This analysis took a village, and it shows. Excellent technical detail that exposes the lengths this actor went to prevent detection. Last week started as a PR disaster for FireEye, but the fact they were seemingly the only affected organization to detect this activity may end up actually being a big PR win. If you only read one thing this week, it should be this technical report. Lots of good tradecraft within. For defenders, load up the sunburst_countermeasures and get to hunting. Krebs has an overview of the potential scope of the compromise here.
  • Unauthorized Access of FireEye Red Team Tools. The big news story of the week was the compromise of FireEye by an advanced adversary - until the SolarWinds news broke. The loss of their Red Team tools feels like a red herring; you wouldn't use your Ocean's Eleven level crew/tools to steal lock picks from an Amazon warehouse. There were no 0days, and most tools appeared to be based on open source tools. The real target is likely access to the hardware/software supply chain - FireEye has lots of network devices in interesting places - as well as the Red Team report data. Why spend a lot of time finding vulnerabilities when you can pinch the reports? BishopFox has analysis on the tools based on the countermeasures FireEye released.
  • Suspected Russian hackers spied on U.S. Treasury emails. The software supply chain is an underrated attack vector. Compromise of a supplier and the ability to backdoor updates could give an attacker access to hundreds of high value networks in a single move. This is fallout from the SolarWinds news, and shows just how many organizations were affected.
  • CentOS Project shifts focus to CentOS Stream. "Shifts focus" is a polite way to say "abandons commitment to stability." CentOS 8 is now EOL 2021-12-31 instead of the previously stated 2029-05-31 - a casual 7.5 year change. rocky-linux looks poised to take up the "100% bug-for-bug compatible with RHEL" cause and is backed by the CentOS founder. IBM's acquisition of Red Hat is not getting off to a good start.
  • ms-teams-rce. This is a great example of the potential dangers of Electron. An XSS bug lead to cross platform RCE. Unfortunately, Microsoft gave this the lowest severity rating and also said that Electron apps (like Teams) are out of scope. Not a good look. Simply viewing a chat could trigger the RCE. The bugs were patched in October 2020.
  • rizin is a new fork of radare2 that states its purpose is to focus on stability and inclusiveness. They also brought the team behind Cutter which is a nice cross-platform C++ GUI frontend. Will be interesting to see how this fork goes.
  • Improving DNS Privacy with Oblivious DoH in 1.1.1.1. This is a good step toward private DNS lookups. It is basically a limited and fast Tor network for DNS-over-HTTPS queries with proxies that can't see content and resolvers that only see requests from proxies. I hope it is adopted into the cloudflared stub resolver soon.
  • Good-bye ESNI, hello ECH!. As someone very interested in ESNI this is a great progress! The new advances like the HTTPS resource record type and Hybrid Public Key Encryption address the issues with ESNI. ECH and Oblivious DoH give me hope for some privacy in the otherwise surveillance ridden dystopian cyberpunk future.
  • Use Secure LDAP to log into macOS with Google credentials. Google has had this ability via the Google credential provider for Windows for some time, but this is new to macOS (without using Jamf Connect). This should be useful to Google Workspace centric shops.

Techniques

  • Alternative ways to Pass the Hash (PtH). Pass-the-Hash is one of the classic lateral movement techniques for Windows environments. @n00py1 shows some lesser known methods such as WinRM, RDP, smbclient, LDAP, Pass-the-Ticket, mount, SSH, and resource based constrained delegation.
  • ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again. Containers prove to be a weak security boundary again (the UAC of linux!?). This post dives into the inner workings of containerd-shim to pull out a nice vulnerability. Exploit drops 2021-01-11.
  • State of the art of network pivoting in 2019. Don't be fooled by the title, the post is a fresh translation of a blog post from last year with lots of good content.
  • Adventures in Dynamic Evasion. This is a forward-looking post that describes how to profile and dynamically evade user mode API hooking with a two staged implant. The first stage just detects the hooks and reports back, and the C2 delivers a custom second stage that has direct syscalls in place of the hooked functions. SHAPESHIFTER is the PoC, and the Demo is here.
  • Red Teamer Plays with JARM. SalesForce's JARM was a interesting addition to the Blue Team toolkit, and in this post Mudge shows that the CobaltStrike JARM fingerprint is infact the Java 11 TLS stack's fingerprint. But if you're reading this, you have all your teamservers behind redirectors anyway, right?
  • Microsoft on-premises to the cloud using Seamless Single Sign-On. If you can execute code on a machine where a user is logged into Azure-AD, you can extract the ticket granting ticket of the user and the HTTP ticket granting service ticket. With these two tickets and a local policy change on your attacker VM you can load these tickets into memory with mimikatz and log into Azure or Microsoft 365 as the user! Thalpius' tool Kerberos now includes this as an option!
  • AS_REP Roasting vs Kerberoasting is a good post if you need a quick refresher on either AS_REP or kerberoasting with practical command examples and brief mitigations.
  • Tutorial of ARM Stack Overflow Exploit against SETUID Root Program. There are lots of stack overflow walkthroughs for x86 and even x86_64 but not as many for ARM. This is a good one that includes partial RELO (ASLR) and NX. As more IoT (and Apple computers!) move to ARM, this flavor of exploit will grow in popularity. Grab a raspberry pi and follow along!
  • 4 Free Easy Wins That Make Red Teams Harder. This has some good quick wins for blue teams, and also should make red teams think about evolving their tradecraft to include things that aren't covered by these four easy wins.
  • Watchcom discovers new Cisco Jabber vulnerabilities. This should sound familiar (LWiS 2020-09-07) as this company found the previous RCE bug in Cisco Jabber. It looks like the patch was a bandaid because when they did a verification audit the root cause remained and three new CVEs fell out. Another reminder that a patch is not always the death of a bug.
  • CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation. This one is a bit complicated (Kerberos always is) but if you have access to a domain machine, the password hash of a service account, and that service account is allowed to perform constrained delegation to another service, you're in luck! You can use this vulnerability to authenticate to the second service as any user.

Tools and Exploits

  • HTTPSignatures is a Burp Suite extension implementing the Signing HTTP Messages draft protocol. This allows Burp Suite users to seamlessly test applications that require HTTP Signatures. More details in this blog post.
  • Windows Cloud Filter Arbitrary File Creation EoP. James Forshaw drops a nice little Windows LPE that abuses the Cloud Filter driver used in mounting cloud file systems like OneDrive to create arbitrary files in protected directories. A simple PoC is included, but getting it to LPE is an exercise left for the reader. The vulnerability was patched 2020-12-08.
  • PsExec Local Privilege Escalation. This one requires an attacker to create the PSEXECSVC named pipe before the PsExecSvc starts, which gives them write access to it. Since the service blindly accepts commands via that pipe, the attacker is able to execute programs as SYSTEM. Code here.
  • VTgrepGHIDRA is a non official VirusTotal plugin for Ghidra which integrates VTGrep into Ghidra, facilitating the searching for similar code, strings, or sequences of bytes.
  • SirepRAT was just updated to support Python3. This tool exploits the Sirep Test Service that’s built into the Windows IoT Core image.
  • WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands to be used against Windows/AD environments. It's like GTFOBins or LOLBAS for Windows/AD exploitation.
  • VBA Macro to detect EDR Hooks is exactly that.
  • DoppelGate is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. It's named DoppelGate due to the borrowing of ideas/techniques used in Process Doppelganging and the Hell's Gate technique.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Maltiverse is a (currently) free IOC search engine.
  • SnitchDNS is a database driven DNS Server with a Web UI, written in Python and Twisted, that makes DNS administration easier with all configuration changed applied instantly without restarting any system services. One of its main features is the logging of all DNS queries allowing the discovery of network traffic endpoints, and it can also be used to implement canary tokens as it supports notifications via e-mail, web push, Slack, and Teams.
  • xcyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system. It provides a web page to view the data as well as a machine-readable format (JSON and CSV) that can be immediately usable in other systems such as SIEMs to enrich observed executions with contextual data.
  • Twake is a collaborative platform which improves teamwork. A self-hosted slack with video chat and collaborate document editing.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-01-04

By: Erik
4 January 2021 at 05:01

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-12-14 to 2021-01-04.

News

Techniques

  • Excel-Phish - Phish protected Excel-file passwords. Sometimes the easiest way to crack the password of Excel documents is to ask for them. The trusted location allowing macros without warnings was key to pulling this off. Code here.
  • Warcodes II - The Desko Case. Barcode programming has been demonstrated before but any traveler likely has direct experience with these Desko scanners. Imagine what would happen if you reprogrammed a scanner to accept the next person in line regardless of ticket status.
  • Hands in the Cookie Jar: Dumping Cookies with Chromium’s Remote Debugger Port. Cookie dumping is a very useful technique for modern red teams. As the use of multi-factor authentication increases, the ability to dump a cookie and browse to a site already authenticated is an attractive technique for adversaries. This new tool is based on some older research. I personally use SharpChromium, but this new cross platform solution is a welcome addition!
  • CVE-2020-25695 Privilege Escalation in Postgresql. This is a great post as it shows the full process from looking at the source code to working exploit, and everything in between. The exploit is for PostgreSQL 11.9 to 13.0 and allows an unprivileged Postgres user to elevate to superuser within PostgreSQL.
  • Automating Blind Sql Injection is a basic post on how to automate a basic blind SQLi in the popular Damn Vulnerable Web App (DVWA). Lots of testers will throw SQLMap without fully understanding how it works under the hood. This post is a good way to understand the basics before using more advanced tools.
  • AIR-FI: Generating Covert Wi-Fi Signals fromAir-Gapped Computers. I can't see myself ever needing to use this technique but dang is it cool. An attacker can control RAM to emit 2.4 GHz signals that can be picked up by nearby WiFi enabled devices. Demo here.
  • Fastly and Fronting. Domain fronting is not a new technique, and while it has suffered from dropped support by the big CDNs, it still works with Azure, Fastly, and others. This post shows you how to set it up from registering a service to testing the front. For a list of frontable domains, check out FindFrontableDomains or try this Censys query (credit to EX on the BloodHoundGang Slack for the query).
  • Dumping LAPS Passwords from Linux. Using a little bit of python (and the ldap3 module) or ldapsearch a Linux machine that can communicate with a DC and a user that has credentials to see the "Local Admin Password Solution" (LAPS) attribute in the DC (by default just domain admins) can dump all local admin passwords. Issue arise when misconfigurations allow non-DAs to see this attribute (help desk, etc) and their account is compromised.
  • An iOS hacker tries Android. Brandon Azad drops one last gem before moving from Google's Project Zero to Apple. In this low level post, he shows his work as he exploits an Android Neural Processing Unit bug. At the end he provides unique insight into the differences and similarities between Android and iOS kernel exploitation that he is uniquely qualified to present.
  • A tale of .NET assemblies, cobalt strike size constraints, and reflection.. With Cobalt Strike's 1MB limit for execute-assembly, the ability to load dependancies at runtime and add them to the current AppDomain vs having to weave them into the binary allows you to remain under the 1MB limit. Rasta Mouse has a post on the same subject here
  • Microsoft Exchange Remote Code Execution - CVE-2020-16875. September saw this Exchange RCE patched, and now it is once again patched in December 2020. Say it again for the people in the back, "a patch is not always the death of a bug!"
  • Exploiting BGInfo to Infiltrate a Corporate Network. This is a really cool technique that exploits the program that generates the information overlays on Windows desktop backgrounds.
  • Direct Syscalls in Beacon Object Files. The OGs of direct syscalls are back with direct syscalls in Cobalt Strike BOFs. They drop WdToggle and a helper tool InlineWhispers which can help add direct syscalls to your BOFs. Another new project SyscallsInject builds on this by reading the syscalls from on disk ntdll vs statically compiled into the BOF which I am calling "diet Hell's Gate" (true Hell's Gate would read the syscalls from memory).
  • Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. This is a round up of most (all?) of the ways to bypass user-mode hooks and use direct syscalls on Windows. Lots of good info here, and a new method I was unfamiliar with as well - FreshyCalls.
  • Bypassing Windows protection mechanisms & Playing with OffensiveNim. The offensive use of Nim is really heating up and this post walks through taking a template for C# loading in Nim and productizing it with Rubeus as well as using it to bypass Constrained Language mode for Powershell.
  • The worst of the two worlds: Excel meets Outlook. Ever wanted to drop a VBA script from Excel that will be run by Outlook to keylog a target? Well now you can! The VBA tricks from @TheXC3LL have been very impressive, and this is no exception.
  • Pentest - Everything SMTP demystifies the basics of SMTP and some simple commands you can use to try to spoof messages and enumerate users. Defenses against these techniques are also included.
  • State of Pentesting 2020 gives a good overview of some common techniques and methods used on internal pentests and how to defend against them.
  • Forging malicious DOC, undetected by all VirusTotal static engines. Breaking CRCs or inserting false headers cause all kinds of issues with parsers, and parsing is the first step most AV take with modern Office doucments.

Tools and Exploits

  • ExecuteAssembly is one of the best tool drops in recent memory. ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm. This has all the building blocks to incorporate into your own tools or use directly in Cobalt Strike. The only thing missing from making this perfect is Hell's Gate for dynamically resolving the syscalls vs statically embedding them.
  • winaflpet is a web user interface dedicated to WinAFL remote management via an agent running as a system service on fuzzing machines. The purpose of this project is to allow easy monitoring of fuzzing jobs running on several remote machines. This is a great project for anyone running a fuzzing farm against Windows software.
  • pexphide is a PoC for hiding PE exports so that dumpbin /exports shows no exports for the DLL. No blog post or further information that I could find, so dig into the code for the details.
  • solarflare is a credential dumping tool for SolarWinds Orion. With the recent news, now you can see what the attackers may have had access to in your environment. Lots more details an a full conference talk here
  • DetectCobaltStomp when module stomping is enabled with module_x86/x64 in a malleable C2 profile, this tool can detect the remnants left in memory. Also works against Module Stomping in C#.
  • SharpZipRunner executes position independent shellcode from an encrypted zip on disk. Modify this to ether pull the zip file via HTTPS or embed it and keep it all in memory for extra stealth.
  • KeyDecoder is a mobile app (Android only currently) created for pentesters and security enthusiasts. From the picture of a key, one can measure its bitting easily. The picture must be of the target key on an ISO/CEI 7810 ID-1 sized card like a credit card for the computer vision magic to work properly. Available on Google Play.
  • Vulnerable-Kext is a work-in progress "Vulnerable by Design" kext for iOS/macOS to play/learn with *OS kernel exploitation.
  • PcapMonkey is a project that will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. It can also save Suricata and Zeek logs in Elasticsearch using the new Elasticsearch Common Schema or the original field names. More details here.
  • Oh, so you have an antivirus... name every bug. Some :fire: Windows local privilege escalation exploits in this post. Proof of concepts available on GitHub.
  • NoMSBuild uses the Microsoft.Build.Evaluation C# namespace to load and build a project without executing MSbuild.exe. Comes with a sample project that uses D/Invoke to inject shellcode.
  • Azure Reporting Tools
    • CRT is the CrowdStrike Reporting Tool for Azure. This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.
    • Sparrow was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.
  • Issue 2096: Windows: splWOW64 Elevation of Privilege. This is an 0day (might be patched 2021-01-12?) that is a new way to exploit the same bug as CVE-2020-0986. Only a basic PoC exists thus far (a proof of write-what-where), but if you are in need of such a primitive for Windows, today is your lucky day!
  • ADFS-Info is a small project to get the private key and token-signing certificate from an AD FS server to create forged tokens that won't be detected by Microsoft Defender for Identity.
  • CVE-2020-27194. The proof of concept exploit for CVE-2020-27194 (Ubuntu 20.10 eBPF local privilege escalation) has been released. Write up here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • log is a simple command line log book for offensive operations. It makes it easy to timestamp important events and screenshots and organize them by target.
  • ghidra-dark provides a simple to use installer to install the FlatLaf dark theme, custom colors for disassembly/decompilation in Ghidra, and some other helpful settings. The installer supports all public builds through version 9.2 on Windows, Linux, and macOS.
  • αcτµαlly pδrταblε εxεcµταblε is truly some black magic that allows gcc to take in pure C to output a binary that can run on every Linux distro in addition to macOS, Windows, FreeBSD, and OpenBSD too. The implications for a platform independent stager are obvious. More information here.
  • aegis is a library that allows you detect if your software is being debugged or not on Linux, FreeBSD, NetBSD, OpenBSD and Windows. You can use it natively from C or use the Go bind.
  • arsenal is just a quick inventory, reminder and launcher for pentest commands. This project written by pentesters for pentesters simplify the use of all the hard-to-remember commands. Reminds me of tealdeer for pentesters.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-01-11

By: Erik
12 January 2021 at 02:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-04 to 2021-01-11.

News

Techniques

Tools and Exploits

  • SharpHandler. AV's really don't like when random programs open handles to lsass (i.e. mimikatz) so this project instead duplicate an already existing handle to lsass. It's in beta, and has to enumerate every userland process to find the lsass handle, so it will need some tuning before its production ready, but this is a great start!
  • BurpCustomizer. Burp Suite 2020.12 replaced the old Look and Feel classes with FlatLaf, an open source Look and Feel class which also supports 3rd party themes developed for the IntelliJ Platform. This extension allows you to use these themes in Burp Suite, and includes a number of bundled themes to try.
  • Getting root on a 4G LTE mobile hotspot. This was a fun journey from "I wonder how that works" to writing raw SCSI commands to the device to enable the root shell. Good use of Ghidra and debugging to figure things out.
  • tamperchrome (really Tamper Dev) is a browser extension that acts a lot like Burp Proxy. It can intercept and modify HTTP/HTTPS requests and responses directly in the browser. This should be a big help for people getting started with web app testing as it simplifies the process (no certificate to install). It should also work with sites that use certificate pinning, although those are rare outside of mobile apps.
  • s3viewer is a free tool for security researchers that lists the content of a publicly open s3 bucket and helps to identify leaking data. The tool allows you to view all the files on a given aws s3 bucket and download selected files and directories. The goal is to identify the owner of the bucket as quickly as possible in order to report that data is leaking from it.
  • cThreadHijack is a Beacon Object File (BOF) for remote process injection, via thread hijacking, without spawning a remote thread. cThreadHijack works by injecting raw Beacon shellcode, generated via a user-supplied listener argument, into a remote process, defined by the user-supplied PID argument, via VirtualAllocEx and WriteProcessMemory. A very detailed write up is available here.
  • FindObjects-BOF is a Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. Can be useful for finding processes with the CLR loaded for future spawnto when doing execute-assembly, or for finding a process that has process handle in use (i.e. to lsass.exe).
  • OutlookParasite is a method that misuses Outlook Add-in functionality to obtain (unprivileged) persistence using Outlook (or other Office programs). This method also bypasses the "ClickOnce" install pop-up that you'd normally get when installing an unsigned Outlook Add-in and doesn't show up in AutoRuns.
  • DefaultCreds-cheat-sheet is the one place for all the default credentials to assist the pentesters during an engagement. This document has a several products default credentials that are gathered from several sources. This looks to be quite a good list of default credentials.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • SysWhispers2 is a new release of the direct system call library, but this time it avoids static syscall numbers in favor of pulling them out of ntdll.dll.
  • intrigue-core is an open framework for discovering and enumerating the attack surface of organizations. It can be used with a human-in-the-loop running individual tasks, or fully automated through the use of machine files. With a flexible entity model and deep enrichment system, it is the most full-featured open source framework for discovering attack surface. Backed by a commercial company, this is one to watch. Release blog post here.
  • opencve is a platform that alerts you about new vulnerabilities related to the CVE list powered by the NIST JSON feed. More details at the hosted version.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-01-18

By: Erik
19 January 2021 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-11 to 2021-01-18.

News

Techniques

  • Finding 0day to hack Apple. A CMS 0day lead to shells on a few Apple systems. This is a detailed walk through of how the vulnerabilities were found and chained, as well as the web application firewall (WAF) issues and bypasses.
  • Making Clouds Rain :: Remote Code Execution in Microsoft Office 365. This exchange RCE bug doesn't want to die, as this is now the third patch bypass. As it stands it requires some administrative rights to an on-premise Exchange server (the post says DLP rights, but other sources say that is not required).
  • Sailing Past Security Measures In AD. This post covers my favorite technique in red teaming: "glue." There are so many good tools and techniques out there, if you can glue a few together or modify them slightly, you can create some effective "custom" tooling. Part of the reason I write this blog is to bring these building blocks to light for myself and others to "glue" together.
  • Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures. A 1x1 pixel image in the signature of a user's outlook client, which does not require elevated permissions or GUI access, can yield NTLM hashes from anyone who opens a message. Sigwhatever automates this whole process and cleanup too!
  • BitLocker Lockscreen bypass. This was patched on 2020-07-14, but is quite the trick none the less. By inserting a specially crafted USB stick and using a DLL hijack for the narrator, an attacker is able to get SYSTEM account code execution on a locked Windows 10 machine. This disclosure likely made many evil maids very upset.
  • Escaping VirtualBox 6.1: Part 1. If the 6 month old lockscreen bypass was too old news for you, secret club delivers a fresh 0day VirtualBox escape on Windows. A demo and PoC are available.
  • Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service. This reads like a CTF challenge with the use of sloppy scripting and bad permissions. 3rd party services are the source of many local privilege escalation vulnerabilities on Windows.
  • Pushing back on userland hooks with Cobalt Strike. With all the direct syscall development recently, it was only a matter of time before Cobalt Strike got in on the fun. Mudge's unhook-bof adds a beacon command which will "refresh" the DLLs of the beacon process with unhooked variants.
  • Hijacking connections without injections: a ShadowMoving approach to the art of pivoting. Have you ever wanted to use a legitimate process to send out your command and control traffic? By reusing existing network connections via the ancillary function driver that can be duplicated the ShadowMove authors are able to send and receive messages over an existing socket without process injection or any special privileges.
  • Divide and Conquer - A technique to bypass NextGen AV. Behavioral "netgen" antivirus and endpoint detection software often gives a process a maliciousness score based on how many "bad" actions it takes. The idea behind divide and conquer (and the earlier malWASH) is to have different processes do each step of the malicious activity so no one process crosses the detection threshold of the AV/EDR product.
  • Breaking The Browser – A tale of IPC, credentials and backdoors. As everyone and everything moves to a single sign on web app, the browsers have become the gatekeepers to valuable information. By injecting into Chrome, all kinds of tricks can be pulled - from credential stealing to a full implant stager.

Tools and Exploits

  • StaticSyscallsDump is a Beacon Object File (BOF) for Cobalt Strike that unhooks the NtReadVirtualMemory function and uses it do create a minidump of a process (i.e. lsass). This should be able to bypass many AV/EDR solutions, and works on a wide range of Windows versions unlike other syscall memory dumpers (i.e. SharpMiniDump)
  • abstractshimmer, the PoC for CVE-2020-15257 (containerd host network breakout from LWiS 2020-12-14) is out now. This could be a great breakout if you land on a somewhat privileged container.
  • CSSG is an aggressor and python script used to more easily generate and format beacon shellcode. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc.
  • Denim makes compiling nim code for windows with obfuscator-llvm easy!
  • printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be invoked via executing wmic printer list command with any user. The shellcode will be executed with SYSTEM privileges. More details here.
  • UnhookMe is a universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-01-25

By: Erik
26 January 2021 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-18 to 2021-01-25.

News

  • Urgent Security Notice: Probable SMA 100 Series Vulnerability. SonicWall, and its customers, had a bad weekend after the hardware VPN vendor announced there was a probably 0day being actively exploited in the wild and the only mitigation was to allowlist known good clients. Today the update the statement to indicate that besides the NetExtender product, all SonicWall products may be affected. To add insult to injury, @_darrenmartyn dropped the "0day" (patched in 2015) that Phineas Fisher used to completely dismantle Hacking Team and Cayman Trust Bank. The code is on github and exploits the ancient shellshock vulnerability.
  • Meet Raspberry Silicon: Raspberry Pi Pico now on sale at $4. Raspberry Pi drops their own custom microcontroller chip, a dual core Cortex-M0+ with 264kb of RAM. They also brought in partners to help with software and support MicroPython and TensorFlow Lite Micro. Full datasheet here, and SDK documentation is available as well (C/C++, and Python). Want other languages? It won't be long; Rust has already been ported and more are sure to follow.
  • Snort 3 officially released. This release brings claims of greater speeds, more efficient rules, a new plugin system, and more. This post has a breakdown of the differences between Snort 2 and Snort 3.
  • Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Microsoft details the link between the Solar Winds backdoor and multiple Cobalt Strike loaders used for hands-on-keyboard exploitation activities. The use of "commodity" red team tools after such a well executed backdooring is a bit strange. Either one group handed off access to a less advanced group for "effects" on targets or perhaps the threat actors hoped the discovery of Cobalt Strike would not trigger an in depth incident response that would burn the Solar Winds backdoor.
  • New campaign targeting security researchers. This one feels close to home. A threat actor has been baiting security researchers with fake PoCs (I even linked one of the fake YouTube demos last week) and getting them to open malicious Visual Studio projects that infect their systems when built. Even more scary, there are reports of fully patched Windows 10 and Chrome visitors to the honeypot "exploit research blog" getting infected as well. If you read this blog, it might be worth checking your machine for the IOCs at the end of this article.
  • Linux is now completely usable on the Mac mini M1. This is a huge step, and perhaps one day all the performance optimizations in the M1 will be available to Linux. Code here. There is also the Asashi Linux project which is aiming to make Linux usable on Apple Silicon.
  • Linux Lockscreen Bypass News

Techniques

  • Shellcode Injection using Nim and Syscalls. Nim is the latest language to be embraced by the offensive security community, and as it gains popularity more advanced and low level techniques are being ported to Nim. This post uses NimlineWhispers to enable direct syscalls on Windows in Nim.
  • Silencing Microsoft Defender for Endpoint using firewall rules. As more enterprises enable Windows Defender for Endpoint (aka Windows Defender ATP) red teams will need to check for and adjust their post-exploitation activity accordingly. If an attacker has local admin privileges, firewall rules can selectively block the host from communicating with Microsoft cloud endpoints responsible for the advanced reporting in Security Center. Like any other security solution, lack of data should be an indicator.
  • DNS C2 Sandwich: A Novel Approach. By sending a base64 encoded query sandwiched between two legitimate queries in a DNS request, you can fool some (zeek and Suricata < 6) network monitoring tools.
  • When vulnerable library is actually your physical book
  • Malicious VBA Macro’s: Trials and Tribulations. VBA/macros remain a useful phishing tool and this post discusses how to call the Windows API via VBA, the issues involved, and how to get a pure VBA reverse shell and memory dumper down to zero Virus Total detections. While the reverse shell or memory dumper may not be immediately useful, the Windows API use and obfuscation techniques can be applied to other VBA projects.
  • Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678). The Windows print spooler is the gift that keeps on giving. This time, the IRemoteWinSpool MSRPC interface is abused in combination with NTLM relaying to install a malicious printer driver and "print" a document to it. A PoC based on impacket is coming soon.
  • MSSQL Lateral Movement. While most MSSQL techniques require xp_cmdshell, this one loads the CLR and then a .NET executable remotely. A tool to help generate a standalone shellcode execution executable with all the requirements (connection string, SHA512 hash, etc) is available here.
  • VM Detection Tricks, Part 1: Physical memory resource maps. This is some cool research that eschews the typical methods of VM detection (cpu cores, memory size, drivers, etc) and instead goes for something much harder to spoof, and much less signatured - Physical memory resource maps. This is a great potential detection you should consider implementing in your next red team tool.
  • Syscalls with D/Invoke. Syscalls are hot. D/Invoke is hot. The combination is even hotter.
  • Windows Exploitation Tricks: Trapping Virtual Memory Access. James Forshaw is one of the grandmasters of unique Windows exploits. This one is low level, but worth the read if you are doing Windows exploit development.
  • Process on a diet: anti-debug using job objects. This one is a bit limiting, as it requires small programs with limited dynamic allocations to work properly, but the use of built in Windows systems to prevent debugging is always fun.
  • The Secret Parameter, LFR, and Potential RCE in NodeJS Apps. This one is for the web app testers and bug bounty hunters out there. The magic/horror of JavaScript allows for some strange behavior and potentially and RCE (if the version of handlebars is old enough and you can upload a template file to then include as a layout). This post reminds me of one of my favorite security conference talks.

Tools and Exploits

  • Appx_Blog is a PoC for a Windows LPE that exists if a drive has multiple partitions. Not very common, but may be useful as it is a 0day. Demo here; there is a short blog post as well.
  • Bughound is a static code analysis tool for Java and PHP based on Elasticsearch. Details here.
  • lsass is a Cobalt Strike Beacon Object File to dump lsass memory but uses a snapshot of lsass memory to do the minidump which may help evade some AV/EDR products.
  • JXA-RemoveQuarantine is a JXA script based on research by Jeff Johnson on leveraging TextEdit to remove quarantine attributes on files. It does create a brief pop up on macOS > 10.13.
  • delete-self-poc is a PoC that shows a way to delete a locked file, or current running executable, on disk in Windows. This is a common tactic on Linux, but it was previously impossible to delete a running binary on Windows.
  • SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter. Full blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-02-01

By: Erik
2 February 2021 at 04:06

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-01-25 to 2021-02-01.

News

  • NAT Slipstreaming v2.0: New Attack Variant Can Expose All Internal Network Devices to The Internet. This updated version of Samy Kamkar's work from last fall shows how a new primitive, H.323 ALG, is used to create holes in a NAT device which allow access to arbitrary IPs/ports behind it from the internet. Demo here.
  • International Action Targets Emotet Crimeware. "Operation Ladybird" saw the raiding and arrests at multiple locations across Europe linked to Emotet operators. They even release a video of one such raid.
  • A Look at iMessage in iOS 14. With iMessage being a standard target for 0 or 1 click exploits, Apple has introduced a new "BlastDoor" service and other improvements to make these attacks much more difficult.
  • Top macOS researcher escapes the rat race. Patrick Wardle has been the go-to guy for macOS research and malware analysis. He has given countless conference talks, found just as man 0days, and is now publishing all his macOS utilities as open source under the GPL. This "sponsorship" model of security research is interesting, and I hope it enables more people to focus on interesting problems while also giving back to the community that supports them.
  • What went wrong with America’s $44 million vaccine data system?. I fully admit this is a difficult problem to solve. But is it a $42 million no-bid contract difficult problem? Has America learned nothing from the healthcare.gov fiasco? The sad reality is there is likely a team of overworked developers at Deloitte trying their best to make VAMS work, and they will see almost none of that $42 million.
  • OSWatcher updated and organized into GitHub org. This project captures the changes between operating system versions as git commits, which makes it easy to pinpoint exactly when a file was added to an OS, along with lots of metadata about the files. This is a project that can help both red and blue teams as it provides foundational information about target operating systems.

Techniques

  • A tale of EDR bypass methods. If you only click one link from this week's blog, click this one. It's a full recap of the last two years of EDR bypasses for Windows with detail on each method. Lots of things to explore from this one if you haven't been keeping a close eye on EDR bypasses.
  • Tailoring Cobalt Strike on Target. Cobalt Strike beacons have to be configured before delivery, but in strict environments a wrong user agent can start an investigation and potentially loose access. @_xpn_ shows how red teamers can perform some basic recon on target and then patch a Cobalt Strike beacon to blend in before the first connection to C2 is ever made. Demo here, code here.
  • From N-day exploit to Kerberos EoP in Linux environments. This is textbook advanced adversary emulation. Faced with a fully up to date Red Hat machine, the BlackArrow red team researched and developed a working exploit for an Nday with no public PoC. Their PoC is available on GitHub.
  • Introducing FComm – C2 Lateral Movement. FComm provides an additional communication method for the PoshC2 framework. It provides a way to circumvent certain lateral movement limitations using file-based communications. This is a neat way to communicate in a restricted environment where two machines have common access to files (usually via a file share). This can be slow, but has the advantage of no visible TCP/IP connection to defenders. FComm has been merged into PoshC2.
  • BitLocker touch-device lockscreen bypass. This is the second lockscreen bypass using a similar technique in a short time. Once you get the narrator to jump to the windows behind the lockscreen, an attacker can execute code from a thumb drive fairly easily. Demo here. Do not leave your devices unattended, but especially do not leave your devices powered on an unattended.
  • Customizing an existing evilginx phishlet to work with modern Citrix. This is a great post that shows what really happens on engagements. Find a tool, spin it up, test it out - failure. Troubleshoot, fail, troubleshoot fail, repeat until success. I'm storing this one away for my next use of evilginx2 against a constantly changing login portal.

Tools and Exploits

  • Heap-based buffer overflow in Sudo (CVE-2021-3156). While it sounds similar to CVE-2019-18634 (LWiS 2020-02-10) this vulnerability affects default configurations, and has been around for 9 years. I suspect an exploit for this will become the DirtyCow of 2021. There is a good writeup that uses a fake libnss load to get a shell, and a PoC from a different source. Want to play with different exploits? Grab docker-CVE-2021-3156. Funny enough, while testing this exploit another minor issue in Sudo was discovered.
  • ditto is a tool for IDN homograph attacks and detection. This could make your next phishing engagement really blend in.
  • web-brutator if a fast, modular, web interface bruteforcer. Sometimes you want to throw some credentials at a web login without writing all the boilerplate. This includes modules for many known content management systems and makes it easy to write your own custom brute-forcing module.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ProcDOT turns thousands of monitored activities into a big behavioral picture - actually a graph - which can be interactively explored making behavioral malware analysis as efficient as it never was before. It takes in Procmon and pcap to generate the graph.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-02-08

By: Erik
9 February 2021 at 02:15

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-01 to 2021-02-08.

News

Techniques

  • Endpoint Detection and Response: How Hackers Have Evolved. This blog is so good it has a second part. It goes over user-mode hooking and direct syscalls, but introduces some unique bypasses, side-by-side loading vs process injection, and the use of code signing and spoofed attributes via syso files. The ScareCrow tool that automates all this is well done and even can provide phishing-ready one liners or a macro payload.
  • supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user. The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers. Scary stuff. You set up your tracking instance with the open sourced backend.
  • Microsoft Remote Desktop Web Access Authentication Timing Attack. The combination of returning the Active Directory Domain in an RPC response and a timing attack disclosing valid usernames allows a remote attacker with no knowledge of the target to enumerate valid Active Directory usernames using only RDWeb.
  • Abusing Google Chrome extension syncing for data exfiltration and C&C. The Google Chrome Sync feature allows for a decent amount of data to be exfiltrated from an infected browser. This plus the ability for extensions to snoop on all pages makes Chrome Extensions a natural attack vector (think oath tokens, cookies, etc). This has been happening for years.
  • DynamicWrapperEx – Windows API Invocation from Windows Script Host. This blog post will covers some basics of COM, how to leverage OLE Automation, the x64 standard calling convention, registration-free activation, and some of the limitations and security considerations around the use of a new tool published with the post.
  • Spoofing and Attacking With Skype. Tampering with requests to Skype allows for the creation of some pretty serious social engineering payloads.
  • Injecting Rogue DNS Records Using DHCP. Some environments automatically create DNS entries for DHCP host names which are user controlled. How can this be used? From the post - The first step would be to launch Responder in analysis mode (no poisoning) and listen for hosts broadcasting queries for hosts that they can’t resolve. Next, pick the most common one, inject a DNS record with the method above, and wait for an inbound connection from the querying system. If that account has a weak password, you might be able to crack it or potentially forward it is using NetNTLMRelayX.
  • Getting Started with Exploit Development. This is a good collection of resources as well as introduction to the topic.
  • Recon with Me !!!. Using some really nice "unix philosophy" tools, this post shows how to construct your on continuous monitoring solution for bug bounties or for blue teams to use against themselves.
  • Relaying 101. Need a quick overview of the many ways relaying can be used in a Windows environment? @theluemmel has you covered, with a healthy dose of self-deprecating memes for good measure.
  • In-depth dive into the security features of the Intel/Windows platform secure boot process. If you've ever wondered what really happens when you boot an Intel based Windows computer with SecureBoot enabled, this post will show you in great detail.
  • Reverse engineering Emotet – Our approach to protect GRNET against the trojan. This post is chock full of meaty reverse engineering detail. If you were ever curious how major botnets went from email opens to trojan'd machines without tripping AV/EDR, this post is for you.

Tools and Exploits

  • raptor_infiltrate20 contains multiple exploits (some 0days?) for Solaris 10 and 11. The talk is worth checking out as well. Even modern operating systems have some dumb logic bugs left.
  • PatrowlHears is an advanced and real-time Vulnerability Intelligence platform, including CVE, exploits and threats news. This commercially developed continuous monitoring system is now open source (AGPL)!
  • Forrest_Orr_CVE-2020-0674_32bit.html. This is a Microsoft Internet Explorer 8-11 32-bit Use-After-Free exploit. It targets 32-bit vs the metasploit 64-bit only exploit which is important as IE is 32-bit by default on Windows 7 and 8.1. As with everything Forrest Orr does, it's a work of art and bypasses DEP, ASLR, and EMET 5.5 (EAF, EAF+, stack pivot protection, SimExec, and CallerCheck).
  • squealer scans a local git repository for secrets that are being leaked deep within the commit history using regular expressions. Use it on offensive engagements or as part of your CI to keep secrets out of git repositories.
  • Awesome_Firebase_DomainFront is a repository for a Firebase domain fronting application. This is a demonstration application that uses firebase cloud functions to front traffic. You can use arbitrary *.web.app domains. See the blog post for more information.
  • SharpSMBSpray sprays a hash via smb to check for local administrator access. With SharpMapExec you'd have to specify a list of computer names vs a network range in SharpSMBSpray.
  • rsa_sign2n contains experimental code to calculate RSA public keys based on two known message-signature pairs, code to extract and generate RSA and HMAC signatures for JWTs, and proof-of-concept code to exploit the CVE-2017-11424 key confusion vulnerability in pyJWT, without knowing the public key of the target (all details here).
  • Shield - not new, but with a shiny new EndpointSecurity entitlement from Apple it can be easily installed. More information on this injection attack protection tool here.
  • SharpRelay automates the process of loading the WinDivert driver (signed) and communicate with it to pull of an NTLM relay remotely through a Cobalt Strike beacon. If you don't want to load the driver, InveighZero may do what you need.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • necrobrowser is a browser instrumentation microservice written in NodeJS: it uses the Puppeteer library to control instances of Chrome or Firefox in headless and GUI mode. The idea is to feed NecroBrowser with web sessions harvested during phishing campaigns (see Muraena) to quickly perform actions hijacking the victim session.
  • uroboros is a GNU/Linux monitoring tool focused on single processes. This could be a useful first step for dynamic analysis of a Linux binary.
  • Information Security Reference is a very complete resource for all things Information Security.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-02-15

By: Erik
16 February 2021 at 04:00

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-08 to 2021-02-15.

News

Techniques

  • Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. "From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds." It was only a matter of time before this was exploited on a wide scale. 2021 is shaping up to be the "year of the software supply chain." You can use Confused to find free namespaces for private package names in your own projects, on assessments, or in bug bounty eligible projects.
  • Swarm of Palo Alto PAN-OS vulnerabilities. The authenticated RCEs show some creative ways to inject commands via user forms and XML as well as analysis of how/why they work.
  • CVE-2021-24092: 12 Years in Hiding – A Privilege Escalation Vulnerability in Windows Defender. Hard link based local privilege escalation vulnerabilities are still showing up in Windows after quite some time of hard scrutiny. How many more are left to find?
  • Windows Installer File Read 0day. Using a symlink and legitimate MSI installer, the Windows install process can be abused to allow arbitrary file reads. PoC here.
  • Hooks-On Hoot-Off: Vitaminizing MiniDump. When a minidump of lsass was successful but the resulting file was deleted, @Mari0Bartolome uses a function hook to exfiltrate the file to a waiting server instead of writing it to disk. For a more in-spec implementation of this, see the second section of: Dumping Lsass without Mimikatz with MiniDumpWriteDump. Want it in C#? I've got you covered.
  • The Lone Sharepoint. You may think a Sharepoint server that requires authentication and does not allow outbound traffic (besides related/established HTTPS) would be fairly secure. @acap4z shows how some CVEs, a little knowhow, and a lot of persistence debugging and re-writing webshell proxies can allow such a machine to a gateway into a network. Some proper hacking in this post.
  • Stealthy Process Communication Between Threads on Windows 10. While pipes are the standard method of interprocess communication (IPC) on Windows, @LloydLabs has developed a PoC using ThreadName to communicate between processes without pipes. Add this to your advanced red team implant to keep pipe-aware EDR/AV off your tail. Mudge has a timely article about pipes in Cobalt Strike if you are curious to learn more: Learn Pipe Fitting for all of your Offense Projects.
  • Detecting Manual Syscalls from User Mode. As direct syscalls become more popular, defenders will slowly adapt methods to detect them. One method is to check if the instruction pointer of a kernel to user mode return is in ntdll.dll or wind32u.dll (the legitimate sources of syscalls into the kernel) and alerting if not. This can be done from user mode with a built in framework to instrument all kernel to user mode callbacks called Nirvana. There are good ideas for future work and bypasses at the end of the post and the code is available here. Top notch research.
  • Bypass AV/EDR with Safe Mode?. If you can afford to reboot a machine, you may be able to defeat AV/EDR by booting into safe mode!

Tools and Exploits

  • Dendrobate is a framework that facilitates the development of payloads that hook unmanaged code through managed .NET code. To do this Dendrobate uses EasyHook and packs the injected component, Dendron, using Fody & Costura. This is all done automatically so all you need to do when you compile Dendron is select the appropriate .NET version (only v3.5 and v4.5 are supported!). Don't sleep on the full MFA bypass walkthrough in the second half of the readme, it could be a whole blog post on its own.
  • Perfusion is a "forever-day" (won't be patched) local privilege escalation for Windows 7, 8, Server 2008R2, and 2012. The registry key of the RpcEptMapper and DnsCache (7/2008R2 only) services is configured with weak permissions. Any local user can create a Performance subkey and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITYSYSTEM (hence the tool's name). More information in a blog post from last November.
  • hilda is a debugger which combines both the power of LLDB and iPython for easier debugging on a jailbroken iPhone.
  • cicuta_virosa is an iOSiPadOS 14.3 kernel LPE for all devices by @ModernPwner that exploits CVE-2021-1782: A race condition in user_data_get_value() leading to ivac entry uaf. This issue has been actively exploited in the wild with a WebKit exploit. The RCE chain may be released in the future.
  • StaticSyscallsAPCSpawn Executes shellcode on Windows using: NtCreateSection -> NtMapViewOfSection -> NtQueueApcThread -> NtResumeThead. It also uses BeaconSpawnTemporaryProcess to create the target process. You may want to edit the NtCreateSection calls for better opsec (RW local, RX remote).
  • MiniDumpWriteDump is a custom implementation of DbgHelp's MiniDumpWriteDump function. It uses static syscalls to replace low-level functions like NtReadVirtualMemory. Since this is a full custom dumper plus static syscalls, it likely has a long shelf life.
  • github1s - Just add 1s after GitHub in a URL and press Enter in the browser address bar for any repository you want to read in a web version of VSCode. GitHub1s implements a VS Code Extension (includes FileSystemProvider) that uses GitHub's REST API as a filesystem, then serves this as a static site. Very clever!
  • WSAAcceptBackdoor is a POC implementation for a DLL implant that acts as a backdoor for accept Winsock API calls. Once the DLL is injected into the target process, every accept call is intercepted using the Microsoft's detour library and redirected into the BackdooredAccept function. When a socket connection with a pre-defined special source port is established, BackdooredAccept function launches a cmd.exe process and binds the accepted socket to the process STD(OUT/IN) using a named pipe.
  • gopherheaven is a Go implementation of the classic Heaven's Gate technique originally published by roy g biv on VX Heaven in 2009. gopherheaven can be used as an evasion technique to directly call 64-bit code from a 32-bit process. Looking for Hell's Gate instead? That has been around for a little while as BananaPhone.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-02-22

By: Erik
23 February 2021 at 04:58

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-15 to 2021-02-22.

News

  • Solo V2 — Safety Net Against Phishing. Everyone knows FIDO2 keys are the best defense against credential phishing, but until now all the solutions have been closed source and expensive. Solokey's Solo V2 looks to change all that with an affordable, NFC capable, open source FIDO2 key. I have no affiliation with Solokey - just a fan of what they are doing. Note: the open source firmware has been audited.
  • Sandworm intrusion set campaign targeting centreon systems. In a three year long campaign, Sandworm used webshells and a Linux backdoor to access information technology providers, including web hosting providers. Based on Sandworm's history of targeting industrial control systems, ransomware, and highly public attacks (2018 winter olympics), perhaps this was just an effort to get free redirectors and payload hosting.
  • Brave Browser leaks your Tor / Onion service requests through DNS. This isn't the first issue with Tor and Brave (CVE-2020-8276), and likely won't be the last. Mixing Tor and a standard browser is a recipe for disaster.
  • Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. MacOS specific malware, including an arm compiled variant, uses the old favorite malicious pkg installer to infect victims. MalwareBytes claims it has seen the malware on nearly 30,000 endpoints, while the Red Canary team says it has no evidence the malware has conducted any post-exploitation activities.

Techniques

Tools and Exploits

  • CIMplant is a C# port of WMImplant which uses either CIM or WMI to query remote systems. It allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation, WMI, or Common Interface Model, CIM. CIMplant requires local administrator permissions on the target system. More information in this post.
  • endgame is an AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet. Compared to other AWS offensive tools, endgame have a much wider range of supported services (18 vs 11 for the official AWS Access Analyzer). Of note, the "original" repo (salesforce) and the author's repo (kmcquade) have both been taken down. Sadly, Salesforce has a reputation for this kind of thing.
  • pcp is a command line peer-to-peer data transfer tool based on libp2p. It differs from others (like croc) because it uses IPFS instead of a centralized sever.
  • AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profiles user-agent, URI paths, headers, and query parameters, will be redirected to a configurable decoy website. More information in the blog post.
  • OffensivePipeline allows you to download, compile (without Visual Studio), and obfuscate C# tools for Red Team exercises.
  • Swift-Attack is the macOS equivalent of atomic red team. It contains unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
  • SharpLAPS is a C# executable that will retrieve the LAPS password from the Active Directory. It must be executed from either a Domain Administrator or an account with ExtendedRight or Generic All Rights.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. More information here.
  • horusec s an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, and Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-01

By: Erik
2 March 2021 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-22 to 2021-03-01.

News

Techniques

Tools and Exploits

  • spraygen is a password list generator for password spraying - prebaked with goodies like sports team names, seasons, years, etc.
  • BadOutlook is a simple PoC which leverages the Outlook Application Interface (COM Interface) to execute shellcode on a system based on a specific trigger subject line. This can be used to build an Entire C2 Framework that relies on E-Mails as a mean of communication (Where the Implant never speaks to the internet directly).
  • 1u.ms is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents. A hosted version is available at 1u.ms. You may want to protect the /last and /log endpoints if self-hosting.
  • Alaris is not technically a new tool (LWiS 2020-10-19), but it has had a major update to use direct syscalls with SysWhispers2, a new builder, and new dynamic encryption primitives.
  • redbean - single-file distributable web server. This is both a zip file that contains all content that is served and a truly cross platform (Windows, Linux, MacOS, and BSD) binary webserver. This may be actual magic.
  • Callback_Shellcode_Injection contains POCs for shellcode injection via callbacks. These uncommon API calls are likely much less monitored than standard methods of shellcode injection (although they still use VirtualAlloc).
  • goc2 is a new macOS post exploitation C2 framework. Pairs with goc2-agent.
  • Omnispray aims to replace tools such as o365spray and provide a modular framework to expand enumeration and spraying beyond just a single target/application.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
  • LsassSilentProcessExit is a new method of causing WerFault.exe to dump lsass.exe process memory to disk for credentials extraction via silent process exit mechanism without crashing lsass.exe.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-08

By: Erik
9 March 2021 at 04:04

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-01 to 2021-03-08.

News

  • ProxyLogon. The big news of last week was the unauthenticated remote command execution as SYSTEM on Microsoft Exchange servers that only had port 443 open. This bug chain is impressive, and it was originally found by Orange Tsai of DEVCORE, but exploited by an alleged Chinese APT like crazy in the past few weeks. Two things stand out: 1. Orange Tsai and team went from "Let's look at Exchange" to unauth RCE in 3 months, and 2. Somewhere along the discovery and reporting chain, the bug was likely stolen or leaked. While possible, it is unlikely the APT using this 0day discovered it in parallel with Orange Tsai and then started using it only after it was reported to Microsoft. Further speculation is up to the reader - Krebs has a a basic timeline of the exchange mass-hack.
  • Cobalt Strike 4.3 – Command and CONTROL. Industry's favorite commercial command and control framework got an update with a big focus on DNS beacons. While direct support for DNS over HTTPS wasn't included, it is possible to shim it in using lookups to localhost and cloudflared. Full changes in the release notes.
  • Raphael’s Transition. In other Cobalt Strike news, Raphael Mudge is stepping down after nearly a decade of work on Armitage and Cobalt Strike. It's inspiring to see someone take a good idea dreamt up during a CTF and turn it into a successful business. Enjoy your next adventure Mudge, you've earned it!
  • Fast Factoring Integers by SVP Algorithms. I almost didn't include this as the findings have not been demonstrated let alone proven, but "this destroys the RSA cryptosystem" is one hell of a way to end your paper's abstract. I'll be keeping an eye on this one, but don't bump replacing RSA up on your priority list quite yet. Another researcher has implemented the algorithm, and it isn't the RSA destroyer claimed.
  • Xerox lawyers prevent con talk. Sadly this is still a thing in 2021. The researcher found bugs in Xerox multifunction printers and responsibly disclosed them, only to have Xerox sic their lawyer hounds on him. The bug descriptions (no PoCs) are available at Airbus security lab publications.

Techniques

Tools and Exploits

  • universal - This loader provides a unified Go interface for loading shared libraries from memory on Windows, OSX, and Linux. Also included is a cross-platform Call() implementation that lets you call into exported symbols from those libraries without stress. This is a work of art, a universal loader without any C code, or calls to memfd, that even works on the M1 macs. Bravo.
  • Syscall_PE_Loader.cs is a C# PE cradle with DInvoke Syscalls to avoid hooking and sleeps for the DLL imports. Both trigger a scan, so doing only one won't help. Only needs an amsi.dll patch bypass before using to complete the EDR/AV bypass trifecta. However, apparently simply compiling your own unchanged Cobalt Strike artifact kit is enough to bypass defender.
  • SaltStack API vulnerabilities. Just last week we discussed the local SaltStack Minion Local Privilege Escalation, but this is reprise of the RCE from last year. "It took a few hours total to find these after looking at patches for the last set of vulnerabilities." Patches can be goldmines for finding similar, unpatched bugs!
  • Wubes is like Qubes but for Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. It currently supports spawning a Windows Sandbox for Firefox.
  • ipv6-df-3.c is a FreeBSD 9 PoC of the SOCK_RAW vulnerability. Why would this matter? The PS4 runs a modified FreeBSD 9 kernel. More information here.
  • CVE-2021-23132 is a Joomla core (<= 3.9.24) vulnerability in com_media allowed paths that are not intended for image uploads which leads to RCE. This is an authenticated RCE that requires an admin account.
  • EDRs contains information about EDRs and the functions they hook in ntdll.dll that can be useful during red team exercise.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DT_RPATH. On Linux machines, LD_PRELOAD has been the go-to for userland "rootkits" that hook every process. However, the lesser known DT_RPATH can achieve similar results.
  • packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark. Point it at a pcap and it can tell you things like if host keys were ignored, command line flag usage, and if a session was automated or interactive. Very cool.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-15

By: Erik
16 March 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-08 to 2021-03-15.

News

  • Proxylogin fallout
  • Bloodhound Enterprise. From the creators of BloodHound, a SaaS technology that continuously identifies and quantifies the most critical Active Directory choke points. Measurable, practical remediation guidance enables the elimination of millions of attack paths within your existing Active Directory architecture. The product is scheduled for release this summer (2021) and I am excited to see it help organizations lock down their AD environment.
  • OVH data centre destroyed by fire in Strasbourg – all services unavailable. This is your weekly reminder that the cloud is just someone else's computer. Backups still matter!
  • Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity. Let's Encrypt but for code signing. Most importantly: "sigstore will be free to use for all developers and software providers, with sigstore’s code and operation tooling being 100% open source." This is a good step that I hope lots of developers use. Imagine being able to subscribe to a monitor service for all the dependancies in your project. The transparency may also provides an OSINT opportunity for red teams. You can monitor the progress of the tools on GitHub.
  • A Hacker Got All My Texts for $16. A layered network of providers eventually allows the complete re-routing of SMS messages, with no verification or notification to the end user (since fixed by the one provider tested). The fact that 3 separate companies were involved means that there are APIs that allow this with no verification. What would it take for an attacker to either find a new provider that does not do verification or create their own to gain access to the APIs? If a services offers app based (or better, hardware key based) multifactor authentication, choose it over SMS every time.
  • Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. This report on the closed source tracking system (and upcoming AirTags) that will help locate lost devices by using every Apple device with Bluetooth as a global sensor has some flaws. However, it's clear that care was taken in the design to preserve privacy more so than other similar systems (e.g. Tile). Don't want to wait for AirTags? Build your own now using openhaystack. Due to the private design of the Apple system, it will be hard (impossible?) to prevent this kind of third party use.
  • Introducing ThreatFox. ThreatFox is a community driven project from the creator of abuse.ch and MalwareBazaar where security researchers and threat analysts can share indicators of compromise (IOCs) with the infosec community for free, and without the need of a registration.
  • Whitelist Me, Maybe? “Netbounce” Threat Actor Tries A Bold Approach To Evade Detection. Imagine being so confident in your malware, you email it directly to one of the 2 vendors that have marked you malicious in VirusTotal and ask to be whitelisted. No such luck this time, but how many times has it worked?
  • A Spectre proof-of-concept for a Spectre-proof web. It's pretty wild that the Google team managed to get Spectre working via Javascript in a sandboxed browser, but perhaps the most interesting bit of this post is, "in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes."

Techniques

Tools and Exploits

  • git: malicious repositories can execute remote code while cloning. As someone who clones a lot of git repos, this one is personal. From the advisory: On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Update your git clients! Windows has LFS enabled by default and is vulnerable (other OSs have to enable LFS). This is also not the first git LFS vulnerability (see CVE-2020-27955).
  • Three distinct vulnerabilities discovered by GRIMM while researching the Linux kernel combine as LPE. A kernel pointer leak plus a heap buffer overflow allows for local privilege escalation on modern Linux (RHEL 8.1-8.3).
  • RunDLL.Net is a project to execute .Net assemblies using Rundll32.exe.
  • FOLIAGE. This is an interesting project that implements a DNS-over-HTTPS persistence stager with memory obfuscation a la gargoyle. This project uses NtContinue as the "gadget" which gets around argument limits to manipulate the return address to NtTestAlert() which allows the code to run the next time it is called.
  • DisablePPLDriverPoc is a custom driver to disable protected process light and dump lsass. The driver is not signed, so it must be loaded via a driver signing bypass to work.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • cosmonim is a simple example to show how can you use cosmopolitan with Nim. Could this be used to write the ultimate cross platform dropper for those cases where an exploit could land you on a Windows or Linux machine?
  • ebpfsnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by opensnitch and Douane but utilizing modern kernel abstractions - without a kernel module.
  • http_bridge is a client that allows for socks5 proxying over standard HTTP verbs (no CONNECT) through a Linux server running PHP. Similar to Cloak.
  • Go-RouterSocks managing multiple chisel sessions can be a pain. This tool exposes a single socks5 proxy port, and allows dynamic routing of networks to specific chisel sessions.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-22

By: Erik
23 March 2021 at 02:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-15 to 2021-03-22.

News

Techniques

Tools and Exploits

  • CredBandit. This BOF is the culmination of many great projects, and allows you to dump process memory using direct syscalls and a custom MiniDumpWriteDump adapted from ReactOS, all without having the dump touch disk, transferring it back via a BeaconPrintf hack. Hopefully this kind of workaround won't be required in the next version of Cobalt Strike. It would be great to have a way to send arbitrary data back to a teamserver in a BOF.
  • bloodhound-quickwin is a simple script to extract useful informations from the combo BloodHound + Neo4j. It can help to choose a target for follow on actions.
  • xeuledoc can fetch information about any public Google document (doc, sheet, slide, map, drawing, etc).
  • Lepus3 is a subdomain finder with various API integrations. Learn more in the post: Reviving and Refactoring DNS Enum.
  • Add exploit for CVE-2021-1732. The Windows 10 local privilege escalation vulnerability discovered in the wild is now in metasploit - but nothing is stopping you from modifying this code for use in your own framework/tool.
  • dnsfwd is a DNS forwarder that only forwards queries for the domains you specify to an upstream host. This is useful for things like DNS beacons where you only want to send beacon related traffic to Cobalt Strike.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • grex is a command-line tool and library for generating regular expressions from user-provided test cases. All you do is give it examples of strings to match and it will generate a regular expression that matches all of them. A great tool for getting a good start on a tough regex.
  • CredMaster is a refactored & improved CredKing password spraying tool that uses FireProx APIs (AWS) to rotate IP addresses, stay anonymous, and beat throttling. More details here.
  • SecurityTips is a collection of "HackerScrolls" tips, cheatsheets, and mindmaps.
  • terraformer is a CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-29

By: Erik
30 March 2021 at 03:32

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-22 to 2021-03-29.

News

Techniques

  • House of Mind - Fastbin Variant in 2021. This post (re)introduces GLibC heap exploitation method that works across all versions of the heap allocator and gives a write-what-where primitive. This is dense exploit development content.
  • APT Encounters of the Third Kind. Easily the best article of the week. Igor goes from noticing a discrepancy between his test setup and production pcap time vs packet counts to uncovering an in-memory only APT backdoor. If you are wondering what a real advanced persistent threat looks like, this is it.
  • SAML XML Injection. If you're testing an app with SSO abilities based on SAML, be sure to read this post.
  • PhishCatch: Detecting password reuse from the inside out. By hashing enterprise passwords and storing them locally, and hashing all passwords to compare, this Chrome extension can detect password reuse without compromising any credentials.
  • Recovering a full PEM Private Key when half of it is redacted. In just a few hours the wizards of the cryptohack Discord server managed to recover a RSA private key from a partially redacted screenshot. "Whether it’s a single bit leaking with Ladder Leak, or pieces of primes for a Coppersmith attack, partial information exposure of cryptographic private keys is often enough to totally break the crypto protocol. If you find something private, keep it that way."
  • Bypassing conditional access by faking device compliance.. This guide shows two different ways to make a device compliant in Microsoft InTune, even if you spoof it as a Commodore64.
  • Dumping LSASS in memory undetected using MirrorDump. Using boo and avoiding the classic dumping technique of calling OpenProcess, MirrorDump instead registers as a "legitimate" authentication provider with Windows and uses a handle to itself (lsass.exe) to do the dumping.

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • graphtage is a command-line utility and underlying library for semantically comparing and merging tree-like structures, such as JSON, XML, HTML, YAML, plist, and CSS files. This is sure to be useful in a shell script at some point.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-05

By: Erik
6 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-29 to 2021-04-05.

News

  • Phone numbers for 533 million Facebook users leaked on hacking forum. The data is from a 2019 scrape that abused the contact import feature, and has been circulating in private since then. Now however, anyone who knows your name can look up the phone number used to register your facebook account.
  • Whistleblower: Ubiquiti Breach “Catastrophic”. Despite the initially downplayed public statement in January, an insider claims the attacker "gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies." Ubiquiti has since issued a new statement that did not dispute any of the facts and hinted the perpetrator may have been an insider, or "an individual with intricate knowledge of our cloud infrastructure."
  • Our reasoning for Outflank Security Tooling. Outflank, a well known top-tier adversary simulation firm out of the Netherlands, is offering its in-house offensive toolset for a yearly license of €40,000. I agree with their thesis that effective red teams now have to be excellent developers/R&D practitioners and that was not the case 5 or more years ago. Hopefully this business model is sustainable - I think it will be. More details on the product page.
  • Update on campaign targeting security researchers. The North Korean actors that targeted security researchers with malicious project files in January 2021 have stood up a new potential watering hole. In this case, Google's Threat Analysis Group was able to notice before the site could host any malicious content.
  • Google LLC v. Oracle America, Inc.. "The Court ruled that Google's use of the Java APIs was within the bounds of fair use, reversing the Federal Circuit Appeals Court ruling and remanding the case for further hearing." While it isn't a total victory (it didn't rule that APIs couldn't be copyrighted), it's still a win.
  • Community API. Greynoise has been a useful tool for SOCs to determine if the traffic they are seeing is legitimate attacks or just noise like known scanners. Now there is a free to use community API!

Techniques

  • How to execute an object file: Part 2. This post picks up where the last one left off and expands the loader to handle static constant data and global variables.
  • Man in the Terminal. On Linux or macOS targets, PATH variable manipulation can allow your program to be executed before the actual program the user invokes, allowing you to shim it and retrieve credentials and other sensitive information. A proof of concept shim called cliProxy is available. A simple improvement would be for cliProxy to automatically detect the program it is invoked as and search the real PATH for that binary to proxy. That way you could compile once, and deploy for many target binaries.
  • HookDump. By using LoadLibrary and reading the DLL from disk, HookDump can compare the exported functions to detect hooks with low (or no?) false positives. Grab the code on GitHub.
  • Safe code & pitfalls: DLL side-loading, WinAPI and C++. DLL side-loading is a common persistence technique, but it can be difficult to write the "remediation" section of a report that finds usable DLL side-loading on an app assessment. This is the best blog I have found that provides technical details on how to prevent side-loading in C++.
  • Three ways of using MSBuild to beat CrowdStrike. MSBuild has been a favorite LOLBin for years now, and it still is undetected in many cases!
  • The Power of SeImpersonation. Just when you thought there couldn't possibly be any more potato exploit variants another one drops. This new variant focuses on the ability to respond to HTTP requests or named pipe write. The code is available as GenericPotato.
  • This man thought opening a TXT file is fine, he thought wrong. macOS CVE-2019-8761. Textedit is the notepad.exe of macOS and it will render HTML for you without asking. Using some iframedoc and style magic, even without javascript Paulos is able to exfil data. Impressive work! I always run defaults write com.apple.TextEdit RichText -bool false on a new mac to prevent the rich text rendering anyway, now it's a security hardening feature.
  • PageBuster: stealthily dump all the code ever executed. This tool can dump all executable pages from memory which is great for things like analyzing packed malware in a sandbox vs reverse engineering the packer and unpacking it by hand.

Tools and Exploits

  • PMapper is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
  • random_c2_profile is a project designed to generate malleable c2 profiles based on the reference profiles here. This makes totally random profiles, so you may want to manually make it less random.
  • WordlistSmith is a tool to quickly scrape a website and generate a wordlist and is multithreading capable.
  • CheeseRDP is a single C# binary that can be run via .NET Reflection and will inject into mstsc.exe to steal RDP credentials. No need to drop a DLL to disk!
  • SharpProxyLogon is a fully featured exploit for ProxyLogon (the Exchange RCE chain) that can either drop a webshell or inject shellcode into svchost.exe as SYSTEM.
  • X-Commander is an easy-to-use python tool for attacking MySQLX or XDevAPI, brute forcing and querying.
  • innernet is a private network system that uses WireGuard under the hood. While WireGuard is awesome, it's just a really good VPN and nothing more. Innernet looks to solve some of the comfort issues with WireGuard. The announcement blog post has the details.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • caronte is a tool to analyze the network flow during capture the flag events of type attack/defense. It reassembles TCP packets captured in pcap files to rebuild TCP connections, and analyzes each connection to find user-defined patterns.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-12

By: Erik
13 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-05 to 2021-04-12.

News

Techniques

  • BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution. Yes, it's as crazy as it sounds. Be sure to check out the demo. These kinds of exploits (zero-click network subsystem exploits) always amaze me.
  • Deanonymizing LinkedIn Users. This is a great OSINT article that shows how you can leverage LinkedIn to discover personal emails for individuals (useful in credential stuffing and phishing targeting). The API is limited to 1,000 requests every two days.
  • Do You Really Know About LSA Protection (RunAsPPL)?. This article dives into the details of Protect Process Light, how it works, how it can be bypassed, and what the different PPL levels mean.
  • HTML Maldoc Remote Macro Injection. Remote macros are useful to bypass mail scanning or other detection techniques that do not "detonate" the document. While it has been shown effective with .docx, this is an interesting use case with HTML documents.
  • Detecting Exposed Cobalt Strike DNS Redirectors. You are (hopefully) using HTTPS redirectors, but what about DNS redirectors to mask your C2 server's fingerprints? dnsfwd (LWiS 2021-03-22) would do nicely.
  • Attack Surface Reduction is a collection of research into Microsoft's Attack Surface Reduction rules. They are implemented in Lua, and the decompiled rules give lots of great information about easy things that instantly get marked "clean."
  • Handling “Open File – Security Warning”. The SEE_MASK_NOZONECHECKS environment variable is a new one to me, and it prevents the security pop up seen on downloaded files ("mark of the web"). While this won't help with your initial payload (that I can think of), it could be useful for follow on actions.
  • DInvoke to defeat EDRs. If aren't using Dinvoke with your C# you are missing out on all kinds of fun. This presentation walks through some of the existing research and packages it up nicely.

Tools and Exploits

  • CVE-2021-24086 is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patched by Microsoft in February 2021. It is triggerable remotely by sending malicious UDP packet over IPv6. If you can reach an unpatched Windows machine with UDP over IPv6, you can bluescreen it. Put this one in the "demonstrate impact" folder and ensure your lawyer has reviewed whatever memo you got signed to allow its use on a customer.
  • chrome "0day". It's really a 1day as the Chromium source has been patched but the patch hasn't been pushed to a release yet. It won't pop calc without the --no-sandbox flag, so bring your own sandbox escape!
  • kiterunner is a "contextual content discovery tool" that uses traditional content discovery (throw a wordlist and look for non-error code responses), as well as more tailored requests with specific methods, headers, and parameters curated from multiple sources. More information at the assetnote blog.
  • TiEtwAgent is a PoC memory injection detection agent based on ETW, for offensive and defensive research purposes. Use this in your lab to see if your fancy tools can defeat kernel-mode detection!
  • dll-exports is a collection of DLL function export forwards for DLL export function proxying. This is great for stealthy Windows persistence.
  • cook is a customizable wordlist and password generator. It allows you to define word parts and patterns and generates all combinations - and the readme has beautiful usage pictures!

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-19

By: Erik
20 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-12 to 2021-04-19.

News

  • PoshC2 – Introducing Native macOS Implants. As more businesses adopt macOS, red teamers have started to build tooling to support engagements against them.
  • NSA says it found new critical vulnerabilities in Microsoft Exchange Server. Like many big bugs, once one is exposed lots of researches take aim. Exchange is the latest target, falling at the recent Pwn2Own and now multiple vulnerabilities being reported by the NSA. How many more remain unreported?
  • FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks. The warrant and its attachments authorize "the use of remote access techniques to search the electronic media" of the targeted Exchange servers. While it also states that it does not authorize any seizure or copying of content (besides the webshells themselves) and no alteration of functionality, the FBI still had access to your mail server. I suppose it's a good idea to patch to keep everyone out, not just the "bad guys."
  • research-threats is a collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong and is a continuation of work started by @attritionorg. Hopefully it will encourage companies to act better toward researchers trying to help them.
  • Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?. This is an interesting post that also brings up blue team OPSEC. While Virus Total and other similar services are great, what are you telling the world by uploading samples with accounts or information that tie back to your organization?
  • Policy and Disclosure: 2021 Edition. Google Project Zero is often used as an example of how to do responsible disclosure, and they have taken that role seriously. In 2021 they are implementing a "90+30" model that give a 30 day grace period after a bug is fixed within 90 days to allow better patch adoption before technical details are released. As N-day authors get faster and faster, this grace period becomes more important.
  • NAME:WRECK Breaking and fixing DNS implementations. Many IoT and industrial control OS's DNS implementations are bad. So bad, in fact, that you can get remote code execution with a specially crafted DNS response. This exploit requires an attacker to be able to respond to DNS requests - some form of man-in-the-middle.
  • Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack. The year of the supply chain attack is well underway. This one targets a tool developers use to generate code coverage often used in CI. Who is affected? Lots of projects.

Techniques

Tools and Exploits

  • Finding Metasploit & Cobalt Strike URLs. The great forensic tool creator DidierStevens has a new script to find likely metasploit or Cobalt Strike's 8bit checkums. Don't stage your payloads if you are worried about OPSEC. The tool is available here.
  • SSD Advisory – OverlayFS PE. Ubuntu 14.04-20.10 were vulnerable to an issue with file capabilities (think setuid-bit, but slightly different) where an OverlayFS could set arbitrary capabilities on files in an outer namespace/mount. A full exploit is included.
  • MineSweeper is a lightweight (17-18kb) binary for Windows user-land hook manipulation. This will be useful for EDR research.
  • macOS Post-Exploitation
    • JXA_Proc_Tree is a JXA script for enumerating running processes, printed out in a json, parent-child tree. For use with a macOS JXA agent (i.e. Mythic).
    • Add-To-TCC-DB is a JXA script that leverages sqlite3 API calls to add items to the user's TCC (Transparency, Consent, and Control) database.
    • PrintTCCdb is a JXA script for Mythic that prints the TCC.db.
    • Persistent-Swift is a Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo.
  • Invoke-Stealth is a Simple & Powerful PowerShell Script Obfuscator. This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques. You can use any of them separately, together or all of them sequentially with ease, from Windows or Linux.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pyMalleableC2 is a python interpreter for Cobalt Strike Malleable C2 Profiles. It allows you to parse, build and modify them programmatically. Unlike other simple parsers, this one actually uses an abstract syntax tree and should handle complex profiles much better.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-26

By: Erik
27 April 2021 at 23:25

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-19 to 2021-04-26.

News

  • Ill-advised research on Linux kernel lands computer scientists in hot water. Researchers from the University of Minnesota purposely introduced bugs into the Linux Kernel as part of a study on the potential to introduce bugs into open source projects. I'm not sure why this was necessary as plenty of real bugs are already committed to open source projects, including the Linux kernel, that result in exploitable bugs. Linux maintainers responded, appropriately, by banning any contributions from a University of Minnesota email account. The researchers have issued an open letter to the Linux community, but the damage has been done.
  • Security Incident Disclosure (Brew). Due to a way the Brew project's (package manager) GitHub actions were configured, it was possible to hide code from git_diff which would trick the auto-merge action into thinking only the version number was updated. This would allow an attacker to add malicious code to any Brew package without any human review. The issue has been fixed by disabling the automerge action as well as other steps including manual review.
  • Computer security world in mourning over death of Dan Kaminsky, aged 42. A star in the infosec community, Dan most famously worked to fix multiple DNS implementations vulnerable to cache poisoning, gave multiple Blackhat and DEF CON talks, and was generally just a good person. His loss at a young age (due to diabetic ketoacidosis) is a reminder to step away from the keyboard and enjoy life.
  • tmp.0ut Volume 1 is an homage to classic hacker zines packed full of great ELF knowledge.
  • Google Chrome DNS Security Bypass. A Chrome "feature" called Async-DNS will perform DNS lookups to Google's DNS servers regardless of how the host is configured. This post also includes ways to disable this on Windows and macOS (add the --disable-async-dns flag to the command line), as it could prevent DNS based defenses or logging. If you rely on an internal DNS server, blocking UDP 53 outbound on your firewall is a temporary solution until Google starts using DNS-over-HTTPS for this "feature." Switching to Firefox is a permanent solution.
  • REvil gang tries to extort Apple, threatens to sell stolen blueprints. Two interesting pieces of this story: The the stolen blueprints seem to confirm Apple's plans to add more ports and remove touch bar (all power users are happy about this), and the ransom is requested not it Bitcoin but in a much lesser known cryptocurrency called Monero which has true privacy.
  • Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns. Patent trolls are a symptom of a broken patent system, but Cloudflare's response to them is fantastic. A $100,000 bounty to invalidate the patents used by the trolls is a solution that can have positive outcome for Cloudflare and generate some publicity about this flaw in the patent system.
  • clickstudios Passwordstate Incident Management Advisory #01. Supply chain attacks are here to stay, and what better software to hijack an update for than a password manager? Any critical systems should be protected by FIDO2 (U2F) hardware tokens. FIDO2 keys are a one-time investment that can save untold amounts of damage later on.
  • Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective. Despite the questionable cryptocurrency moves, Signal proves it still has edge with this shade-ridden post about possibly, maybe, definitely including some Cellebrite parser 0days in a random selection of Signal user's devices. Interesting to see if this plays out in court with evidence rejected as it may have been tampered with or deleted by one of these exploits. Is it enough to cast doubt on any user's Signal data collected with Cellebrite?

Techniques

Tools and Exploits

  • CertStealer is a .NET tool for stealing and importing certificates in the Windows certificate store without touching disk. Useful for red team operations where you need to poach a certificate for pivoting purposes and want to do so with an in-memory post-ex payload.
  • SharpNoPSExec is a fileless lateral movement tool that will query all services and randomly pick one with a start type disable or manual, the current status stopped and with LocalSystem privileges to reuse them. Once it select the service it will save its current state, replace the binary path with the payload of your choice and execute it. After waiting 5 seconds it will restore the service configuration.
  • Meet EDD - He Helps Enumerate Domain Data. EDD is a .NET tool to enumerate Windows domain designed to be similar to the now unmaintained PowerView.
  • PPLdump is a tool that implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping the memory of any PPL as an administrator.
  • AsIo3Unlock is a proof-of-concept bypass of pseudo-security caller check implemented in AsIO3, "unlocking" this driver for usage with FULL R/W access.
  • fakemeeting is a tool for creating fake meeting invites. More details here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • STFUEDR. Everyone knows that userland hooks can be defeated, but some EDRs use drivers and kernel hooks. This project uses a driver signing bypass to defeat even those hooks!

This post is cross-posted on SIXGEN's blog.

❌
❌