Windows Drivers Reverse Engineering Methodology
With this blog post I’d like to sum up my year-long Windows Drivers research; share and detail my own methodology for reverse engineering (WDM) Windows drivers, finding some possible vulnerable code paths as well as understanding their exploitability. I’ve tried to make it as “noob-friendly” as possible, documenting all the steps I usually perform during […]
The post Windows Drivers Reverse Engineering Methodology appeared first on VoidSec.
What does a SOC analyst do? | Cybersecurity Career Series
Security operations center (SOC) analysts are responsible for analyzing and monitoring network traffic, threats and vulnerabilities within an organization’s IT infrastructure. This includes monitoring, investigating and reporting security events and incidents from security information and event management (SIEM) systems. SOC analysts also monitor firewall, email, web and DNS logs to identify and mitigate intrusion attempts.
– Start learning cybersecurity for free: https://www.infosecinstitute.com/free
– Learn more about the SOC analyst role: https://www.infosecinstitute.com/role-soc-analyst/.
0:00 Intro
1:20 - What is a SOC analyst?
1:58 - Levels of SOC analyst
2:24 - How to become a SOC analyst
2:53 - Certification requirements
3:29 - Skills needed to succeed
4:38 - Tools SOC analysts use
5:32 - Open-source tool familiarity
6:05 - Pivoting from a SOC analyst
6:50 - What can I do right now?
7:32 - Experience for your resume
8:07 - Outro
About Infosec
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.
Last Week in Security (LWiS) - 2022-01-18
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-10 to 2022-01-18.
News
- Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvil's operations. If it does, what prompted Russia to finally take action? Google Translate of the FSB release says the "basis for the search activities was the appeal of the competent US authorities."
- HTTP Protocol Stack Remote Code Execution Vulnerability. Patch Tuesday brought with it an unauthenticated RCE in the Windows http.sys driver for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
- Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
- Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the Internet Explorer of the modern browsers. PoC code here.
Techniques
- Load nanodump as an SSP. The most advanced lsass dumper BOF was updated to allow you to load it as a Security Support Provider (SSP), which prevents your process from having to open any handles to lsass.exe. More details on SSPs can be found here.
- 10 real-world stories of how we’ve compromised CI/CD pipelines. I like the thesis here that CI/CD pipelines are just "execution engines," and without proper protection can be abused like any other system. This one is worth a read and ponder if your CI/CD pipelines would fall to any of these or similar attacks.
- Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211. This is a great walkthrough of going from CVE to shell.
- Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more. This is incredible research and a serious vulnerability. The smart card demo was particularly impressive. This was patched last Tuesday, but should give pause to using RDP on machines with any high privileged account.
- CyberArk Endpoint Manager Local Privilege Escalation CVE-2021-44049. Off the high of the last article (written by a CyberArk employee), this one shows that simple permissions issues can lead to LPEs.
- Mixed Messages: Busting Box’s MFA Methods. The use of a valid app-based MFA token for a controlled account allows bypass on a target account when a user only has SMS based MFA. The back end of Box must have been missing some pretty basic checks for this to work, but props for trying it!
- Zooming in on Zero-click Exploits. A deep look at Zoom reveals a buffer overflow and information leak. It's not surprising that the massive code base of Zoom has issues.
- BreadMan Module Stomping & API Unhooking Using Native APIs. This new type of module stomping has some advantages, namely you don't need to load an arbitrary library into your memory space, and the starting function of the thread will point to an address usually resolved by trusted DLLs such as ntdll.dll. Code here.
Tools and Exploits
- azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
- Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
- ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- vapi is a Vulnerable Adversely Programmed Interface: a self-hostable API that mimics OWASP API Top 10 scenarios.
- reFlutter is a Flutter Reverse Engineering Framework for iOS and Android apps. This framework helps with reverse engineering Flutter apps using a patched version of the Flutter library, which is already compiled and ready for app repacking. The library's snapshot deserialization process is modified to allow you to perform dynamic analysis in a convenient way.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2022-01-10
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.
News
- RCE in H2 Console. With all the dust kicked up by the JNDI injection log4j RCE, you just knew that someone would find JNDI injection elsewhere. "There are bound to be more packages that are affected by the same root cause as Log4Shell."
Techniques
- EDR Parallel-asis through Analysis. "During the development of the Nighthawk C2 MDSec stumbled upon what appears to be a new and novel technique for identifying syscall numbers for certain syscalls which may then be used to load a new copy of ntdll into memory, allowing the remaining syscalls to be read successfully without triggering any installed function hooks." Is this whole post a humble-brag/sales pitch for Nighthawk? Maybe. But I'll gladly take high quality research and PoCs to prove how cool Nighthawk is. Want it in C#? Say no more.
- Domain Persistence – AdminSDHolder. The ACL of the special AdminSDHolder object is applied every hour to all groups and accounts protected by it, so permissions added to it are restored to an account within the hour even if the blue team detects and removes them.
- Domain Escalation – sAMAccountName Spoofing. The sAMAccountName/noPac attack dropped last month, but this post shows multiple tools/attack methods to exploit it in practice. TrustedSec has a good blog post on detection opportunities.
- A phishing document signed by Microsoft – part 2. Microsoft signed add-ins are back, and have vulnerabilities. A string of bugs/features were used/abused to enable remote XLL loading. At this point I'm not sure anyone outside of Redmond, WA knows more about office document internals than Pieter, Dima, and the team at Outflank.
- Scanning millions of domains and compromising the email supply chain of Australia's most respected institutions. The use of AWS Lambda and DynamoDB for distributed scanning was clever, but the number of sites where SPF/DMARC checks passed with just some light EC2 cycling to get proper IPs was frightening. Very cool research!
- Kernel Karnage – Part 8 (Getting Around DSE). This series has been great so far, and now that real world protections are turned back on it's really getting good. There is no PoC dropped, but enough code to get you pretty far in your own driver loading BOF adventures. Keep up the great work @cerbersec.
- Get expert training on advanced hunting. This is a great collection of MS defender for endpoint and KQL training.
- Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice. If you ever need to be really sure no one has intercepted your package, this is a cool option.
- Staging Cobalt Strike with mTLS using Caddy. Staging is a bad idea. But what if you protected your staging endpoint with mTLS? You'd end up with CaddyStager!
Tools and Exploits
- inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
- rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
- insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
- SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
- PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
- Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
- defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
- domains is (probably) the world’s single largest Internet domains dataset.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2022-01-03
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-20 to 2022-01-03.
News
- China suspends deal with Alibaba for not sharing Log4j 0-day first with the government. Note this isn't as bad as the headline makes it seem, as China only suspended a "cooperative partnership... regarding cybersecurity threats and information-sharing platforms." Regardless, it sends a clear message. If you find a vulnerability in China, you'd better tell the government about it before anyone else.
- ZeroPeril Deep dive into executable packers & malware unpacking Training Course Announcement. New fully remote training that uses x86/x64dbg. Training is fully remote (Teams).
- How did LastPass master passwords get compromised? A number of users received emails that their master password had correctly been used from a suspicious location, even after changing it. Is this an email error or something deeper? Either way, not a good look for LastPass, which has already lost credibility.
- In 2022, YYMMDDhhmm formatted times exceed signed int range, breaking Microsoft services. Duct tape and glue. It's all just duct tape and glue.
Techniques
- Android Application Testing Using Windows 11 and Windows Subsystem for Android. You've heard of the Windows Subsystem for Linux, but how about the Windows Subsystem for Android? Now you can use your favorite mobile assessment tools like objection and Burp Suite without needing a real Android device!
- Hopper Disassembler. This post shows how to use Hopper to bypass simple jailbreak detection by modifying a single jump instruction. Sometimes it is that simple, but the trick is knowing which byte to change.
- MS Teams: 1 feature, 4 vulnerabilities. None of these are severe, but some are simple issues that you wouldn't expect a market leader in connectivity to be making.
- Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation (PDF). System on a Chip (SoC) designs can include multiple wireless technologies with shared components. This overlap can lead to one compromised protocol being able to read or edit data on another medium via the shared resources.
- How to exploit Log4j vulnerabilities in VMWare vCenter. Unauthenticated remote code execution as root against vCenter via Log4j. The post covers good post-exploitation options and even drops the PoC: Log4jCenter.
- Where's the Interpreter!? (CVE-2021-30853). This dead-simple Gatekeeper bypass makes you wonder what other silly tricks are out there. Patrick doesn't stop at the PoC and dives deep into the root cause of this bug. Notably this fix is absent for Catalina (10.15.7), however my very limited testing indicates it may not be vulnerable.
- A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard. If you're interested in what "real" APT malware looks like, this long post covers a lot of tools.
- Remote Process Enumeration with WTS Set of Windows APIs. With the proper privileges you can get a remote process list using standard Windows APIs. This would be a nice tool to avoid machines with EDR or other programs running.
- CVE-2021-31956 vulnerability analysis (Chinese). This post explores CVE-2021-31956, a local privilege escalation within Windows due to a kernel memory corruption bug which was patched within the June 2021 Patch Tuesday and contains actual exploit code.
- HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
- Dumping LSASS with Duplicated Handles. Rastamouse walks through how to use duplicated handles to dump LSASS which builds on his previous post on enumerating and duplicating handles. It still dumps to disk, so a pure in-memory implementation will get you even more evasion points.
- Another Log4j on the fire: Unifi. Another great walkthrough on how to go from login page to backdoored appliance from Nicholas at Sprocket Security. 67,000 exposed instances on shodan... RIP in peace.
- Phishing With Spoofed Cloud Attachments. "Abuse the way O365 Outlook renders cloud attachments to make malicious executable cloud attachments look like harmless files." This is phishing gold. Paired with a nice sandbox aware firewall/redirector it will likely yield success with a simple document.pdf.exe payload because the mail looks so good.
- Edition 14: To WAF or not to WAF. The effectiveness of WAFs is a hotly debated subject in AppSec circles. This post tries to bring a structure to that discussion.
Tools and Exploits
- KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
- WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
- hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
- Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
- Invoke-Bof loads any Beacon Object File using PowerShell!
- Inject_Dylib is Swift code to programmatically perform dylib injection.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
- Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
- iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
- Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating systems written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
- whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
- The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
- TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
- LACheck is a multithreaded C# .NET assembly for local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
- Desktop environment in the browser. This is just... wow. Code here: daedalOS.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-12-20
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-14 to 2021-12-20.
News
- Log4j 2.15.0 still allows for exfiltration of sensitive data. You'll be writing this one up on assessments for years to come. 2.16 was released but also had a DoS-able vulnerability. Third patch is the charm? This whole saga has become the best example of Dependency in recent memory. If you need to exploit Log4j, grab the JNDI-Exploit-Kit. Trying to keep it all straight? This flow chart was up to date when published.
- Updates to the Bug Slayer bug bounty program. If you use CodeQL to find and report bugs, you may be eligible for a bonus bounty.
- Nighthawk 0.1 – New Beginnings. MDSec releases more details about its impressive in-house C2 framework. I'd love to get my hands on it and test it out. DMs open ;).
- REVEN Free Edition - Available as a VM. REVEN is a "Timeless Analysis" system that allows you to triage crashes more effectively. Now it's even easier to try out with a ready made virtual machine.
Techniques
- How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs. A manual source code audit and some fuzzing found this arbitrary file read bug.
- A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Wow. NSO used a JBIG2 vulnerability to construct a custom computer architecture they then used to search and modify memory to carry out the next stage of the exploit chain. Talk about weird machines.
- Defeat the Castle - Bypass AV & Advanced XDR solutions. AV/EDR solutions seem to struggle with the double encryption/encoding used here. Tool available here.
- Yes, fun browser extensions can have vulnerabilities too! "A one-time visit to a malicious website would have been sufficient to compromise the browser integrity permanently." It's time to start thinking of browsers as OSs and extensions as programs running as root.
- Alternative Process Injection. This process injects shellcode into an already loaded DLL's memory page, which gets around most (but not all) indicators of injection.
- Blackswan Technical Writeup (PDF). Six Windows privescs with beautifully presented write ups? Yes please.
Tools and Exploits
- Cobalt Strike 4.5 Update Specifics:
  - Writing Beacon Object Files: Flexible, Stealthy, and Compatible. This post is great as it covers lesser used concepts like syscalls in x86 BOFs.
  - Process Injection Update in Cobalt Strike 4.5
  - User Defined Reflective Loader (UDRL) Update in Cobalt Strike 4.5
  - Sleep Mask Update in Cobalt Strike 4.5
  - A Deeper Look Into the Max Retry Strategy Option
- moonwalk helps cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
- The Hacker Tools is focused on documenting and giving tips & tricks on common infosec tools. This is an awesome initiative and an idea I've had for a while. Happy to see it being executed.
- Cobalt-Clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of a clipboard.
- intruducer is a Rust crate to load a linux shared library into a target process without using ptrace.
- KernelSharp is an example of how to use NativeAOT to compile C# code to a Windows Kernel Mode driver.
- KernelBypassSharp is a C# Kernel Mode Driver to read and write memory in protected processes.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
- mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
- adPEAS. Note this is not part of the "official" PEAS toolset. It's a PowerShell tool to automate Active Directory enumeration.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-12-14
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-07 to 2021-12-14.
News
- log4j logging framework vulnerable to RCE (10.0 CVSS3). Who knew that the ability to do JNDI lookups with user supplied data could be such an awful idea. Early reports claimed a recent version of Java and some environment variables would mitigate the vulnerability, but they were mistaken. Check out this Blue Team Cheatsheet for links to advisories.
- Pixel prevented me from calling 911. When you give up control of a core function like dialing to third party apps, in this case Microsoft Teams, bad things can happen.
- Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. You can now submit drivers directly to Microsoft with details about how they are vulnerable or malicious.
- Cobalt Strike 4.5: Fork&Run – you’re "history". "We dedicated a significant portion of this release to improving controls around product licensing." When your tool is used in nearly all ransomware events, I suspect HelpSystems got a call from someone to put more controls in place. The biggest change in this release for users is the ability to define custom process injection technique as well as increased size limits for sleep mask kit and user reflective loaders. Cobalt Strike continues to innovate and adapt to the changing offensive security landscape - the reason why it is the go to tool in the space.
Techniques
- CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as any domain user with the ability to add computer accounts (default 10 per user) can get a ticket as a DC to arbitrary services, which allows DCSyncing. Patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also check out more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
- A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
- Getting root on Ubuntu through wishful thinking. Exploits are hard, even when you get root sometimes you aren't sure why. Adding a sleep to allow the ability to attach a debugger when the process did eventually crash was clever. Full PoC here.
- MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
- Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's see what kernel driver loading tricks they come up with in future posts!
Tools and Exploits
- CVE Trends is a dashboard for expensive threat intel monitoring of Twitter without having to learn about TweetDeck. This is a really nice site to check for the latest log4j RCE or to put up in your NOC.
- Podman Desktop is the Docker desktop replacement you may be looking for now that Docker Desktop is no longer free for most companies.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
- KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-12-07
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-22 to 2021-12-07.
News
- US military's hacking unit publicly acknowledges taking offensive action to disrupt ransomware operations. Consider the hounds released.
- Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker. The Ubiquiti hack/breach/whatever from last year was actually an insider who demanded 50 bitcoin as ransom during the attack. He now faces up to 37 years in prison.
- Introducing Buy now, pay later in Microsoft Edge. Predatory lending coming to a browser near you by default!
- GoDaddy Announces Security Incident Affecting Managed WordPress Service. GoDaddy has been riding the high of its first mover advantage for about two decades now. Don't worry breach bingo players, "GoDaddy leadership and employees take our responsibility to protect our customers’ data very seriously."
- US State Department Employees Targeted with NSO Group Malware. After being heavily sanctioned, details about US based attacks are coming out. NSO Group's woes continue to mount with Apple suing them.
- Is “KAX17” performing de-anonymization Attacks against Tor Users? Someone spent a fair amount of money to run a lot of Tor middle nodes, but has since been subject to a mass rejection of relays. Tin foil hats on to guess who may be behind this.
Techniques
- Carrying the Tortellini's golf sticks - Using Caddy to spin up fast and reliable C2 redirectors. While Apache and Nginx are the most common redirectors, Caddy is a lightweight web server that can be used as a redirector as well. This post details some helpful configuration options you should look into if you go down this route. Be careful of the more unique JA3S hash though. Since Caddy is written in Go and open source, this can be changed (with something like this for the server side).
- Windows 10 RCE: The exploit is in the link. Fabian and Lukas found that the default handler for ms-officecmd: URIs allows argument injection. Typical bug bounty payment shenanigans followed. There are great details about the process of finding the bug and exploiting it in this post - don't skip it.
- Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm. Much like JA3 and JA3S, TLS metadata about certificates can be extremely useful for detecting anomalies.
- TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?. Trickbot is back with a nifty LNK+loader campaign. Threat emulator take note.
- Exploring Container Security: A Storage Vulnerability Deep Dive. Containers are taking over the DevOps world, best learn how to exploit them.
- USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services. Some base libraries used in many remote desktop services have a vulnerability that can be triggered from sandboxes (i.e. web browsers).
- Go away BitLocker, you´re drunk. You've read some stories about leaking BitLocker keys, but they lacked memes and snark. I believe this is the third BitLocker hardware hack post on LWiS. Have you added a second factor to your BitLocker deployment yet?
- Halo's Gate Evolves -> Tartarus' Gate. This new "gate" adds a check for a different type of hook used by an EDR vendor. Code here.
- Azure Privilege Escalation via Azure API Permissions Abuse. At this point I'm convinced that each "cloud" is its own entire security research domain.
- The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory. This is a fresh take on credential dumping with a PoC available: MalSeclogon.
Tools and Exploits
- InstallerFileTakeOver is a Windows LPE 0day for all supported Windows versions. RIP.
- cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
- Exploiting CVE-2021-43267. This is a walkthrough and full exploit for the Linux TIPC vulnerability that affects kernels between 5.10-rc1 and 5.15.
- EDRSandblast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
- SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
- EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- DetectionLabELK is a fork of DetectionLab with ELK stack instead of Splunk.
- GoMapEnum is a user enumeration (Linkedin) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
- redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
- ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases.
- BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-11-22
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-16 to 2021-11-22.
News
- GitHub’s commitment to npm ecosystem security. Dependency package security is a hard problem to solve, but it seems NPM has gotten a lot of flak recently. Mandatory 2FA and other measures may help. "But I use rust," you say? Read on...
- Backdooring Rust crates for fun and profit. Running other people's code easily is a bedrock feature of any software dependency or library manager. It's quite difficult to make sure that code isn't malicious.
- An in-depth look at hacking back, active defense, and cyber letters of marque. Interesting conclusion (government should be in control) for a guy who prevented a malware outbreak with "active defense" as a civilian. Perhaps that gives more weight to his argument, having "seen the other side?" I have yet to read any opinion pieces by current or former government offensive security professionals on the matter - aside from Jake Williams of course.
- Emotet, once the world's most dangerous malware, is back. What is dead may never die? Keep track of the threat here.
- NUCLEUS:13. The IoT/OT/embedded OS from Siemens, Nucleus RTOS, had flaws in its TCP/IP stack including a buffer overflow in the FTP USER command. The project-memoria-detector can help identify the TCP/IP stack of a device if you think you may have some Nucleus systems in your environment.
Techniques
- AFL++ on Android with QEMU support. Ever wanted to fuzz closed-source libraries directly on your Android phone? Now you can!
- Nanodump: A Red Team Approach to Minidumps. The tool has been out for a while, but this post explains the motivation and technical details.
- Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver. Some interesting bugs found in the NPU driver accessible from the untrusted app sandbox on (presumably) lots of Android devices.
- When You sysWhisper Loud Enough for AV to Hear You. Static syscalls have their signatures. This post explores some workarounds, but some *Gate (Hell's, Heaven's, etc.) would prevent these artifacts in your code at all (but introduce others).
- An Illustrated Guide to Elliptic Curve Cryptography Validation. Elliptic curves are becoming the standard way to perform asymmetric cryptography, but how do they actually work? This post can serve as a refresher for that college cryptography class you took or didn't take.
- Active Directory Attack Paths — “Is it always this bad?”. From experience: yes. This post is mostly an ad for Bloodhound Enterprise, but that's ok.
- Some notes about Microsoft Exchange Deserialization RCE (CVE-2021-42321). After ProxyShell, Exchange got some serious attention and to no one's surprise more RCE fell out of it. This one affected Exchange 2016 CU21/22 and 2019 CU10/1 but the post goes into technical detail and stops just short of a PoC.
- HackSys Extreme Vulnerable Driver — Arbitrary Write NULL (New Solution). This is a very detailed post on a cool privilege escalation against a vulnerable by design driver.
- Abusing Google Drive's Email File Functionality. This is a great way to abuse legitimate services to deliver phishing emails. Very tricky!
- ExternalC2.NET. This is the post that explains the tool released last week.
- Pentest tale - Dumping cleartext credentials from antivirus. Sometimes memory dumps and findstr is all it takes to find credentials of value.
- Picky PPID Spoofing. This post has some good example code to help find svchost processes with your integrity level to allow them to be used as a PPID for your process.
- No Logs? No Problem! Incident Response without Windows Event Logs. You can also read this as, "All the things you need to clean up to help stay undetected."
- Using CVE-2021-40531 for RCE with Sketch. "This post covers a vulnerability in Sketch that I discovered back in July — CVE-2021-40531. In its simplest form, it is a macOS quarantine bypass, but in context it can be used for remote code execution."
Tools and Exploits
- tldraw is a tiny little drawing app. Check it out at tldraw.com.
- msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
- fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
- TPM sniffing. With $49 of hardware you too can read a bitlocker key as it leaves the TPM of a laptop. TPM 2.0 has support for encrypting this value, but until then (and even after) consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc.).
- CheckCert is a small utility to request the SSL certificate from a public or private web application, implemented in C# and as a BOF.
- SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
- Oh365UserFinder is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify whether the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
- Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
- GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and moves it back to main memory after sleeping. Check out the blog post here.
- MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since it doesn't contain any SYSTEM auth trigger for weaponization so the code can be used to integrate your favorite trigger by yourself. Also, it's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
- DumpNParse is a combination LSASS dumper and LSASS parser adapted from other projects.
New to Me
- digital-forensics-lab is a set of free hands-on digital forensics labs for students and faculty. Note that on Windows it actually drops the binary to disk and runs it, going against the very name of the project...
Last Week in Security (LWiS) - 2021-11-16
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-08 to 2021-11-16.
News
- Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
- CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
- ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."
Techniques
- Windows Security Updates for Hackers. This is the one stop shop for all information related to Windows releases, updates, and tools to find missing patches. Bookmark it.
- Becoming A Super Admin In Someone Else's Gsuite Organization And Taking It Over. With a few edited requests in Google Domains you could add yourself to arbitrary GSuite customers as a Super Admin. Great find! PoC video here.
- Analyzing a watering hole campaign using macOS exploits. macOS is making gains in the consumer market, and thus is getting attention from threat actors. The targets and geography leave little to the imagination in terms of attribution. More and more 0days are being used to target activists these days, how dystopian. For more details check out SentinelOne's analysis of macOS.Macma.
- Malware Analysis: Syscalls. These malware analysis posts should serve to enlighten the reader as to how their own tools may look from the "other side."
- Kernel Karnage – Part 3 (Challenge Accepted). To fight kernel driver EDR, you must become kernel driver EDR?
- Golden Certificate. DCShadow and Golden Tickets getting too popular/detectable? If the environment is running Active Directory Certificate Services (AD CS) you can mint a "Golden Certificate" instead.
- Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications. This post is an exemplar of how to think about what a technique actually uses and design detections around that, versus an easily bypassed signature.
- AutoPoC - Validating the Lack of Validation in PoCs. From HoneyPoC to AutoPoC, Andy has exposed more "threat intelligence" scripts, "products" and "professionals" than anyone. It's pretty crazy to see the amount of trust some people have in random GitHub projects.
- Implementing Shellcode Retrieval. The inceptor framework can now abstract how shellcode is delivered to the loader so it can be stored in arbitrary formats like UUIDs.
Tools and Exploits
- lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request, which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
- ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
- Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
- blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
- rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
- Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
- bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
- skweez spiders web pages and extracts words for wordlist generation.
- LocalDllParse checks all loaded DLLs in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process, and avoiding all commonly monitored API calls.
New to Me
- kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
- NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.
Last Week in Security (LWiS) - 2021-11-08
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-01 to 2021-11-08.
News
- Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice. $10M USD for conviction of "individual(s) who hold(s) a key leadership position in the DarkSide" group. I think the goal of this is to sow distrust within DarkSide, and a potential $10M payout to snitch will certainly do that.
- Pwn2Own Austin 2021 - Schedule and Live Results. It's always cool to see how many and what types of devices fall at Pwn2Own.
- Introducing Firefox’s new Site Isolation Security Architecture. Great news for the underdog browser. However, it may be too little too late.
- Cisco Policy Suite Static SSH Keys Vulnerability. Cisco is the king of 9.0+ CVSS scores in critical networking hardware. This time it's SSH in the Policy Suite software and its Catalyst Passive Optical Network (PON) switches that could allow an attacker to log in as root.
- Iraqi PM Safe After Drone Attack on Residence, Military Says. Explosive laden assassination drones. "The future dystopia is already here — it’s just not very evenly distributed."
- Phishing emails seemingly coming from a Kaspersky email address. A better title might be, "oops someone used one of our AWS SES tokens to phish."
Techniques
- Master of Puppets Part II – How to tamper the EDR?. Tons of great ideas for how to disable EDR, even if it has a kernel driver. Great work.
- Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication. While not a "red team" post, this shows how to set up CES/CEP with Linux, which will give you an understanding of how that all works, and ideas for how it can be leveraged if you find yourself on a domain joined Linux machine.
- Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3. If you're using Cobalt Strike for serious operations, you're asking for trouble. Security through obscurity is a legitimate part of a larger security model.
- Kerberoast with OpSec. Kerberoasting remains a powerful attack, but it's time to clean up how you go about searching for kerberoastable accounts.
- CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution. Interesting bug and walkthrough (CodeQL again...). No PoC yet.
- This is how I bypassed almost every EDR!. Userland unhooking and direct syscalls aren't novel, but the use of the PEB to find the clean functions in NTDLL without syscalls is a nice twist.
- PGSharp: Analysis of a Cheating App for PokemonGO. This is an in-depth analysis of an Android cheat engine. Tons of good stuff if you are an android "tool" developer.
- CVE-2021-22205 Rapid7 Analysis. Lots of Gitlab instances were used in a DDoS attack last week. This is how. Note that this was patched back in April 2021.
- Pwn2Own to Xxe2Rce. XXE to RCE on an ICS controller - nice!
- Newly discovered #lolbin "C:\Windows\System32\Cmdl32.exe". Download files with a Microsoft signed binary. So long certutil.exe, hello cmdl32.exe!
Tools and Exploits
- DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
- DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
- blint is a Binary Linter to check the security properties, and capabilities in your executables.
- braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
- CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
- elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
- socksdll is a loadable socks5 proxy via CGo/C bridge.
New to Me
- pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
- ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
- AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?
Last Week in Security (LWiS) - 2021-11-01
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-26 to 2021-11-01.
News
- Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes. Exploit a k8s environment to earn $31,337-$50,337 USD! More details here.
- Protecting your device information with Private Set Membership. This cryptographic process could be useful for all kinds of sensitive data lookups (i.e. is my password in a breach?).
- MalAPI.io launches. MalAPI.io can be used when developing malware (for legal purposes of course) or when analyzing the source code of malware. It's a MITRE ATT&CK matrix for Windows APIs.
- Announcing the DEF CON 30 Call For Contests & Events!. Start planning early!
- Google Docs in a clean-room browser. Just an example of how much duct tape and glue
Techniques
- Neat SIP bypass for macOS. system_installd executes a zsh shell and has an entitlement to bypass SIP. Microsoft found a way to leverage this to run commands with the same entitlement with /etc/zshenv. How many more ways are there? Full Microsoft post: Shrootless.
- Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
- Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C# related projects today: D/Invoke Baguette.
- Kernel Karnage – Part 2 (Back to Basics). EDRs are moving to the kernel, and drivers can provide great local privilege escalation opportunities. This post explores the ability to hook other drivers' (EDR) functions. Want to start debugging the Windows kernel? This 101 post was released yesterday.
- Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
- CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that allows users to mount over ~/Library and thus the TCC database. Yikes! Fixed in 12.0.1.
- Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
- Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique makes sure they jmp back to the memory space of NTDLL.DLL to avoid the suspicion raised by the kernel returning to program memory space it shouldn't (i.e. the location of your direct syscall). Sneaky! PoC here.
Tools and Exploits
- quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Account IDs, root e-mail addresses, users, and roles. Check out the blog post here.
- DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
- Metsubushi is a Go project to generate droppers with encrypted payloads automatically.
New to Me
- melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
- dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.
Last Week in Security (LWiS) - 2021-10-27
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-19 to 2021-10-27.
News
- EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline. Congrats to Patrick Gray; they finally released the hounds!
- Infosec skills gap widens in all regions bar Asia-Pacific – report. "(ISC)² now estimates the global infosec skills gap to stand at around 2.7 million unfilled positions worldwide... The underlying issue isn’t just that demand is growing, it is that the jobs market consistently can’t attract enough people into cybersecurity careers to service demand."
- Pixel 6: Setting a new standard for mobile security. The flagship phone from Google comes with 5 years of security updates (matching iPhones), as well as a feature that looks like a built in Android version of iVerify.
- March 2019 FBI CAST Cellular Analysis & Geo-Location Field Resource Guide. Well this is interesting. Note: this document was acquired legally via a public record act request.
- New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts. Is this the first confirmed case of a US person being hacked with an NSO exploit, presumably by a Saudi-linked operator (the Jeff Bezos hack-and-leak had weak attribution)? Are the "gloves off" now? Artifacts go back as far as 2018.
Techniques
- Using Kerberos for Authentication Relay Attacks. The great James Forshaw is back with a tome on Kerberos for relaying.
- Windows Exploitation Tricks: Relaying DCOM Authentication. Kerberos wasn't enough, so DCOM got the James Forshaw treatment too.
- Car hijacking swapping a single bit. These physical attacks are always cool to me. The same basic principle of exploitation applies to them: to exploit a system, you often must totally understand it - sometimes better than the designers.
- Don't Ruck Us Too Hard - Owning Ruckus AP devices. This research involved a cool setup of Ghidra and dockerized QEMU emulation. Any IoT or embedded researchers should read this.
- Double spending bug in Polygon’s Plasma bridge. This bug was awarded a $2 million USD bounty. Perhaps it's time to switch focus to cryptocurrencies and smart contracts.
- AlphaGolang | A Step-by-Step Go Malware Reversing Methodology for IDA Pro. If you've ever had to reverse Go programs, you know it's a mess. AlphaGolang aims to help analysis in IDA Pro with a series of helpful scripts.
- Servers are overrated – Bypassing corporate proxies (ab)using serverless for fun and profit. This post comes complete with a "bug not a vuln" which lets you register subdomains of azurewebsites.net that include reserved words like "microsoft."
- Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses. Woah.
- Formalized Curiosity. This post is a good look at a process for conducting research.
- Driver Buddy Reloaded. Use this on your hunt for Windows driver vulns!
Tools and Exploits
- ProfSvcLPE is a currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, but wasn't properly patched. The repo contains a word doc with a writeup as well.
- ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
- Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
- FakeAMSI. Have you ever persisted by pretending to be an antivirus product?
- SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
- CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE).
- DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.
New to Me
- cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
- jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.
Last Week in Security (LWiS) - 2021-10-19
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-11 to 2021-10-19.
News
- Firefox Suggest lands in the US, bringing ads to the browser search bar. Add this to the list of check boxes to uncheck on new Firefox installs. Settings -> Privacy & Security -> Address Bar — Firefox Suggest -> Contextual suggestions.
- Cheat Maker Is Not Afraid of Call of Duty’s New Kernel-Level Anti-Cheat. This is the second major video game maker to move to the kernel. As these drivers will be allow-listed by AV, any vulnerability in them could prove valuable to red teamers.
- Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site. This is the level of computer literacy in government. RCVS-hack contains this 31337 darkweb 0day. 🤦
- Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. The US government isn't totally hopeless and this push to use hardware tokens to prevent phishing from the White House is a great move!
- The Shenanigans of Jonathan Villareal. The fake iOS 0days were absent from this curated blog (you're welcome), but they show how easily manipulated the "infosec community" can be. This post breaks down the "RCE" and shows industry expert reactions.
- L0phtCrack is Now Open Source. Perhaps the oldest password "audit" tool is now open source. The GPU supply shortage and other factors caused Terahash to default on the terms of the sale of L0phtCrack and thus it was repossessed and open sourced.
- Sysmon For Linux. Breaking: temperature in Hell nearing freezing, hogs show signs they may be capable of flight.
- Windows Print Spooler Spoofing Vulnerability - CVE-2021-36970. This PrintNightmare may never end.
Techniques
- House of IO - Heap Reuse. This new modification to the House of Io even has some example code so you can follow along.
- Azure Privilege Escalation via Service Principal Abuse. Despite well defined password policy safeguards, Application Administrators can often elevate to Global Administrators if the application has a Global Admin service principal. "Azure admins can prevent this attack path by auditing roles held by service principals and comparing those roles to the other identities with control of apps."
- Finding gadgets like it's 2015: part 1. This article explains the CommonsCollections 1 and 7 gadget chains to help understand the new chain found in the Mojarra library.
- Resource Based Constrained Delegation. RBCD is one of the more complicated Active Directory attack paths. This article shows practical, step-by-step exploitation of this path which should help drive home the process.
- Countering threats from Iran. Interested in what an actual APT phishing campaign and infrastructure looks like? Look no further.
- Creating a Malicious Azure AD OAuth2 Application. Emulate those OAuth2 APTs (see above) with this practical guide from trustedsec.
- Exploiting Redis Through SSRF Attack. This post shows different ways the Redis key-value store can be exploited using SSRF.
- How a simple Linux kernel memory corruption bug can lead to complete system compromise. This post is unique in that the mitigations section is three times as long as the vulnerability/PoC walkthrough.
- Microsoft Windows Antimalware Scan Interface Bypasses. AMSI bypasses have been around for a few years, and this post shows the internal workings of how the memory patches work.
Tools and Exploits
- Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for Cobalt Strike, or writes an integration for Mythic. For prior art, check out pycobalt.
- The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
- ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
- Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
- nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password, on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
- AnyDesk Escalation of Privilege (CVE-2021-40854). You've got to love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
- LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
- Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and signature scanning from the kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. The launchers are also anti-copy and naturally break when submitted. Probably want to review the code before use (same goes for all tools).
- WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-10-11
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-06 to 2021-10-11.
News
- Windows 11 available on October 5. I suppose it's better than having another cryptic Windows 10 version? The difference between 1507 and 21H1 is pretty big and lots of people are on "Windows 10" versions that are not being updated without realizing it.
- European Parliament backs ban on remote biometric surveillance. Not law yet, but a move in the right direction.
- Announcing osquery 5: Now with EndpointSecurity on macOS. The amazing osquery tool has been updated to use the latest Endpoint Security framework/API that Apple has been pushing recently after deprecating kernel extensions.
Techniques
- Analyzing and Detecting a VMTools Persistence Technique. VMware tools binaries/services are commonly found on VMs and can be leveraged for persistence on power state changes. Unsure of how useful this would be in practice, as most legitimate target VMs would be in a datacenter somewhere powered on all the time?
- Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2. An "in the wild" exploit of IOMobileFrameBuffer is cited in the iOS 15.0.2 patch notes, and this bindiff and PoC is incredibly quick. In the end a reliable crash with arbitrary data is achieved. Update those iOS devices (and/or save your SHSH2 blobs ;). What's amazing is this analysis/PoC was completed and published within 2 hours of the patch being released. Very impressive.
- gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP). This is a perfect tool to run after you land on a developer's machine with GCP credentials. Currently only available in the docker image desijarvis/gcphound:v1.1-beta and the tool is written in python at /root/gcpHound.
- Environmental Disaster - a LaunchServices Tale. The ability to control environment variables when launching a process from an app sandbox on macOS leads to a few different kinds of sandbox escapes, with more likely lurking thanks to popular applications/frameworks and their use of environment variables that are not block-listed by Apple.
- Backdoor .NET assemblies with… dnSpy 🤔. Everyone loves a good backdoor for persistence, data exfiltration, or even privilege escalation. .NET assemblies can be modified to run arbitrary code with dnSpy, and if exposed to the internet, could even be triggerable!
Tools and Exploits
- HandleKatz is a position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump(). The tool does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing (unlike Donut, sRDI, etc).
- SharpCalendar is a tool that uses Microsoft.Office.Interop.Excel to retrieve Outlook Calendar details in operator-defined one month chunks. Sometimes it's nice to know if/when someone will be out of office!
- Ninja_UUID_Dropper is a loader that uses module stomping, no new thread, HellsGate syscaller, and UUID encoding for x64 Windows 10. The technique of encoding shellcode in UUIDs was first seen in Lazarus malware.
- covert-tube is a program to control systems remotely by uploading videos to YouTube, using Python to create the videos and the listener. It creates videos with frames formed of simple text, QR codes with cleartext, or QR codes using AES encryption. It may be easier to use YouTube comments/video descriptions with encrypted text instead of reading data out of the videos themselves?
- weakpass_3a is the latest weakpass wordlist. 107.77 GB of plaintext password goodness to feed your GPU cluster.
- hermes is a Swift 5 Mythic payload for macOS. It currently supports Mythic 2.2.8 and will update as necessary.
- SuspendedThreadInjection is a meterpreter injection technique using C# that attempts to bypass Defender.
- DInvoke_rs brings the popular DInvoke/direct syscall technique to Rust! I'm excited to see more rust tooling for red teams.
New to Me
- Viper is a graphical penetration tool that wraps metasploit in a nice, multi-user web-gui.
- Clash is a rule-based tunnel daemon in Go that supports many protocols like VMess, Shadowsocks, Trojan, etc.
Last Week in Security (LWiS) - 2021-10-06
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-28 to 2021-10-06.
News
- Understanding How Facebook Disappeared from the Internet. Facebook had five hours of outage which is $9,806,639 of revenue based on 2020 numbers. A BGP issue took DNS down, and without DNS nothing worked. Bonus points if you have abandoned facebook and facebook owned services so much you didn't really notice. Facebook has issued their own details about the October 4 outage.
- Unauthorized Access to Your Coinbase Account. Add this to the list of why SMS two factor is not real two factor, although it isn't clear if Coinbase or mobile carriers were the ultimate culprit. Either way, hardware security tokens are the answer.
- Company That Routes Billions of Text Messages Quietly Says It Was Hacked. Don your tin foil hat and conjecture if this is related to the previous story - probably not, this feels like good old fashioned espionage.
- Introducing the Secure Open Source Pilot Program. Bug bounty for preventative security improvements is a great idea, but the ambiguity of the categories is even worse than normal bug bounty. Good luck to whoever has to "triage" these reports, but kudos to Google for trying something.
- Twitch Hack of 135 GB of Data Includes How Much Its Biggest Streamers Make. There are 6,000+ git repos as well. An interesting look behind the curtain of a major tech company.
- Unicorn2. Unicorn, the popular CPU emulation framework, is over 6 years old now and the second major version has been built from scratch on top of Qemu 5. It also adds PowerPC and RISC-V emulation.
Techniques
- Life is Pane: Persistence via Preview Handlers. Windows explorer previews are generated by DLLs that are registered for each file extension. Attackers can register their own handlers or take over existing extensions for persistence when a user opens an explorer window containing a file with that extension. This is sneaky, and probably not detected by many EDR vendors... yet.
- Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings. The auth endpoint calculated the password hash of the plaintext supplied by the user by calling a one line python script from Go and passing the plaintext as an argument. Why not calculate the hash in the Go binary? Less RCE that way I suppose...
- Crucial’s MOD Utility LPE – CVE-2021-41285. More "gaming" drivers, more LPEs. If you need system, target gaming drivers!
- Reverse engineering and decrypting CyberArk vault credential files. This post is a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. The author discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password.
- Abusing Weak ACL on Certificate Templates. This is a walkthrough of the ESC4 attack described in Certified Pre-Owned.
- Single Step Encryption/Decryption. Decrypt and run shellcode one instruction (or 16 byte block) at a time. This should help against memory forensics, but may be unstable with complex shellcode.
Tools and Exploits
- OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
- Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
- DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
- kenzer performs automated web assets enumeration & scanning.
- PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disable_functions set in php.ini and execute shell commands on the target webserver.
- DonPAPI dumps DPAPI credentials remotely.
- aad-sso-enum-brute-spray is a PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.
- FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.
New to Me
- shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).
Last Week in Security (LWiS) - 2021-09-28
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-20 to 2021-09-28.
News
- Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program. Criticism of Apple's bug bounty program has been growing, and it's pretty clear there is a problem. For a company with as much cash on hand as Apple (nearly 200 billion USD), the bad press from this can't be worth it, right? Another researcher joined in the 0day releases with Rotten-Apples.
- macOS Control Bypasses - New course for 2021. It's great to see macOS get attention from training vendors. This course is only available in a subscription model, which is an interesting pricing strategy from a vendor known for its relatively affordable a la carte training.
- Announcement: VMware Fusion for Apple silicon Public Tech Preview Now Available. It only supports Arm Linux virtual machines, no Arm Windows builds for now (as there is no way to legally license them for VM use).
Techniques
- Financially motivated actor breaks certificate parsing to avoid detection. By using End of Content markers in fixed length encoding, adware distributors were able to trick non-OpenSSL based products (i.e. Windows) into believing an invalid PE signature is actually valid. This is a neat trick, and I'm a bit surprised to see it burned on adware. Who else was aware of/using it too?
- XSS to RCE: Covert Target Websites into Payload Landing Pages. I really like this idea for delivering payloads for a red teaming phish, assuming the customer site is vulnerable to XSS that is otherwise not very valuable in terms of the assessment objectives.
- Chrome in-the-wild bug analysis: CVE-2021-30632. Dig into the internals of the V8 JIT engine with GitHub as they analyzed this browser bug. PoC here.
- Apache Dubbo: All roads lead to RCE. More GitHub technical content, this time a great article that goes from target identification to RCE using CodeQL. Be sure to check this out if you aren't using CodeQL for source code analysis/bug hunting.
- Resetting Expired Passwords Remotely. Some great techniques to get past expired or must-be-reset passwords found on a Windows network.
- IAM Vulnerable - Assessing the AWS Assessment Tools. This is a great test of the four major open source AWS IAM misconfiguration assessment tools. I wonder if the IAM Vulnerable project could be used with CI/CD for these tools to show "live" coverage of the test cases as they improve.
- An Intro to Fuzzing (AKA Fuzz Testing). Just what the title says. One of the best intro articles that covers the basics.
- Beyond the good ol' LaunchAgents - 20 - Terminal Preferences. Wild that this series is already up to 20. This one would only work against technical targets, as they have to open the terminal application to run your persistence.
- Pwn2Own 2021: Parallels Desktop Guest to Host Escape. "Many evenings it is easier for me to read other people’s research, but I won’t find vulnerabilities reading blog posts. You find them by trying to do your own research." Damn, got me there. I've got some original research cooking (slow cooking, but still cooking).
- New Azure Active Directory password brute-forcing flaw has no fix. The Azure Active Directory Seamless Single Sign-On has been good for user enumeration since 2019, but this new discovery allows brute forcing (via a web endpoint, so it will be slow) without even logging anywhere. Wild. A successful login will generate a log, but you can spray all day without alerting any organization that uses pass-through authentication.
- Everyone Gets a Rootkit. On Windows since Windows 8 the Windows Platform Binary Table has a weakness that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit compromising the integrity of the device.
- FinSpy: unseen findings. What's better than a rootkit? A bootkit of course. FinSpy has been busy since it was last reported on in 2018 with some seriously advanced malware.
Tools and Exploits
- injectEtwBypass is a CobaltStrike BOF that injects an ETW bypass into a remote process via syscalls using HellsGate/HalosGate. This BOF contains some excellent assembly primitives for finding syscalls dynamically.
- PPLDump_BOF is a fully-fledged BOF to dump an arbitrary protected process.
- Needle_Sift_BOF is a file search bof to find strings within files without downloading the file from target. It uses strstr to do the search, and is case sensitive (no strcasestr function in Windows).
- Dragonfly: your next generation malware sandbox. A new sandbox with rules engine. Details are light but it looks like this sandbox uses binary emulation vs running samples in an instrumented virtual machine. Sign up for the Alpha here.
- ThreadStackSpoofer is a PoC for an advanced in-memory evasion technique that allows injected shellcode's memory allocation to be better hidden from scanners and analysts.
- gitoops is Bloodhound for GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
- SyscallNumberExtractor exports all ntdll.dll syscalls to syscalls.txt. Useful for hard coding direct syscalls if not using a *gate technique.
Last Week in Security (LWiS) - 2021-09-20
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-14 to 2021-09-20.
News
- Google is partnering with Open Source Technology Improvement Fund, Inc to sponsor security reviews of critical open source software. Google is funding the review of eight libraries, frameworks, and apps including Git, lodash, and Laravel.
- Kali Linux 2021.3 Release. The most popular offensive security Linux distribution gets its third release of the year, with minor tweaks to better support VMs, old TLS versions, new tools, and updates throughout the OS.
Techniques
- NSA Meeting Proposal for ProxyShell. By combining the "NSA Meeting" and "ProxyShell" exploits for Exchange, a unique RCE chain can be created that may not otherwise be detected. Code here.
- Defeating macOS Malware Anti-Analysis Tricks with Radare2. Working around anti-debug measures is critical to dynamic analysis. This post shows how r2 can be used to manipulate execution and bypass checks.
- Microsoft Teams Spoofing Attacks. This post contains a message request approval bypass, attachment spoofing, and link spoofing techniques. If you phish via Teams, this is a must read.
- AMD Chipset Driver Information Disclosure Vulnerability. Two vulnerabilities exist across modern AMD chipsets that allow for information disclosure via reading uninitialized physical memory pages.
- All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035). Top tier exploit write up, from fuzzing to code execution.
- Beginners Guide to 0day/CVE AppSec Research. I'm not sure how this guy sleeps with the consistency of long form content and code he produces. This post has a walkthrough of how to set up and instrument a PHP app for testing.
- Full-Spectrum Cobalt Strike Detection. This report is a technical profile of the commercial post-exploitation framework Cobalt Strike. It contains details on the capabilities of the framework, observed threat actor use, host-based and network-based detections, and SOAR strategies for detection and response. This report is intended for security operations audiences who focus on detection engineering.
- VSCode BOF Development Trick. Set your compiler to mingw32-gcc and Intellisense will help you out!
Tools and Exploits
- OMIGOD
- “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution. This is the post that started it all. Another Azure find from Wiz. Simply removing the authorization header allowed for RCE as root. Amazing that this is a thing in 2021.
- Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions. The official Microsoft response.
- OMIcheck is a set of scripts from Microsoft to check and upgrade your omi agents.
- CVE-2021-38647 is a nice wrapper for the PoC in the Wiz post.
- Azure OMI RCE Attempt shows a small sample of "in the wild" exploitation.
- goblin is a phishing tool that can host sites and display notices if users click call to action buttons. This won't replace GoPhish any time soon.
- fapro is a multi-protocol honey pot with ELK logging support. Looks like no source code is available (yet?).
- PowerShx is a rewrite and expansion of the PowerShdll project. PowerShx provides functionality for bypassing AMSI and running PS Cmdlets.
- CVE-2021-40444--CABless. Your favorite Word RCE, now with no CAB and a single line of javascript.
- CFG_Allowed_Functions is a pykd version-independent tool that finds and dumps functions allowed by Control Flow Guard (CFG).
- Zerotier - Multiple Vulnerabilities. An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorized access to private Zerotier networks. To exploit, see ZTCrack.
- Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
- Rosplant is a proof of concept to leverage Roslyn for post-exploitation (Roslyn + Implant = Rosplant). It comes in two parts, the server and client. Raw C# is entered into the server's console by the attacker, which is sent to the client (via TCP for the PoC). The client uses Roslyn to evaluate the code and sends the results back to the attacker.
- SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single-files and full-directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data will be compressed and encrypted before being uploaded. While exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the "memoryonly" option.
New to Me
- Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate reports.
- Obfuscating Malicious, Macro-Enabled Word Docs. Missed this one last week, but some great tips on macro-obfuscation techniques for when that Word RCE stops being useful.
- be-a-hacker. This is a road map to being a self-taught hacker.
Last Week in Security (LWiS) - 2021-09-14
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-07 to 2021-09-14 (bonus day!).
News
- Introducing Android’s Private Compute Services. Google is aiming to put the Private Compute Core from Android in the cloud and they're pledging to do 3rd party validation via audits.
- VMware denies allegations it leaked Confluence RCE exploit. Bug bounty drama as a payload sent to VMware as part of a bounty was later added to the Nuclei scanner by a researcher who claimed they found it via "Pastebin scraping" and could not produce the source URL to the paste. Bug bounties rely on trust, and these types of incidents underscore that.
- FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild. If your threat model includes nation states with massive war chests willing to burn 0days to get on your device, I think any stock OS is going to be insufficient to protect you. Perhaps the best way to fight against this type of exploitation is to capture and expose the exploits fast enough to make it economically unfeasible to use them against activists? Props to Citizen Lab for doing the work here.
- U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation. Three members of the RAVEN crew pled guilty in exchange for a three-year deferred prosecution agreement and fines. Interesting that the CFAA wasn't used in this case, as it is typically the hammer for anything computer related. How much taxpayer money did the US spend investigating and prosecuting these three? Imagine if the US Government instead paid competitive salaries so their own hackers didn't travel to the Middle East and hack for other governments...
- Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Self host that CI/CD, that way the mistakes are your own.
Techniques
- Burp Suite RCE. The built-in Chrome browser in Burp Suite 2.0 is an old Chrome version, which can be combined with the "Use dynamic analysis techniques" feature to trigger RCE on an assessor's Windows machine by simply browsing a site via the embedded Chrome browser. Is this the ultimate WAF? Ransomware any Burp Suite users that browse your site?
- Hacking CloudKit - How I accidentally deleted your Apple Shortcuts. Even the big companies are not immune to misconfigured access controls. In this case the result was an assessor was able to delete all shared "shortcuts" links for iOS.
- Tickling VMProtect with LLVM: Part 1. This series gets into the weeds of using LLVM as a software based deobfuscation framework that initially targets binaries protected with VMProtect.
- Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja. Supporting macOS back to 10.13 had the effect of silently dropping stack protections, and the author uses the Binary Ninja Python API to help automate bug finding.
- Change home directory and bypass TCC aka CVE-2020-27937. By planting your own TCC database you can bypass the whole user TCC (Desktop, Documents, Address Book, Camera, Microphone, Photos and more).
- Hook Heaps and Live Free. Encrypted heap allocations. Now that is some legit tradecraft! This post is a gold mine of information about "in memory evasion" and practical examples of how to implement it with Cobalt Strike. Example code (for the first basic example) here. If you liked this post be sure to check out SleepyCrypt: Encrypting a running PE image while it sleeps which also dropped last week.
- CVE-2021-3437 | HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices. Perhaps it's time to download any gaming related drivers and do a vulnerability hunt... 🤔
Tools and Exploits
- Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444. This was the big news of last week. RCE from simply opening a Word doc, thanks to old friends - directory traversal, IE, and ActiveX.
- Demo of an RTF variant working in the explorer preview
- KQL query
- Malicious docx generator
- Windows MSHTML zero-day defenses bypassed as new info emerges
- CVE-2021-40444 Analysis/Exploit - This is the best analysis/walkthrough I have come across.
- Microsoft Defender Attack Surface Reduction recommendations - Old but gold. "Block all Office applications from creating child processes" is what you want for this vulnerability specifically.
- BOF-Adios is a BOF that will zero, then delete your beacon's executable on exit! Useful if you are dropping a loader to disk as part of a phishing campaign.
- NimHollow is a Nim implementation of Process Hollowing using syscalls with some nice features like shellcode encryption, sandbox detection, and AMSI patching.
- iam-vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. More details on the BishopFox blog.
- Toggle_Token_Privileges_BOF is an (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
- SharpSystemTriggers is a collection of remote authentication triggers coded in C# using the MIDL compiler to avoid 3rd party dependencies.
- azureOutlookC2 - Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
- ImpulsiveDLLHijack is a C# tool which automates the process of discovering and exploiting DLL hijacks in target binaries. The hijacked paths discovered can later be weaponized during Red Team operations to evade EDRs.
New to Me
- wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
- AppInitHook is a global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for red teaming.
- ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.
Last Week in Security (LWiS) - 2021-09-07
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-23 to 2021-09-07.
News
- Illinois Bought Invasive Phone Location Data From Banned Broker Safegraph. I've read my cell phone and internet provider terms of service, but the issue is all the major providers have the same clauses where they can sell your data. There's no alternative that provides the same level of service while respecting customer data. I worry that since this data is "anonymized" even measures like GDPR wouldn't be effective.
- How Data Brokers Sell Access to the Backbone of the Internet. More privacy nightmare fuel. Every connection to and from public IP addresses is being recorded, sold, aggregated, and analyzed. There are now full on private SIGINT systems.
- Hackers Leak Videos of Iranian Prison. This looks like a classic hacker movie scene - the screens go black then display the hacker's message full screen.
- Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature. "On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key." Luckily it only affected customers with the Jupyter Notebook feature enabled. For more information check out ChaosDB.
- From Pearl to Pegasus Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits. More 0-click iOS exploit nightmare fuel.
- SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom. This detailed-but-accessible case study of the Russian cyber espionage campaign that targeted SolarWinds is from the free Cybersecurity Law, Policy, and Institutions (version 3.1).
- ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested. Assume your IP is being recorded by not only the site you access, but every device/government/data broker in between. Act accordingly if any of those are in your threat model.
Techniques
- Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
- ZDI-21-1053: Bypassing Windows Lock Screen. The ease of access on screen reader is used once again to execute binaries on a USB and execute code even with the screen of a Windows 10 computer locked. PoC video here.
- From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
- Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in every red team toolkit. Code here.
- %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
- Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
- Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
- Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
- Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.
Tools and Exploits
- Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use four HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
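As an added defender-side example (not part of the original post), the script below flags DNS queries for the three domains named above, matching on DNS labels so that subdomains such as a random `*.trycloudflare.com` hostname are caught while look-alike names are not. The "timestamp client qname" log layout and the sample lines are constructed for the example, not any particular resolver's format.

```python
"""Flag DNS queries for the Cloudflare Tunnel domains named in the post.

Added example; the log layout ("<timestamp> <client-ip> <qname>") and the
sample lines are constructed, not taken from a real resolver or network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Indicator domains from the post. Queries to these names, or to any
# subdomain of them, suggest a cloudflared quick tunnel on the network.
TUNNEL_DOMAINS = (
    "update.argotunnel.com",
    "h2.cftunnel.com",
    "trycloudflare.com",
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str       # normalised: lower-case, no trailing dot
    indicator: str   # which TUNNEL_DOMAINS entry matched


def normalise(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot ("foo.com." -> "foo.com")."""
    return qname.strip().rstrip(".").lower()


def matches_indicator(qname: str) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Label-aware matching: "x.trycloudflare.com" matches, but the look-alike
    "nottrycloudflare.com" does not, because the check requires either an
    exact match or a preceding "." before the indicator domain.
    """
    name = normalise(qname)
    for domain in TUNNEL_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Parse constructed "<timestamp> <client> <qname>" lines and return hits."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line: skip instead of crashing
        ts, client, qname = parts[0], parts[1], parts[2]
        indicator = matches_indicator(qname)
        if indicator is not None:
            hits.append(Hit(ts, client, normalise(qname), indicator))
    return hits


def hosts_by_indicator(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Group the client IPs that queried each indicator, for triage."""
    grouped: Dict[str, Set[str]] = {}
    for hit in hits:
        grouped.setdefault(hit.indicator, set()).add(hit.client)
    return grouped


# Constructed sample log: two internal hosts touching tunnel domains, one
# benign query, one look-alike domain, and one malformed line.
SAMPLE_LOG = [
    "2021-08-25T14:02:11Z 10.0.4.17 update.argotunnel.com.",
    "2021-08-25T14:02:12Z 10.0.4.17 h2.cftunnel.com.",
    "2021-08-25T14:03:40Z 10.0.7.2 www.example.com.",
    "2021-08-25T14:05:02Z 10.0.9.31 quiet-pine-rain.trycloudflare.com.",
    "2021-08-25T14:05:03Z 10.0.9.31 nottrycloudflare.com.",
    "garbled line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.qname} [{hit.indicator}]")
    print(hosts_by_indicator(scan_dns_log(SAMPLE_LOG)))
```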
- RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with default settings of ImageMagick on Ubuntu 20.04). More info here.
- LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription to execute a .NET assembly in memory; the .NET assembly listens for shellcode on a named pipe and then executes it using a variation of thread hijacking shellcode injection.
- NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
- AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
- OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
- iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
- PR0CESS has a few projects for interesting PE loading techniques.
- CVE-2021-33909 is a Linux LPE exploit for the Sequoia vulnerability.
- laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
- zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
- JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
- beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
- Khepri is a post-exploitation tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
- ockam is a library for end-to-end encryption and mutual authentication for distributed applications.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-08-23
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-16 to 2021-08-23.
News
- Apple CSAM fallout:
- Opinion: We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous. A group from Princeton built a similar system to what Apple has deployed and decided it was too dangerous to put into practice. "Apple is gambling with security, privacy and free speech worldwide."
- Working Collision? #1. This was the start of the collisions but it quickly snowballed.
- neural-hash-collider can generate collisions on demand.
- Had enough of Apple? Look into GrapheneOS, CalyxOS, or even a PinePhone.
- Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims. Last week the news section had a good news story about Apple dropping a case against Corellium. They've appealed the other case they lost. All this while claiming security researchers would be a check against CSAM scanning abuse...
- A Hacker Stole and Then Returned $600 Million. The wild west of finance sees its largest heist yet (yes, bigger than Mt. Gox). For technical details (facepalm warning) check out rekt.
- Microsoft announces price increase for Office 365 and Microsoft 365. E5 is still crazy expensive.
- Porchetta Industries Launches. "The Information Security Industry doesn't have a direct way to support Offensive & Defensive Open Source Security Tool developers even though it relies on them for a large portion of their services and/or internal capabilities. We're here to change that. Porchetta Industries provides a centralized platform for organizations to fund and support Open Source Security Tools."
Techniques
- 1Password Secret Retrieval — Methodology and Implementation. Password managers are a juicy target for post-exploitation. This post explores the 1password password manager and offers some detection tips. If an attacker is injecting code into processes undetected, it might be too late. Check out 1PasswordSuite for the tools.
- Executing Code In Context Of A Trusted Agent (Part 1) - Windows Defender Antivirus. The only thing better than bypassing AV is running in the context of AV itself. PoC here.
- Introducing GoKart, a Smarter Go Security Scanner. If you've got some Go code to review or are trying to exploit, give gokart a shot.
- Domain Escalation – PrintNightmare. Need a refresher or reference on all the PrintNightmare madness? This post covers remote discovery and exploitation.
- Uncovering Tetris – a Full Surveillance Kit Running in your Browser. A watering hole attack used JSON Hijacking and other methods to attempt to identify users. It even attempted to steal secrets from the user's local machine using websockets!
- Oh, Behave! Figuring Out User Behavior. Once you gain access to a target workstation, how do you determine what the user does day to day? Which applications would be best to backdoor for persistence? This post explores some ways to answer these questions.
- Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent. If you have local admin you can export the AD FS Hybrid Health Agent secret and spam the Azure AD sign-in logs with fake entries.
- Creating the WhereAmI Cobalt Strike BOF. Bobby has been on a roll, churning out BOFs at a rapid pace. It likely took significant extra time to document and write up the process behind whereami which dumps the environment variables without calling the WinAPI, and for that I am grateful!
- Responder's DHCP Poisoner. Responder 3.0.7.0 comes with a new DHCP module! Learn about it in this post.
- Razer Windows LPE. Simply attaching a Razer mouse (or a spoofed one) will run a UI as SYSTEM that you can use to open a file dialog and spawn a prompt with. I don't believe this has been weaponized without physical access or desktop interaction yet.
- Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082). This is a great in-depth post on the productization of an integer overflow into RCE.
Tools and Exploits
- Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade so if you have SeImpersonatePrivilege on a fully patched windows 10 machine, you can get SYSTEM.
- ServiceMove-BOF is a new lateral movement technique that abuses the Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that it works on Windows 10 1809 or above only.
- BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
- kubescape is the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.
New to Me
- Microsoft365_devicePhish is a proof-of-concept script to conduct a phishing attack abusing the Microsoft 365 OAuth Authorization Flow. Compare to 365-Stealer and TokenTactics.
- Mimikore is a .NET 5 single file application loader for Mimikatz or any Base64 PE.
Last Week in Security (LWiS) - 2021-08-16
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-09 to 2021-08-16.
News
- Apple drops intellectual property lawsuit against maker of security tools. The battle against the virtual iOS device host finally ends with a fizzle. The case was scheduled to start next week. "The terms of the settlement were confidential."
- AI Wrote Better Phishing Emails Than Humans in a Recent Test. This is the dystopian future we were promised.
Techniques
- Having fun with a Use-After-Free in ProFTPd (CVE-2020-9273). This post analyzes the ProFTPd vulnerability and how to exploit it bypassing all the memory exploit mitigations present by default (ASLR, PIE, NX, Full RELRO, Stack Canaries etc). Two different exploits available at CVE-2020-9273.
- How to Hack APIs in 2021. Type confusion, JWTs, undocumented APIs, versioning, rate limiting, race conditions, XXE injection, switching content types, HTTP methods, injection vulnerabilities, and more are covered in this great post.
- Comparison of reverse image searching in popular search engines [OSINT hints]. TLDR: consider Yandex next time you need to reverse search an image.
- TeamServer.prop. Have you been wondering what those TeamServer.prop warnings were in Cobalt Strike 4.4? It turns out you can tweak the screenshot and keylog callback data settings to customize how the team server handles potentially DoS-able data.
- Spoofing File Extensions Using Google Drive and OneDrive. The tricks in this post may be helpful when/if you deliver payloads via email.
- Playing Detection with a Full Deck. If you've ever done any Purple teaming, this post will hit home. Understanding the full context of a system (i.e. how are services created) is critical to good detection rules.
- Phishing for NetNTLM Hashes. There are many ways to leak NTLM hashes, but this post shows the results of testing how Security Zones are treated by web clients. Once you have NTLM and network access, this relay page has amazing charts for what is possible.
- Going for the Gold: Penetration Testing Tools Exploit Golden SAML. Golden SAML hit the headlines after the SolarWinds breach, and this post breaks down how powerful it can be. The three custom tools they mention are not public.
- Tools, Techniques, and Grimmie?: Experimenting w/ Offensive ADSI. Did you know there was a built in AD enumeration tool as far back as Windows 7 called adsisearcher?
- SAML is insecure by design. SAML is bad and should feel bad. Lots of good ammo in here for your next web assessment that uses SAML.
- [EX007] How playing CS: GO helped you bypass security products. The use of a vulnerable driver allows reading process memory from a userland helper to dump lsass while EDR watches helplessly.
- Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication. Rumble uses DCE/RPC UUIDs to fingerprint AV, EDR, and other software agents remotely and unauthenticated. This could be very useful for advanced red teams attempting to avoid detection.
Tools and Exploits
- CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
- ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique break down: My Steps of Reproducing ProxyShell.
- MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
- LazySign creates fake certs for binaries using windows binaries and the power of bat files. If you're on Linux try Limelighter.
- CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
- COM-Hijacking is an example of COM hijacking using a proxy DLL.
New to Me
- raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
- reko is a decompiler for machine code binaries. If Ghidra or radare2/Rizin aren't your thing, give reko a shot.
- SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
- RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
- REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).
Last Week in Security (LWiS) - 2021-08-09
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-02 to 2021-08-09.
News
- WireGuardNT, a high-performance WireGuard implementation for the Windows kernel. The WireGuard team continues to impress with a Windows kernel driver to increase speed (up to 5x speedup) and decrease battery usage. It's currently experimental and can be enabled with `reg add HKLM\Software\WireGuard /v ExperimentalKernelDriver /t REG_DWORD /d 1 /f`.
- Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life. The company that once said, "What happens on your iPhone stays on your iPhone," and famously refused to unlock a terrorist's iPhone is rolling out software that will scan images on an iPhone. This type of client-side scanning breaks end to end encryption, and while it is being used initially to combat child exploitation, how difficult would it be to use the same system to censor or report on iPhone users that share images such as "tank man?"
- Cobalt Strike News
- Cobalt Strike 4.4: The One with the Reconnect Button. In addition to some nice to have features, 4.4 comes with some major OPSEC changes. Users can now define their own reflective loader and sleep obfuscation technique. This should make it much more difficult to statically signature Cobalt Strike in memory. A good primer for the sleep mask functionality is Sleeping with a Mask On. For the custom loader, this blog post is a good starting place for creating a DLL injector BOF.
- Cobalt Strike DoS Vulnerability (CVE-2021-36798). "Hotcobalt" was an issue with screenshot processing on the Cobalt Strike teamserver that allowed a "malicious" beacon to crash the teamserver. More details on the SentinelOne blog.
- Introducing Cobalt Strike Community Kit. The Community Kit is a great place to find community additions to the popular C2 framework. Be sure to vet anything before using it live!
- Kubernetes Hardening Guidance. The NSA and CISA drop 59 pages of Kubernetes hardening guidance. Just because you can push code to a cluster in one command doesn't mean you can forget about the security implications of doing so.
- The Conti ransomware gang (aka Hermes aka Ryuk) had some of their "affiliate" training material leak last week. Here is a roughly translated PDF if you are interested in their tradecraft.
Techniques
- You're Doing IoT RNG. "Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use."
- A New Attack Surface on MS Exchange Part 1 - ProxyLogon! and A New Attack Surface on MS Exchange Part 2 - ProxyOracle!. The master Orange Tsai is back to shell Exchange some more. This variant is dubbed "ProxyShell" and despite being patched in April a good number of Exchange servers on the internet appear to be vulnerable. Double check those patches and grab the web_exchange_proxyshell.yml Sigma rule.
- HTTP/2: The Sequel is Always Worse. There are some tricky issues with HTTP/2, especially in an environment of load balancers, front and back end request processors, and the like. Web app assessors or bug bounty folks should pay special attention to this one.
- Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass). Some bugs don't die on the first patch. NCC Group takes a swing at Pulse Secure and develops a patch bypass for an authenticated remote code execution vulnerability.
- Snapcraft Packages Come With Extra Baggage: Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348. A crash while launching docker led to a "DLL sideloading" type issue against the snap container engine in Ubuntu. While the bug was patched in March of 2021, this is a great writeup.
- Bypassing Windows Hello Without Masks or Plastic Surgery. By spoofing an external USB camera, researchers were able to bypass Windows Hello authentication. It does require an IR photo of the victim, but otherwise becomes a quick USB skeleton key to the targeted Windows computer.
- Multi-Stage Offensive Operations with Mythic. Modular toolkits and varied C2 mechanisms behind a unified back end are the future of offensive operations.
- Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit. With all the Windows issues recently, it was only a matter of time until someone made a combo attack walkthrough.
- Relaying NTLM authentication over RPC again…. "Due to the absence of global integrity verification requirements for the RPC protocol, a man-in-the-middle attacker can relay his victim’s NTLM authentication to a target of his choice over the RPC protocol." No code released yet.
- CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation of Privilege (EoP). "Intel Driver & Support Assistant (DSA) is a driver and software update utility for Intel components. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. An unprivileged user has nominal control over configuration settings within the web-based interface. This includes the ability to configure the folder location for downloads and data (e.g. installers and log files). An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code."
Tools and Exploits
- DeployPrinterNightmare is a C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
- whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
- Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). This is the toolset promised with the release of Certified Pre-Owned: Abusing Active Directory Certificate Services in June of 2021. A recent post covered the attacks in more practical terms.
- EyeWitnessTheFitness is a combination of EyeWitness (web screenshot OSINT tool) and fireprox (IP rotation proxy via AWS API gateway) that only uses one fireprox API for all EyeWitness targets.
- SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc) without invalidating or breaking the existing signature. This looks particularly nasty and is used by APT 10.
- SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. This tool was released alongside the talk Operation Bypass Catch My Payload If You Can.
- BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. Check out IsBeaconProcess to make sure your beacon wouldn't get picked up.
- concealed_position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
- haklistgen is a tool that turns any junk text into a usable wordlist for brute-forcing (subdomains, words in HTTP response, etc).
New to Me
- RegExp is a replacement for the Windows built-in Regedit.exe tool with many enhanced features.
- reverse-ssh is a statically-linked ssh server with a reverse connection feature for simple yet powerful remote access.
- dnsmonster is a passive DNS collection and monitoring tool built with Golang, Clickhouse and Grafana. This is a scalable solution for enterprise DNS monitoring.
Last Week in Security (LWiS) - 2021-08-02
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-26 to 2021-08-02.
News
- Welcome to Bug Hunter University. Google launches their own educational content aimed at bug hunters that are working on Google products. Don't expect technique walkthroughs, this is more of a detailed guide on how to bug hunt against Google (i.e. what is in scope, what is considered auth bypass, etc).
- CISA Announces New Vulnerability Disclosure Policy (VDP) Platform. The US federal government is getting into the bug bounty game with the help of BugCrowd. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.
- Amazon hit by record $887 million EU privacy fine. The EU says Amazon processed personal data in ways that violated GDPR requirements, Amazon said the decision was "without merit." Looks like the real winners in this case will be the lawyers.
- MDSec pushes Nighthawk C2 framework PR via Twitter. The upcoming commercial C2 from MDSec looks like it has some pretty interesting features: hot swappable C2 profiles, in memory encryption for evasion, BOF compatibility, etc. "Coming soon."
- Introducing BloodHound Enterprise: Attack Path Management for Everyone. The enterprise version of the extremely popular BloodHound tool is out now! If you have a massive AD environment, it is likely worth the cost to get what amounts to a top tier AD penetration test with helpful interactive remediation and retesting.
- PortSwigger launches Burp Suite Certified Practitioner. All the training material and even a practice exam are available for free, and the cost is very reasonable at $99. The certification expires after five years with no word on if you have to pay to "maintain" it beyond that time.
Techniques
- NTLM relaying to AD CS - On certificates, printers and a little hippo. The AD GOAT is back to lay it down on NTLM relaying, and even add a little bit of his own twist with PKINITtools. If you only read one post about the latest AD CS relaying and PetitPotam, read this one. Want to use Cobalt Strike for this? Read NTLM Relaying via Cobalt Strike.
- Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239). I love this kind of post. It walks through every step from reading a bug advisory to RCE and all the struggles, blog posts, and different attempts along the way.
- From Stolen Laptop to Inside the Company Network. Think your BitLocker encrypted laptop is safe from a determined adversary? Think again. The trusted platform module (TPM) sends the BitLocker encryption key via Serial Peripheral Interface (SPI) in plaintext. A bit of research and a quick hookup with Saleae spill the beans. The SSD was then extracted and decrypted. Because the target had a "pre-logon" VPN tunnel setup, the assessors were able to build a test VM and connect to internal file shares. Very nice work against a hardened laptop. Enable that pre-boot authentication!
- Stealing Tokens In Kernel Mode With A Malicious Driver. This post walks through building a simple driver to copy access tokens between PIDs to allow user spoofing or privilege escalation. Bypassing driver signing is another topic all together, but the basics of kernel development and userspace to kernel communication are covered here nicely.
- Root Cause Analysis of a Printer’s Drivers Vulnerability CVE-2021-3438. Last week's SSPORT.sys printer driver vulnerability may have been oversold! VoidSec breaks down the root cause and describes why it can be, at best, a denial of service exploit.
- WebContent->EL1 LPE: OOBR in AppleCLCD / IOMobileFrameBuffer. If nothing else, this is good proof of "parallel discovery" even against a "hard target" like iOS. The POC is available, but without the arbitrary read/write needed to finish it.
- Fuzzing Windows RPC with RpcView introduces the process to enumerate RPC servers with RpcView. Expect some good stuff from itm4n as a result of this.
- The path to code execution in the era of EDR, Next-Gen AVs, and AMSI introduces inceptor, a template-based PE packer for Windows, designed to help penetration testers and red teamers to bypass common AV and EDR solutions. Inceptor has been designed with a focus on usability, and to allow extensive user customization. Inceptor is a framework that wraps many other useful tools, sgn, sRDI, donut, DInvoke, Syswhispers, ConfuserEx, Chameleon, LLVM-Obfuscator, and others to create an easy to use tool chain to wrap, compile, and obfuscate input shellcode or PE files. This could be a very useful base to extend with private templates and incorporate into your own workflow.
- Universal Privilege Escalation and Persistence – Printer. The PrintNightmare saga may have cooled off, but this post explores how to set up your own rogue printer for that double-click to system privilege escalation.
Tools and Exploits
- byeintegrity8-uac is a Windows 7 to Windows 11 compatible "Always Notify" UAC bypass. It's also been implemented in UACME as technique #69.
- Issue 2186: Exchange: AD Schema Misconfiguration Elevation of Privilege. Installing Exchange in an AD environment modified the AD schema in a way that allowed computer accounts to create arbitrary AD objects as children (users, etc). This was patched in the Exchange cumulative updates release on 2021-06-29 but is worth checking for on your next assessment.
- Introducing Mimikatz Kit. HelpSystems has decoupled Mimikatz from CobaltStrike releases with Mimikatz Kit. With the rapid rate of new features in Mimikatz recently this is a welcome change.
- raider is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burpsuite allow authenticated tests, they don't provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication. Most authentication bugs in the wild have been found by manually testing it or writing custom scripts that replicate the behaviour. Raider aims to make testing easier, by providing the interface to interact with all important elements found in modern authentication systems. It uses a Lisp like configuration language to control the authentication flows.
- ADCSPwn is a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service. This is your easy button for PetitPotam + ESC8 exploitation.
- NinjaC2 V2.1 : New webshell agent, more features and updated AV bypass. The update adds a webshell and a few other AV bypass features.
- Linux_LPE_eBPF_CVE-2021-3490 is an LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17. Full details in Kernel Pwning with eBPF: a Love Story.
- pywhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It's based on Impacket and on our Python equivalent of Michael Grafnetter's DSInternals called PyDSInternals. This tool, along with Dirk-jan's PKINITtools, allows for a complete primitive exploitation on UNIX-based systems only.
- targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have a SPN set. This tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), print the "kerberoast" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting. This tool can be used against all users of a domain, or supplied in a list, or one user supplied in the CLI.
- scarecrow_wrapper is a wrapper payload for Mythic that wraps any agent shellcode with the ScareCrow loader. This wrapper currently supports CPL, EXE, and DLL payload types from ScareCrow.
- MicrosoftWontFixList. Are you lost in all the "Won't fix" vulnerabilities released or discovered in July? This page has them all summarized for you.
- spawn is a Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes the payload. Built to evade EDR/userland hooks by spawning the sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
- hallucinate is a one-stop tool for TLS traffic inspection and manipulation using dynamic instrumentation. For more information check out the introductory blog post.
- ligolo-ng is an advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.
- revealin is a tool to uncover the full name of a target on Linkedin by taking advantage of the autocomplete feature.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-07-26
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-19 to 2021-07-26.
News
- Updates Regarding VSA Security Incident. Kaseya got their hands on a universal decryptor for the ransomware that hit thousands of their customers on the Friday before the July 4th holiday in the US. They state that, "in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor." This leaves two possibilities: Someone found a flaw in the encryption scheme a professional ransomware crew with years of experience was using, or someone acquired the universal decryptor key without paying for it (leak, hack, deal to not get arrested by the FSB, etc). If there was a flaw in the encryption, have researchers been sitting on it like the Allies allowed ships to be sunk after breaking the Enigma cipher in WWII? Was the Kaseya incident big enough to "burn" the technique? With the disappearance of REvil's public infrastructure, I suspect the FSB came knocking, demanded the key, and told them to take a nice vacation on the Black Sea while things cool off.
- OpenVPN Security Improvements and Changes. Two Ukrainian Windscribe VPN servers were seized and, since they were unencrypted and had persistent disks, the authorities got hold of the OpenVPN private keys. In the age of ubiquitous HTTPS and HSTS preloading, VPNs are effective against a very specific threat model, and are probably unnecessary for most people (despite what the YouTube ads will tell you).
- CVE-2021-36934 aka HiveNightmare aka SeriousSAM. For some reason, Windows 10 starting with 1909 and Server 2019 modified the SAM database access control lists to allow regular users to read the contents. While the files are locked by lsass normally, if the system has volume shadow copies (VSS), they will be available there. Check out CVE-2021-36934 to check for shadow copies and read them all in memory, and this Velociraptor query to hunt for it.
Techniques
- PetitPotam. While this was in last week's Tool/Exploits section, it has hit the news this week. Besides the classic Unconstrained Delegation method, there was talk of the following ways to leverage PetitPotam.
- Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability. SANS covers the PetitPotam + ADCS + Impacket + Rubeus route.
- WebDAV + NTLM is also an option
- Find a computer with a path to AD and SMB relay
- Mimikatz + Kekeo + Impacket
- Microsoft's response: Won't fix
- CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable. A sloppy strncpy with a size parameter controlled by the user in this driver from 2005 can take an unprivileged user to SYSTEM. Look for the SSPORT.sys driver on your next engagement.
- Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909). A size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems (3.16 through 5.13.x before 5.13.4). Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. You can use cve-2021-33909-crasher.c to test if the vulnerability exists on systems, but a user to root PoC isn't in the wild yet. This could be the Dirty COW of 2021.
- fail2ban – Remote Code Execution. While not exploitable without MitM or the ability to set whois information, the ~! feature of the mail binary can be abused to inject commands into any program that passes attacker-controlled input to mail.
- Exfiltrating a victim's exact location (to within 5m). This is a great example of getting inside the mind of the defender to speculate what they did to "fix" a vulnerability, and then exploiting that "fix."
- Windows Command-Line Obfuscation. "Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analyzing other executables." Check out windows-command-line-obfuscation for the scripts and raw data.
- All Your Base Are [Still] Belong To Us: Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers. Ever wanted to discover a potential RCE against an AAA multiplayer game without all that hardcore reverse engineering? Hit it with a well-tuned fuzzer and let the vulnerabilities fall out!
- On Disk, The Devil’s In The Details. When persisting, or otherwise dropping files to disk, professionals will do the extra work to make their exes and dlls blend in. You should too! One tool not mentioned that I find useful: PeFixup.
- Guide to Named Pipes and Hunting for Cobalt Strike Pipes. It's probably worth going through your profiles to ensure your pipe names aren't in the table of default and common profile pipe names.
- OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux). This is a nice post on how to extract private keys from the memory space of OpenSSH after the introduction of "shielded private keys."
Tools and Exploits
- Beaconator is an aggressor script for Cobalt Strike used to generate raw stageless shellcode and pack the generated shellcode using PEzor.
- smartbrute is a smart password spraying and bruteforcing tool for Active Directory Domain Services. It supports NTLM over SMB or LDAP as well as Kerberos pre-authentication bruteforcing. It can also intelligently bruteforce a domain while avoiding user lockouts.
- inno-shellcode-example is an InnoSetup template that runs shellcode! How easy is it to convince a user they need to install Zoom, Adobe Reader XYZ, or whatever-app to join your meeting, read your document, etc? Now you can have a legit installer with some extra shellcode injection!
- Medusa is a cross-platform C2 agent compatible with Python 2.7 and 3.8, compatible with Mythic. This new agent has some nice features, but does require Python (just a base install) on the target to run.
- LittleCorporal is a C# automated maldoc generator. It uses a two-step process to first self-inject into Word via an AutoOpen macro, and then inject the real payload from Word into a running process. The use of InlineShape and automated building is just the cherry on top.
- ppmap is a scanner/exploitation tool written in Go, which leverages Prototype Pollution to XSS by exploiting known gadgets. Use this on your next web app assessment or bug bounty.
- dock-droid is dockerized Android. Run QEMU Android x86 and Android ARM in Docker with X11 forwarding. This could be useful for CI/CD for Android or for poking at Android apps "live."
- BadAssMacros is an automated malicious macro generator written in C# with capabilities like VBA purging, sandbox detections, and shellcode obfuscation.
- RemotePotato0 Cross Session Activation. Version 1.1 drops the requirement for the victim to be in session 0. Now you can coerce and relay NTLM authentication from any user in any session!
- Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will return a list of detected API hooks or let the operator know no hooks were detected. This can be useful knowledge to have before performing certain post-exploitation actions.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- git-split-diffs brings GitHub style split diffs to your terminal.
- dorothy is a tool to test security monitoring and detection for Okta environments.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
Last Week in Security (LWiS) - 2021-07-19
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-12 to 2021-07-19.
News
- Revealed: leak uncovers global abuse of cyber-surveillance weapon. The latest model of iPhone on the latest version of iOS appears to be vulnerable to a 0click remote code execution exploit developed by NSO group and used to target political enemies and human rights activists around the world. While it isn't persistent, exploitation is reliable enough to simply re-exploit target devices. If you are an Android user feeling smug, rest assured there is a 0click RCE out there for your device as well. Stay updated and reboot your phones often! NSO group has denied any wrongdoing while releasing contradictory statements. Details and IOCs here, and a tool for analysis of backups or filesystem dumps here.
- Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus. More shady Israeli "cybersecurity" firms selling 0days that end up being used against political enemies. You've got to hand it to the "startup nation," it's been churning out more 0day vendors (likely unit 8200 "graduates") than any other country.
- How we protect users from 0-day attacks. This post details three campaigns: emailed links, Office documents that loaded web content in IE, and LinkedIn messages with links to exploit 0days in Chrome and IE.
- Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure. The US government is offering rewards for tips that lead to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure. They are running a SecureDrop instance on Tor as well. Maybe it is already working? An interesting note: "Reward payments may include payments in cryptocurrency." This is the first time, to my knowledge, the US federal government has offered to transact in cryptocurrency in any capacity.
- Advancing email security for Gmail and beyond with BIMI. The new Brand Indicators for Message Identification (BIMI) is a standard for hosting images to be included as logos for emails. It requires SPF, DKIM, a good DMARC policy, a special type of SVG, a special DNS entry, and, for verification, the logo must be trademarked and then a "verified mark certificate" (VMC) must be purchased and hosted with the SVG. Hopefully Let's Encrypt will be a VMC issuer soon?
- Windows Print Spooler Elevation of Privilege Vulnerability. PrintNightmare refuses to die. Benjamin Delpy has been keeping the PoCs rolling, even creating a "privesc as a service" hosting two printers that will write to System32 as SYSTEM. Don't worry, it works against non-domain joined Windows 11 machines too. If you wrap buggy code from 1994 in virtualization based security, it's still buggy code. Confused on how this all works? Read this: Windows Print Spooler Elevation of Privilege vulnerability (CVE-2021-1675) explained.
- The new #OpenSecurityTraining2 site has been launched at ost2.fyi! Anyone can now sign up for the public betas of the first classes (with more to come soon!).
- [DEVELOPING] Windows 10 feature upgrades leave SAM and SYSTEM hive readable by any user. This has been seen on Windows 11 and fully up to date Windows 10.
Techniques
- Aruba in Chains: Chaining Vulnerabilities for Fun and Profit. Finding "smaller" bugs and then chaining them together leads to full unauthenticated remote code execution against an Aruba router running Aruba Instant. PoC here.
- Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 2. Connor is back with another banger. Another full walkthrough with detailed steps, screenshots, and full code. If you are interested in exploit development for Windows, this is a must read.
- Remote code execution in cdnjs of Cloudflare. A vulnerability in the way Cloudflare automatically updated its JavaScript CDN allowed for RCE. Props to Cloudflare for the near instant incident response and remediation - impressive.
- Evade Sandboxes With a Single Bit – the Trap Flag. A relatively simple check can be used to determine if you are in a VM or on an actual host.
- Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using BOF.NET and Cobalt Strike. This is so good I had to test and implement it in my tooling the same day. Stop dropping files to target (even encrypted), and pull them straight back via BOF.NET. Be sure to check out this commit to CredBandit if you are interested in implementing this in your own BOFs (or just use the new BOF.NET). @spotheplanet has an updated section on dumping to memory as well.
- Gotta Catch 'Em All: Frida & jailbreak detection. If you have any interest in iOS security or jailbreak detection, this post is full of great details.
Tools and Exploits
- CVE-2021-3492 is an exploit for a bug in the shiftfs driver in Ubuntu that was introduced in April 2019, affecting at least 20.04 and 20.10. It was used successfully at Pwn2Own, with the full details released this week in a blog post.
- SharpImpersonation is a token impersonation tool written in C#. Lots of details in this blog post.
- SharpExcelibur is a tool to read Excel spreadsheets (XLS/XLSX) using Cobalt Strike's execute-assembly functionality.
- injectAmsiBypass is a Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
- PetitPotam is a PoC tool to coerce Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function. Disabling the EFS service does not seem to mitigate the "feature".
- CheeseSQL is Command Exec / Lateral Movement via MSSQL Trust. This tool has been developed to overcome some of the limitations given by already existing tools like ESC, mostly regarding MSSQL impersonation. Moreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse.
New to Me
- CVE-2020-1020-Exploit is the type1 font pool overflow LPE exploit. Supported OS: Windows 7,8,8.1 x64.
- kerlab is a Rust implementation of Kerberos for fun and detection. It implements a few Kerberos features from Rubeus as well as credential spraying and offline brute forcing.
Last Week in Security (LWiS) - 2021-07-12
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-06 to 2021-07-12.
News
- Multiple U.S. States Sue Google for Violating Antitrust Laws With Play Store Fees. Last year Google said that all app developers would be required to use the Google Play Store payment system for in-app billing, which comes with a 30% cut to Google. What this means for Apple, who had a trial in May against Epic Games over the same issue (decision pending), remains to be seen.
- New privacy policy is completely unacceptable! Audacity was bought by Muse Group (which owns Ultimate Guitar and MuseScore as well) and predictably wants telemetry on the user base of their new toy, or their lawyers slapped the boilerplate on it to cover all eventualities. Either way, there is now tenacity.
- Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC. This battle has been brewing for a while as companies push harder against consumers actually owning, well, anything really. With pressure from the top, perhaps a set of FTC rules could give power back to the people and ensure that you do actually own what you buy and are free to modify and repair it on your own.
- DIVD-2021-00011 - Kaseya VSA Limited Disclosure. The Dutch CERT found and warned Kaseya about multiple vulnerabilities in April. Was the REvil exploit a case of parallel discovery, or perhaps a compromise of the Kaseya ticketing system?
- Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards. While that is a big number, the bug bounty community, and Microsoft specifically, have been at the center of some bug bounty drama. Hopefully it encourages more researchers to responsibly report vulnerabilities, and other companies to enact their own bug bounty programs.
Techniques
- Old dog, same tricks. Old "enterprise" software can be a gold mine for bugs. In this post a remote code execution vulnerability in Beagle Software’s ClockWatch is found and exploited. The vendor has declined to update, and thus this PoC should work forever (if you ever find ClockWatch in the wild).
- CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict. After login, the site creation process leads to deserialization of untrusted user data and the ability to run arbitrary OS commands. This was patched in May 2021.
- Issue 2189: mpengine: asprotect embedded runtime dll memory corruption. An old, obscure packer format (asprotect) was emulated by executing an embedded DLL without signature checks. By creating a special asprotect DLL, RCE as SYSTEM on file scan is achievable. How many more obscure format unpackers lie in wait inside defender and similar products?
- Adding a native sniffer to your implants: decomposing and recomposing PktMon. Following the "write your own tools" mantra, this post explores PktMon and how to write your own packet sniffer using the built in "Packet Monitor" (Win 10/2019 1809+).
- Filesec.io. Stay up-to-date with the latest file extensions being used by attackers. It's the LOLBins or GTFObins of file extensions.
- Printnightmare Network Analysis. This is the kind of analysis that "open source tools" (OSTs) enable. This is a great post on how to break down pcaps to generate network signatures for new techniques/tools.
- Patching DoublePulsar to Exploit Windows Embedded Machines. This is a great example of not giving up on the first error, trying harder, and digging into issues to find solutions. Although Windows Embedded support wasn't added to Metasploit, the author got a shell and was able to continue the assessment.
- Process Creation is Dead, Long Live Process Creation — Adding BOFs Support to PEzor. This is the coolest tool of the last week. Run arbitrary executables as BOFs with a single command in Cobalt Strike. We have reached full BOF weaponization.
Tools and Exploits
- TokenTactics is an Azure JSON Web Token (JWT) manipulation toolset. Based on the work at AAD Internals, it adds the ability to pivot between token types, requiring (in certain setups) only one device code phish for wide access into Azure, Teams, Outlook, etc. The target inputs a code into a legitimate Microsoft page, but the codes are only good for 15 minutes.
- InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification needed. More information in the blog post.
- TeamsUserEnum will determine whether an email is registered on Teams or not. More details on immunIT's blog.
New to Me
- rustpad is an efficient and minimal collaborative code editor, self-hosted, no database required. Consider this where you would have used Etherpad in the past.
- reconmap. This looks like a great tool to help operators collaborate on an external penetration test or red team engagement.
Last Week in Security (LWiS) - 2021-07-06
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-28 to 2021-07-06.
News
- A New Kind of Ransomware Tsunami Hits Hundreds of Companies. REvil used certutil and MsMpEng.exe sideloading to great effect after compromising a popular managed service software provider.
- Telco injects ads into Google SMS 2FA Messages. If you needed any more ammo for why SMS 2FA is the worst kind of 2FA (but still much better than no 2FA!) here it is.
- How a Docker footgun led to a vandal deleting NewsBlur's MongoDB database. As someone who has dealt with UFW and Docker issues, as well as a NewsBlur user, I feel this post. TLDR: Docker will bypass UFW and it's really hard to get them to work together.
- Windows 11 LPE tweeted. First blood?
- NSA, Partners Release Cybersecurity Advisory on Brute Force Global Cyber Campaign. Looks like the GRU is brute forcing public logins. This is your weekly reminder to force 2FA for all users.
Techniques
- Kaspersky Password Manager: All your passwords are belong to us. The silly UX prevented this poorly seeded password generator, which causes every instance of Kaspersky Password Manager in the world to generate the exact same password at a given second, from being caught earlier. Or *dons tinfoil hat* maybe something else did...
- Taking over Uber accounts through voicemail. This is an attack enabled by the fact Uber will deliver OTP codes via audio to voicemail, and the fact that voicemail boxes are usually very easy to compromise. Ensure your scoping document allows for this type of attack before attempting, as multiple parties are involved.
- A Red Team Operation Leveraging a zero-day vulnerability in Zoom. Unpacking and adding payloads to legitimate installers is a nifty trick. Without complete verification of all files in an MSI this is possible, and the best part is these applications are likely allow-listed by AV/EDR or the SOC.
- An EPYC escape: Case-study of a KVM breakout. This post describes a vulnerability in KVM’s AMD-specific code and discusses how this bug can be turned into a full virtual machine escape. This is the first public writeup of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU.
- GateKeeper - Not a Bypass (Again). macOS' Gatekeeper alerts users when executing files that have been downloaded, but it doesn't alert on notarized dynamic library loads, even if they have the quarantine attribute set. How can this be abused? Malicious screen savers, color picker plugins, preference panes etc can be used to execute arbitrary code from the internet without any warnings. Getting the files to the correct locations is an exercise left to the reader.
- BITS Persistence for Script Kiddies. This technique is likely monitored by EDR but is worth having in your tool bag nonetheless.
- gcp-dhcp-takeover-code-exec. By predicting the seed to the random number generator used by Debian's DHCP client, a malicious user with access to a VM in the same subnet of a rebooting VM can impersonate the metadata service and add a malicious ssh key to the victim VM. The practical implications of this are very limited, but it remains unpatched.
- Hunting for Windows “Features” with Frida: DLL Sideloading. DLL sideloading is an underutilized technique, but as it is hard to detect, advanced adversaries are using it. The new WFH tool uses Frida to identify potentially sideload-able DLLs in programs.
- Abusing Resource-Based Constrained Delegation (RBCD) using Linux. RBCD is a confusing misconfiguration present in some Active Directory environments. This post has both an offensive and defensive walkthrough.
- Merging C# Assemblies using dnMerge. This new C# assembly merge tool is a plugin for MSBuild that plays nicely with dotnet and uses LZMA for more efficient compression than Costura, allowing more tools to stay under the 1MB limit of Cobalt Strike's execute-assembly command.
- Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMware vCenter Server 7.0. This in-depth post digs into how the Sudo LPE works, what vCenter/Photon OS is, and how they adapted the exploit to work against vCenter 7.
- Exploit mitigations: keeping up with evolving and complex software/hardware. This project aims to answer the question, "does my current environment have mitigation X?"
- How to exploit a vulnerable windows driver. AsRock took RWEverything, slapped some AES encryption (with hardcoded key) on the ioctl calls, and shipped it as a product. A quick overwrite of BeepDeviceControl and you have kernel execution.
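The seeding flaw behind the Kaspersky Password Manager item above, as an added illustration that is not the vendor's code and not part of the original post: a generator whose only seed is the wall-clock second, so every instance run in the same second produces the same password, next to a CSPRNG-backed replacement. The alphabet, length, timestamp and generator internals are assumptions for the demo, not details from the post.

```python
import math
import random
import secrets
import string

# Constructed parameters for the demo; the real product's alphabet, length
# and generator internals are not described in the post.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 12


def time_seeded_password(unix_second: int, length: int = LENGTH) -> str:
    """Flawed pattern (hypothetical reconstruction of the seeding bug the
    item describes, not Kaspersky's code): a deterministic PRNG whose only
    seed is the current Unix second. Two instances run in the same second,
    anywhere in the world, walk the same PRNG stream and emit the same
    password."""
    rng = random.Random(unix_second)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = LENGTH) -> str:
    """Fix: draw every character from the OS CSPRNG through `secrets`.
    There is no seed, so nothing about when the password was generated
    helps anyone reproduce it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def time_seeded_search_space_bits(window_seconds: int) -> float:
    """Effective strength of a time-seeded password when the generation
    window is known: one candidate per second in the window, independent
    of password length or alphabet."""
    return math.log2(window_seconds)


def nominal_strength_bits(length: int = LENGTH, alphabet: str = ALPHABET) -> float:
    """Strength the same password would have if every character were chosen
    uniformly and independently, which is what the CSPRNG version gives."""
    return length * math.log2(len(alphabet))


def main() -> None:
    t = 1_625_000_000  # constructed timestamp (2021-06-29 UTC)
    here = time_seeded_password(t)
    elsewhere = time_seeded_password(t)  # a second installation, same second
    print(f"same second, two instances: {here!r} == {elsewhere!r}: {here == elsewhere}")
    print(f"one second later:           {time_seeded_password(t + 1)!r}")
    ten_years = 10 * 365 * 24 * 3600
    print(f"time-seeded strength over a 10-year window: "
          f"{time_seeded_search_space_bits(ten_years):.1f} bits")
    print(f"nominal strength of a {LENGTH}-char password: "
          f"{nominal_strength_bits():.1f} bits")
    print(f"CSPRNG password: {csprng_password()!r}")


if __name__ == "__main__":
    main()
```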
Tools and Exploits
- PrintNightmare. The print spooler in Windows has a vulnerability that allows any domain user to install a print driver and achieve remote code execution.
- Also check out the Impacket implementation, which includes a C# variant for local privilege escalation (or there is CVE-2021-1675-LPE).
- Some testing has shown that domain controllers are vulnerable even after the June patch, possibly related to the "Point & Print" feature or perhaps "Builtin\Pre-Windows 2000 Compatible Access".
- Confused? Check this flow chart.
- For detection this msp thread is great and there are free micropatches and a collection of resources on GitHub.
- Official Microsoft Response
- ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework for macOS. It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.
- Injector is a complete arsenal of memory injection and other techniques for red-teaming in Windows written in C#. This is a good base for writing your own loader, or testing EDR detections in a purple team scenario.
- pstf2 is an implementation of an HTTP server capable of passive browser fingerprinting to detect and block security scanning services from accessing hosted payloads.
- RelayRumbler is a proof-of-concept tool that attempts to retrieve the configuration from the memory dump of an F-Secure C3 Relay executable.
- PageTableInjection is a proof-of-concept of the page table injection technique to inject malicious code into arbitrary user processes. Be sure to read "The Problem" section to understand stability issues.
New to Me
- shutter. Not sure how I missed this gem. The goal of Shutter is to manage Windows network stack communication via the Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or on the executable that initiates or receives the traffic. This is useful to blackhole event logging or defensive agent communication, or to explicitly permit specific executables to communicate if they have been previously restricted by policy, and it runs totally in memory. How good is that expensive EDR if it can't call home?
- agentstub. SSH agent forwarding is a big win for attackers with root on a compromised machine, and this tool illustrates some private key operations that can be done with the ssh-agent, like signing files with RSA private keys.
- Vanara is a set of .NET libraries for Windows implementing P/Invoke calls to many native Windows APIs with supporting wrappers. Use this to easily add P/Invoke calls to your next C# tool.
- PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can leverage to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework supporting loading modules through a "ReflectiveLoader" interface. Be aware this loads a driver, WinDivert64.sys.