News

• Recapping Developer Week. Cloudflare continues to release new products and make (good) changes to existing products. And yes, they did release an AI product.
• infosec company owned completely by 4chan user. Ouch.
• New ZIP domains spark debate among cybersecurity experts. I don't think there is debate, I think there are people claiming .zip will be a threat, but the only case I can see that being true is with programs that have interpreted .zip as a file since forever and may be fooled now that it can resolve as a URL. The "it looks like a file" argument strikes me as silly, since the anchor tag has been used to "disguise" URLs since the existence of the HTML standard. Oh look here's one now: legit.zip
• Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug. Is this the first case of a disabled by default mitigation being shipped in response to an active, in the wild exploit?
• RFC: Override HTTP response headers locally with DevTools. Now one of the most common use cases for Burp Suite is part of Chrome! For how see: How to Override Response Headers with Chrome DevTools.
• DEF CON 31 Badge Update - SAO support!. This year's DEF CON badges will support an add on "thing" shaped like a cyber punk wedge.
• First Look: Ghidra 10.3 Emulator. Everyone is pumped about native dark mode, but the emulator is pretty sweet.

Techniques and Write-ups

• From DA to EA with ESC5. "There's a new, practical way to escalate from Domain Admin to Enterprise Admin." Sign me up. Another banger from Andy Robbins.
• C2 and the Docker Dance: Mythic 3.0's Marvelous Microservice Moves. I can't say I love the extreme microservice-y architecture of Mythic, but it's the easiest open source C2 to write a totally custom agent for at this point. Perhaps SpecterOps can use some of that Series A to contract a web UI pro to help with the front end. I say this out of love, as I actually use Mythic C2 for production operations.
• The printer goes brrrrr, again!. 2 bytes is all it takes to RCE a Cannon printer.
• Nighthawk 0.2.4 - Taking Out The Trash. The new version supports .NET memory sleep encryption, using a custom allocator to protect and encrypt not only the executed .NET assembly but also any of its allocations during runtime. It also adds reverse port forwards, improvements to hidden desktop, "extra life" exception hooking, and other minor improvements.
• PwnAssistant - Controlling /home's via a Home Assistant RCE. Awesome write up from recon to RCE against the popular home automation software.
• Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3. Another recon to RCE web app hacking write up.
• Malicious code in PDF Toolbox extension. Browsers are the new OS, but there is zero visibility or "anti-virus" for them. It's like the Windows 98 wild west days.
• Cobalt Strike and YARA: Can I Have Your Signature?. Probably the best article on Cobalt Strike OPSEC that exists. Advanced teams have known about the satic loader signatures and other things for a while, but this post spells it all out and even gives examples of how to get around static detections. We're at a point where to be truly successful as an adversary you need to know assembly pretty well. Seems like the offensive security community has made the defenses better and raised the barrier to entry. Almost like the goal was to... @ImposeCost...
• NixImports a .NET loader using HInvoke. API Hashing in C# makes the dnSpy output a mess. Neat loader!
• CVE-2023-26818 - Bypass TCC with Telegram in macOS. While this is a write up on dylib injection in Telegram, many apps are vulnerable to a similar technique, especially third party apps.
• Introducing CS2BR pt. I - How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs. If you've used BRC4 you know the pain of BOF conversion. Nviso teases a tool to automate it, hopefully it's released soon!
• SQLi - WAF Detection & Bypass Techniques That Still Work in 2023. For the web app assessors out there.
• Avast Anti-Virus privileged arbitrary file create on virus restore (CVE-2023-1586). More Avast privescs!
• CS:GO: From Zero to 0-day. Sure it's a video game exploit, but the writeup is top tier.
• Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams. Finally, a blog on red teaming, not just penetration testing! For anyone looking to get into adversary simulation, this is a good intro.
• FriendlyName Buffer Overflow Vulnerability in Wemo Smart Plug V2. Some solid hardware hacking.
• LOLBINed — Finding “LOLBINs” In AV Uninstallers. AV makes the best traitorware.

Tools and Exploits

• CypherDog - PoSh BloodHound Dog Whisperer.
• buzzer is a fuzzer toolchain that allows to write eBPF fuzzing strategies.
• keepass-password-dumper - Original PoC for CVE-2023-32784 (keepass master password disclosure).
• PPLFaultDumpBOF - Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting cobalt strike.
• PPEnum - Simple BOF to read the protection level of a process.
• ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer.
• Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities.
• chromecookiestealer - Steal/Inject Chrome cookies over the DevTools (--remote-debugging-port) protocol.
• GoBelt - Golang programmatically invoking the SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• avred - Analyse your malware to chirurgicaly obfuscate it.
• smbcrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares.
• Goshawk is a static analyze tool to detect memory corruption bugs in C source codes. It utilizes NLP to infer custom memory management functions and uses data flow analysis to abstract their behaviors and then adopts these summaries to enhance bug detection.
• dumpulator - An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
• EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances. It works by sending commands to EC2 instances using ssm:SendCommand and then retrieves the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• So long passwords, thanks for all the phish. The passwordless future is much like the year of the Linux desktop - long promised, yet to be delivered. Google's adoption of passkeys is a huge step however, and this kind of authentication "raw material" is much more scoped and secure than the name of your dog your mom uses as a password for every online account.
• Apple Fails to Revive Copyright Case Over iPhone iOS Simulator. "The US Court of Appeals for the Eleventh Circuit on Monday ruled that Corellium's CORSEC simulator is protected by copyright law's fair use doctrine, which allows the duplication of copyrighted work under certain circumstances." With this, the 2019 case should finally be fully settled.
• Senator Asks Big Banks How They're Going to Stop AI Cloned Voices From Breaking Into Accounts. How voice as authentication was ever greenlight will continue to amaze me.
• Mojo🔥. Mojo is a new programming language that bridges the gap between research and production by combining the best of Python syntax with systems programming and metaprogramming. With Mojo, you can write portable code that's faster than C and seamlessly inter-op with the Python ecosystem. Mojo is currently in closed beta.
• FYI: Intel BootGuard OEM private keys leak from MSI cyber heist. BootGuard isn't so secure any more. Check the impacted devices.
• Russian-Linked Malware Targets U.S. Critical Infrastructure. "Since being discovered in March 2022, no known disruptive or destructive attacks leveraging PIPEDREAM have been carried out on ICSs in the U.S."
• The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed. Sophisticated attacks are hard to put together from the blue side.
• Palantir AIP | Defense and Military. "Alexa, destroy that enemy tank for me using the best available asset."

Techniques and Write-ups

• [PDF] Hunting Russian Intelligence “Snake” Malware. A very detailed write up from American intelligence on the FSB's "Snake" Windows implant.
• Privilege Escalations through Integrations. Some good "modern" web app testing. And by that I mean YOLOing between auth providers that don't do proper session handoff.
• CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service. Good news is that DHCP is limited to a broadcast domain?
• Brewing Hash Cracking Rules with The Twin Cats. Some great hashcat rule analysis and generation. Lots of good tools linked in the post as well.
• A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…. Quite the web app bug chain, which did require user interaction, but is impressive none the less.
• Leveraging XFG to help with reverse engineering. If you reverse engineer on Windows with extended flow guard, this x64dbg plugin is a must!
• ETWHash - “He who listens, shall receive”. Extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider.
• Apache Solr 8.3.1 RCE from exposed administration interface. A good write up on exploring a web app to find RCE.
• Exploring Impersonation through the Named Pipe Filesystem Driver. This post covers file system drivers, specifically the named pipe driver (npfs.sys), as well as shows a proof of concept for calling NtFsControlFile directly to perform named pipe impersonation instead of calling the Win32 API, ImpersonateNamedPipeClient.
• Building a Red Team Infrastructure in 2023. The phishing setup is interesting - specifically the use of postfix to clean mail headers.
• Fantastic Rootkits and Where to Find Them (Part 2). Not much is written about rootkits these days, especially for Windows.
• CVE-2023-25394 - VideoStream Local Privilege Escalation. A great writeup about finding a privesc in a common 3rd party macOS app. The process is well documented from start to finish.

Tools and Exploits

• sccmhunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM related assets.
• exec2shell - Extracts TEXT section of a PE, ELF, or Mach-O executable to shellcode.
• chophound - Some scripts to support with importing large datasets into BloodHound.
• HASH - HASH (HTTP Agnostic Software Honeypot).
• cloudtoolkit - Cloud Penetration Testing Toolkit.
• CVE-2023-0386 - Privilege escalation exploit for Ubuntu 22.04.
• PECheck - A tool to verify and create PE Checksums for Portable Executable (PE) files.
• CustomEntryPoint - Select any exported function in a dll as the new dll's entry point.
• resocks - mTLS-Encrypted Back-Connect SOCKS5 Proxy.
• stealthscraper - A social media scraper that attempts to be stealthy by simulating a user using gui automation.
• Freeze.rs - Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The best laptop deal I have ever seen. If you need a DEF CON burner, this is it ($279 and free shipping at the time of publishing).
• backgroundremover - Background Remover lets you Remove Background from images and video using AI with a simple command line interface that is free and open source.
• Course Review: "Practical Web Application Security and Testing". The course is $1 during May if you are interested.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Triple Threat: NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains. Good thing we have Rapid Security Response?
• Google Authenticator now supports Google Account synchronization. This was a huge downside to using the Goole provided MFA code generation app. Lost, stolen, or simple device upgrades were a struggle. I have been pushing Raivo OTP, an open source MFA app with encrypted seed synicning support because of the drawbacks for Google's own app. They release says that the new sync feature makes MFA codes "more durable by storing them safely in users' Google Account," but does not explicitly say if the seeds will be symetrically encrypted. Does this open a new level of compromise to Google Account takeovers? Can attackers sync the seeds to a device without an authenticator specific password? Like always, FIDO2 keys and Advanced Protection are the answer.
• Mullvad VPN was subject to a search warrant. Customer data not compromised. The feds showed up with a warrant, but left without taking anything. Commercial VPNs have a very narrow use case, and if your threat model warrents one, you probably shouldn't trust any one provider.
• 3CX Breach Was a Double Supply Chain Compromise. Yo dawg, I heard you like supply chain compromises...
• Git security vulnerabilities announced. No surprise that GitHub found some git vulnerabilities. Update your git clients today!
• Zyxel security advisory for OS command injection vulnerability of firewalls. Unauthenticated remote command execution in a firewall... You had one job.
• Microsoft shifts to a new threat actor naming taxonomy. Ah yes... Standards.
• An open letter. The UK's Online Safety Bill could destroy end-to-end encryption in the UK. Privacy is a human right.

Techniques and Write-ups

• Windows secrets extraction: a summary. Excellent overview of the current state of windows credential material extraction.
• I hack, U-Boot. A very detailed and technical post on the most common bootloader in the embedded space.
• Classifying Malware Packers Using Machine Learning. ML models have gotten very good at clasifying images (thanks im part to your capcha clicks), why not covert binaries to images and have the ML classify them?
• Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB. This won't be effective against EDR in the kernel (Defender, Crowdstrike, etc), but could be useful to hide from userspace detections.
• How to Proxy VM Traffic through Burp Suite. A simple trick, but if you weren't aware of the system wide proxy setting in Windows, this is a useful tip.
• Securely Hosting User Data in Modern Web Applications. Ever wonder why domains like githubusercontent.com or googleusercontnet.com exist? For your protection!
• CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution. Always change the default key values! Developers, generate random values on first startup to prevent this.
• PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise. If only all patch diffs were this simple. Good write up from initial news to full RCE.
• Eating 4 Day Old Sushi - Replicating the SushiSwap Hack. DeFi continues to be the ultimate black hat bug bounty.
• CVE-2023-23525: Get Root via A Fake Installer. Fake installers could use the permission granted by users during install to gain root access. Update to macOS 13.3 to apply the fix.
• Finding XSS in a million websites (cPanel CVE-2023-29489). Good web vulnerability hunting process in this post. If you liked that you'll also enjoy Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera.
• Never Connect to RDP Servers Over Untrusted Networks. You can collect Net-NTLMv2 without showing a certificate warning (MitM) to the user. Microsoft says this is "by design" and won't fix it.
• Creating an IR Nightmare Drop Box. A good drop box can be crucial to success on a physical engagement. For bonus points, wire this up with LoRa as a Side Channel.
• So you think you can block Macros?. Macros aren't quite dead yet. Turns out it's pretty hard to completely lock down an arbitrary scripting system that enterprises rely on for business.
• Stealing GitHub staff's access token via GitHub Actions. A ten second sleep was all it took to steal some access tokens. Well done!
• NightHawk Memory Obfuscation. What's old is new again. titanldr-ng has a Cobalt Strike compatible variant (check out Obf.c).
• Avast Anti-Virus privileged arbitrary file create on virus quarantine (CVE-2023-1585 and CVE-2023-1587). You either die a hero or...
• Process injection in 2023, evading leading EDRs. Vincent always drops succinct, high quality content.

Tools and Exploits

• Introducing BloodHound 4.3 — Get Global Admin More Often. More Azure and MS Graph features!
• ScareCrow. Not a new tool but a big update to the payload creation framework for v5.0.
• nanodump - Not new, but the recent updates allows for PPL dumping!
• DCVC2 - A Golang Discord C2 unlike any other. DCVC2 uses RTP packets over a voice channel to transmit all data leaving no operational traces in text chats.
• maskcat - Utility tool for Hashcat Masks and Password Cracking.
• mac-monitor - Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• highlight - highlight.io: The open source, full-stack monitoring platform. Error monitoring, session replay, logging and more. I haven't seen a self-hostable web session recording system before highlight.
• KeePwn - A python tool to automate KeePass discovery and secret extraction.
• Maintaining this site fucking sucks. This guy needs my blog CI/CD pipeline. When I finish a blog post it's one command to publish it and set up the env for next week. Maybe, just maybe, you don't need all that javascript (hint: there isn't a single line of functional javascript on this site).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Announcing the deps.dev API: critical dependency data for secure supply chains. 5 million packages and more than 50 million versions from the Go, Maven, PyPI, npm, and Cargo ecosystems have been documented by Google and are available via an API for you.
• Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says. In this edition of "attribution is hard..." (alternative theory: the attackers were so good the FBI couldn't find any trace, but ya know, Occam's razor).
• Amazon CodeWhisperer. GitHub Copilot X price got you down? Feed your code into a different megacorp Amazon for free and get code completion suggestions from an AI. At least this one tells you the license of the code you're stealing it got inspiration from.
• Birds at (Tail)scale. Now you can one-click deploy a honeypot to your tailscale network. I have yet to see a better signal to noise ratio for any detection technology.
• Are Internet Macros Dead or Alive?. Betteridge never fails. Some good lure/prompt images to borrow for red teaming in this article. The template location lure would work against up to date Word installs.
• Rizin Silhouette Server. The Rizin team is running a public symbol server!
• Rooting a Common-Criteria Certified Printer to Improve OPSEC. Some serious dedication to privacy. But why print the reports in the first place?

Techniques and Write-ups

• Shell in the Ghost: Ghostscript CVE-2023-28879 writeup. "This write-up details how CVE-2023-28879 - an RCE in Ghostscript - was found and exploited. Due to the prevalence of Ghostscript in PostScript processing, this vulnerability may be reachable in many applications that process images or PDF files (e.g. ImageMagick, PIL, etc.), making this an important one to patch and look out for."
• Java Exploitation Restrictions in Modern JDK Times. With lots of enterprise software still being written in Java, the exploitation isn't slowing down, just adapting.
• Extending (and Detecting) PersistAssist: Act II. Write some C# to persist with WMI event subscriptions.
• Introducing AutoFunkt: Automated Cloud Redirector Generation. Cloud functions are very useful for redirecting C2 traffic through high reputation domains, but they can be a pain to set up - until now!
• On self-healing code and the obvious issue. It's like command injection, but you get to write it in plain english.
• Butting Heads with a Threat Actor on an Engagement. Now ask what would happen if the actor cleaned up properly, and then patched the vulnerability (or at least mitigated it). Detection must have layers!
• Stepping Insyde System Management Mode. It's a bit wild that as a result of a code leak Insyde got a free audit and 5 vulnerabilities found.
• D/Invoke v1.0.5. A few new functions to make your C# tooling a bit more ergonomic.
• Multiple vulnerabilities in Aten PE8108 power distribution unit. Even your PDU is trying to get you pwned.
• Simple PHP webshell with php filter chains. In memory PHP webshell!?
• Losing control over Schneider's EcoStruxure Control Expert. Unauthenticated RCE, this time in your SCADA workstation.
• CAN Injection: keyless car theft. Woah. You wouldn't download a car exploit?
• Popping Tags: Exploiting Template Injections in PRTG Network Monitor. Currently an 0day. Careful what links your PRTG admin is clicking.
• Hacking Your Cloud: Tokens Edition 2.0. A great post on Azure/Office tokens and how to pivot them to more access.
• GCP Pentesting Guide. Some Google specific cloud hacking.
• Bypassing Windows Defender (10 Ways). Nothing novel here but a nice collection of techniques.

Tools and Exploits

• PatchlessCLRLoader - .NET assembly loader with patchless AMSI and ETW bypass. Also comes in BOF form: PatchlessInlineExecute-Assembly.
• KillerVuln2 - Files for PoC of vulnerability in Intel Killer Performance Suite
• PowerShell-Obfuscation-Bible - A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
• 2D-Injector - Hiding unsigned DLL inside a signed DLL.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• scriptkiddi3 - Streamline your recon and vulnerability detection process with SCRIPTKIDDI3, A recon and initial vulnerability detection tool built using shell script and open source tools.
• BackupOperatorToolkit - contains different techniques allowing you to escalate from Backup Operator to Domain Admin
• homebox - Homebox is the inventory and organization system built for the Home User.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The Cure Tried to Stop Scalpers. Brokers Are Selling Entire Ticketmaster Accounts Instead. That's the thing about hackers, they will find a way around arbitrary restrictions.
• CVE-2023-1671: Critical Pre-Auth Command Injection Vulnerability in Sophos Web Appliance. "A pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code."
• Stopping Cybercriminals From Abusing Security Tools. Is this the first time a C2 vendor has taken "proactive" action against hosted copies of its own software?
• Meta Manager Was Hacked With Spyware and Wiretapped in Greece. Unsure of the phone's OS (the capability covers both Android and iOS), but it was an SMS link that appears to be the infection vector (1-click). This is your reminder to reboot your phone often - persistence of Predator was an extra 2.4 million euro add on in 2021.
• 3CX DesktopApp Security Alert. One of hte bigger supply chian attacks since SolarWinds.

Techniques and Write-ups

• Build a secure code mindset with the GitHub Secure Code Game. Learn CodeQL in a fun CTF-style "game." For pointers, be sure to read: CodeQL zero to hero.
• Windows Installer EOP (CVE-2023-21800). "This blog post describes the details and methodology of our research targeting the Windows Installer (MSI) installation technology." Spoiler: "the environment variables set by the unprivileged user were also used in the context of the SYSTEM user invoked by the repair operation."
• In-Memory Disassembly for EDR/AV Unhooking. Have your cake and eat it too. Without using hooked functions, Christopher Vella is able to call unhooked functions without direct syscalls. The code is nicely commented. It's in rust too (and probably written on arch btw).
• Dynamic Linking Injection and LOLBAS Fun. Some very sneaky DLI exploitation using system binaries to drop and run secondary payloads.
• Veeam Backup and Replication CVE-2023-27532 Deep Dive. Unauthenticated access to cleartext credentials? Yikes.
• Obfuscating C2 Traffic with Google Cloud Functions. Tired of the blue team blocking your egress domains? Why not use a high reputation domain like cloudfunctions.net?
• Microsoft Defender for Identity OWIN HTTP Listener. An interesting dive into MS Defender for identity's API (localhost only and cert auth protected). It has some interesting features like the ability to get a handle to the Group Managed Service Account token. Staying tuned for more.
• Bypassing software update package encryption - extracting the Lexmark MC3224i printer firmware. This part 1 is cut off in the opening summary, but part 2 has some great low level exploitation.
• Living Off The Land Drivers. loldirvers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks.
• Pwning Pixel 6 with a leftover patch. Excellent low level android exploitation content.
• Escaping Adobe Sandbox: Exploiting an Integer Overflow in Microsoft Windows Crypto Provider. Some good low level windows Exploitation.
• Shellcode: Entropy Reduction With Base-32 Encoding.. A custom Base-32 encoding can help data appear less random.
• Attacking Visual Studio for Initial Access. It turns out you don't even have to compile a malicious solution, just open it, to get pwned.
• I'd TAP That Pass. Temporary Access Passwords can bypass MFA in some situations to allow pivoting into Azure from a compromised user context.
• Disabling AV With Process Suspension. AV giving you a hard time? Put it on ice while you do your detected actions then bring it back like nothing happened. Be sure to test this as it can cause instability while the AV is suspended.
• BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover. Wiz has proven again and again they are the undisputed kings of cloud. Always scared/excited when a new technical post drops from Wiz.

Tools and Exploits

• Tool Release - shouganaiyo-loader: A Tool to Force JVM Attaches. Inject your own Java code into processes that have disabled the agent attach API.
• PoC for CVE-2023-28206 - exploit for an out-of-bounds write in the IOSurfaceAccelerator, allowing a malicious actor to execute arbitrary code with kernel privileges on macOS/iOS by utilizing a specially crafted application. Note this is just a kernel panic PoC.
• EPScalate - Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.
• OffensiveCpp - This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
• Implant execution via PrintBrm.exe - use PrintBrm to extract & execute an implant from an ISO.
• EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists.
• PhoenixC2 - Command & Control-Framework created for collaboration in python3. This looks very alpha.
• HardHatC2 - A C# Command & Control framework. Another alpha C2, but this one has a lot of features in the agent already.
• dir2json - Tool for efficient directory enumeration. Read the blog post.
• DPAPISnoop - A C# tool to output crackable DPAPI hashes from user MasterKeys.
• GodPotato - ImpersonatePrivilege == SYSTEM. At this point I think its just a feature of Windows.
• Chaos-Rootkit - x64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities.
• rogue - A barebones template of 'rogue' aka a simple recon and agent deployment I built to communicate over ICMP. Well, without the ICMP code.
• wmiexec-Pro - Lateral movement with WMI using only port 135.
• inline-syscall - Inline syscalls made for MSVC supporting x64 and x86.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• serge - A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy to use API.
• Game Hacks: Among Us - IL2CPP Walkthrough. The same techniques can be used to locate sensitive data and craft exploits in more serious applications.
• espanso - Cross-platform Text Expander written in Rust.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems. RCE with no user interaction to basically any modern Samsung phone. All you need is the phone number, no user interaction. Wild. Turn off Wifi Calling and VoLTE until you are sure this one is patched.

• AI news

  • LLM + Clean Room: Will LLMs be the death of code copyrights?. Find code you want to use, but isn't licensed right, and just have GPT4 re-write it for you.
  • GPT-4 Hired Unwitting TaskRabbit Worker By Pretending to Be 'Vision-Impaired' Human. Remember, at its core GPT-4 is just a model that predicts what should come next in a sequence. It's just scarily good at that task. If you feed it bad instructions it will do bad things. The "novel" part of the article is that GPT-4 "lied" on purpose. But all it really did was predict (correctly) what it should say next based on the context. What's really going to bake your noodle later on is wondering - are you doing anything different? Daniel Miessler thinks GPT-4 understands.
  • GPT_Vuln-analyzer - Uses ChatGPT API and Python-Nmap module to use the GPT3 model to create vulnerability reports based on Nmap scan data.
  • Dalai - Run LLaMA and Alpaca on your computer.. The the 7B and 13B models are quick and easy to install. Models up to 64B parameters are available.

• The privacy loophole in your doorbell. Ring, like every cloud connected camera/smart speaker is trading security for convenience. People pull out slippery slope arguments about government overreach because governments have a history of collecting as much data as possible and sorting it out later. Plus Ring maybe got hacked recently.

• Kali Purple. The Offensive Security team is taking on defense with the release of Kali Purple.

• Thousands scammed by AI voices mimicking loved ones in emergencies. I called this years ago (LWiS 2021-06-21). Next up: your IT guy or boss telling you to click the link and run the exe.

Techniques and Write-ups

• Parallels Desktop Toolgate Vulnerability. A guest with Parallels tools installed can write crash dumps to the host, and there existed a path traversal vulnerability that allowed an escape and code execution via the shell login script.
• Bypassing PPL in Userland (again). The PPL master delivers yet again: PPLmedic - Dump the memory of any PPL with a Userland exploit chain.
• Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Leak NTLM hashes from targets as soon as the Outlook thick client processes an email (they don't even have to open it!). The patch does not prevent UNC paths without dots, so internal assessors can still make use of this on fully patched Outlook clients. PoC here.
• VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress. I once coded an entire personnel intake validation pipeline in Access and VBA. It was painful. Low level programming in VBA is insane.
• Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development. UDRL developmet just got a bit easier.
• External Trusts Are Evil. There is no such thing - in reality - as non-transitive trust. Any domain in a forrest can authenticate and create machine accounts in any other domain in the forrest unless special precautions are taken. Microsoft Active Directory is the ultimate job security for cybersecurity professionals.
• Microsoft Defender for Identity Sensor Identification. Defender for Identity seemingly always opens two uniquely named pipes that can be remotely enumerated.
• Making New Connections - Leveraging Cisco AnyConnect Client to Drop and Run Payloads. This tool was in last LWiS, but this walks thorough it in detail.
• A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM. Intel BIOS bug!
• CVE-2023-26604. Get root on a systemd Linux machine with... less?! Yes.
• Espressif ESP32: Glitching The OTP Data Transfer. Very cool glitching hacks. Hundreds of thousands of trials to find just the right location and power and time!
• Producing a POC for CVE-2022-42475 (Fortinet RCE). A great start to finish walk through of a vulnerability.
• Uncovering Windows Events. How does ETW work? Find out in this post.
• Red vs. Blue: Kerberos Ticket Times, Checksums, and You!. Up your kerberos opsec or detection skills with this post.

Tools and Exploits

• MacOSThreatTrack - Bash tool used for proactive detection of malicious activity on macOS systems.
• Updates to C2-Tool-Collection - Psm: BOF to show detailed information on a specific process ID; ReconAD: BOF that uses ADSI to query Active Directory (AD and GC) objects and attributes.
• Azure-App-Tools - Collection of tools to use with Azure Applications. Just updated with an IPFS dropper.
• ekko-rs - Rusty Ekko - Sleep Obfuscation in Rust.
• PSBits - Windows 10 offline admin creation? 😈 Why not?! Everything happens through built-in offlinelsa and offlinesam DLLs. Official, but not very documented.
• Elevate-System-Trusted-BOF - This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API.
• Black-Angel-Rootkit - Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
• bootdoor - An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ScrapPY is a Python utility for scraping manuals, documents, and other sensitive PDFs to generate wordlists that can be utilized by offensive security tools to perform brute force, forced browsing, and dictionary attacks against targets. The tool dives deep to discover keywords and phrases leading to potential passwords or hidden directories.
• Demystifying Security Research - Part 1. This resonated with me, with a heavy emphasis on blog posts and tweets.
• UPnProxyChain - A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Cobalt Strike 4.8: (System) Call Me Maybe. Some great new features (multi-byte XOR for DLL loading), and bug fixes including the age old impersonation bug (that would always say "Impersonated <current user>"). Welcome changes in a competitive landscape.
• Mythic 2.3 -> 3.0 Updates. Not to be left behind, Mythic is moving to 3.0 with an all new Go backend.
• Google Trust Services now offers TLS certificates for Google Domains customers. Google Domains customers can now use DNS-01 challenges to get certificates!
• LastPass breach update: The few additional bits of information. The saga continues. A Plex Media Server RCE on a DevOps engineer's home computer led to the theft of all LasPass data. This should have been stopped at a few different levels, and they subtle blame shift to the engineer isn't good. You have to assume that any device you don't control is fully compromised and monitor access from it appropriately (or deny it).
• We're going teetotal: It's goodbye to The Daily Swig. Pour one out for this great news source.
• How I Broke Into a Bank Account With an AI-Generated Voice. I've been warning about this for a while. Even Sneakers (1992) showed how easy voice based authentication was to spoof.
• Highlights from the New U.S. Cybersecurity Strategy. Grab the highlights here or dig into the full PDF.
• Sensitive US military emails spill online. But remember, if you don't use FIPS validated and certified crypto modules, you are putting sensitive information at risk!

Techniques and Write-ups

• CI/CD secrets extraction, tips and tricks Synacktiv drops Nord Stream, a tool that allows you to list the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines. It currently supports Azure DevOps and GitHub. Don't be fooled by "secret" files and "masked" variables. If the pipeline needs it to build, it can be extracted.
• The code that wasn't there: Reading memory on an Android device by accident. These low level exploits are always somewhat magic to me.
• Red Teaming macOS 101. Excellent write-up for those involved in attacking/defending MacOS assets!
• Windows Hotpatching & Process Injection. Did you know the latest Windows insider builds and Azure server ISOs can hotpatch running processes? Expect both malware and EDRs to (ab)use this feature in the future.
• Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer. Regex is hard for everyone. In this case, a single unescaped dot led to a 1-click Azure account takeover.
• A New Vector For “Dirty” Arbitrary File Write to RCE. Lax config parsers allow arbitrary data/files to be used to "smuggle" configuration files. This technique was used with Redis a while back.
• OneNote Embedded File Abuse. Not caught up on the latest hotness (.one)? Get with the program!
• From on-prem to Global Admin without password reset. An "On-prem to Global admin" attack path that requires quite a foothold but still good to have in your bag as it might bypass some Conditional Access configurations.
• From CVE-2022-33679 to Unauthenticated Kerberoasting. If you missed the kerberos exploit from 2022-10, this post does a good job of introducing the concept of pre-authentication, explaining the flaw, and how to exploit it.
• Microsoft Word RTF Font Table Heap Corruption. Just a crash PoC, but with a CVSS of 9.8, and Word 2007 to Insider Preview - 2211 Build 15831.20122 CTR affected, expect to see it in the wild soon.
• Maldoc Transfers in the Google Cloud. Host your payloads on a high reputation Google domain (cloudfunctions.net).
• Let's build a Chrome extension that steals everything. Red teamers should have an extension like this ready to deploy as we move to a SaaS world and the browser is the only security control after initial access. Code here.
• Having fun with KeePass2: DLL Hijacking and hooking APIs. Hooking via DLL hijacking is a powerful primitive.
• Introducing Aladdin. A new tool and technique for red teamers to bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker. Aladdin exploits a deserialisation issue over .NET remoting in order to execute code inside addinprocess.exe, bypassing a 2019 patch released by Microsoft in .NET Framework version 4.8.

Tools and Exploits

• MemFiles - A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk.
• Amsi-Killer - a "lifetime AMSI bypass."
• Thunderstorm - Modular framework to exploit UPS devices. Only 2 exploits for now.
• msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
• lolbin-poc - Small PoC of using a Microsoft signed executable as a lolbin.
• Kraken - a modular multi-language webshell coded by @secu_x11.
• DroppedConnection - Emulates a Cisco ASA Anyconnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user.
• Timeroast - Scripts that execute timeroasting and trustroasting attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
• AtomLdr - A DLL loader with advanced evasive features.
• bootlicker - A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Locksmith. A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services. Quick wins for Sysadmins!
• APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
• Coercer. A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods. #onetorullethemall
• curl-impersonate - A special build of curl that can impersonate Chrome & Firefox.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• New legal framework for reporting IT vulnerabilities. Belgium's CSIRT can give researchers legal protection granted they meet some conditions when reporting (ethics stuff like acting without intent to harm, no public disclosure without consent, etc). To see this codified in law is awesome. Hack the planet!
• ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published. HFS+ file parsing could lead to remote code execution. As ClamAV is used in many mail gateways, the potential to get code execution by emailing an HFS+ file is exiting/terrifying.
• telnet-client. The Google Chrome team put a telnet client into Chrome. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
• [Twitter] Activision was breached December 4th, 2022.. How'd they do it? SMS phishing, and you can see the screenshots in the tweet. All it takes is one, however, the attackers appear to have their access from a different location (i.e. no code running on the user's system). Would your systems catch this (impossible travel, etc)?
• GoDaddy says a multi-year breach hijacked customer websites and accounts. Ever since GoDaddy bought and then tried to resell me a domain I searched for on their site in 2012 I have sworn to never touch them. Intuition was right on.

Techniques and Write-ups

• Disabling ClamAV as an Unprivileged User. Socketfile permissions claim another victim. With write access to kick off scans comes the ability to shut down the AV altogether.
• EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” - CVE-2022-37955. Symbolic links on Windows have led to lots of LPEs over the past few years. This one uses a GPO's "Files" windows setting to write arbitrary files as SYSTEM.
• Bypassing Okta MFA Credential Provider for Windows. A little walkthrough on how to flip off MFA for RDP once you have admin on the machine.
• Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers. Attackers in your kernel is a certified "bad thing." How bad? This post shows a few ways to blind ETW from the kernel. Not just theory, there is an example from Lazarus in the post as well.
• What the Vuln: Zimbra. This new post series looks fun! First up: a web app with a path traversal vulnerability.
• Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. How did this get past the internal security team, static analysis, and external audits? Amazing. Are you kidding me?
• A Practical Tutorial on PCIe for Total Beginners on Windows (Part 1). The amount of high quality free learning on the internet is amazing, and the people that put it together are awesome.
• Abusing Azure App Service Managed Identity Assignments. Azure is a scary place, and fully understanding the connections of services, apps, principles, etc is a constant struggle.
• New headless Chrome has been released and has a near-perfect browser fingerprint. TLDR: --headless=new will make your headless browser look nearly the same as regular chrome.

Tools and Exploits

• CVE-2022-44666 - Write-up for another forgotten Windows vulnerability (0day): Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape, which was not fully fixed as CVE-2022-44666 in the patches released on December, 2022.
• ntqueueapcthreadex-ntdll-gadget-injection - This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
• Split - Apply a divide and conquer approach to bypass EDRs.
• COFF_With_Exception_handler.c. Make your BOFs safer.
• LsaParser - A shitty (and old) lsass parser. [authors original description]
• NimPlant - A light-weight first-stage C2 implant written in Nim.
• ThreadlessInject-BOF - BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
• graphcat - Generate graphs and charts based on password cracking result.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• OpenSSL Ported to the web browser with WebAssembly. WebAssembly is coming for everything. Chrome/Firefox/Safari are the OSs of the future.
• heap_detective - The simple way to detect heap memory pitfalls in C++ and C. Beta.
• Open Software Supply Chain Attack Reference (OSC&R). Its ATT&CK for releasing software.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• VALL-E - Neural Codec Language Models are Zero-Shot Text to Speech Synthesizers. New research from Mircosoft shows how the new model can clone a voice to a high degree of accuracy with only 3 seconds of sample audio from the target. Previous techniques required at least 30 minutes of audio and had worse results. Think how easy it will soon be to call some, record their voice, and then have "them" say things generated in real time. This will be used for vishing, and it will be extremely effective.
• Truffle Security revealed data collection in XSS Hunster. Infosec Twitter was quick to denounce the data collection and suggest running your own instance.
• About the security content of iOS 16.3.1 and iPadOS 16.3.1. WebKit exploit and "Apple is aware of a report that this issue may have been actively exploited."
• Namcheap/Namecheap's SendGrid account compromised to send phishing emails. Namecheap says its SendGrid, SendGrid hasn't said anything (that I can find).
• Canarytokens.org welcomes Azure Login Certificate Token. Canarytokens are still the best free security tool you aren't using.
• We had a security incident. Here's what we know.. Phish to cloned internal gateway gives an attacker valid credentials and second-factor token. FIDO2/U2F would have made this impossible. Props to the user for self-reporting.
• Announcing Nuclei Cloud. The undisputed champions of the open source attack surface management tooling game are here with their hosted solution. This is not one to dismiss given their incredible history of high quality tool releases.
• Reinventing search with a new AI-powered Microsoft Bing and Edge, your copilot for the web. ChatGPT++ comes to Bing. This actually made me create a Microsoft account and sign up for the waitlist. Well done Microsoft.

Techniques and Write-ups

• Behind the Mask: Spoofing Call Stacks Dynamically with Timers. The Cobalt Strike team is hard at work pushing the boundries of call stack spoofing.
• LocalPotato - When Swapping The Context Leads You To SYSTEM. The Potatos never die! This is the 21st potato in my collection. Patching in 2023-01 (as CVE-2023-21746 ), this potato allows for local privilege escaltion through some tricky SPN manipulation.
• Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation). This is the best post on CORS on the internet. DM me anything better. I dare you.
• Offphish - Phishing revisited in 2023. This is a great rundown of modern phishing techniques. Keep in mind the ISO MOTW bypass was patched by Microsoft in November.
• [PDF] POPKORN: Popping Windows Kernel Drivers At Scale. Some interesting work on "large scale" (212 unique singed Windows kernel drivers) driver fuzzing. Unlike seemingly every other interesting paper, they actually published the code!.
• A-Salt: attacking SaltStack. SaltStack is a desired state configruation platform and less popular member of the Ansible, Puppet, SaltStack triad. Unlike Ansible, which is agentless, SaltStack uses an agent-server model and is basically a remote access tool (and potential traitorware!).
• Security Code Review With ChatGPT. The ChatGPT craze is still with us. Stop feeding it your code. I almost daily have it write me things in languages I'm not fully familair with and it does a decent job at getting me started.
• XXE with Auto-Update in install4j. Update attacks are great since they are usually 0-click. This is a great walkthrough of a Java installer XML External Entity (XXE) attack that reads arbitrary file contents in the PoC.
• CVE-2022-22655 - TCC - Location Services Bypass. I had no idea that location access wasn't part of TCC directly, but rather locationd's responsibility.
• Binance Smart Chain Token Bridge Hack. Ever wanted to steal ~$500,000,000 from the comfort of your own home? Thanks to the magic of smart contracts, you can!
• Exploiting a remote heap overflow with a custom TCP stack. "The funkiest part was undoubtedly implementing a custom TCP stack to trigger the bug. This is quite uncommon for an user land and real life (as not in a CTF) exploit, and we hope that was entertaining for the reader." It was!
• Elevation of privileges from Everyone through Avast Sandbox to System AmPPL (CVE-2021-45335, CVE-2021-45336 and CVE-2021-45337). Someting about a local privilege escaltion via an anti-virus sandbox just warms my heart. It's red teaming schadenfreude.
• Azure AD Kerberos Tickets: Pivoting to the Cloud. Domain Admin is cool, but impersonation of any non-MFA account via Azure SSO is cooler.
• How your messenger used for internal communication might compromise your company. Skype for business. Teams. Lync. Take your pick, get your access.
• Learning Semgrep. You've seen the power of Semgrep on this blog before, so why not learn it?

Tools and Exploits

• TeamFiltration V3.5.0 - Improve All the Things!. Lots of new features and improvements to this cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts.
• ThreadlessInject - Threadless Process Injection using remote function hooking.
• LPE via StorSvc - Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL Hijacking).
• FilelessPELoader - Loading Remote AES Encrypted PE in memory, decrypt and run it.
• D1rkSleep - Improved version of EKKO by @5pider that Encrypts only Image Sections.
• HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
• firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.
• UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
• OperatorsKit - Collection of Beacon Object Files (BOF) for Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• wildebeest is an ActivityPub and Mastodon-compatible server.
• grepmarx - A source code static analysis platform for AppSec enthusiasts.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Taking the next step: OSS-Fuzz in 2023. Increased bounties for integrating projects into OSS-Fuzz. Nice!
• Dutch Police Read Messages of Encrypted Messenger 'Exclu'. If you messenger is not open source and the server is not self-hosted, someone could be reading your messages. Yes, this includes Signal (what is actually running on the servers?).
• CVE-2023-0045. Speculative execution bugs are going to be with us for a while. "The current implementation of the prctl syscall for speculative control fails to protect the user against attackers executing before the mitigation. The seccomp mitigation also fails in this scenario."
• An important next step on our AI journey. Google's response to ChatGPT is... a blog post and no working product? Meanwhile, I'm out here having GPT-3 write my commit messages.
• Checksum mismatches on .tar.gz files. GitHub temporarily broke a lot of deployments after changing the default compression algorithm for releases. The change has been reverted, but showed how fragile the some software release ecosystems are and how reliant they are on a single third party.

Techniques and Write-ups

• Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails. The first of two great posts from Assetnote this week.
• RCE in Avaya Aura Device Services. This is the second post. They're pwning your phone system too...
• 2023-02-05: Solving a VM-based CTF challenge without solving it properly. A neat solve of a hard challenge with using side channels to not "actually" solve it. Hey, a flag is a flag.
• Onenote Malware: Classification and Personal Notes. '.one' based droppers are on the rise. Grab yourself OneNoteAnalyzer, a C# based tool for analyzing malicious OneNote documents, and dig in.
• Rustproofing Linux (Part 1/4 Leaking Addresses). While Rust provides some very nice memory safety, it also has to exist in the real world, where programmers will use 'unsafe' blocks to interact with raw memory and hardware. This series aims to show what can go wrong with 'unsafe' rust. Rust is pretty awesome though, as it can regex search 45 million repos in seconds.
• Hacking into Toyota's global supplier management network. I like these "real world" hacks that don't stop at "oh I can get access," but build on that to show how bad the combination of flaws can be. Bravo. The $0 bounty is rough.

Tools and Exploits

• Spoofy: An Email Domain Spoofing Tool. This is the new gold standard of "can I spoof this domain?" tools.
• GoAnywhere MFT - A Forgotten Bug. Some serious Java web app code review leads to - you guessed it - hard coded keys and a deserialization vulnerability.
• sh1mmer chromebook jailbreak. This is a cool "jailbreak" for Chromebooks that uses a modified Google signed RMA shim to boot into an environment that allows unenrolling Chromebooks from their parent organization.
• PipeViewer - A tool that shows detailed information about named pipes in Windows. For why, read Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 1.
• RasmanPotato - Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do.
• BypassAV This map lists the essential techniques to bypass anti-virus and EDR.
• AMSI-patches-learned-till-now - all of the AMSI patches that I learned till now.
• AMSI_patch - Patching AmsiOpenSession by forcing an error branching.
• Bloodhound python from @_dirkjan is now integrated to CrackMapExec as a core feature.
• Ghostwriter. Automate those reports!
• ReverseSocks5 - Single executable reverse socks5 proxy written in Golang.
• certsync - Dump NTDS with golden certificates and UnPAC the hash.
• comfortably-run - A CLI tool which can be used to inject JavaScript into arbitrary Chrome origins via the Chrome DevTools Protocol.
• D1rkLrd - Shellcode Loader with Indirect Dynamic syscall Implementation , shellcode in MAC format, API resolving from PEB, Syscall calll and syscall instruction address resolving at run time.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• FirmAE - Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis.
• wa-tunnel -Tunneling Internet traffic over Whatsapp.
• RToolZ - A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Hackers Demand $10M From Riot Games to Stop Leak of 'League of Legends' Source Code. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." Is it?
• Protecting Against Malicious Use of Remote Monitoring and Management Software. Someone at CISA finally watched my talk on Traitorware?
• U.S. Department of Justice Disrupts Hive Ransomware Variant. Don't do crimes.
• Yandex Services Source Code Leak. No git history, no ML models, but lots of source code.
• The Microsoft Edge team no longer offers VM image downloads for the testing of Microsoft Edge and Internet Explorer.. The go-to source for quick, legitimate test VMs is gone. This on the back of the news that detection lab is not being maintained has opened a hole in the test VM/lab/management area... (stay tuned).

Techniques and Write-ups

• At the Edge of Tier Zero: The Curious Case of the RODC. Just because its read-only doesn't mean it can't lead to domain dominance.
• Operator's Guide to the Meterpreter BOFLoader. BOFs come to Meterpreter - they are truly the cross-C2 primitive of modern red teaming. You can run them from Python3 now with pybof. Hell, I even put them in osquery.
• Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI. Hardcode a private key == hardcode a bad time.
• Password strength explained. This is a good explainer. Dice-chosen word-based passwords are the way to go.
• Abusing Exceptions for Code Execution, Part 2. This one is meaty and really cool. If you though SEH exploitation died in 2008, buckle up.
• Extending PersistAssist: Act I. How to add your own modules and stick around even after a reboot.

• Web Hacking

  • Using 0days to Protect the United Nations. Some web apps are frighteningly bad at security - this is one of them.
  • Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315). A nice authenticated RCE chain.
  • MyBB <= 1.8.31: Remote Code Execution Chain. This is just quality web app hacking.

• Insomni'hack 2023 CTF Teaser - InsoBug. CTF writeups don't usually make the blog, but this one is particularly interesting and Windows based which is extremely rare.
• gaylord M FOCker - ready to pwn your MIFARE tags. If you're getting started in the RFID card space, this post will give you a quick overview of the various attacks.
• Microsoft Defender Vulnerability Management Authenticated Scan Security Risks. Authenticated scans can give attackers hashes when 'Negotiate' is enabled.
• CVE-2023-23504: XNU Heap Underwrite in dlil.c. "This can be triggered by a root user creating 65536 total network interfaces." Seems pretty far fetched, but a physical attack (malicious USB) is a potential vector.
• How to access data secured with BitLocker? Do a system update. BitLocker effectively disables itself during updates.
• Give me a browser, I'll give you a Shell. The javascript to create a browse button was neat.
• Fun with macOS's SIP. A nify trick to "bypass" (but not really) System Integrity Protection on macOS.
• Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks. Loader/AV bypassers take note.

Tools and Exploits

• gato GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
• starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
• azbelt - AAD related enumeration in Nim.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• yaralyzer Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.
• Forking Chrome to render in a terminal. Simply amazing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• how to completely own an airline in 3 easy steps. The US "No fly list" was found on an exposed jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
• Introducing LogSlash and The End of Traditional Logging. An interesting idea so save the "meaning" of a series of logs without all the raw data. I think large firms will still be saving all the raw data as all their detections are built on it, but I like the idea.
• HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
• Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
• Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.

Techniques and Write-ups

• CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion. ColdFusion is not only still a thing, but it's also still full of holes.
• Pwning the all Google phone with a non-Google bug. The bug here is cool, and the patch gap between ARM and Android on a hardware controlled by it's OS maker (Pixel 6) is worrying.
• CVE from 2018 Strikes Again. I've said it before and I'll say it again, just because a vulnerability is patched, doesn't mean its fixed. This is a one such case, albeit a simple one.
• Bitwarden design flaw: Server side iterations. With LastPass's recent issue, many have been searching for a new password manager, and researchers have been taking a look too. Positive change has already taken place because of this, and the open source BitWarden is getting more secure. However, you may want to manually increase your PBKDF2 iteration setting (Vaultwarden is also set at 100,000 by default as of 2023-01-23). The use of a secret key like 1Password has is a feature many would like to see implemented in other password managers. Need more password manager (patched) flaws? Unsandboxed Password Manager has them.
• Client-Side SSRF to Google Cloud Project Takeover [Google VRP]. A combo of Google properties (FeedBurner + VertexAI) combined for a nice Google Cloud takeover. It's not just Google, as Microsoft resolves four SSRF vulnerabilities in Azure cloud services.
• AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass. Why is a CloudTrail bypass a big deal? When you are looking for ways to validate AWS keys without falling victim to a Canary Token finding a method to use them without showing up in CloudTrail is the only way. Speaking of canary tokens they just released new credit card tokens.
• ManageEngine CVE-2022-47966 Technical Deep Dive. A quick run through of the RCE starting with the patch.
• [PDF] Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809. A simple command injection-style bug in the EDITOR environement variable allowed a user with sudoedit permissions on a single file to write to arbitray files as root. Perhaps not a common setup to have sudoedit enabled, but an easy LPE if it is!
• CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite. Some excelent creative hacking that will become more important as more things move to SaaS.
• Exploiting null-dereferences in the Linux kernel. Not crashing the kernel and instead "oops"-ing is better, but can have unintended consequences.
• making malware #0. Not sure a public "API" is the best for tooling's long term evasion, but it might help in some cases.

Tools and Exploits

• CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
• Credmaster2. Your favorite credential spraying tool is back with more plugins.
• pdtm - ProjectDiscovery's Open Source Tool Manager.
• Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
• Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
• git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
• a.socks.proxy.shellcode is SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
• SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
• golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
• APCLdr - Payload Loader With Evasion Features.
• CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
• sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
• ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
• SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here, its section 3: Recommendations that are gold.
• infisical ♾ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Supporting the Use of Rust in the Chromium Project. Rust is coming, and its taking down memory safety bugs/exploits as its spreads.
• Sustaining Digital Certificate Security - TrustCor Certificate Distrust. As previously reported, reporting from the Washington Post has led to questions about TrustCor, and this is the official announcement that Google is dropping them from the Chrome CA root store.
• CircleCI incident report for January 4, 2023 security incident. There is still some detail missing (no detail on how they know "the third party extracted encryption keys from a running process" and no public samples of the malware), but the incident report does shed light on how all of CircleCI was compromised. A single employee had their SSO session cookie stolen, and the production system fell. Now is a good time to tabletop what would happen at your company if your lead engineer had their SSO cookie stolen... In the meantime, follow this IR guide.
• [PDF] [email protected]$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk. People still choose terrible passwords. Arm your users with a password manager and teach them how to use it. Enforce MFA everywhere you can. Hand out hardware tokens and enforce their use. With the rise of passkeys, a passwordless future is possible, but legacy password support will be around for at least the next 25 years.
• Recovering from Attack Surface Reduction rule shortcut deletions. Friday the 13th saw Attack Surface Reduction users get an updated definition that "resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files." This manifested itself with users calling the help desk stating that "all my apps are gone," which sounds a lot like ransomware. Thanks Microsoft. AddShortcuts.ps1 might help recover shortcuts for users.

Techniques and Write-ups

• SCCM Site Takeover via Automatic Client Push Installation. SCCM is perhaps the best lateral movement technique against organizations that use it, but the issue for red teams was compromising the primary server. With this research, it's possible to land a single phish (get any authenticated domain user), and coerce/relay your way to SCCM site takeover, which enables you to push out arbitrary executables or run scripts on every machine managed by SCCM. If ransomware crews aren't already doing this, they soon will be. Protect the MSSQL endpoints that SCCM use!
• Microsoft Defender for Identity Lateral Movement from Forest to Forest without a Forest trust. Using Defender to jump between untrusted forests? Awesome.
• Malware-based attacks on ATMs - A summary. Perhaps not the most relevant article for red/blue teams, but still interesting.
• A LAPS(e) in Judgement. A good overview of the local admin password solution (LAPS) for Windows domains, how to set it up, how to abuse it, and how to detect that abuse.
• T95-H616-Malware. "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616).
• Sliver vs havoc. If you aren't familiar with two of the more popular non-Cobalt Strike C2s that are available, this post breaks them down.
• CVE-2021-31985: Exploiting the Windows Defender AsProtect Heap Overflow Vulnerability. The irony of using Windows Defender to get a SYSTEM shell is delicious.

Tools and Exploits

• secret_handshake - A prototype malware C2 channel using x509 certificates over mTLS.
• phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.
• CoffLoader - an implementation of in-house CoffLoader supporting CobaltStrike standard BOF and BSS initialized variables.
• latma - Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns.
• gophish - GoPhish automation.
• CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup. PoC has been pulled for the time being, but as this effects Linux from ~2019 and later, it could be a pretty widespread LPE and potentially some LAN crashes or RCE.
• LocalPotato is coming soon! - Watch this space.
• Issue 2361: XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings. Ian Beer drops his "MacDirtyCow" which is already being used in the jailbreaking scene to do non-persistent tweaks.
• OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. Version 2 just dropped.
• Open Sourcing Incident Management system. The HARP incident management system, designed to help teams quickly and effectively respond to and resolve any incidents that may occur, specifically in the tech industry, is now open source!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Crassus - Windows privilege escalation discovery tool
• ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 7). Ouch. If you use any kind of secrets in CI (not bad by itself, depending on your threat model etc), please use canary tokens so you know when you need to drop everything and rotate secrets and take a hard look at your logs.
• Researchers Could Track the GPS Location of All of California's New Digital License Plates. Because of course they can. File this under "shockingly bad idea is still bad for all the reasons we thought." For all the car hacks of 2022 check out Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More.
• Security Update Guide Improvement - Representing Hotpatch Updates. You can now easily identify hotpatches for Windows Server VMs in Azure which can be applied without a reboot (feature introduced last year). Linux users heard saying "what took so long?"
• [PDF] Factoring integers with sublinear resources on a superconducting quantum processor. Researchers out of China claim to have a system where "traditional" lattice-reduction math is used to dramatically reduce the number of qbits a quantum computer needs to factor numbers (the basis of RSA). If correct, they could theoretically break 2048-bit RSA with 372 qbits (which IBM already has). However, "this destroys the RSA cryptosystem" is a statement other papers have made, and so far, failed to deliver.
• U.S. Targets Non-Compete Clauses That Block Workers From Better Jobs. A staple of any tech employment contract, the non-compete could be coming to an end.
• Making an SSH client the hard way. Your weekly reminder that the modern browser is the OS of tomorrow.

Techniques and Write-ups

• TouchEn nxKey: The keylogging anti-keylogger solution. Every article I read by Wladimir makes me more and more scared of any browser extension. In this case, an all-but-required extension for Korean banking can be repurposed as a keylogger easily among other scarry things.
• Escaping from bhyve. A sesonsed VM escaper (QEMU previously) tries their hand at bhyve, FreeBSD's hypervisor, and comes away with a new VM escape. It's impressive to witness people who can point their attention at something and have impressive bugs fall out.
• A study on Windows HTTP authentication (Part II). Kerberos over HTTP? Windows authentication options are impressive in their vastness. This is a great post for any Windows network assessor, and the Prox-Ez tool will certainly come in handy once inside your next corporate network.
• Bypass firewalls with of-CORs and typo-squatting. The dangers of "just clicking a link" are real in 2023, but not because your computer will get compromised (excluding browser 0day+SBX) but because your company's internal web apps are YOLOing their CORS and authentication, allowing any browser on the network to pull data. This is really neat attack that is only possible because of overpermissive internal web apps. Use of-CORS to pull off your own sweet CORS hacks.
• CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet. The cool part of this post isn't the Citrix exploits, its the method of getting your hands on different versions of Citrix ADC images and fingerprinting the versions.
• Microsoft Defender for Identity JSON API. The inner workings of the Microsoft Defender for Identity and its API can hold some secrets if you compromise a machine running a sensor. Use Microsoft-Defender-for-Identity-API-Fiddler to play with it.
• CVE-2022-25026 & CVE-2022-25027: Vulnerabilities in Rocket TRUfusion Enterprise. Some classic web app vulnerabilities in this post.
• DeTT&CT: Automate your detection coverage with dettectinator . This post introduces a new tool, dettectinator, which is a framework that helps blue teams in using MITRE ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviors.
• Passwordless Persistence and Privilege Escalation in Azure. TIL that Azure comes with its own privesc to Global Admin. Neat.
• Lateral movement risks in the cloud and how to prevent them - Part 2: from compromised container to cloud takeover. What can you do once you land in a prod pod? Depends on the cloud, but probably a lot.

Tools and Exploits

• iCDump. A Modern Objective-C Class Dump. Blog here.
• UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
• HellHall is a combination of HellsGate and indirect syscalls.
• WalkerGate is a method to take syscall with memory parsing of ntdll.
• zsyscall is an implementation of the Hell's Gate VX technique. The main difference with the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for using syscalls.
• SOC-Multitool - A free and open source tool to aid in SOC investigations!
• Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe formats.
• sub-scout is a simple bash script to automate your inital recon and extend your attack surface using popular tools made by infosec community.
• MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
• nuclearpond is a utility leveraging Nuclei to perform internet wide scans for the cost of a cup of coffee.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• A New PyRDP Release: The Rudolph Desktop Protocol!. The gosecure RSS feed was slow on this one?
• KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
• NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
• smudge - Passive OS detection based on SYN packets without Transmitting any Data

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• [LastPass] Notice of Recent Security Incident. The breach from August is worse than initially reported, with encrypted password vaults stolen. Despite their encryption, weak master passwords or perhaps other issues could lead to passwords and other information leaking to the perpetrators. If you use a password manager (cloud based or not), the loss of your vault has to be part of your threat model. Other services have been quick to capitalize on LastPass' failure.
• Announcing OSV-Scanner: Vulnerability Scanner for Open Source. Google launches an open source dependency vulnerability scanner based on their OSV database.
• OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know. At this point, self-hosting Microsoft Exchange is an extremely risky proposition. Unless it's behind a VPN or Zero Trust Network Access (making it hard to use with Outlook/etc), you're asking for compromise.
• 2022 Adversary Infrastructure Report. Cobalt Strike still dominates.
• Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability. In the unlikely case you are running SMB using the new kernel module and not samba, update now or face unauthenticated RCE.
• Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. The title is a bit bland, but this is official FBI communication encouraging the use of ad blockers. I've heard stories of companies that force uBlock Origin as part of their managed Chrome install to great effect.
• Sunsetting DetectionLab. One of the best automated lab tools is ending development. The scene is set for an open source, modular, lab infrastructure system to be released...
• Crack the ELF RE challenges - "Here are some reverse-engineering challenges I've made on my spare time."

Techniques and Write-ups

• Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg. Some great technical Linux exploitation detail in this write up.
• Spice up your persistence: loading PHP extensions from memory. This technique is neat as your backdoor lives in the PHP process with only some suspect memory maps to give it away after loading from disk (and unloading the disk backed copy of the backdoor).
• Writing x64dbg scripts and Writing x64dbg plugins will help you level up your x64dbg game.
• Puckungfu: A NETGEAR WAN Command Injection. This command injection requires control of DNS on the WAN side of the router.
• MeshyJSON: A TP-Link tdpServer JSON Stack Overflow. In contrast to the relatively simple command injection exploit in Puckungfu, this exploit is a address leak and heap spray to bypass KASLR to execute a ROP gadget. Impressive stuff.
• CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution. This is a great read for any web app pentesters. The inital bug doesn't look so bad, but the chain to RCE is impressive.
• Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1). This post is all lab/dev setup and a Hello World, but the series could get interesting quickly. For a finished series, check out Lord Of The Ring0.
• LABScon Replay | Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi). You've heard of bootkits, but what about pre-bootkits?
• Trend Micro drops 2x macOS LPE posts: Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities and A Technical Analysis of CVE-2022-22583 and CVE-2022-32800.
• Navigating the Vast Ocean of Sandbox Evasions. Palo Alto's sandbox is custom and has fixes for many common sandbox detections. Would your detections get caught in this sandbox?
• Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463. Part 3 of the amazingly detailed browser exploitation series is here!
• Gatekeeper's Achilles heel: Unearthing a macOS vulnerability. Microsoft digs into a strange "AppleDouble" file format and finds a Gatekeeper bypass.
• .NET Startup Hooks. If you can set environment variables for .NET programs, you can inject arbitrary code. Could be a useful persistence technique as there are built in .NET binaries in Windows.

Tools and Exploits

• Avoiding Detection with Shellcode Mutator. By randomly adding nops or nop equivalent instructions, ShellcodeMutator can break yara rules that look for specific assembly sequences in shellcode.
• Dirty-Vanity - A POC for the new injection technique, abusing windows fork API to evade EDRs. See the slides from BlackHat EU here.
• DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting.
• CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for Linux kernel upstream stable 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
• Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
• CaFeBiBa - COFF parser - a COFF parser for binaries compiled with MSVC.
• Offensive-Rust - Various offensive techniques in Rust.
• ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
• CVE-2022-42046 - CVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation via DKOM.
• linux_injector - A simple ptrace-less shared library injector for x64 Linux.
• Venom is a library that meant to perform evasive communication using stolen browser socket.
• wanderer - An open-source process injection enumeration tool written in C#.
• Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
• WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
• PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• pike is a tool for determining the permissions or policy required for IAC code.
• policies - Security policies for Tailscale.
• A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding. I use SSH tunnels on a daily basis, and this is a great visual guide to anyone new to the concept (or as a reference if you forget!).
• portable-secret - Better privacy without special software.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple advances user security with powerful new data protections. This is a great step forward for a company who has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which contain all your iMessages conveniently have not been. Thus, with a simple court order, all your iPhone contents are available to any legally valid request. With this change, everything except Email, Contacts, and Calendar are encrypted on iCloud, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
• ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
• Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.

Techniques and Write-ups

• Precious Gemstones: The New Generation of Kerberos Attacks. This is a great refresher if you have missed the last few Kerberos attack releases and need to catch up.
• Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass. It boils down to an undocumented Windows kernel method and structure to implement syscall hooks. "This is a very brave and cool feature." This post contains good general investigative process documentation that will be applicable to kernel hackers and other low level devs.
• GOAD - part 11 - ACL. The latest in a series that walks through the excellent GOAD vulnerable active directory environment.
• Cool vulns don't live long - Netgear and Pwn2Own. Having two vulnerabilities patched the day before a competition is heartbreaking. Perhaps parallel discovery?
• Exploiting CVE-2022-42703 - Bringing back the stack attack "This exploit demonstrates a highly reliable and agnostic technique that can allow a broad spectrum of uncontrolled arbitrary write primitives to achieve kernel code execution on x86 platforms.""
• Part 3: I Hope This Vishing Call Finds You Well…. Vishing can be that extra push to get a phishing campaign across the line. It is being used by adversaries to great effect already; consider adding it to your next service offering.
• Replicating CVEs with KLEE. Symbolic execution engines for bug hunting aren't new, but KLEE is new to me.
• An open source SMS gateway for pentest projects. smsgate holds the code.
• Issue 2346: Windows: HTTP.SYS Kerberos PAC Verification Bypass EoP. A tasty LPE (now patched).
• Assessing Standalone Managed Service Accounts. Managed Service Accounts (MSA) have automatic password management, but that doesn't mean the passwords can't be dumped, hashes reused, and account privileges abused.
• StealthHook - A method for hooking a function without modifying memory protection. "This post describes a method for stealthily hooking a function without modifying memory protection. By overwriting a global pointer or virtual table entry that is nested within the target function, it is possible to hook the function without raising suspicion because many of these memory regions already have write permissions enabled."
• Unauthenticated Command Injection (Cacti). An authentication bypass and a command injection combine for a deadly bug.
• [PDF] Knockout win against TCC, a.k.a. 20+ NEW ways to bypass your macOS privacy mechanisms. Two of the best macOS security researchers team up to take down TCC.

Tools and Exploits

• RedditC2 - Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
• emailGPT - a quick and easy interface to generate emails with ChatGPT.
• noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
• CVE-2022-44721 Crowdstrike Falcon Uninstaller.
• DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
• WindowSpy is a Cobalt Strike Beacon Object File meant for targetted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, vpn logins etc.
• Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in interactive mode that saves complex opsec and overhead that usually exists in Azure penetration testing engagements.
• TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• ChatGPT: Optimizing Language Models for Dialogue. Well, this exploded last week. If you haven't tried it, it's worth some specific technical queries. You can even jailbreak it or run a 'virtual machine' in it.
• Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent. While it was only thumbnail images being uploaded, still a bad look for a brand that is heavy on "local only" branding. Compared to Ring cameras that will find their own wifi to steam video to the cloud, this seems minor. Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Web browsers drop mysterious company with ties to U.S. military contractor. Props to The Washington Post for exposing the root CA and finally getting enough pressure to have it removed from browsers (12 years too late?).
• The FreeBSD Project - Stack overflow in ping(8). Despite the scary title, it only applies to ping responses, and the ping process "runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." I doubt this will yield remote shells any time soon. LPE however...
• Memory Safe Languages in Android 13. No memory safety related bugs in the Rust code added to Android (yet). It's not a magic bullet, but the evidence shows it really does help prevent memory safety bugs.
• We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. Control character injection lets you register emails that "matched" actual users, and thereby take over their car via the internet. What a time to be alive. Not broad enough? What about taking over multiple brands of cars via SiriusXM?.
• Hell's Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access. Potential access to the CI of the IBM cloud. Yikes!

Techniques and Write-ups

• Shedding Light on Huawei's Security Hypervisor. This post tears apart the encrypted security hypervisor used in Huawei devices and nets a CVE: CVE-2021-39979 OOB Accesses Using the Logging System.
• CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You. The rebinding attacks are neat (if a bit hard to pull off in the real world), but the vendor response is downright amazing, and in a good way this time!
• Pre-Auth RCE with CodeQL in Under 20 Minutes. CodeQL is a force multiplier, I've said it before and I'll say it again.
• Debugging Protected Processes. Debugging protected processes on Windows can be tricky, so what if you made your debugger have the same level of protection instead? Now you can with PPLcontrol.
• Stalking inside of your Chromium Browser. Browsers are where lots of important information is accessed. If you don't have good access methods to leverage endpoint access to dump browser information, or better yet live inside the browser, you should prioritize development.
• How to mimic Kerberos protocol transition using reflective RBCD. Kerberos contains more foot-guns than any authentication protocol I've seen.
• Making unphishable 2FA phishable. Thanks to non-input enabled devices, even the best 2FA can be phished (sometimes).

Tools and Exploits

• SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
• Visual Studio Code: Remote Code Execution. Jypiter notebook links could have led to RCE in vscode when clicked.
• SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in rust? Try Unwinder.
• PrintNotifyPotato - Another potato, using PrintNotify COM service for lifting rights.
• BumbleCrypt - A Bumblebee-inspired Crypter.
• google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
• NimDllSideload allows you to easily generate Nim DLLs you can use sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
• Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Neton is a tool for getting information from Internet connected sandboxes.
• kubeshark , the API Traffic Viewer for kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• A Confused Deputy Vulnerability in AWS AppSync. The cloud is just someone else's computer. And sometimes it has vulnerabilities too. This one is particularly bad; case insensitivity led to the ability to access resources in other AWS accounts - aka the worst thing possible in a cloud provider. There is a reason some workloads should stay on prem - but only if your on prem security is better than AWS's ability to prevent cross account access (unlikely).
• Stable Diffusion 2.0 Release. AI is shaping up to be a major disruptor. Play with it locally with DiffusionBee. Want to be more awed by the power of AI? Read this.
• Researchers Quietly Cracked Zeppelin Ransomware Keys. Score one for the good guys.
• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures. Another border device manufacturer with RCE...

Techniques and Write-ups

• Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. This post digs into some of the technical details of the Nighthawk commercial C2 agent. MDSec claims the same was collected as part of legitimate red team activity and posted their own rebuttal: Nighthawk: With Great Power Comes Great Responsibility.
• Mind the Gap. TLDR: The patch gap is real, take advantage of it.
• A dive into Microsoft Defender for Identity. Some good ideas for detecting MDI after you land a phish or start an internal assessment with low privileges.
• Microsoft Defender for Identity Encrypted Password. More MDI fun, along with a tool release: Microsoft-Defender-for-Identity-Encrypted-Password.
• An End to KASLR Bypasses?. The new THREATINT_PROCESS_SYSCALL_USAGE ETW event coming to Windows 11 23H2 might make API based kernel address leaks, VM detection, and hardware persistence more difficult to get away with undetected.
• CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management. "A remote authenticated attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges."
• Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan. Another meaty post on Chrome internals and exploitation - the best browser exploit series since Connor McGarr's posts on Edge exploitation.
• Analysing Misconfigured Firebase Apps: A Tale of Unearthing Data Breaches (Wave 10). Back in the day I worked on an app with a firebase backend and the permission model was non-trivial. Not surprised this research showed that 20% of tested firebase instances exposed data. Want to try your hand at it? Check out firebaseExploiter.
• Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment. .NET may be easy to decompile but it can still be tricky to trace a mutli-stage dropper all the way back.
• The Art of Bypassing Kerberoast Detections with Orpheus. Kerberoasting becomes fully customizable with the orpheus tool. Beware of honeySPNs, but otherwise, targeted-roast away!
• macOS Sandbox Escape vulnerability via Terminal. One ENV variable could be set to escape the sandbox on macOS!
• Yet Another Azure VM Persistence Using Bastion Shareable Links. Convenient.

Tools and Exploits

• Sapling: A Scalable, User-Friendly Source Control System. Meta open sourced their in house version control system. Don't worry, it's written in Rust.
• BrokenFlow A simple PoC to invoke an encrypted shellcode by using an hidden call.
• nanorobeus COFF file (BOF) for managing Kerberos tickets.
• GCTI CobaltStrike rules. 165 yara rules for CobaltStrike. More info here.
• ReverseSock5Proxy A tiny Reverse Sock5 Proxy written in C.
• psmsi Create MSIs using PowerShell.
• MemoryEvasion A Cobalt Strike memory evasion loader for redteamers.
• geacon_pro A cross-platform Cobalt Strike Beacon written in Go, supports 4.1+.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
• ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Russian Hackers Are Publishing Stolen Abortion Records on the Dark Web. Much like the Finnish mental health breach and hospital attacks this shows that no targets are off limits for criminals. Putting a digital red cross probably won't help.
• ISOs from the internet will have MotW. It was fun while it lasted. On to the next one.
• About the security content of iOS 16.1.1 and iPadOS 16.1.1. XML parsing bugs could lead to RCE. The bug details are here and here. The update also limits AirDrop 'Everyone' option to 10 minutes in China with the speculation being that censors can't monitor airdropped content.
• Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack. It is a little wild to me that in 2022 we still use protocols developed for use among friendly research institutions as the underlying infrastructure for cryptocurrencies whose original goal was to survive in a network of adversarial participants.
• Mysterious company with government ties plays key internet role. I said last week, "your OS is just a bootloader for your browser." Perhaps we should take a look at who gets trusted by default in our browsers...
• A Russian Missile Crew Was Geolocated From Just This Photo. OSINT is wild.
• Intel 471 Acquires SpiderFoot. Attack surface monitoring is hot right now.
• Github code search launches. I've been impressed with GitHub since the Microsoft acquisition. Let's see how long it lasts but so far so good.

Techniques and Write-ups

• Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Dirk-jan is in the pantheon of researchers where every post is a must read. When it comes with a tool release... oh baby..
• Certificates and Pwnage and Patches, Oh My!. After a year, AD CS attacks have proven more pervasive than I thought they would be, led to more discoveries, and even patches from Microsoft to the way certs were mapped to identities. I guess you could say releasing their tooling really... imposed cost... as opposed to keeping it closed source.
• Accidental $70k Google Pixel Lock Screen Bypass. This would be a perfect "bugdoor" (intentional bug used as a backdoor), but it looks like an honest mistake with a complex system of overlapping lockscreen.
• Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg. Well laid out post on malware analysis.
• Untangling Azure Active Directory Permissions II: Privileged Access. Building on part 1, this post explores more Azure Active Directory access concepts.
• Microsoft Defender for Identity Recent Bypasses Comments. Some good tips for defenders.
• Tales of Windows detection opportunities for an implant framework. Some interesting detection techniques in here with code samples.
• Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server. RCE, privilege escalation, and directory traversal - the holy trinity.
• CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS. A good post that also shows the Apple commitment to "old" OSs isn't there. Monterey's latest release (12.6.1) does not include the fix...

Tools and Exploits

• EDD - FindEmptySystem. More details here
• laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
• Tool Release - Web3 Decoder Burp Suite Extension. Get those obnoxious cryptocurrency bounties!
• TelemetrySource - Project created to map functions responsible for triggering events from various telemetry sources. Details here.
• Introducing cnquery and cnspec. Imagine osquery but with GraphQL. Very cool.
• CInject Windows Kernel inject (no module no thread).
• SharpGmailC2 Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol.
• cve-2022-41352-zimbra-rce Zimbra <9.0.0.p27 RCE.
• AMSI-ETW-Patch Patch AMSI and ETW using a single byte patch for both.
• CVE-2022-3699 Lenovo Diagnostics Driver EoP - Arbitrary R/W.
• drv-vuln-scanner Finds imports that could be exploited, still requires manual analysis.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
• Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resinated with me.
• GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows. Sometimes the hype is just hype. This looks extremely hard to exploit with modern mitigations and a limited userbase.
• [PDF] How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Over 10% of PoCs were malicious! There is a reason there is a disclaimer at the end of each of these posts.
• LinkedIn Adds Verified Emails, Profile Creation Dates. Your favorite profile backstop just got a little harder to fake.
• Nighthawk 0.2.1 - Haunting Blue. Some cool features in the latest release of this commercial red team tool.
• Meet Fortra™ The new face of HelpSystems. HelpSystems (Cobalt Strike/Outflank's buyers) have rebranded - now with more generic corporate stock photos.
• [SimpleX] Security assessment by Trail of Bits. I've been playing with this new messenger app for a while and I think it has the potential to unseat Signal in a few versions. No shady CIA money, "open source" (but not really), blockchain silliness, etc. The pace of development is also impressive. They list their Monero address above their Bitcoin address - legit.
• urlscan.io's SOAR spot: Chatty security tools leaking private data. Careful what you auto-submit to external vendors.
• radare2.online. Your OS is just a bootloader for your browser. HTML/CSS/Javascript won the language war and will be the universal language of the future. Scary.
• [PDF] VX-Underground's Black Mass. Tmp.out and vx-underground keep the zine scene alive.

Techniques and Write-ups

• Exploiting Static Site Generators: When Static Is Not Actually Static. File this under "Serverless and other myths."
• A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. Mobile exploit chains are always a trip. This one look surprisingly easy to understand compared to most.
• Lessons Learned from Cloning Windows Binaries and Code Signing Implants. Some good lessons here. Another option is to just used signed binaries for other purposes ...
• How one misconfiguration in ADCS can lead to full AD Forest compromise. ADCS is the gift that keeps on giving.
• CVE-2022-26730 | ColorSync | Hoyt LLC. macOS memory corruption in the processing of image ICC profiles can lead to RCE. Comes with the shorted PoC I have seen in a while (now patched).
• BYODC - Bring Your Own Domain Controller. This meme makes a comeback. This is some great traitorware - why fake a DCSync, if you can just do an actual DCSync? DCShadow is a previously discovered/implemented version of this.
• Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3). Quite a chain for unauth RCE across different tech/lanugages.

Tools and Exploits

• Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
• katana - A next-generation crawling and spidering framework from projectdiscovery.
• KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
• CVE-2022-33679 One day based on RC4 is still considered harmfrul.
• stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
• CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
• awsrecon - Tool for reconnaissance of AWS cloud environments.
• exe_who - Executables on Disk? Bleh 🤮.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
• PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
• Kernelhub 🌴Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
• grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
• Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
• Check out our new Microcorruption challenges!. Excellent embedded security CTF!
• Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
• Apple clarifies security update policy: Only the latest OSes are fully patched. Apple going full opposite of the "still supports 16 bit DOS applications from 1993" stance of Microsoft and only fully patching the latest OS they release. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware than can't be upgrade is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
• It's here: Dark Mode Process Explorer!

Techniques and Write-ups

• Binary File Write via Microsoft Speech API. It's tricky to write files from macros in 2022 without Defender or other AV getting unhappy. This lesser known API has the ability to write binaries, which is a very useful primitive for a maldoc.
• RC4 Is Still Considered Harmful. Kerberos continues to be an issue for enterprises, and "just turn off X" is never that simple. Consider turning on FAST though (and disable RC4 if you can).
• Autodial(DLL)ing Your Way. The Winsock2 registry is used by anything that makes a network connection and thus is a good spot for persistence, lateral movement, and even credential dumping via SSP loads. Code here.
• From Self-Hosted GitHub Runner to Self-Hosted Backdoor. CI/CD compromise is scary because it not only affects your organization but potentially everyone who uses the product being build by that CI/CD pipeline.
• One shell to HANDLE them all. A webshell that can abuse leaked user token handles? Sign me up.
• Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities. Can we please go more than a week without an unauth RCE in a major SSL VPN? Zero trust can't come fast enough. Or things like Pre-authenticated Remote Code Execution in VMWare NSX Manager?
• PAWNYABLE UAF Walkthrough (Holstein v3). Some good technical binary exploitation content.
• The dangers of trust policies in AWS. The cloud is built on trust, so understanding best policies for trust policies is critical.
• A New Attack Surface on MS Exchange Part 4 - ProxyRelay!. If you're still running on-prem exchange... stop it. If you email is too sensitive to trust to a cloud provider, it certainly shouldn't be in the swiss cheese that is Exchange.
• Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 2: Exploit Analysis. More details on the Windows local privilege escalation vulnerability.
• GetDomain vs GetComputerDomain vs GetCurrentDomain. If you're in a network with complicated trust relationships or multiple forests, its a good idea to test your tools to make sure they are acting on the objects you expect!

Tools and Exploits

• guac aggregates software security metadata into a high fidelity graph database.
• Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best looking docs I've seen in a long time.
• Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
• TerraLdr - Payload Loader Designed With Advanced Evasion Features.
• BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
• Spartacus - DLL Hijacking Discovery Tool.
• siphon ⚗️ Intercept stdin/stdout/stderr for any process.
• SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• caOptics - Azure AD Conditional Access gap analyzer
• Sandman is a NTP based backdoor for red team engagements in hardened networks.
• potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
• vhs Your CLI home video recorder 📼

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Investigation Regarding Misconfigured Microsoft Storage Location. SOCRadar put Microsoft on blast with their post Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket. 6 Azure buckets holding some sensitive items like statements of work were misconfigured and publicly accessible.
• Ghostwriter v3.1 Now Available. Now with deconfliction support!
• TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens. Is anyone surprised?
• IDA Pro Owner Hex-Rays Acquired by European VC Firm. With more competition VC firms are getting into the game.
• Iran's atomic energy organization says e-mail was hacked. I think "has been hacked by multiple parties" would probably be more accurate here...
• GitHub Copilot investigation. Surely the Microsoft lawyers signed off on Copilot?
• DEF CON 30 Videos Released. Enjoy!

Techniques and Write-ups

• Legitimate Rats: A Comprehensive Forensic Analysis of the Usual Suspects. Good to see people taking traitorware seriously.
• I'm in your hypervisor, collecting your evidence. Fox-IT adds ESXi live acquisition to its dissect tool suite.
• Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals. Most people use their OS as a loader for Chrome, so Chrome has become a target for all kinds of adversaries. However, actually understanding and exploiting Chrome is very difficult. This intro post shows some of the complexity involved.
• Microsoft Office Online Server Remote Code Execution. Web based authentication coercion that Microsoft claims it's a feature!
• PHP Filters Chain: What Is It and How to Use It. "Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chains that was discovered during this research."
• The Curious Case of the Password Database. Yes, passwords can be encrypted by a product, but unless they require user input to decrypt passwords there must be a way the software decrypts them. I've seen this is multiple products so Manage Engine is not unique. It's usually just a mater of finding the static key and encryption parameters.
• Dameware Mini: The Sleeper Hit of 2019?. More traitorware!
• SharedMemUtils - A simple tool to automatically find vulnerabilities in shared memory objects. Sometimes you can write to shared memory objects of high-privileged services on Windows. A fun primitive to explore potential privescs.
• Microsoft Office 365 Message Encryption Insecure Mode of Operation. ECB mode, not even once.
• osquery-defense-kit - Production-ready detection & response queries for osquery.
• Changing memory protection using APC. Not brand new, but a deeper drive into it.

Tools and Exploits

• Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
• cypherhound - Python3 terminal application that contains 200+ Neo4j cyphers for BloodHound data sets
• ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
• SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
• PatchThatAMSI - This repo contains 6 AMSI patches, both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just set ZF to 1.
• ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
• Bitmancer - Nim Library for Offensive Security Development.
• GetFGPP - Get Fine Grained Password Policy.
• syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
• webpty - A secure webshell. Built for legitimate access, I could see it adopted for red team uses.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• linen.dev - Google-searchable Slack alternative for Communities.
• usbsas - Tool and framework for securely reading untrusted USB mass storage devices.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Out Of Band Update: Cobalt Strike 4.7.2. The rumors and tweets were true, there was RCE i 4.7.1. Read the full details in Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1. Here's a PoC.
• Security of Passkeys in the Google Password Manager. GA later this year. With iOS/macOS already on board, nearly all mobile users will have passkeys by the end of the year. As services adopt FIDO2 solutions, offensive teams will have to adapt.
• WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware. APTs are using signed DLLs for DLL hijacking. Are you?
• Potential Log4shell situation. Developing...
• Disposable Root Servers. This is the coolest thing I've seen in a long time. Or it's a honey pot. 50/50.

Techniques and Write-ups

• DevAttackOps: Deploying Containers with Docker Compose (Part 3). DevOps and red teaming are friends - automate the boring stuff!
• Compromising a Backup System by iSCSI Interface During a Routine Penetration Test. Don't sleep on those open iSCSI ports!
• Hello World under the microscope. This is an interesting post that is the python version of "what does your computer do when you type google.com in a browser and hit enter."
• Writing an Independent Malware. Make your malware smaller (and import fewer DLLs) with the tricks in this post.
• Analysing LastPass, Part 1. The Chrome debugging protocol is very powerful and should be flagged by defenders any time it is invoked, but isn't (yet).
• Practical Attacks against NTLMv1. Why work hard against good protocols when you can downgrade to NTLMv1?
• Toner Deaf - Printing your next persistence (Hexacon 2022). Go where the EDR isn't. Not only a remote root RCE, but also persistence. Very cool stuff.
• Set up an Android Hacking Lab for $0. While not as good as a physical device, an emulator will get you pretty far.
• Diamond And Sapphire Tickets. Gold is old. Upgrade your tickets to the latest precious gem.
• Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis. A Windows privesc in the common log file system driver (CLFS.sys).
• Relaying YubiKeys Part 2. I think this is the first code published that can actually interface with FIDO2 devices for phishing. Hardware tokens are good guards against phishing as they require an attacker to have access to the user's endpoint and the user and device must be present at/in the device when the attacker wants to use them OR the attacker has to control a subdomain of the valid site being targeted (if origins are not validated). This is a much more difficult situation for an attacker to achieve compared to a relatively simple MiTM proxy for TOTP or SMS 2FA on a look-a-like site. Code here.

Tools and Exploits

• CVE-2022-40684 - A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
• XorStringsNET - Easy XOR string encryption for NET based binaries.
• akamai-security-research - This repository includes code and IoCs that are the product of research done in Akamai's various security research teams. Includes a fresh Windows Workstation Service Elevation of Privilege Vulnerability.
• RedEye - is a visual analytic tool supporting Red & Blue Team operations from CISA.
• CVE-2022-41852 - Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept.
• WAMBam - Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post.
• RustHound - Active Directory data collector for BloodHound written in rust. 🦀
• PsyloDbg is a very simple Windows Debugger that currently only monitor for debug events.
• Add SCCM NTLM Relay Attack #1425. This is a little known but very cool attack I expect to work for decades to come.
• AtomPePacker - A Highly capable Pe Packer.
• Janus is a pre-build event that performs string obfuscation during compile time. This project is based off the CIA's Marble Framework.
• ProvisionAppx. Some fun lateral movement?!
• ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Oh my Git! An open source game about learning Git!. A resource for new (or even old) team members to help learn git.
• ElectricEye - Continuously monitor your AWS attack surface and evaluate services for configurations that can lead to degradation of confidentiality, integrity or availability. All results can be exported to Security Hub, JSON, CSV, Databases, and more for further aggregation and analysis.
• wiresocks A sock, with a wire, so you can tunnel all you desire. This is a great solution that may be even better than proxycap et al.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The source code to the Intel Alder Lake has been leaked online. Critically, this seems to include the KetManifest signing key needed to sign BootPolicy and therefore bypass SecureBoot. A boon to CoreBoot and bootkits alike.
• Attacker managed to upload files into Web Client directory. CPIO unpacking in the AV engine used by Zimbra lead to arbitrary file writes (webshell) and RCE. You hate to see the AV used as an attack vector but it does happen.
• OnionPoison: infected Tor Browser installer distributed through popular YouTube channel. Always check the hash from the official source.
• WebVM: Linux Virtualization in WebAssembly with Full Networking via Tailscale. The x86 VM running in javascript in your browser window now has a networking stack. This must be a sign of the end times.
• Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support. BOFs are the atomic element of offensive tools now.

Techniques and Write-ups

• The Follower - Using open cameras and AI to find how an Instagram photo is taken.. Imagine what governments/surveillance companies are doing...
• Jamf Threat Labs identifies macOS Archive Utility vulnerability allowing for Gatekeeper bypass. Very thorough research into a sneaky bug in the archive utility on macOS.
• Persistent php payloads in PNGs: how to inject php code in an image - and keep it there!. Some nice tricks to stashing PHP payloads in PNGs.
• How To Implement The Exchange Split Permissions Model?. If you still have on-prem exchange, this is for you. Also, seek help.
• Common conditional access misconfigurations and bypasses in Azure. Your target may required MFA, except if certain conditions are met.
• Evil Twin Enterprise WiFi Network using Hostapd-Mana. A good one for your next on-site or physical assessment.

Tools and Exploits

• VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
• ObfLoader - MAC, IPv4, UUID shellcode Loaders and Obfuscators to obfuscate the shellcode and using some native API to converts it to it binary format and loads it.
• aftermath is a free macOS IR framework from Jamf.
• GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
• GitFive - 🐙 Track down GitHub users.
• eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
• Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
• Added simple command to test CVE_2022_33679.. Now you can run 'askrc4' and exploit CVE-2022-33679 (KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this project zero post.
• vba2clr - Running .NET from VBA.
• LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
• palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks),
• ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
• RITM - Roast in the Middle.
• dissect - This project is a meta package, it will install all other Dissect modules with the right combination of versions.
• SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
• NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
• MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
• HavocNotion - A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• AoratosWin - A tool that removes traces of executed applications on Windows OS.
• wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Activate phishing-resistant MFA. No excuse to not have hardware MFA at this point. Cloudflare makes it $10 per key for high quality Yubikey 5's. This is the best $-to-protection ratio you will ever spend (if you enforce it).
• Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. Microsoft pushed out a temporary rewrite rule to Exchange on prem, but my advice would be to stop hosting this RCE-as-a-service product in your environment. Sadly, the big providers have taken over the dream of a decentralized internet with email for now.
• Former NSA Employee Arrested on Espionage-Related Charges . I suppose you only read about the ones with bad OPSEC but man, this guy wasn't even really trying. I suspect his short employment period also put him under extra scrutiny. With OPSEC this bad, perhaps he should have applied to work at the CIA and contribute to America's Throwaway Spies.
• Introducing Wolfi - the first Linux (Un)distro designed for securing the software supply chain. I'm not fully sold on this "undistro." Seems a bit like Nix but with the package manager removed?
• PS5-4.03-Kernel-Exploit An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03FW. Not really useful for red teaming, but a neat exploit chain.

Techniques and Write-ups

• Introducing FingerprintX: The fastest port fingerprint scanner. httpx is a great tool for web scanning, but fingerprintx expands it other ports and protocols. Grab the code and start scanning!
• Two Lines of JScript for $20,000 - Pwn2Own Miami 2022. Exploitation doesn't always have to be "hard." If calc pops, it doesn't matter if you spent 2 hours or 2 years working on the exploit. Try some simple things first!
• Issue 2310: Windows: Kerberos RC4 MD4 Encryption Downgrade EoP. James Forshaw, destroyer of Windows worlds, is at it again. Who knew you could downgrade Kerberos encryption so badly, as well as other tricks to get the actual amount of data you need to brute force down to a single byte. Well played.
• The difference between signature-based and behavioral detections. A good primer on types of AV/EDR detections and ideas for how to get around them. TLDR: You will be writing custom code.
• What I learnt from reading 220* IDOR bug reports.. You're going to learn about IDOR today!
• YARI: A New Era of YARA Debugging. Woah, this is seriously cool if you work with yara. Code here.
• Kernel Driver Exploit: System Mechanic. I know I am late on this one (technically not last week), but it was too good to not include. Don't worry the blog is now monitored.
• Phishing With Chromium's Application Mode In this blog post mr.d0x shows how Chromium's application mode allows us to easily create realistic desktop phishing applications.

Tools and Exploits

• Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
• Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
• ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
• constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
• VirusTotalC2 Abusing VirusTotal API to host our C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
• AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
• Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
• ChTimeStamp - Changing the Creation time and the Last Written time of a dropped file by the timestamp of other one , like the "kernel32.dll" timestamp.
• ADSrunner - Write a UUIDs bytes array "*" collected to the Alternate Data Stream of the current binary , then the ADS Runner will get the DATA tranfert it into a char table nice UUIDS shellcode and Run it.
• FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
• DumpThatLSASS - Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk, plus functions and strings obfuscation, it contains Anti-sandbox, if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile.
• airstrike is a basic stage 0 implant.
• KnownDllUnhook - Replace the .txt section of the current loaded modules from KnownDllsto bypass edrs.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
• lemmeknow. The fastest way to identify anything!
• jot - Rapid note management for the terminal.
• SnaffPoint - A tool for pointesters to find candies in SharePoint.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Out Of Band Update: Cobalt Strike 4.7.1. Cobalt Strike gets a rare out of band update after HTML injection in the victim controlled username was discovered. Other fixes for DoS prevention and a sleep mask bug were fixed as well.
• Resolved RCE in Sophos Firewall (CVE-2022-3236). RCE in your firewall has got to hurt.
• Antivirus Used by Millions Blocked All Google Sites by Mistake, Sowing Chaos. "Sowing Chaos" seems a bit much for an hour of outage. "For around an hour on Wednesday morning, some people who had Malwarebytes antivirus installed on their computers could not visit any Google site or use services like Gmail or the Google Play Store."
• The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities. I skip most of these "APT" teardown blogs, because the "APTs" getting caught are using powershell and certutil, asking to be caught. This one however, shows a bit more sophistication.

Techniques and Write-ups

• AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes. This has to be one of the worst cloud vulnerabilities. Arbitrary access to any storage volume by just knowing the identifier. Its a classic IDOR vulnerability, except it gets you cloud storage volumes! Wiz again proves their dominance in the cloud security space.
• Giving JuicyPotato a second chance: JuicyPotatoNG. The potatoes are the Windows privesc class that seems to never die. This one will take you from a service account to SYSTEM. I have 16 unique potato tools in my collection, and the authors hint they have yet another on the way!
• Part 2: Target Phishing — It's Gotten Personal. This kind of drawn out phishing is extremely effective.
• Tool Release - Project Kubescout: Adding Kubernetes Support to Scout Suite. Now you can use the familiar Scout Suite with your k8s clusters too!
• Skidaddle Skideldi - I just pwnd your PKI. This post is a one stop shop for AD CS pwnage walkthroughs.
• I don't know how to solve prompt injection. This is an interesting attack vector in "AI" powered bots. By feeding them input that looks like a back and forth, you can leak the original prompt. Who knew that natural language processing would lead to exploits in plain english.
• I Wanna Go Fast, Really Fast, like (Kerberos) FAST. The new protections in Kerberos (Flexible Authentication Secure Tunneling [FAST]) provide good protection against "offline" kerberoasting attacks, but are ineffective against attacks that leverage lsass to generate requests (certain Rubeus commands) and are difficult to implement correctly. From the MS docs: "This policy setting is affected by another setting. When a domain does not support Kerberos armoring by enabling KDC support claims, compound authentication, and Kerberos armoring, all authentication attempts for all its users will fail from computers that have this policy enabled."
• Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286). From driver download to LPE. Excellent write up!
• Bypassing Intel CET with Counterfeit Objects. Some great low level exploit dev content here. Control Enforcement Technology (CET) was supposed to stop ROP at the hardware level, until Counterfeit Object-Oriented Programming (COOP) showed up to take its place. This post shows COOP working on modern Windows with CET enabled.
• Sapphire tickets. These might be the best precious-metal themed tickets yet. By not only requesting a ticket before modifying the PAC (Diamon Ticket), Sapphire tickets also request a ticket that contains a legitimate elevated privilege PAC to use with the previously requested ticket. This way, the information in the ticket matches exactly with whats in AD, making detection very difficult.
• Spoofing Calendar Invites Using .ics Files. I'm a bit sad this was posted as this technique has been extremely effective.

Tools and Exploits

• AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
• SandboxSpy. Code for profiling sandboxes - Initially an idea to profile sandboxes, the code is written to take enviromental variables and send them back in a Base32 string over HTTP to an endpoint.
• githubC2 - Abusing Github API to host our C2 traffic, useful for bypassing blocking firewall rules if github is in the target white list , and in case you don't have C2 infrastructure, now you have a free one.
• monomorph- MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
• FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
• mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
• GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
• BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
• DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
• CVE-2022-2588 This linux LPE effects 3.17 to 5.19 (Ubuntu 17-22).
• Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
• spycast A crossplatform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• bbot - OSINT automation for hackers.
• NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution.
• A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Security update (Uber). The Uber hack made headlines last week, and for good reason. Looks like a single social engineering success (MFA push is too annoying?) plus some share drive spelunking allowed the attacker to achieve widespread system compromise. I wish this was surprising. It looks like they're hiring security engineers now.
• A New Life for Certificate Revocation Lists. Interesting thoughts from Scott on twitter.
• Twitter Whistleblower Says There Was at Least One Chinese Spy Working at the Company. Mudge's rumored $7MM severance and non-disclosure didn't cover congressional hearing it seems. Look's like someone is trying to dig up dirt on him.
• GTA 6 source code and videos leaked after Rockstar Games hack. This looks like a "legitimate" insider as opposed to the Uber hack.

Techniques and Write-ups

• Traces of Windows remote command execution. The quieter you become, the more... you know the joke. This post shows the artifacts left behind from a variety of "RCE" techniques (lateral movement) on Windows.
• Introducing: CloudFox. Cloudfox helps you gain situational awareness in unfamiliar cloud environments. It's a command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
• Use-after-freedom: MiraclePtr. Google's quest to prevent memory corruption exploits continues with a novel C++ add-on to Chrome for Windows and Android as of Chrome 102. Props to the team for pushing this out despite a tiny performance hit.
• Jetty Features for Hacking Web Apps. Some neat tricks specific to Jetty in this post.
• Myths About External C2. This post shows the basics of External C2 using a mock teamserver and agent (python).
• The Blind Spots of BloodHound. Nice attack graph you have there; it'd be a shame if something... happened to it...
• Practical Attacks against NTLMv1. Or check out the tweet-length-summary. TLDR: disable NTLMv1 everywhere!
• Fighting Golden Ticket Attacks with Privileged Attribute Certificate (PAC). PAC enforcement is scheduled for October 2022, are your golden ticket tools ready? The table at the end of the article is worth the price of admission.
• A Basic Guide to iOS Testing in 2022. Enough to get you started!
• Stealing Access Tokens From Office Desktop Applications. Your apps authenticate to MS services as you, and so the authentication material is in memory. This post shows you how to extract and use it - to read Outlook emails for example.
• Relaying YubiKeys. Hardware FIDO2 keys are the answer to all phishing right? Right!? Well if an attacker has your PIN and you don't have "touch to sign" enabled, then yes, its just another annoying step. "Touch to sign" is what keeps this from being practical, as the attacker would then also have to trick the user into touching the key for every blob they wanted to sign. Could always skip all that and use virtual-fido to nullify all the benefits of a hardware security device.

Tools and Exploits

• Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current use context! If anyone has this as a BOF, DM me!
• ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
• CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for enlightenment window manager (Tizen based TVs and... thats it?).
• MasqueradingPEB - Maquerade any legitimate Windows binary by changing some fields in the PEB structure.
• CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
• ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
• Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
• DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
• Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• CheeseOunce - Coerce Windows machines auth via MS-EVEN. Will we ever run out of coercion techniques?
• How we built Pingora, the proxy that connects Cloudflare to the Internet. Some companies are large enough where the milliseconds matter. I hope Pingora is opensourced soon!
• requests-ip-rotator - A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
• DiffusionBee - Stable Diffusion GUI App for M1 Mac. DiffusionBee is the easiest way to run Stable Diffusion (AI image generation) locally on your M1 Mac. Comes with a one-click installer. No dependencies or technical knowledge needed.
• CitrixSecureAccessAuthCookieDump - Dump Citrix Secure Access auth cookie from the process memory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically. OSS-fuzz recently found a trivial Command injection and its hungry for more vulnerability classes.
• Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection. Why encrypt entire files or every file when encrypting parts of files still achieves the same effect with greater speed and fewer detections?
• Google Completes Acquisition of Mandiant. First FireEye, now Google. Kevin Mandia must be Scrooge McDuck-ing into a pool of gold coins at this point.
• Sensitive Command Token - So much offense in my defense. There is a new Canary token for commands executed on Windows.

Techniques and Write-ups

• Avoiding Memory Scanners This is a written version of the presentation/deck ([PDF] Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE-sieve, and More) and DEF CON presentation.
• Thoughts on the use of noVNC for phishing campaigns. Last week's EvilnoVNC has some flaws. I think with some more customization and effort, "browser emulation phishing" has its place, especially as login portals get better and better at defeating malicious reverse proxies.
• Solving the Unredacter Challenge. This is your weekly reminder to only redact with black boxes.
• Smart App Control Internals (Part 2). Deep dive into the internals of the new Windows Security feature: "Smart App Control."
• Fork Bomb for Flutter. This post discusses the creation of reFlutter, the Flutter Reverse Engineering Framework.
• Get Your SOCKS on with gTunnel. Steps to setup a wicked fast SOCKS proxy with a tool called gTunnel.
• WMI Internals Part 3. This blog looks at what happens after the COM method ITaskServices:NewTask.
• Video Blog: Using DLL Persist to Avoid Detection. "During an Incident Response case, the TrustedSec IR team came across a novel method used by an attacker to maintain access to the target's servers. After gaining access to the systems, the attacker then modified a DLL required by a service to include malicious code. This video demonstrates a similar process for embedding malicious code into a benign DLL to create a method of persistence that is not easily detected." Not sure I love the video blog format.
• Credential Gathering From Third-Party Software. A nice quick reference guide for red teamers.
• WriteProcessMemoryAPC - Write memory to a remote process using APC calls. Does what it says on the tin.
• "GIFShell" — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs. GIFShell allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft's own infrastructure. 3rd party C2 is on the rise and here to stay.
• CVE-2022-22629. This post is about the poc for the WebGL bug that was patched in Safari 15.4 security updates. See related: Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write.
• Quasar: Compromising Electron Apps. This post introduces a tool for backdooring electron app's ASAR archives: quASAR.
• New 2.5G Ethernet Expansion Card for Framework Laptops. If you haven't seen the framework laptop, check it out. I hope they can make it in the much attempted but never sustained reparable tech space.
• GeoSn0w demos his blizzard jailbreak on ios 15 and 16 booting from custom app. This should allow iPhone X and older devices to boot into a jailbroken state on any iOS version, a boon for researchers.

Tools and Exploits

• Athena v0.2. A big update to an up and coming Mythic C2 agent.
• pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfblockerNG pages from WAN. Patched in 2022-06, its still a bad vulnerability. Poc here.
• QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
• Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
• Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
• Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting.
• cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
• CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
• TangledWinExec - This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
• chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies.
• autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
• evilgophish - evilginx2 + gophish.
• rust_syscalls Single stub direct and indirect syscalling with runtime SSN resolving for windows.
• HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
• TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
• buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
• wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
• Ekko_CFG_Bypass A PoC for adding NtContinue to CFG allowed list in order to make Ekko work in a CFG protected process

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Nmap 7.93 - 25th Anniversary Release!. The network scanner you know and love turns 25.
• China Accuses NSA of Hacking Its Military Research University “Regardless of whether the claims are true or false, this coordination of official statements and covert activity may be part of a broader propaganda campaign to negatively portray the U.S. and show off Chinese cybersecurity capabilities,” Zhang told VICE World News.
• Clop ransomware gang published screenshots that show SCADA interfaces for a UK water supplier. This is not the first ICS hack, and will not be the last. The stakes of cybersecurity are only increasing as we become more connected and reliant on connected infrastructure.
• Was tiktok hacked by a user 'Against the West'?. It's still not clear if this was an actual breach or a breach of a 3rd party scraping service.
• HelpSystems welcomes Outflank. The Dutch cybersecurity startup with some impressive tooling and initial access work gets acquired by the US based HelpSystems who also scooped up Cobalt Strike. This may aid US based purchases of Outflanks "Offensive Security Toolkit."

Techniques and Write-ups

• Sharkbot is back in Google Play. Good breakdown of Android malware.
• How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale. It's a great day when you can find and decrypt password managers on red team engagements. The use of a password manager to diversify passwords across sites and generate truly random passwords still greatly outweighs the risk of having all passwords centralized. My go-to recommendation is Bitwarden, an open source option that just raised $100 million. You can self-host the backend with vaultwarden and use the official applications, but their free tier is good enough for many use cases.
• PersistAssist: Your Persistence Assistant!. PersistAssist is a fully modular persistence framework written in C# which automates persistence deployment and clean up. Code here.
• Automating Azure Abuse Research — Part 2. This post dives into the BloodHound Attack Research Kit (BARK) and explains how the BloodHound Enterprise team uses BARK to perform so-called “continuous abuse primitive validation.”
• SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250). The amount of work for a modern Linux privesc to work is impressive. This post breaks down each step of the exploitation discovery process.
• Abusing Microsoft Teams Direct Routing. An external, unauthenticated attacker is able to send specially crafted SIP messages, that pretend to originate from Microsoft and are therefore correctly classified by the victim's Session Border Controller. As a result, unauthorized external calls are made through the victim's phone line (toll fraud).
• Attacks on Sysmon Revisited - SysmonEnte. The state of the art in blinding Sysmon has arrived. SysmonEnte is an impressive tool.
• Living-Off-the-Blindspot - Operating into EDRs' blindspot. Signed, widely used tools combined with lack of dynamic code introspection makes the perfect storm for EDR evasion.

Tools and Exploits

• SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
• EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
• PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
• MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
• NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
• CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
• Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
• reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
• Headway Self-hostable maps stack, powered by OpenStreetMap.
• Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
• The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.