Last Week in Security (LWiS) - 2022-03-28

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.

News

Techniques and Write-ups

Tools and Exploits

  • tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
  • DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  • OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
  • CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
  • YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
  • ctfd-parser is a Python script to dump all the challenges of a CTFd-based Capture the Flag locally.
  • wireproxy is a WireGuard client that exposes itself as a SOCKS5 proxy.
  • TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cronos-Rootkit is a Windows 10/11 x64 ring 0 rootkit. Cronos can hide processes and protect and elevate them via token manipulation.
  • reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
  • ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
  • OffensiveNotion uses Notion as a platform for offensive operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-03-21

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-14 to 2022-03-21.

News

Techniques and Write-ups

Tools and Exploits

  • CustomKeyboardLayoutPersistence can achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2. Warning: there is no code related to the uninstallation process in the PoC.
  • Group3r can find vulnerabilities in AD Group Policy, and does it better than Grouper2 did.
  • Malfrat's OSINT Map is an update to the OSINT Framework <https://osintframework.com/>. OSINT-Map is the GitHub repo if you'd like to contribute.
  • oxide is a PoC packer written in Rust!
  • AtlasC2 is a C# C2 Framework centered around Stage 1 operations.
  • poro is a tool to scan publicly accessible assets on your AWS cloud environment.
  • snoop secretly records audio and video with Chromium-based browsers. Be sure to check out VOODOO, the macOS Man in the Browser Framework, as well.
  • Coeus is an ADSI-based situational awareness toolkit for domain environments, built with modularity in mind. It enumerates users/groups/computers as well as some common misconfigurations, including roasting (AS-REP, Kerberoasting) and delegation (Constrained, Unconstrained, RBCD) attacks.
  • xepor is a web routing framework for reverse engineers and security researchers that brings together the best of mitmproxy and Flask.
  • LeakedHandlesFinder identifies handles leaked by Windows processes. Useful for finding new LPE vulnerabilities during a pentest or simply as a new research process. Currently supports exploiting (autopwn) leaked process handles to spawn a new arbitrary process (cmd.exe by default).
  • AutoSmuggle is a utility to craft HTML smuggled files for Red Team engagements.
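The checks that DelegationBOF (in the 2022-03-28 post above) and Coeus both run against a domain come down to three LDAP attributes. The following is an added example, not code from either project: it classifies directory entries by the userAccountControl bits and the two msDS-* delegation attributes, and lists the server-side LDAP filters a collector would issue to pull only candidate objects. The flag values and attribute names are the standard Active Directory ones; the sample entries and host names are constructed for this example, not real directory data.

```python
"""Offline classification of Kerberos delegation settings from LDAP attributes."""

# userAccountControl flag bits (ADS_USER_FLAG_ENUM)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account (unconstrained by design)

# Server-side filters a collector would issue to pull only candidate objects.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match.
LDAP_FILTERS = {
    "unconstrained": "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))",
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "protocol_transition": "(userAccountControl:1.2.840.113556.1.4.803:=16777216)",
    "rbcd": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}


def classify_delegation(entry):
    """Return the delegation findings for one LDAP entry given as a dict of attributes."""
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    # Unconstrained: the host receives forwardable TGTs of every user that connects.
    # DCs carry this flag by default, so only non-DC accounts are reported.
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained")
    # Constrained: msDS-AllowedToDelegateTo lists the SPNs this account may delegate to.
    # With TRUSTED_TO_AUTH_FOR_DELEGATION it may also use S4U2Self (protocol transition),
    # i.e. impersonate users who never authenticated to it.
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if targets:
        kind = "constrained"
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind = "constrained with protocol transition"
        findings.append(f"{kind} -> {', '.join(targets)}")
    # RBCD: the *target* holds a security descriptor naming who may delegate to it.
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd (msDS-AllowedToActOnBehalfOfOtherIdentity is set)")
    return findings


def audit(entries):
    """Map sAMAccountName -> findings for every entry with any delegation configured."""
    report = {}
    for e in entries:
        findings = classify_delegation(e)
        if findings:
            report[e["sAMAccountName"]] = findings
    return report


# Constructed sample entries for this example (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},    # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x81000},   # member server, unconstrained delegation
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,  # WORKSTATION_TRUST | TRUSTED_TO_AUTH...
     "msDS-AllowedToDelegateTo": ["CIFS/FILE01.corp.example", "CIFS/FILE01"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     # placeholder bytes; a real value is a full self-relative security descriptor
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200},  # NORMAL_ACCOUNT, nothing configured
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(f"{name:12} {'; '.join(findings)}")
```

Feeding this real data is a matter of running the filters in LDAP_FILTERS over the domain (ldap3, impacket, or a BOF) and handing each result's attributes to classify_delegation; the RBCD descriptor would additionally need its DACL parsed to list the accounts allowed to delegate.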

New to Me

  • rust_bof. Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc.
  • S1EM. This project is a SIEM with SIRP and Threat Intel, all in one.

Last Week in Security (LWiS) - 2022-03-14

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-28 to 2022-03-14.

News

Techniques and Write-ups

Tools and Exploits

  • Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your PowerShell less detectable.
  • oxasploits. All of these exploits were originally coded by oxagast / Marshall Whittaker. Some of them were already-known vulnerabilities that they re-evaluated and then wrote an exploit for that they thought was more functional or logical in some way. Some of these are partial PoC exploits that will make something crash but not actually get root. Some will drop you straight at a root shell. None of this code should ever, under any circumstances, be run in a production environment or on a system that you do not have express permission to run a penetration test on.
  • RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
  • graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
  • nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
  • donut is a donut fork that adds syscall support for AMSI/WLDP patching.
  • SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
  • SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.

New to Me

  • iocscraper is a python tool that enables you to extract IOCs and intelligence from different data sources.
  • litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
  • BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.

Last Week in Security (LWiS) - 2022-02-28

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-21 to 2022-02-28.

News

Techniques and Write-ups

Tools and Exploits

  • Fennec is an artifact collection tool written in Rust for incident response on *nix-based systems. Fennec lets you write a configuration file that describes how to collect artifacts.
  • TeamsImplant is a stealthy Teams implant that proxies the urlmon.dll Teams uses. Compile it, drop it in the Teams directory as urlmon.dll, and you have a persistence backdoor that runs whenever Teams is launched by a user or at startup.
  • aws-cloudsaga is for AWS customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
  • Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. An improvement on the original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode.
  • Jbin-website-secret-scraper will gather all the URLs from the website and then it will try to expose the secret data from them such as API keys, API secrets, API tokens and many other juicy information.
  • LdapSignCheck is a Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
  • YaraDbg.dev is a free web-based Yara debugger to help security analysts to write hunting or detection rules with less effort and more confidence. By using YaraDbg, you can perform a thorough root-cause-analysis (RCA) on why some of your Yara rules did or did not match with a specific file. It can also help you to better maintain a large set of yara rules.

New to Me

  • PowerBruteLogon is a PowerShell port of win-brute-logon, which can brute force local accounts on a Windows machine. The built-in Administrator account, if enabled, is exempt from lockout.
  • opensquat is an open-source intelligence (OSINT) security tool to identify cyber-squatting threats to specific companies or domains, such as phishing campaigns, domain squatting, typosquatting, bitsquatting, IDN homograph attacks, doppelganger domains, and other brand/domain-related scams.

Last Week in Security (LWiS) - 2022-02-22

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-14 to 2022-02-22.

News

Techniques and Write-ups

Tools and Exploits

  • Athena is a fully-featured cross-platform agent built on .NET 6. Athena is designed for Mythic 2.2 and newer. Cross-platform operations with Athena has all the details.
  • IgnoreAppLocker.dll is a DLL that launches cmd.exe as NT AUTHORITY\SERVICE, which doesn't get blocked or logged by AppLocker, and neither do any processes launched from that cmd.exe.
  • PELoader implements various shellcode injection techniques and uses the libpeconv library to load encrypted PE files instead of injecting shellcode into a remote thread.
  • kraken is a dockerized multi-platform distributed brute-force password cracking system with a web front end.
  • bflat is a concoction of Roslyn - the "official" C# compiler that produces .NET executables - and NativeAOT (née CoreRT) - the ahead-of-time compiler for .NET based on CoreCLR. Thanks to this, you get access to the latest C# features using the high-performance CoreCLR GC and native code generator (RyuJIT). C# as you know it, but with Go-inspired tooling (small, self-contained, native executables).
  • BananaPhone is a Go variant of Hell's Gate (directly calling Windows kernel functions, but from Go!) - not new, but now with Halo's Gate!

New to Me

  • lossless-cut aims to be the ultimate cross platform FFmpeg GUI for extremely fast and lossless operations on video, audio, subtitle and other related media files. The main feature is lossless trimming and cutting of video and audio files, which is great for saving space by rough-cutting your large video files taken from a video camera, GoPro, drone, etc. It lets you quickly extract the good parts from your videos and discard many gigabytes of data without doing a slow re-encode and thereby losing quality. Not offsec related, but useful!
  • fastfinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms.

Last Week in Security (LWiS) - 2022-02-14

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-07 to 2022-02-14.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelay is a framework for Kerberos relaying. The relaying game just got a whole lot more interesting. The demo is very impressive.
  • CobaltBus is a Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus.
  • TymSpecial is a SysWhispers-integrated shellcode loader with ETW patching, anti-sandboxing, and spoofed code signing certificates.
  • PPL_Sandboxer is a small C PoC to make Defender useless by removing token privileges and lowering token integrity.
  • SpoolFool is an exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) that should work by default on all Windows desktop versions up to the 2022-02-08 patch.
  • hygieia is a scanner for traces of vulnerable drivers, written in C++ as an x64 Windows kernel driver.
  • pdfrip is a fast PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

New to Me

  • melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
  • monorepo.tools. "Everything you need to know about monorepos, and the tools to build them." With a bit of nudging to use Nx because the team the wrote this is selling Nx (but honestly Nx looks pretty awesome).

Last Week in Security (LWiS) - 2022-02-07

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-31 to 2022-02-07.

News

Techniques and Write-ups

Tools and Exploits

  • authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
  • SharpLdapWhoami is a "WhoAmI" that functions by asking the LDAP service on a domain controller. I'm not 100% sure what this would be useful for without testing it.
  • EvilSelenium is a new project that weaponizes Selenium to abuse Chrome - steal cookies, dump creds, take screenshots, add SSH keys to GitHub, etc.
  • shelloverreversessh is a simple implant which connects back to an OpenSSH server, requests a port be forwarded to it from the server, and serves up SOCKS4a or a shell to forwarded connections.

New to Me

  • reave is a post-exploitation framework tailored for hypervisor endpoints. Interesting concept, I'll be following it.
  • GoodHound uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.
  • ShadowCoerce is an MS-FSRVP coercion abuse PoC. Not sure how I missed this one.

Last Week in Security (LWiS) - 2022-01-31

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-25 to 2022-01-31.

News

Techniques and Write-ups

Tools and Exploits

  • stratus-red-team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.
  • T.D.P. - Thread Description Poisoning uses SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners.
  • CVE-2022-21882 is a win32k LPE that bypasses the patch for CVE-2021-1732.
  • NimGetSyscallStub gets fresh Syscalls from a fresh ntdll.dll copy. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500 or ParallelNimcalls.
  • DefenderStop is a C# project to stop the Defender service via token impersonation.
  • PurplePanda fetches resources from different cloud/SaaS applications, focusing on permissions, in order to identify privilege escalation paths and dangerous permissions in cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.
  • NimPackt-v1 is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled via C to a native executable and as such is harder to detect and reverse engineer.
  • wholeaked is a file-sharing tool that allows you to find the person responsible in case of a leak. I could see this being useful for sending multiple copies of phishing documents and seeing which ones end up on VirusTotal or similar sites.

New to Me

  • hobbits is a multi-platform GUI for bit-based analysis, processing, and visualization. This reminds me of the 010 Editor and its templates.
  • spraycharles is a low-and-slow password spraying tool, designed to spray on an interval over a long period of time.
  • cent (Community Edition Nuclei Templates) is a simple tool that allows you to organize all the Nuclei templates offered by the community in one place.
  • Frida HandBook is an amazing resource for all things binary instrumentation.

Last Week in Security (LWiS) - 2022-01-25

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-18 to 2022-01-25.

News

Techniques

Tools and Exploits

  • chrome-bandit is a proof of concept to show how your saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by any malicious program on macOS.
  • TREVORproxy is a SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
  • chronorace is a tool to accurately perform timed race conditions to circumvent application business logic. Well timed race conditions can allow for uncovering all kinds of interesting edge cases. Here is a good example.
  • RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
  • Sliver v1.5.0. This release has a lot of cool changes. My favorite is BOF support!
  • FunctionStomping is a new shellcode injection technique. Given as C++ header or standalone Rust program. Currently undetected by hollows-hunter.
  • SharpGhosting is Process Ghosting (x64 only) in C#.
  • CVE-2021-45467: CWP CentOS Web Panel – preauth RCE. File inclusion + directory traversal = RCE.
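To make the chronorace item concrete, here is an added example (not chronorace's own code) of the class of bug it targets: a check-then-act business rule hit by requests released at the same instant from a barrier, beside the hardened version that makes the check and the update one critical section. The CouponWallet class, its simulated latency and the thread count are assumptions made for this example; the same pattern applied over the network is what a timed race tool engineers.

```python
"""Business-logic race: N simultaneous calls against a check-then-act operation."""
import threading
import time


class CouponWallet:
    """One-use coupon. redeem_vulnerable() checks the balance, then decrements after
    a simulated back-end round trip; nothing stops every caller from passing the
    check before any decrement lands."""

    def __init__(self, credits=1, roundtrip=0.05):
        self.credits = credits
        self.roundtrip = roundtrip      # simulated DB/API latency: the race window
        self._lock = threading.Lock()

    def redeem_vulnerable(self):
        if self.credits <= 0:           # check ...
            return False
        time.sleep(self.roundtrip)      # ... window ...
        self.credits -= 1               # ... act
        return True

    def redeem_hardened(self):
        # Check and act form one critical section. On a real backend the equivalent
        # is an atomic conditional update (UPDATE ... WHERE credits > 0) or a row lock.
        with self._lock:
            if self.credits <= 0:
                return False
            time.sleep(self.roundtrip)
            self.credits -= 1
            return True


def race(target, n=10):
    """Call `target` from n threads released together by a barrier so all calls land
    in the same instant. Returns how many calls reported success."""
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = target()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo():
    """Returns ((successes, leftover credits) vulnerable, (successes, leftover credits) hardened)."""
    v = CouponWallet()
    h = CouponWallet()
    return (race(v.redeem_vulnerable), v.credits), (race(h.redeem_hardened), h.credits)


if __name__ == "__main__":
    (vs, vc), (hs, hc) = demo()
    print(f"vulnerable: {vs} redemptions of 1 coupon, balance now {vc}")
    print(f"hardened:   {hs} redemptions of 1 coupon, balance now {hc}")
```

The vulnerable path redeems a single coupon many times and drives the balance negative; the hardened path redeems it exactly once. Note that narrowing the window (removing the sleep) does not fix the bug, it only makes the race harder to win, which is exactly why accurate timing tools exist.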

New to Me

Last Week in Security (LWiS) - 2022-01-18

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-10 to 2022-01-18.

News

  • Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvil's operations. If it does, what prompted Russia to finally take action? Google Translate of the FSB release says the "basis for the search activities was the appeal of the competent US authorities."
  • HTTP Protocol Stack Remote Code Execution Vulnerability. Patch Tuesday brought with it an unauthenticated RCE in the Windows http.sys driver for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
  • Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
  • Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the Internet Explorer of the modern browsers. PoC code here.

Techniques

Tools and Exploits

  • azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
  • Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
  • ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

  • vapi is a Vulnerable Adversely Programmed Interface: a self-hostable API that mimics OWASP API Top 10 scenarios.
  • reFlutter is a Flutter reverse engineering framework for iOS and Android apps. It helps with reverse engineering Flutter apps using a patched version of the Flutter library that is already compiled and ready for app repacking. The patched library has its snapshot deserialization process modified to let you perform dynamic analysis conveniently.

Last Week in Security (LWiS) - 2022-01-10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.

News

Techniques

Tools and Exploits

  • inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
  • rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
  • insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
  • SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
  • PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
  • Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
  • defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

  • driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
  • domains is (probably) the world’s single largest Internet domains dataset.

Last Week in Security (LWiS) - 2022-01-03

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-20 to 2022-01-03.

News

Techniques

Tools and Exploits

  • KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
  • WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
  • hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
  • Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
  • Invoke-Bof loads any Beacon Object File using Powershell!
  • Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

  • Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
  • Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
  • iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
  • Narthex is a modular and minimal dictionary generator for Unix and Unix-like operating systems, written in C and shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery and security assessments.
  • whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
  • The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
  • TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
  • LACheck is a multithreaded C# .NET assembly for local administrative privilege enumeration. That's underselling it though; this has lots of cool enumeration capabilities, such as remote EDR driver enumeration.
  • Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Last Week in Security (LWiS) - 2021-12-20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-14 to 2021-12-20.

News

Techniques

Tools and Exploits

New to Me

  • awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
  • mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
  • adPEAS. Note this is not part of the "official" PEAS toolset. It's a Powershell tool to automate Active Directory enumeration.

Last Week in Security (LWiS) - 2021-12-14

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-07 to 2021-12-14.

News

Techniques

  • CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it: any domain user with the ability to add computer accounts (10 per user by default) can get a ticket as a DC to arbitrary services, which allows DCSyncing. The patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also check out more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
  • A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but a "valid" Microsoft signature to deliver malicious VBS. Amazing work as always.
  • Getting root on Ubuntu through wishful thinking. Exploits are hard; even when you get root, sometimes you aren't sure why. Adding a sleep to allow attaching a debugger when the process did eventually crash was clever. Full PoC here.
  • MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
  • Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's see what kernel driver loading tricks they come up with in future posts!
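For the defensive side of the sAMAccountName impersonation chain, here is an added example (not from the linked write-up or from Rubeus) that flags the steps of the attack that show up in Windows Security event data: a computer account created without the trailing '$' (event 4741, "A computer account was created") and a computer account renamed to a user-style or DC name and back again (event 4781, "The name of an account was changed"). The event records, the actor names and the DC_NAMES inventory are constructed for this example.

```python
"""Flag sAMAccountName spoofing steps (CVE-2021-42278) in Windows Security events."""

# Assumed DC hostnames; a real detection would pull these from inventory or LDAP.
DC_NAMES = {"DC01", "DC02"}

# Constructed sample events, keyed like the EventData fields of the Security log:
#   4741 = "A computer account was created", 4781 = "The name of an account was changed"
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WS-PENTEST$"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "WS-PENTEST$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "DC01", "NewTargetUserName": "WS-PENTEST$"},
    {"EventID": 4781, "SubjectUserName": "SCCM-SVC",
     "OldTargetUserName": "OLDPC$", "NewTargetUserName": "NEWPC$"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "SVC-LOOKSLEGIT"},
]


def is_machine_name(name):
    """Computer accounts normally carry a trailing '$' in sAMAccountName."""
    return name.endswith("$")


def detect_samaccountname_spoofing(events, dc_names=DC_NAMES):
    """Return alerts for the observable steps of the CVE-2021-42278/42287 chain:
    a computer account created without '$', a computer account renamed to a
    user-style name (critical if it matches a DC), and the rename back."""
    dcs = {n.upper().rstrip("$") for n in dc_names}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid == 4741:
            name = ev["TargetUserName"]
            if not is_machine_name(name):
                alerts.append({"severity": "high", "actor": actor,
                               "reason": f"computer account created without '$': {name}"})
        elif eid == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if is_machine_name(old) and not is_machine_name(new):
                sev = "critical" if new.upper() in dcs else "high"
                alerts.append({"severity": sev, "actor": actor,
                               "reason": f"computer account renamed to user-style name: {old} -> {new}"})
            elif old.upper() in dcs and is_machine_name(new):
                alerts.append({"severity": "critical", "actor": actor,
                               "reason": f"account holding a DC name renamed back: {old} -> {new}"})
    return alerts


if __name__ == "__main__":
    for a in detect_samaccountname_spoofing(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['actor']}: {a['reason']}")
```

Both events are generated on the DC that processes the change, so the logic above needs the Security log from every DC (or a SIEM that already collects them). Legitimate computer renames keep the '$' on both sides, as the SCCM-SVC record shows, so the rule stays quiet on them.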

Tools and Exploits

New to Me

  • AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
  • KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.

Last Week in Security (LWiS) - 2021-12-07

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-22 to 2021-12-07.

News

Techniques

Tools and Exploits

  • InstallerFileTakeOver is a Windows LPE 0day for all supported Windows versions. RIP.
  • cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
  • Exploiting CVE-2021-43267. This is a walkthrough and full exploit for a Linux TIPC vulnerability that affects kernels between 5.10-rc1 and 5.15.
  • EDRSandblast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
  • SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
  • EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DetectionLabELK is a fork of DetectionLab with ELK stack instead of Splunk.
  • GoMapEnum is a user enumeration (Linkedin) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
  • redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
  • ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases.
  • BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.


Last Week in Security (LWiS) - 2021-11-22

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-16 to 2021-11-22.

News

Techniques

Tools and Exploits

  • tldraw is a tiny little drawing app. Check it out at tldraw.com.
  • msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
  • fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
  • TPM sniffing. With $49 of hardware you too can read a BitLocker key as it leaves the TPM of a laptop. TPM 2.0 has support to encrypt this value, but until then/even after, consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc).
  • CheckCert is a small utility to request the SSL certificate from a public or private web application, implemented in C# and as a BOF.
  • SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
  • Oh365UserFinder is used for identifying valid O365 accounts and domains without the risk of account lockouts. The tool parses responses to identify whether the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
  • Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
  • GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and moves it back to main memory after sleeping. Check out the blog post here.
  • MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since it doesn't contain any SYSTEM auth trigger for weaponization, so the code can be used to integrate your favorite trigger yourself. Also, it's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
  • DumpNParse is a combination LSASS dumper and LSASS parser adapted from other projects.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!


Last Week in Security (LWiS) - 2021-11-16

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-08 to 2021-11-16.

News

  • Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
  • CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
  • ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."

Techniques

Tools and Exploits

  • lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request, which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
  • ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
  • Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
  • blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
  • rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
  • Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
  • bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
  • skweez spiders web pages and extracts words for wordlist generation.
  • LocalDllParse checks all loaded Dlls in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process and avoids all commonly monitored API calls.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
  • NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.


Last Week in Security (LWiS) - 2021-11-08

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-11-01 to 2021-11-08.

News

Techniques

Tools and Exploits

  • DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
  • DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
  • blint is a Binary Linter to check the security properties, and capabilities in your executables.
  • braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
  • CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
  • elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
  • socksdll is a loadable socks5 proxy via CGo/C bridge.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
  • ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
  • AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?


Last Week in Security (LWiS) - 2021-11-01

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-26 to 2021-11-01.

News

Techniques

  • Neat SIP bypass for macOS. system_installd executes a zsh shell and has an entitlement to bypass SIP. Microsoft found a way to leverage this to run commands with the same entitlement with /etc/zshenv. How many more ways are there? Full Microsoft post: Shrootless.
  • Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
  • Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C# related projects today: D/Invoke Baguette.
  • Kernel Karnage – Part 2 (Back to Basics). EDRs are moving to the kernel, and drivers can provide great local privilege escalation opportunities. This post explores the ability to hook other drivers' (EDR) functions. Want to start debugging the Windows kernel? This 101 post was released yesterday.
  • Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
  • CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that allows users to mount over ~/Library and thus the TCC database. Yikes! Fixed in 12.0.1.
  • Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
  • Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique makes sure they jmp back to the memory space of NTDLL.DLL to avoid the suspicion of the kernel returning to program memory space it shouldn't (i.e. the location of your direct syscall). Sneaky! PoC here.

Tools and Exploits

  • quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals, including AWS Account IDs, root e-mail addresses, users, and roles. Check out the blog post here.
  • DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
  • Metsubushi is a Go project to generate droppers with encrypted payloads automatically.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
  • dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.


Last Week in Security (LWiS) - 2021-10-27

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-19 to 2021-10-27.

News

Techniques

Tools and Exploits

  • ProfSvcLPE is a currently unpatched local privilege escalation that shares the same root cause as CVE-2021-34484, which wasn't properly patched. The repo contains a Word doc with a writeup as well.
  • ZipExec is a unique technique to execute binaries from a password protected zip on Windows.
  • Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. This is the coolest tool I've seen in a while.
  • FakeAMSI. Have you ever persisted by pretending to be an antivirus product?
  • SharpSelfDelete is a C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs.
  • CallbackHell is an exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE).
  • DLL_Imports_BOF is a BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • cloudspec is an open source tool for validating your resources in your cloud providers using a logical language.
  • jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.


Last Week in Security (LWiS) - 2021-10-19

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-11 to 2021-10-19.

News

Techniques

Tools and Exploits

  • Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write Sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for Cobalt Strike, or writes an integration for Mythic. For prior art, check out pycobalt.
  • The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
  • ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
  • Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
  • nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password; on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
  • AnyDesk Escalation of Privilege (CVE-2021-40854). You've got to love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
  • LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
  • Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and signature scanning from the kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when submitted. Probably want to review the code before use (same goes for all tools).
  • WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.


Last Week in Security (LWiS) - 2021-10-11

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-06 to 2021-10-11.

News

Techniques

  • Analyzing and Detecting a VMTools Persistence Technique. VMware tools binaries/services are commonly found on VMs and can be leveraged for persistence on power state changes. Unsure of how useful this would be in practice, as most legitimate target VMs would be in a datacenter somewhere powered on all the time?
  • Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2. An "in the wild" exploit of IOMobileFrameBuffer is cited in the iOS 15.0.2 patch notes, and this bindiff and PoC is incredibly quick. In the end a reliable crash with arbitrary data is achieved. Update those iOS devices (and/or save your SHSH2 blobs ;). What's amazing is that this analysis/PoC was completed and published within 2 hours of the patch being released. Very impressive.
  • gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP). This is a perfect tool to run after you land on a developer's machine with GCP credentials. Currently only available in the docker image desijarvis/gcphound:v1.1-beta and the tool is written in python at /root/gcpHound.
  • Environmental Disaster - a LaunchServices Tale. The ability to control environment variables when launching a process from an app sandbox on macOS leads to a few different kinds of sandbox escapes, with more likely lurking thanks to popular applications/frameworks and their use of environment variables that are not block-listed by Apple.
  • Backdoor .NET assemblies with… dnSpy 🤔. Everyone loves a good backdoor for persistence, data exfiltration, or even privilege escalation. .NET assemblies can be modified to run arbitrary code with dnSpy, and if exposed to the internet, could even be triggerable!

Tools and Exploits

  • HandleKatz is a position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump(). The tool does not allocate any more executable memory and can therefore efficiently be combined with concepts such as (Phantom)DLL-Hollowing (unlike Donut, sRDI, etc).
  • SharpCalendar is a tool that uses Microsoft.Office.Interop.Excel to retrieve Outlook Calendar details in operator defined one month chunks. Sometimes it's nice to know if/when someone will be out of office!
  • Ninja_UUID_Dropper is a loader that uses module stomping, no new thread, HellsGate syscaller, and UUID encoding for x64 Windows 10. The technique of encoding shellcode in UUIDs was first seen in Lazarus malware.
  • covert-tube is a program to control systems remotely by uploading videos to YouTube, using Python to create the videos and the listener. It creates videos with frames formed of simple text, QR codes with cleartext, or QR codes using AES encryption. It may be easier to use YouTube comments/video descriptions with encrypted text instead of reading data out of the videos themselves?
  • weakpass_3a is the latest weakpass wordlist. 107.77 GB of plaintext password goodness to feed your GPU cluster.
  • hermes is a Swift 5 Mythic payload for macOS. It currently supports Mythic 2.2.8 and will update as necessary.
  • SuspendedThreadInjection is a meterpreter injection technique using C# that attempts to bypass Defender.
  • DInvoke_rs brings the popular DInvoke/direct syscall technique to Rust! I'm excited to see more Rust tooling for red teams.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Viper is a graphical penetration tool that wraps metasploit in a nice, multi-user web-gui.
  • Clash is a rule-based tunnel daemon in Go that supports many protocols like VMess, Shadowsocks, Trojan, etc.


Last Week in Security (LWiS) - 2021-10-06

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-28 to 2021-10-06.

News

Techniques

Tools and Exploits

  • OffensiveRust is a series of experiments in weaponizing Rust for implant development and general offensive operations.
  • Apache HTTP Server 2.4 vulnerabilities. This is a path traversal vulnerability that can lead to RCE. PoC: curl --data "A=|id>>/tmp/x;uname$IFS-a>>/tmp/x" 'http://[IP]:[PORT]/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv (credit to @hackerfantastic). Note that this only affects 2.4.49 (released 2021-09-15) due to this commit from August 2021. Test it out in the CVE-2021-41773 Playground.
  • DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
  • kenzer performs automated web assets enumeration & scanning.
  • PHP 7.0-8.0 disable_functions bypass [user_filter] is a 10 year old bug to get around disable_functions set in php.ini and execute shell commands on the target webserver.
  • DonPAPI dumps DPAPI credentials remotely.
  • aad-sso-enum-brute-spray is a PoC for the vulnerability that would, in theory, allow one to perform brute force or password spraying attacks against one or more AAD accounts without causing account lockout or generating log data, thereby making the attack invisible.
  • FindUncommonShares is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 which finds uncommon SMB shares on remote machines.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • shottr is a great screenshot tool for macOS. It can do on-device text extraction, blurring, measurements, cropping, etc. The only outbound network traffic is to google analytics (unlike some other screenshot apps).


Last Week in Security (LWiS) - 2021-09-28

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-20 to 2021-09-28.

News

Techniques

  • Financially motivated actor breaks certificate parsing to avoid detection. By using End of Content markers in fixed length encoding, adware distributors were able to trick non-OpenSSL based products (i.e. Windows) into believing an invalid PE signature is actually valid. This is a neat trick, and I'm a bit surprised to see it burned on adware. Who else was aware of/using it too?
  • XSS to RCE: Covert Target Websites into Payload Landing Pages. I really like this idea for delivering payloads for a red teaming phish, assuming the customer site is vulnerable to XSS that is otherwise not very valuable in terms of the assessment objectives.
  • Chrome in-the-wild bug analysis: CVE-2021-30632. Dig into the internals of the V8 JIT engine with GitHub as they analyzed this browser bug. PoC here.
  • Apache Dubbo: All roads lead to RCE. More GitHub technical content, this time a great article that goes from target identification to RCE using CodeQL. Be sure to check this out if you aren't using CodeQL for source code analysis/bug hunting.
  • Resetting Expired Passwords Remotely. Some great techniques to get past expired or must-be-reset passwords found on a Windows network.
  • IAM Vulnerable - Assessing the AWS Assessment Tools. This is a great test of the four major open source AWS IAM misconfiguration assessment tools. I wonder if the IAM Vulnerable project could be used with CI/CD for these tools to show "live" coverage of the test cases as they improve.
  • An Intro to Fuzzing (AKA Fuzz Testing). Just what the title says. One of the best intro articles that covers the basics.
  • Beyond the good ol' LaunchAgents - 20 - Terminal Preferences. Wild that this series is already up to 20. This one would only work against technical targets, as they have to open the terminal application to run your persistence.
  • Pwn2Own 2021: Parallels Desktop Guest to Host Escape. "Many evenings it is easier for me to read other people’s research, but I won’t find vulnerabilities reading blog posts. You find them by trying to do your own research." Damn, got me there. I've got some original research cooking (slow cooking, but still cooking).
  • New Azure Active Directory password brute-forcing flaw has no fix. The Azure Active Directory Seamless Single Sign-On has been good for user enumeration since 2019, but this new discovery allows brute forcing (via a web endpoint, so it will be slow) without even logging anywhere. Wild. A successful login will generate a log, but you can spray all day without alerting any organization that uses pass-through authentication.
  • Everyone Gets a Rootkit. Since Windows 8, the Windows Platform Binary Table has had a weakness that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit, compromising the integrity of the device.
  • FinSpy: unseen findings. What's better than a rootkit? A bootkit of course. FinSpy has been busy since it was last reported on in 2018 with some seriously advanced malware.

Tools and Exploits

  • injectEtwBypass is a CobaltStrike BOF that injects an ETW bypass into a remote process via syscalls using HellsGate/HalosGate. This BOF contains some excellent assembly primitives for finding syscalls dynamically.
  • PPLDump_BOF is a fully-fledged BOF to dump an arbitrary protected process.
  • Needle_Sift_BOF is a file search bof to find strings within files without downloading the file from target. It uses strstr to do the search, and is case sensitive (no strcasestr function in Windows).
  • Dragonfly: your next generation malware sandbox. A new sandbox with rules engine. Details are light but it looks like this sandbox uses binary emulation vs running samples in an instrumented virtual machine. Sign up for the Alpha here.
  • ThreadStackSpoofer is a PoC for an advanced in-memory evasion technique that better hides injected shellcode's memory allocation from scanners and analysts.
  • gitoops is Bloodhound for GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
  • SyscallNumberExtractor exports all ntdll.dll syscalls to syscalls.txt. Useful for hard coding direct syscalls if not using a *gate technique.


Last Week in Security (LWiS) - 2021-09-20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-14 to 2021-09-20.

News

Techniques

Tools and Exploits

  • OMIGOD
  • goblin is a phishing tool that can host sites and display notices if users click call to action buttons. This won't replace GoPhish any time soon.
  • fapro is a multi-protocol honey pot with ELK logging support. Looks like no source code is available (yet?).
  • PowerShx is a rewrite and expansion of the PowerShdll project. PowerShx provides functionality for bypassing AMSI and running PS Cmdlets.
  • CVE-2021-40444--CABless. Your favorite Word RCE, now with no CAB and a single line of javascript.
  • CFG_Allowed_Functions is a pykd version-independent tool that finds and dumps functions allowed by Control Flow Guard (CFG).
  • Zerotier - Multiple Vulnerabilities. An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorized access to private Zerotier networks. To exploit, see ZTCrack.
  • Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
  • Rosplant is a proof of concept to leverage Roslyn for post-exploitation (Roslyn + Implant = Rosplant). It comes in two parts, the server and client. Raw C# is entered into the server's console by the attacker, which is sent to the client (via TCP for the PoC). The client uses Roslyn to evaluate the code and sends the results back to the attacker.
  • SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single-files and full-directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data will be compressed and encrypted before being uploaded. While exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the "memoryonly" option.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate reports.
  • Obfuscating Malicious, Macro-Enabled Word Docs. Missed this one last week, but some great tips on macro-obfuscation techniques for when that Word RCE stops being useful.
  • be-a-hacker. This is a road map to being a self-taught hacker.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-09-14

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-09-07 to 2021-09-14 (bonus day!).

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • wwwgrep is a rapid search “grepping” mechanism that examines HTML elements by type and permits focused (single), multiple (file based URLs) and recursive (with respect to root domain or not) searches to be performed.
  • AppInitHook is a global user-mode hooking framework based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject into an arbitrary process. Developed to reverse engineer and customize random applications, it has broad implications for red teaming.
  • ElusiveMice is a Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-09-07

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-23 to 2021-09-07.

News

Techniques

  • Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
  • ZDI-21-1053: Bypassing Windows Lock Screen. The Ease of Access screen reader is used once again to execute binaries from a USB drive and run code even while the screen of a Windows 10 computer is locked. PoC video here.
  • From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
  • Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in every red team toolkit. Code here.
  • %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
  • Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
  • Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
  • Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
  • Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.

Tools and Exploits

  • Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use 4x HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
  • RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with the default settings of ImageMagick on Ubuntu 20.04). More info here.
  • LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription to execute a .NET assembly in memory; the .NET assembly listens for shellcode on a named pipe and then executes it using a variation of the thread hijacking shellcode injection technique.
  • NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
  • AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
  • OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
  • iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
  • PR0CESS has a few projects for interesting PE loading techniques.
  • CVE-2021-33909 is a Linux LPE for Sequoia.
  • laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.
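The Quick Tunnels item above names three domains that cloudflared was seen contacting. The following is an added example, not code from the LWiS post or from Cloudflare, that runs a label-boundary-safe match for those domains over constructed DNS query log lines (the log format and the sample lines are constructed for the example) and tallies hits per client, so a defender can hunt for unsanctioned tunnels without false positives from look-alike names.

```python
"""Hunt for Cloudflare Quick Tunnel (cloudflared) lookups in DNS query logs.

Added example, not from the LWiS post or Cloudflare. The three domains are the
ones the post lists; the log format and sample lines below are constructed.
"""
import re
from collections import Counter

# Domains cloudflared was observed contacting (from the post's testing notes).
TUNNEL_DOMAINS = ("update.argotunnel.com", "h2.cftunnel.com", "trycloudflare.com")

# Constructed query log: "<timestamp> <client-ip> query <qname>" per line.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 10.0.0.5 query www.example.com
2021-09-01T10:00:02Z 10.0.0.5 query update.argotunnel.com
2021-09-01T10:00:03Z 10.0.0.9 query abc-def-ghi.trycloudflare.com
2021-09-01T10:00:04Z 10.0.0.9 query nottrycloudflare.com
2021-09-01T10:00:05Z 10.0.0.5 query h2.cftunnel.com.
2021-09-01T10:00:06Z 10.0.0.7 query H2.CFTUNNEL.COM
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize(qname):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def is_tunnel_domain(qname):
    """True if qname is one of the tunnel domains or a subdomain of one.

    Matching on the label boundary ("." + domain) avoids flagging look-alike
    names such as nottrycloudflare.com, which a plain endswith() would hit.
    """
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS)


def find_tunnel_queries(log_text):
    """Return one dict per matching log line: ts, client, normalized qname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_tunnel_domain(m["qname"]):
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize(m["qname"])})
    return hits


def hits_per_client(hits):
    """Count matching lookups per client IP to prioritize which host to triage."""
    return Counter(h["client"] for h in hits)
```

Run `find_tunnel_queries(SAMPLE_LOG)` to see the four matching lines; `hits_per_client` then points at 10.0.0.5 as the host with the most tunnel-related lookups.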

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
  • zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
  • JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
  • beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
  • Khepri is a post-exploitation tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
  • ockam is a library for end-to-end encryption and mutual authentication for distributed applications.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-23

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-16 to 2021-08-23.

News

Techniques

Tools and Exploits

  • Added EfsRpc method (aka PetitPotam). SweetPotato gets a PetitPotam upgrade, so if you have SeImpersonatePrivilege on a fully patched Windows 10 machine, you can get SYSTEM.
  • ServiceMove-BOF is a new lateral movement technique that abuses the Windows Perception Simulation Service to achieve DLL hijacking code execution. Note that it works on Windows 10 1809 or above only.
  • BOF-ForeignLsass dumps lsass memory by opening a handle to a process that already has a handle open to lsass, with the hopes of looking less suspicious by stealing this "legitimate" handle.
  • kubescape is the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by the NSA and CISA.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2021-08-16

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-09 to 2021-08-16.

News

Techniques

Tools and Exploits

  • CobaltStrikeReflectiveLoader is perhaps the first public User-Defined Reflective Loader for Cobalt Strike 4.4. If you are writing your own, be ready to write a lot of assembly...
  • ProxyShell is the Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write) patched in April and May of 2021 (but not published in an advisory until July 2021). Also check out proxyshell-poc. See here for the technique breakdown: My Steps of Reproducing ProxyShell.
  • MiniDump is a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
  • LazySign creates fake certs for binaries using Windows binaries and the power of bat files. If you're on Linux, try Limelighter.
  • CobaltSpam is a tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons.
  • COM-Hijacking is an example of COM hijacking using a proxy DLL.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • raivo-otp / ios-application. A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP! Why switch from my current OTP app? See here.
  • reko is a decompiler for machine code binaries. If Ghidra or radare2/Rizin aren't your thing, give reko a shot.
  • SysmonTools contains the following: Sysmon View: an off-line Sysmon log visualization tool, Sysmon Shell: a Sysmon configuration utility, and Sysmon Box: a Sysmon and Network capture logging utility.
  • RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
  • REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are: API calls, encryption keys used by MSF payloads, decrypted 2nd stage coming from MSF, and Cobalt-Strike configurations (if CobaltStrikeParser is installed).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
