News

• Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvils operations. If it does, what prompted Russia to finally take action? Google translate of the FSB releases says the "basis for the search activities was the appeal of the competent US authorities."
• HTTP Protocol Stack Remote Code Execution Vulnerability. Patch tuesday brought with it an unauthenticated RCE in Window's http.sys drivers for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
• Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
• Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the internet explorer of the modern browsers. PoC code here.

Techniques

• Load nanodump as an SSP. The most advanced lsass dumper BOF was updated to allow you to load it as a Security support provider (SSP) which prevents your process from opening any handles to lsass.exe. More details on SSPs can be found here.
• 10 real-world stories of how we’ve compromised CI/CD pipelines. I like the thesis here that CI/CD pipelines are just "execution engines," and without proper protection can be abused like any other system. This one is worth a read and ponder if your CI/CD pipelines would fall to any of these or similar attacks.
• Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211. This is a great walkthrough of going from CVE to shell.
• Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more. This is incredible research and a serious vulnerability. The smart card demo was particularly impressive. This was patched last Tuesday, but should give pause to using RDP on machines with any high privileged account.
• CyberArk Endpoint Manager Local Privilege Escalation CVE-2021–44049.. Off the high of the last article (written by a CyberArk employee), this one shows that simple permissions issues can lead to LPEs.
• Mixed Messages: Busting Box’s MFA Methods. The use of a valid app-based MFA token for a controlled account allows bypass on a target account when a user only has SMS based MFA. The back end of Box must have been missing some pretty basic checks for this to work, but props for trying it!
• Zooming in on Zero-click Exploits. A deep look at Zoom reveals a buffer overflow and information leak. It's not surprising that the massive code base of Zoom has issues.
• BreadMan Module Stomping & API Unhooking Using Native APIs. This new type of module stomping has some advantages, namely you don't need to load an arbitrary library into our memory space and the starting function call of the thread will point to an address space resolved usually by trusted DLLs such as ntdll.dll. Code here.

Tools and Exploits

• azure-function-proxy is a basic proxy as an azure function serverless app to use *[.]azurewebsites[.]net domain for phishing.
• Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on Github.
• ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• vapi is a Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios.
• reFlutter is a Flutter Reverse Engineering Framework for iOS and Android apps. This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• RCE in H2 Console. With all the dust kicked up by the JDNI injection log4j RCE, you just knew that someone would find JDNI injection elsewhere. "There are bound to be more packages that are affected by the same root cause as Log4Shell.".

Techniques

• EDR Parallel-asis through Analysis. "During the development of the Nighthawk C2 MDSec stumbled upon what appears to be a new and novel technique for identifying syscall numbers for certain syscalls which may then be used to load a new copy of ntdll into memory, allowing the remaining syscalls to be read successfully without triggering any installed function hooks." Is this whole post a humble-brag/sales pitch for Nighthawk? Maybe. But I'll gladly take high quality research and PoCs to prove how cool Nighthawk is. Want it in C#? say no more.
• Domain Persistence – AdminSDHolder. The special AdminSDHolder ACL is applied to all groups and accounts that are part of that object every hour, enabling permissions to be continuously restored to an account if detected by the blue team.
• Domain Escalation – sAMAccountName Spoofing. The sAMAccountName/noPac attack dropped last month, but this post shows multiple tools/attack methods to exploit it in practice. TrustedSec has a good blog post on detection opportunities.
• A phishing document signed by Microsoft – part 2. Microsoft signed add-ins are back, and have vulnerabilities. A string of bugs/features were used/abused to enable remote XLL loading. At this point I'm not sure anyone outside of Redmond, WA knows more about office document internals than Pieter, Dima, and the team at Outflank.
• Scanning millions of domains and compromising the email supply chain of Australia's most respected institutions. The use a AWS Lambda and DynamoDB for distributed scanning was clever, but the number sites where SPF/DMARC checks passed just with some light EC2 cycling to get proper IPs was frightening. Very cool research!
• Kernel Karnage – Part 8 (Getting Around DSE). This serious has been great so far, and now that real world protections are turned back on it's really getting good. There is no PoC dropped, but enough code to get you pretty far in your own driver loading BOF adventures. Keep up the great work @cerbersec.
• Get expert training on advanced hunting. This is a great collection of MS defender for endpoint and KQL training.
• Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice. If you ever need to be really sure no one has intercepted your package, this is a cool option.
• Staging Cobalt Strike with mTLS using Caddy. Staging is a bad idea. But what if you protected your staging endpoint with mTLS? You'd end up with CaddyStager!

Tools and Exploits

• inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
• rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
• insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
• SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
• PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
• Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
• defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
• domains is (probably) the world’s single largest Internet domains dataset.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• China suspends deal with Alibaba for not sharing Log4j 0-day first with the government. Note this isn't as bad as the headline makes it seems, as China only suspended a "cooperative partnership... regarding cybersecurity threats and information-sharing platforms." Regardless, it sends a clear message. If you find a vulnerability in China, you'd better tell the government about it before anyone else.
• ZeroPeril Deep dive into executable packers & malware unpacking Training Course Announcement. New fully remote training that uses x86/x64dbg. Training is fully remote (Teams).
• How did LastPass master passwords get compromised?. A number of users received emails that their master password had correctly been used from a suspicious location, even after changing it. Is this an email error or something deeper? Either way, not a good look for LastPass, which has already lost credibility.
• In 2022, YYMMDDhhmm formatted times exceed signed int range, breaking Microsoft services. Duct tape and glue. It's all just duct tape and glue.

Techniques

• Android Application Testing Using Windows 11 and Windows Subsystem for Android. You've heard of the Windows subsystem for Linux, but how about the Windows subsystem for Andrid? Now you can use your favorite mobile assessment tools like objection and Burp suite without needing a real android device!
• Hopper Disassembler. This post shows how to use Hopper to bypass simple jailbreak detection by modifying a single jump instruction. Sometimes it is that simple, but the trick is knowing which byte to change.
• MS Teams: 1 feature, 4 vulnerabilities. None of these are severe, but some are simple issues that you wouldn't expect a market leader in connectivity to be making.
• Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation (PDF). System on a Chip (SoC) designs can include multiple wireless technologies with shared components. This overlap can lead to one compromised protocol being able to read or edit data on another medium via the shared resources.
• How to exploit Log4j vulnerabilities in VMWare vCenter. Unauthenticated remote code execution as root against vCenter via Log4j. The post covers good post-exploitation options and even drops the PoC: Log4jCenter.
• Where's the Interpreter!? (CVE-2021-30853). This dead-simple Gatekeeper bypass makes you wonder what other silly tricks are out there. Patrick doesn't stop at the PoC and dives deep into the root cause of this bug. Notably this fix is absent for Catalina (10.15.7), however my very limited testing indicates it may not be vulnerable.
• A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard. If you're interested in what "real" APT malware looks like, this long post covers a lot of tools.
• Remote Process Enumeration with WTS Set of Windows APIs. With the proper privileges you can get a remote process list using standard Windows APIs. This would be a nice tool to avoid machines with EDR or other programs running.
• CVE-2021-31956 vulnerability analysis (Chinese). This post explores CVE-2021-31956, a local privilege escalation within Windows due to a kernel memory corruption bug which was patched within the June 2021 Patch Tuesday and contains actual exploit code.
• HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
• Dumping LSASS with Duplicated Handles. Rastamouse walks through how to use duplicated handles to dump LSASS which builds on his previous post on enumerating and duplicating handles. It still dumps to disk, so a pure in-memory implementation will get you even more evasion points.
• Another Log4j on the fire: Unifi. Another great walkthrough on how to go from login page to backdoored appliance from Nicholas at Sprocket Security. 67,000 exposed instances on shodan... RIP in peace.
• Phishing With Spoofed Cloud Attachments. "Abuse the way O365 Outlook renders cloud attachments to make malicious executable cloud attachments look like harmless files." This is phishing gold. Paired with a nice sandbox aware firewall/redirector it will likely yield success with a simple docuement.pdf.exe payload because the mail looks so good.
• Edition 14: To WAF or not to WAF Effectiveness of WAFs are a hotly debated subject in AppSec circles. This post tries to bring a structure to that discussion.

Tools and Exploits

• KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
• WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
• hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
• Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
• Invoke-Bof loads any Beacon Object File using Powershell!
• Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
• Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
• iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
• Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating system written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
• whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
• The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
• TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
• LACheck is a multithreaded C# .NET assembly local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
• Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Log4j 2.15.0 stills allows for exfiltration of sensitive data. You'll be writing this one up on assessments for years to come. 2.16 was released but also had a DoS-able vulnerability. Third patch is the charm? This whole saga has become the best example of Dependency in recent memory. If you need to exploit Log4j, grab the JNDI-Exploit-Kit. Trying to keep it all straight? This flow chart was up to date when published.
• Updates to the Bug Slayer bug bounty program. If you use CodeQL to find and report bugs, you may be eligible for a bonus bounty.
• Nighthawk 0.1 – New Beginnings. MDSec releases more details about its impressive in-house C2 framework. I'd love to get my hands on it and test it out. DM's open ;).
• REVEN Free Edition - Available as a VM. REVEN is a "Timeless Analysis" system that allows you to triage crashes more effectively. Now it's even easier to try out with a ready made virtual machine.

Techniques

• How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs. A manual source code audit and some fuzzing found this arbitrary file read bug.
• A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Wow. NSO used a JBIG2 vulnerability to construct a custom computer architecture they then used to search and modify memory to carry out the next stage of the exploit chain. Talk about weird machines.
• Defeat the Castle - Bypass AV & Advanced XDR solutions.. AV/EDR solutions seem to struggle with the double encryption/encoding used here. Tool available here.
• Yes, fun browser extensions can have vulnerabilities too!. "A one-time visit to a malicious website would have been sufficient to compromise the browser integrity permanently." It's time to start thinking of browsers as OSs and extensions as programs running as root.
• Alternative Process Injection. This processes injects shellcode into the already loaded DLL memory page, which gets around most (but not all) indicators of injection.
• Blackswan Technical Writeup (PDF). Six Windows privescs with beautifully presented write ups? Yes please.

Tools and Exploits

• Cobalt Strike 4.5 Update Specifics:

  • Writing Beacon Object Files: Flexible, Stealthy, and Compatible. This post is great as it covers lesser used concepts like syscalls in x86 BOFs.
  • Process Injection Update in Cobalt Strike 4.5
  • User Defined Reflective Loader (UDRL) Update in Cobalt Strike 4.5
  • Sleep Mask Update in Cobalt Strike 4.5
  • A Deeper Look Into the Max Retry Strategy Option

• moonwalk helps cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
• The Hacker Tools is focused on documenting and giving tips & tricks on common infosec tools. This is an awesome initiative and an idea I've had for a while. Happy to see it being executed.
• Cobalt-Clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of a clipboard.
• intruducer is a Rust crate to load a linux shared library into a target process without using ptrace.
• KernelSharp is an example of how to use NativeAOT to compile C# code to a Windows Kernel Mode driver.
• KernelBypassSharp is a C# Kernel Mode Driver to read and write memory in protected processes.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
• mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
• adPEAS. Note this is not part of the "official" PEAS toolset. It's a Powershell tool to automate Active Directory enumeration.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• log4j logging framework vulnerable to RCE (10.0 CVSS3). Who knew that the ability to do Jndi lookups with user supplied data could be such and awful idea. Early reports claimed a recent version of Java and some environment variables would mitigate the vulnerability, but they were mistaken. Check out this Blue Team Cheatsheet for links to advisories.
• Pixel prevented me from calling 911. When you give up control of a core function like dialing to third party apps, in this case Microsoft Teams, bad things can happen.
• Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. You can now submit drivers directly to Microsoft with details about how they are vulnerable or malicious.
• Cobalt Strike 4.5: Fork&Run – you’re "history". "We dedicated a significant portion of this release to improving controls around product licensing." When your tool is used in nearly all ransomware events, I suspect HelpSystems got a call from someone to put more controls in place. The biggest change in this release for users is the ability to define custom process injection technique as well as increased size limits for sleep mask kit and user reflective loaders. Cobalt Strike continues to innovate and adapt to the changing offensive security landscape - the reason why it is the go to tool in the space.

Techniques

• CVE-2021-42287/CVE-2021-42278 Weaponisation. With all the log4j hype, this one may have slipped by. Don't let it, as it allows any domain user with the ability to add computer accounts (default 10 per user), can get a ticket as a DC to arbitrary services which allows dcsyncing. Patch is out, but given the season and log4j, this one might have legs into 2022. Be sure to also checkout more sAMAccountName Impersonation. The switches needed for this attack are now in Rubeus.
• A phishing document signed by Microsoft – part 1. The masters of maldocs are back at it. This time using an Excel add-in (XLAM) with modified contents but "valid" Microsoft signature to deliver malicious vbs. Amazing work as always.
• Getting root on Ubuntu through wishful thinking. Exploits are hard, even when you get root sometimes you aren't sure why. Adding a sleep to allow the ability to attach a debugger when the process did eventually crash was clever. Full PoC here.
• MiTM Cobalt Strike Network Traffic. This relies on having the beacon private keys, but once in hand, network defenders or those in privileged network positions could inject commands into Cobalt Strike traffic.
• Kernel Karnage – Part 6 (Last Call). This series has been great thus far. Let's seen what kernel driver loading tricks they come up with in future posts!

Tools and Exploits

• CVE Trends is a dashboard for expensive threat intel monitoring twitter without having to learn about tweetdeck. This is a really nice site check for the latest log4j RCE or to put up in your NOC.
• Podman Desktop is the Docker desktop replacement you may be looking for now that Docker Desktop is no longer free for most companies.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
• KingHamlet is a simple tool, which allows you to perform a Process Ghosting Attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• US military's hacking unit publicly acknowledges taking offensive action to disrupt ransomware operations. Consider the hounds released.
• Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker. The Ubiquiti hack/breach/whatever from last year was actually an insider who demanded 50 bitcoin as ransom during the attack. He now faces up to 37 years in prison.
• Introducing Buy now, pay later in Microsoft Edge. Predatory lending coming to a browser near you by default!
• GoDaddy Announces Security Incident Affecting Managed WordPress Service. GoDaddy has been riding the high of its first mover advantage for about two decades now. Don't worry breach bingo players, "GoDaddy leadership and employees take our responsibility to protect our customers’ data very seriously."
• US State Department Employees Targeted with NSO Group Malware. After being heavily sanctioned, details about US based attacks are coming out. NSO groups woes continue to mount with Apple suing them.
• Is “KAX17” performing de-anonymization Attacks against Tor Users?. Someone spend a fair amount of money to run a lot of Tor middle nodes, but have since been subject to a mass rejection of relays. Tin foil hats on to guess who may be behind this.

Techniques

• Carrying the Tortellini's golf sticks - Using Caddy to spin up fast and reliable C2 redirectors. While Apache and Nginx are the most common redirectors, Caddy is a light weight web server that can be used as a redirector as well. This post details some helpful configuration options you should look into if you go down this route. Be care of the more unique JA3S hash though. Since caddy is written in Go and open source, this can be changed (with something like this for the server side).
• Windows 10 RCE: The exploit is in the link. Fabian and Lukas found that the default handler for ms-officecmd: URIs allows argument injection. Typical bug bounty payment shenanigans followed. There are great details about the process of finding the bug and exploiting it in this post - don't skip it.
• Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm. Much like JA3 and JA3S, TLS metadata about certificates can be extremely useful for detecting anomalies.
• TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?. Trickbot is back with a nifty LNK+loader campaign. Threat emulator take note.
• Exploring Container Security: A Storage Vulnerability Deep Dive. Containers are taking over the DevOps world, best learn how to exploit them.
• USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services. Some base libraries used in many remote desktop services has a vulnerability that can be triggered from sandboxes (i.e. web browsers).
• Go away BitLocker, you´re drunk. You've read some stories about leaking bitlocker keys, but they lacked memes and snark. I believe this is the third bitlocker hardware hack post on LWiS. Have you added a second factor to your bitlocker deployment yet?
• Halo's Gate Evolves -> Tartarus' Gate. This new "gate" adds a check for a different type of hook used by an EDR vendor. Code here.
• Azure Privilege Escalation via Azure API Permissions Abuse. At this point I'm convinced that each "cloud" is it's own entire security research domain.
• The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory. This is a fresh take on credential dumping with a PoC available: MalSeclogon.

Tools and Exploits

• InstallerFileTakeOver is a Windows LPE 0day for all supported Windows version. RIP.
• cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust.
• Exploiting CVE-2021-43267. This is a walkthrough and full exploit for Linux TIPC vulnerabilitiy that affects kernels between 5.10-rc1 and 5.15.
• EDRSandblast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
• SSHClient is a small SSH client written in C#. May be useful for pivoting from Windows to Linux.
• EntitlementCheck is a Python3 script for macOS to recursively check /Applications and also check /usr/local/bin, /usr/bin, and /usr/sbin for binaries with problematic/interesting entitlements. Also checks for hardened runtime enablement.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• DetectionLabELK is a fork of DetectionLab with ELK stack instead of Splunk.
• GoMapEnum is a user enumeration (Linkedin) and password bruteforcer for Azure, ADFS, OWA, O365, and Teams.
• redherd-framework is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of simulating complex offensive cyberspace operations.
• ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases.
• BOF2shellcode is a POC tool to convert CobaltStrike BOF files to raw shellcode.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• GitHub’s commitment to npm ecosystem security. Dependancy package security is a hard problem to solve, but it seems NPM has gotten a lot of flak recently. Mandatory 2FA and other measures may help. "But I use rust," you say? Read on...
• Backdooring Rust crates for fun and profit. Running other people's code easily is a bedrock feature of any software dependency or library manager. It's quite difficult to make sure that code isn't malicious.
• An in-depth look at hacking back, active defense, and cyber letters of marque. Interesting conclusion (government should be in control) for a guy who prevented a malware outbreak with "active defense" as a civilian. Perhaps that gives more weight to his argument, having "seen the other side?" I have yet to read any opinion pieces by current or former government offensive security professionals on the matter - aside from Jake Williams of course.
• Emotet, once the world's most dangerous malware, is back. What is dead my never die? Keep track of the threat here.
• NUCLEUS:13. The IoT/OT/embedded OS from Siemens, Nucleus RTOS, had flaws in its TCP/IP stack including a buffer overflow in the FTP USER command. The project-memoria-detector can help identify the TCP/IP stack of a device if you think you may have some Nucleus systems in your environment.

Techniques

• AFL++ on Android with QEMU support. Ever wanted to fuzz close-source libraries directly on your Android phone? Now you can!
• Nanodump: A Red Team Approach to Minidumps. The tool has been out for a while, but this post explains the motivation and technical details.
• Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver. Some interesting bugs found in the NPU driver accessible from the untrusted app sandbox on (presumably) lots of Android devices.
• When You sysWhisper Loud Enough for AV to Hear You. Static syscalls have their signatures. This post explores some work arounds, but some *Gate (Hell's, Heaven's, etc) would prevent these artifacts in your code at all (but introduce others).
• An Illustrated Guide to Elliptic Curve Cryptography Validation. Elliptic curves are becoming the standard way to perform asymmetric cryptography, but how do they actually work? This post can serve as a refresher for that college cryptography class you took or didn't take.
• Active Directory Attack Paths — “Is it always this bad?”. From experience: yes. This post is mostly an ad for Bloodhound Enterprise, but that's ok.
• Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321). After ProxyShell, Exchange got some serious attention and to no one's surprise more RCE fell out of it. This one affected Exchange 2016 CU21/22 and 2019 CU10/1 but he post goes into technical detail and stops just short of a PoC.
• HackSys Extreme Vulnerable Driver — Arbitrary Write NULL (New Solution). This is a very detailed post on a cool privilege escalation against a vulnerable by design driver.
• Abusing Google Drive's Email File Functionality. This is a great way to abuse legitimate services to deliver phishing emails. Very tricky!
• ExternalC2.NET. This is the post that explains the tool released last week.
• Pentest tale - Dumping cleartext credentials from antivirus. Sometimes memory dumps and findstr is all it takes to find credentials of value.
• Picky PPID Spoofing. This post has some good example code to help find svchost processes with your integrity level to allow them to be used as a PPID for your process.
• No Logs? No Problem! Incident Response without Windows Event Logs. You can also read this as, "All the things you need to clean up to help stay undetected."
• Using CVE-2021-40531 for RCE with Sketch. "This post covers a vulnerability in Sketch that I discovered back in July — CVE-2021-40531. In its simplest form, it is a macOS quarantine bypass, but in context it can be used for remote code execution."

Tools and Exploits

• tldraw is a tiny little drawing app. Check it out at tldraw.com.
• msticpy. Ever wonder how Microsoft's MSTIC threat hunt group finds evil? msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks with many data analysis features.
• fileless-xec is a stealth dropper executing remote binaries without dropping them on disk.
• TPM sniffing. With $49 of hardware you too can read a bitlocker key as it leaves the TPM of a laptop. TPM 2.0 has support to encrypt this value, but until then/even after consider adding a second factor to your laptop's decryption routine (PIN, hardware key, etc).
• CheckCert A small utility to request the SSL certificate from a public or private web application implemented in C# and as a BOF.
• SQLRecon is a C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
• Oh365UserFinde is used for identifying valid o365 accounts and domains without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
• Visual-Studio-BOF-template is a baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors.
• GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and move it back to main memory after sleeping. Check out the blog post here.
• MultiPotato is another "potato" to get SYSTEM via SeImpersonate privileges, but this one is different since tt doesn't contain any SYSTEM auth trigger for weaponization so the code can be used to integrate your favorite trigger by yourself. Also, tt's not only using CreateProcessWithTokenW to spawn a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.
• DumpNParse is a Combination LSASS Dumper and LSASS Parser adapted from other projects.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• digital-forensics-lab is a free hands-on digital forensics labs for students and faculty. Note that on windows it actually drops the binary to disk and runs it, going against the very name of the project...

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
• CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
• ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."

Techniques

• Windows Security Updates for Hackers. This is the one stop shop for all information related to Windows releases, updates, and tools to find missing patches. Bookmark it.
• Becoming A Super Admin In Someone Else's Gsuite Organization And Taking It Over With a few edited requests in Google Domains you could add yourself to arbitrary GSuite customers as a Super Admin. Great find! PoC video here.
• Analyzing a watering hole campaign using macOS exploits. macOS is making gains in the consumer market, and thus is getting attention from threat actors. The targets and geography leave little to imagination in terms of attributions. More and more 0days are being used to target activists these days, how dystopian. For more details check out SentielOne's analysis of macOS.Macma.
• Malware Analysis: Syscalls. These malware analysis posts should serve to enlighten the reader as to how their own tools may look from the "other side."
• Kernel Karnage – Part 3 (Challenge Accepted). To fight kernel driver EDR, you must be come kernel driver EDR?
• Golden Certificate. DCShadow and Golden Tickets getting too popular/detectable? If the environment is running Active Directory Certification Services (AD CS) you can mint a "Golden Certificate" instead.
• Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications. This post is an exemplar of how to think more about a technique is uses and design detections around it vs an easily bypassed signature.
• AutoPoC - Validating the Lack of Validation in PoCs. From HoneyPoC to AutoPoC, Andy has exposed more "threat intelligence" scripts "products" and "professionals" than anyone. It's pretty crazy to see the amount of trust some people have in random GitHub projects.
• Implementing Shellcode Retrieval. The inceptor framework can now abstract how shellcode is delivered to the loader so it can be store in arbitrary formats like UUIDs.

Tools and Exploits

• lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
• ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
• Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
• blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
• rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
• Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
• bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
• skweez spiders web pages and extracts words for wordlist generation.
• LocalDllParse checks all loaded Dlls in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process and avoids all commonly monitored API calls.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
• NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice. $10M USD for conviction of "individual(s) who hold(s) a key leadership position in the DarkSide" group. I think the goal of this is to sow distrust within DarkSide, and a potential $10M payout to snitch will certainly do that.
• Pwn2Own Austin 2021 - Schedule and Live Results. It's always cool to see how many and what types of devices fall at Pwn2Own.
• Introducing Firefox’s new Site Isolation Security Architecture. Great news for the underdog browser. However, it may be too little too late.
• Cisco Policy Suite Static SSH Keys Vulnerability. Cisco is the king of 9.0+ CVSS scores in critical networking hardware. This time it's SSH in the Policy Suite software and its Catalyst Passive Optical Network (PON) switches that could allow and attacker to log in a root.
• Iraqi PM Safe After Drone Attack on Residence, Military Says. Explosive laden assassination drones. "The future dystopia is already here — it’s just not very evenly distributed."
• Phishing emails seemingly coming from a Kaspersky email address. A better title might be, "oops someone used one of our AWS SES tokens to phish."

Techniques

• Master of Puppets Part II – How to tamper the EDR?. Tons of great ideas for how to disable EDR, even if it has a kernel driver. Great work.
• Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication. While not a "red team" post, this shows how to set up CES/CEP with Linux which will give you an understanding to how that all works, and ideas for how it can be leveraged if you find yourself on a domain joined Linux machine.
• Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3. If you're using for Cobalt Strike for serious operations, you're asking for trouble. Security through obscurity is a legitimate part of a larger security model.
• Kerberoast with OpSec. Kerberoasting remains a powerful attack, but it's time to clean up how you go about searching for kerberoastable accounts.
• CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution. Interesting bug and walk through (CodeQL again...). No PoC yet.
• This is how I bypassed almost every EDR!. Userland unhooking and direct syscalls aren't novel, but the use of the PEB to find the clean functions in NTDLL without syscalls is a nice twist.
• PGSharp: Analysis of a Cheating App for PokemonGO. This is an in-depth analysis of an Android cheat engine. Tons of good stuff if you are an android "tool" developer.
• CVE-2021-22205 Rapid7 Analysis. Lots of Gitlab instances were used in a DDoS attack last week. This is how. Note that this was patched back in April 2021.
• Pwn2Own to Xxe2Rce. XXE to RCE on an ICS controller - nice!
• Newly discovered #lolbin "C:WindowsSystem32Cmdl32.exe". Download files with a Microsoft signed binary. So long certutil.exe, hello cmdl32.exe!

Tools and Exploits

• DLL-Hijack-Search-Order-BOF is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution. Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access).
• DLL-Exports-Extraction-BOF is a BOF for DLL export extraction with optional NTFS transactions.
• blint is a Binary Linter to check the security properties, and capabilities in your executables.
• braktooth_esp32_bluetooth_classic_attacks is a series of baseband & LMP exploits against Bluetooth classic controllers.
• CVE-2021-34886 is a Linux kernel eBPF map type confusion that leads to EoP and affects Linux kernel 5.8 to 5.13.13. Writeup (CN) here.
• elfloader is an architecture-agnostic ELF file flattener for shellcode written in Rust.
• socksdll isa a loadable socks5 proxy via CGo/C bridge.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙
• ThreatMapper is used to identify vulnerabilities in running containers, images, hosts and repositories and helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless.
• AssemblyLine is a C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker. Could you build this into your RAT to execute shellcode modules without suspicious API calls?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes. Exploit a k8s environment to earn $31,337-$50,337 USD! More details here.
• Protecting your device information with Private Set Membership. This cryptographic process could be useful for all kinds of sensitive data lookups (i.e. is my password in a breach?).
• MalAPI.io launches. MalAPI.io can be used when developing malware (for legal purposes of course) or when analyzing the source code of malware. It's a MITRE ATT&CK matrix for Windows APIs.
• Announcing the DEF CON 30 Call For Contests & Events!. Start planning early!
• Google Docs in a clean-room browser. Just an example of how much duct tape and glue

Techniques

• Neat SIP bypass for macOS. system_installd executes a zsh shell and has an entitlement to bypass SIP. Microsoft found a way to leverage this to run commands with the same entitlement with /etc/zshenv. How many more ways are there? Full Microsoft post: Shrootless.
• Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
• Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C# related projects today: D/Invoke Baguette.
• Kernel Karnage – Part 2 (Back to Basics). EDRs are moving to the kernel, and drivers can provide great local privilege escalation opportunities. This post explores the ability to hook other driver's (EDR) functions. Want to start debugging the windows kernel? This 101 post was released yesterday.
• Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
• CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that allows users to mount over ~/Library and this the TCC database. Yikes! Fixed in 12.0.1.
• Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
• Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique makes sure they jmp back to memory space of NTDLL.DLL to avoid suspicious of the kernel returning to program memory space it should't (i.e. the location of your direct syscall). Sneaky! PoC here.

Tools and Exploits

• quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, root e-mail addresses, users, and roles. Check out the blog post here.
• DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
• Metsubushi is a Go project to generate droppers with encrypted payloads automatically.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
• dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.