Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-29 to 2024-05-06.
A recent security incident involving Dropbox Sign - Where the juicy data goes, so go the attackers. This was an acquisition (HelloSign) from 2019, so it should have been fully integrated into Dropbox's security practice by now.
Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme - A Ukrainian national was sentenced today to 13 years and seven months in prison and ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments. A rare conviction in the ransomware scene.
What's new in Windows Server 2025 (preview) - Microsoft has decided to change the default on #pre2k computer accounts and has removed the checkbox entirely in upcoming server releases.
Uncharmed: Untangling Iran's APT42 Operations - Tradecraft details including their use of social engineering for initial access and credential harvesting. NGOs and journalists are being targeted.
SCCM Exploitation: Compromising Network Access Accounts - An article on how fruitful Network Access Accounts are, along with some mitigation and detection guidance. Even comes with Wazuh and Elastic parsers and rules! Thorough work.
CFG in Windows 11 24H2 - Explore how Windows 11's 24H2 update integrates Control Flow Guard with hotpatching to enhance system security and efficiency.
Tale of Code Integrity & Driver Loads - The article discusses how the Core Isolation user setting in Windows affects the process of driver loading, particularly focusing on Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
SharpGraphView - Microsoft Graph API post-exploitation toolkit.
symbolizer-rs - A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Hypervisor-Detection - Detects virtual machines and malware analysis environments.
wstunnel - Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available.
puter - The Internet OS! Free, Open-Source, and Self-Hostable.
Installomator - Installation script to deploy standard software on Macs.
blint - BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
QCSuper - QCSuper is a tool for communicating with Qualcomm-based phones and modems, allowing you to capture raw 2G/3G/4G radio frames, among other things.
proxybroker2 - The New (auto rotate) Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS.
JS-Tap - JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients.
git-rotate - Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blocking.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.
News
Trusted Signing is in Public Preview - Code sign your payloads with Microsoft? Note that your company will need "3 years of tax history" to use the service.
ETW-ByeBye: Disabling ETW-TI Without PPL - A vulnerability that allows disabling ETW-TI (Event Tracing for Windows Threat Intelligence) logging without Protected Process Light (PPL) requirements, using SeDebug or SeTcb privileges on certain Windows versions. PoC code and detection guidance is provided. Note: this only works on Windows 10, Windows 11 patched this bug.
JA4T: TCP Fingerprinting - JA4 scanner released. Certainly worth adding to your recon workflow and automation.
NetNTLM is still a thing? - Yes. Yes it is. This post gives a good recap of how you can still relay NetNTLM via various methods. Details some less common techniques like leveraging HTTP.SYS for setting up a listener without admin privileges, bypassing the Windows firewall, and using SSH for port forwarding to relay. You aren't checking emails or doing day to day activities with a highly privileged account, right?
Adversaries sometimes compute gradients. Other times, they rob you. This blog post discusses the concept of an "adversary flywheel," which involves attackers using data science to adapt and optimize their methods based on defensive responses, enhancing their ability to exploit security vulnerabilities efficiently.
Arbitrary 1-click Azure tenant takeover via MS application - Blog post on how reply URLs in Azure Applications can be used as a vector for phishing. The impact of this can range from data leaks to complete tenant takeover; just by luring a victim into clicking on a link. Another disappointing bug bounty case unfortunately.
ReadWriteDriverSample - Sample driver + user component to demonstrate writing into arbitrary process memory from the kernel via CR3 manipulation (as opposed to the usual KeStackAttachProcess API).
24h2-nt-exploit - Exploit targeting NT kernel in 24H2 Windows Insider Preview.
New to Me and Miscellaneous
ics-forensics-tools - Microsoft ICSpector (ICS Forensics Tools framework) is an open-source forensics framework that enables the analysis of Industrial PLC metadata and project files.
Evidence Collection Environment - This environment is intended to be useful for when you have multiple investigators or external parties adding data for evaluation. Some key features (hopefully) implemented in this setup leverage the Azure Storage legal hold, Azure Storage analytics logging for validation of access by which parties, Azure Key Vault logging with the logs going to a Log Analytics workspace in the resource group.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-16 to 2024-04-22.
How we built the new Find My Device network with user security and privacy in mind - Google enters the "Find My" crowdsourced device-locating network game with the similarly named "Find My Device" network. It supports the standard which allows trackers to be detected by iOS devices (and vice-versa), so unwanted trackers will alert users.
GitHub comments abused to push malware via Microsoft repo URLs - Because GitHub uploads a file to a publicly accessible URL during comment editing, actors don't need to publish comments to get files hosted under trusted projects' URLs. If you're ok with giving your payload to Microsoft (GitHub), this is a pretty sneaky way to host it.
SSO tax, cut - Tailscale is the best VPN solution there is (unsponsored opinion). Between this change and Tailnet lock, they have eliminated all issues I had with their service. If you're a self-hosting true purist, there is still headscale.
An Introduction to the Canadian Program for Cyber Security Certification (CPCSC) - Starting at the end of 2024, Canadian defense industry suppliers will need to be certified under the Canadian Program for Cyber Security Certification (CPCSC) to bid on certain government contracts, an initiative designed to enhance security measures within the nation's federal contracting processes.
CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible - An integer overflow in the Skia graphics library has been used to exploit Chrome. The fact that it would not appear in debug builds, due to assert calls that are not compiled into release builds, is interesting. Make sure you are fuzzing release binaries!
LSA Whisperer - Some seriously in-depth research into the Local Security Authority (LSA) of Windows which leads to all kinds of functionality. My favorite is the possible use of CacheLogon to cache a specific NT hash into an active logon session, which allows for stable pass-the-hash without having to patch LSASS memory (but will require injection into LSASS). I can only imagine the amount of reverse-engineering it took to get to lsa-whisperer.
Passbolt: a bold use of HaveIBeenPwned - Passbolt is a password manager that uses the HaveIBeenPwned API to check if a password has been compromised. This post goes into the details of how they implemented it.
ROPGadget: Writing a ROPDecoder - This post discusses creating a ROPDecoder from scratch, detailing the selection and use of ROP gadgets to encode and decode shellcode, and automating the process to handle bad characters effectively in exploit dev.
The Windows Registry Adventure #1: Introduction and research results - Wild. Mateusz Jurczyk of Google Project Zero audited the Windows Registry for local privilege escalation bugs over 20 months, identifying multiple vulnerabilities now fixed as 44 CVEs by Microsoft, utilizing methods from fuzzing to manual review in an extensive security research effort.
State of DevSecOps - Datadog's State of DevSecOps report is out. TLDR - Java/JS account for tons of issues, automated security scanners are mostly noise, the industry is bad at prioritizing what to fix, manual cloud deployments (no IaC) are still very common, and more.
lsa-whisperer - Tools for interacting with authentication packages using their individual message protocols.
KExecDD - Admin to Kernel code execution using the KSecDD driver.
CloudConsoleCartographer - Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.
PasteBomb - PasteBomb C2-less RAT. The creator of this project is only 13 years old. Impressive! Great work.
poutine - poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD.
panos-scanner - Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
LetMeowIn - A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
MagicDot - A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.
New to Me and Miscellaneous
smugglefuzz - A rapid HTTP downgrade smuggling scanner written in Go.
netz - Discover internet-wide misconfigurations while drinking coffee.
cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
Living Off the Pipeline - "....to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection. "
BAADTokenBroker - Post-exploitation tool designed to leverage device-stored keys (Device key, Transport key, etc.) to authenticate to Microsoft Entra ID.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-08 to 2024-04-16.
Muddled Libra's Evolution to the Cloud - Unit 42 researchers discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
Our Response to Hashicorp's Cease and Desist Letter - Some turmoil in the IaC world. "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts."
KONA BLUE [PDF] - Declassified DHS project KONA BLUE - A special access program for recovering materials used for interdimensional, time, and space travel. While the project was only a SAP for 6 months and seems like it never really did anything, a look into what goes into a SAP is interesting, and it is the first example of one being declassified that we are aware of.
CS Technologies - Evolution Vulnerabilities - A set of vulnerabilities within software used to administer the EVO2 and EVO4 door access controllers. Chained together, this leads to unauthenticated access to add a user with access to every door in the building, control doors, etc.
We discovered an AWS access vulnerability - A vulnerability in AWS STS allowed users to gain unauthorized account access due to incorrect role trust policy evaluations. It's been patched! Cool to read that this SaaS has a different AWS account per customer as a security boundary.
Chaining N-days to Compromise All: Part 3 - Windows Driver LPE: Medium to System - This post discusses the exploitation of a logic bug in the Windows kernel driver mskssrv.sys (CVE-2023-29360), which was demonstrated in Pwn2Own 2023. The exploit allows priv-esc from user to SYSTEM by manipulating the Memory Descriptor List (MDL) to map physical memory addresses incorrectly, effectively bypassing security checks. It was part of this crazy VM escape chain.
Understanding ETW Patching - A quick summary from @jsecurity101 on how function patching can be applied to ETW providers to alter or inhibit their standard behavior, potentially evading detection by modifying or bypassing function execution in both user-mode and kernel-mode operations.
CreateRCE - Yet Another Vulnerability in CreateUri - In another episode of Akamai vs Outlook clients... "An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click)". The technical write-up of CVE-2023-35628, which was patched December 2023.
Sysrv Infection (Linux Edition) - Write up of the Sysrv botnet, which deployed a crypto miner on a Linux system using a payload pulled down from a specified URL. Sometimes detecting these can be as easy as checking those DNS logs for known mining pools.
How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses - "Leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly."
Flaw in PuTTY P-521 ECDSA signature generation leaks SSH private keys - "An attacker who compromises an SSH server may be able to leverage this vulnerability to compromise the user's private key. Attackers may also be able to compromise the SSH private keys of anyone who used git+ssh with commit signing and a P-521 SSH key, simply by collecting public commit signatures." Cryptography is hard!
Tools and Exploits
UserManagerEoP - PoC for CVE-2023-36047. Patched last week. Should still be viable if you're on an engagement right now!
Shoggoth - Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.
ExploitGSM - Exploit for 6.4 - 6.5 Linux kernels and another exploit for 5.15 - 6.5. Zero days when published.
Copilot-For-Security - Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant with responsible AI principles.
CVE-2024-21378 - DLL code for testing CVE-2024-21378 in MS Outlook. Using this with Ruler.
ActionsTOCTOU - Example repository for GitHub Actions Time of Check to Time of Use (TOCTOU vulnerabilities).
obfus.h - obfus.h is a macro-only library for compile-time obfuscation of C applications, designed specifically for the Tiny C Compiler (tcc). It is tailored for Windows x86 and x64 platforms and supports almost all versions of the compiler.
Wareed DNS C2 - A Command and Control (C2) that utilizes the DNS protocol for secure communications between the server and the target. Designed to minimize communication and limit data exchange, it is intended to be a first-stage C2 to persist on machines that don't have access to the internet via HTTP/HTTPS, but where DNS is allowed.
New to Me and Miscellaneous
GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert.
AssetViz - AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.
GMER - the art of exposing Windows rootkits in kernel mode - GMER is an anti-rootkit tool used to detect and combat rootkits, specifically focusing on the prevalent kernel mode rootkits, and remains effective despite many anti-rootkits losing relevance with advancements in Windows security.
AiTM Phishing with Azure Functions - The deployment of a serverless AiTM phishing toolkit using Azure Functions to phish Entra ID credentials and cookies.
orange - Orange Meets is a demo application built using Cloudflare Calls, showing how to build your own WebRTC application on top of Cloudflare Calls. Combine this with some OpenVoice or Real-Time-Voice-Cloning. Scary.
awesome-secure-defaults - Share this with your development teams and friends or use it in your own tools. "Awesome secure by default libraries to help you eliminate bug classes!"
taranis-ai - Taranis AI is an advanced Open-Source Intelligence (OSINT) tool, leveraging Artificial Intelligence to revolutionize information gathering and situational analysis.
MSFT_DriverBlockList - Repository of Microsoft Driver Block Lists based off of OS-builds.
HSC24RedTeamInfra - Slides and Codes used for the workshop Red Team Infrastructure Automation at HackSpanCon2024.
SuperMemory - Build your own second brain with supermemory. It's a ChatGPT for your bookmarks. Import tweets or save websites and content using the chrome extension.
Kubenomicon - An open source offensive security focused threat matrix for kubernetes with an emphasis on walking through how to exploit each attack.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-01 to 2024-04-08.
News
Pixel Update Bulletin - April 2024 - "There are indications that the following may be under limited, targeted exploitation." Update those Pixels!
The Incognito Mode Myth Has Fully Unraveled - Google settles a lawsuit about Incognito Mode by agreeing to delete "billions of data records" the company collected while users browsed the web using Incognito mode. This implies that the data was tagged as being collected while the browser was in incognito mode.
Ghostwriter v4.1: The Custom Fields Update - The Ghostwriter documentation automation web-app just got a lot more customizable, as you can extend the data models easily in 4.1, and now any formatted text fields support Jinja2 templates!
Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation - "any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks."
Burp2API - Converting your Burp Suite projects into JSON APIs.
nimfilt - A collection of modules and scripts to help with analyzing Nim binaries.
No-Consolation - A BOF that runs unmanaged PEs inline. Updated this week to automatically encrypt and store binaries in memory which allows multiple runs of the same binary without having to send it to target each time.
Aplos - Aplos is an extremely simple fuzzer for Windows binaries.
New to Me and Miscellaneous
CVE-2024-28085 - WallEscape vulnerability in util-linux.
VolWeb - A centralized and enhanced memory analysis platform.
secator - A task and workflow runner used for security assessments. It supports dozens of well-known security tools and is designed to improve productivity for pentesters and security researchers.
kasld - Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).
SignSaboteur - Burp Suite extension for editing, signing, and verifying various signed web tokens.
Blauhaunt - A tool collection for filtering and visualizing logon events. Designed to help answer the "Cotton Eye Joe" question (where did you come from, where did you go) in security incidents and threat hunts.
Microsoft-Extractor-Suite - A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
Microsoft-Analyzer-Suite - A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.
ARL - Injecting a DLL into a process directly from memory rather than from disk.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-25 to 2024-04-01.
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques - This got overshadowed by the xz backdoor but it's epic. A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.
Azure Redirect URI Takeover Vulnerability - A vulnerability in Azure's OAuth 2.0 flow where unregistered subdomains in application redirect URIs could be exploited by TAs to steal authorization codes and impersonate users.
The Power of UI Automation - UI Automation provides a tree of UI automation elements representing various aspects of a user interface. Could be useful to automate certain testing or other tasks.
Improving port scans against API servers - Friendly reminder to explore new tools because you might end up liking them. Like replacing your ESXi host with Ludus! This blog discusses some of the reasons they moved away from Nmap and into naabu (from the projectdiscovery team).
Tools and Exploits
TeamsNTLMLeak - Leak NTLM via Website tab in teams via MS Office.
Atexec-pro - Fileless atexec, no more need for port 445.
SharpConflux - SharpConflux is a .NET application built to facilitate Confluence exploration. It allows Red Team operators to easily investigate Confluence instances with the goal of finding credential material and documentation relating to objectives without having to rely on SOCKS proxying. Here is the related blog.
SQL-BOF - A library of beacon object files to interact with remote SQL servers and data.
CspReconGo - It automates the extraction and analysis of domains from Content Security Policy (CSP) headers and JavaScript files on websites.
CVE-2024-1086 - Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
CcmPwn - Lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
curlrevshell - Kooky cURL-powered replacement for reverse shell via /dev/tcp.
New to Me and Miscellaneous
RustRedOps - RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-18 to 2024-03-25.
Introducing STAR-FS - The Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations.
GoFetch - A new vulnerability baked into Apple's M-series of chips that allows attackers (and/or userspace applications) to extract secret keys from Macs. It looks like there are mitigation flags that can be set to mitigate this for sensitive cryptographic calls. Time will tell if they are effective/implemented.
naively bypassing new memory scanning POCs - This blog focuses on in-memory evasion from both offensive and defensive angles, and introduces a simple but effective method to avoid detection by leveraging behaviors similar to legitimate JIT (Just-In-Time) compilation processes.
Identity Providers for RedTeamers - A look at popular cloud-based Identity Providers and their attack primitives. Awesome work by Adam Chester of (now) SpecterOps. Very practical for modern operations against SaaS/remote-friendly companies.
Jigsaw - Hide shellcode by shuffling bytes into a random array and reconstructing it at runtime.
IoDllProxyLoad - DLL proxy load example using the Windows thread pool API, I/O completion callback with named pipes, and C++/assembly.
OpenTIDE - Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections.
Pwned by the Mail Carrier - Compromising exchange with some defensive guidance on adjusting ACEs to limit Exchange's AD permissions and establishing security boundaries for Tier Zero assets. Jonas is on a tear lately.
nimvoke - Indirect syscalls + DInvoke made simple.
ActionsCacheBlasting - Proof-of-concept code for research into GitHub Actions Cache poisoning.
CVE-2023-36424 - Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation.
New to Me and Miscellaneous
The Top 100+ Developer Tools 2023 - Looking for a research target inspiration? "This year we analyzed well over 12 million data points shared by you - the StackShare community - to bring you these rankings."
Devika - Devika is an Agentic AI Software Engineer that can understand high-level human instructions, break them down into steps, research relevant information, and write code to achieve the given objective. Devika aims to be a competitive open-source alternative to Devin by Cognition AI.
VoiceCraft: Zero-Shot Speech Editing and Text-to-Speech in the Wild - VoiceCraft is a token infilling neural codec language model, that achieves state-of-the-art performance on both speech editing and zero-shot text-to-speech (TTS) on in-the-wild data including audiobooks, internet videos, and podcasts. The model weights aren't out yet but should be by the end of the month. This is going to make vishing deadly.
lumentis - AI powered one-click comprehensive docs from transcripts and text.
Cobalt Strike Resources - Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection.
bincapz - Enumerate binary capabilities, including malicious behaviors.
Twikit - Simple API wrapper to interact with Twitter's unofficial API. You can log in to Twitter using your account username, email address and password and use most features on Twitter, such as posting and retrieving tweets, liking and following users. Curious how long this will last.
tracecat - The AI-native, open source alternative to Tines / Splunk SOAR.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-11 to 2024-03-18.
Open Release of Grok-1 - This is the raw base model checkpoint from the Grok-1 pre-training phase, which concluded in October 2023. This means that the model is not fine-tuned for any specific application, such as dialogue. It's up to you to determine if this is a PR play as Grok isn't useful for much that other smaller open source models can't do.
2024 Threat Detection Report - Red Canary's 2024 Threat Detection Report. Emphasis on "Detection". Take a look at their most commonly identified tools. If you're a red teamer using unmodified versions of those tools, consider yourself caught. Another interesting comment in this report: "Our new industry analysis showcases how adversaries reliably leverage the same small set of 10-20 techniques against organizations, regardless of their sector or industry." Red teamers don't need a bunch of fancy techniques. Stick to a few OPSEC-friendly/effective techniques and focus on your objectives.
Discovering Deserialization Gadget Chains in Rubyland - Write-up that details the process and insights gained from creating a Ruby deserialization gadget chain from scratch, utilizing libraries such as action_view, active_record, dry-types, and eventmachine, to demonstrate deserialization exploitation in Ruby apps.
LTair: The LTE Air Interface Tool - LTair, a tool that allows NCC Group to perform different attacks on the LTE Control Plane via the air interface. Niche assessment type. Looks neat but the tool isn't actually released yet?
BlueSpy - Proof of concept to record and replay audio from a bluetooth device without the legitimate user's awareness.
Introducing AzurEnum - The latest Azure tool - Intended to give pentesters/red teamers a good idea of the main security issues of an azure tenant and its permission structure. The code is here.
Gungnir - Gungnir is a command-line tool written in Go that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates.
SymProcAddress - Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids).
GamingServiceEoP - Exploit for an arbitrary folder move in the GamingService component of Xbox. GamingService is not a default service. If the service is installed on a system, it allows low privilege users to escalate to SYSTEM.
New to Me and Miscellaneous
Mythic Community Overview - Mythic agent capability matrix. Cool project for those that develop their own agents for Mythic.
localsend - An open-source cross-platform alternative to AirDrop.
FindMeAccess - Finding gaps in Azure/M365 MFA requirements for different resources, client ids, and user agents. The tool is mostly based off Spray365's auditing logic.
PurpleLab - PurpleLab is an efficient and readily deployable lab solution, providing a swift setup for cybersecurity professionals to test detection rules, simulate logs, and undertake various security tasks, all accessible through a user-friendly web interface
DetectDee - Hunt down social media accounts by username, email or phone across social networks.
Moriarty - Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
Miaow - Project Miaow is a proof of concept to escalate privileges in Microsoft Azure using an ARM template deployment.
Payload Wizard - AI assistant that utilizes GPT language models to interpret and generate cybersecurity payloads. Github repo is here.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-04 to 2024-03-11.
News
Incognito Darknet Market Mass-Extorts Buyers, Sellers - Getting your darknet market shut down is the worst thing that can happen, right? What if the market operators then extort both the buyers and sellers? We'll see if this becomes the largest darknet market data dump ever on April 1st.
YARP as a C2 Redirector - C2 redirectors via the YARP project. This was the solution built by Microsoft for internal engineers to use as a reverse proxy. A potential option for your team to explore if you're migrating away from Apache/nginx rewrite rules.
MacOS Malware Dev - This article explores macOS malware development, covering the architecture, security features, and coding practices. Good read!
Smishing with EvilGophish - Using EvilGophish to send those pesky texts. I wonder how many red teams are actually simulating/emulating this attack vector.
Browserless Entra Device Code Flow - Performing every step in Entra's OAuth 2.0 Device Code flow, including the user authentication steps, without a browser!
Parasite-Invoke - Hide your P/Invoke signatures through other people's signed assemblies
ADeleginator - A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
Misconfiguration Manager - Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Are We Helping? Interesting perspective. Thought provoking notes about the current state of infosec.
Freyja Purple Team Agent - Freyja is a Golang, Purple Team agent that compiles into Windows, Linux and macOS x64 executables.
gitlab-secrets - This tool analyzes a given Gitlab repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
dockerc - container image to single executable compiler.
PoolParty - A set of fully-undetectable process injection techniques abusing Windows Thread Pools.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-26 to 2024-03-04.
Merck settles with insurers who denied $700 million NotPetya claim - The "11th-hour" settlement leaves more questions, but it seems that Merck got some payout. New policies are sure to include language exempting "state-sponsored" attacks, which will make attribution a multi-million dollar business.
Scrutinizing the Scrutinizer - What's more fun than getting an unauthenticated root shell on a network monitoring appliance?
Leaking ObjRefs to Exploit HTTP .NET Remoting - You've heard of PS remoting (aka WinRM) but what about .NET Remoting? Turns out it can provide remote code execution. Sad that Microsoft didn't assign a CVE or give Code White any credit, despite clearly patching this issue based on their report.
Meet Silver SAML: Golden SAML in the Cloud - "Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application as any user." A compromised cloud environment could get messy. This (for the moment) is likely a great option for Entra ID persistence.
A Trip Down Memory Lane - The frustration and walkthrough of this one stuck out. It really shows the thought process and frustrations of evading endpoint detection. And "...do your dev work on a VM with no internet access...". We agree! Use Ludus. The post drops a tool called ldrgen - Template-based generation of shellcode loaders.
Nemesis-Download-Watcher - Watches the Downloads folder for any new files and inserts it into Nemesis for analysis.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
winhttp - A library to make HTTP requests with the Windows winhttp API.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-19 to 2024-02-26.
News
ConnectWise ScreenConnect Vulnerabilities - What is there to say about this except 🤦.
RepoReaper - RepoReaper is an automated tool crafted to meticulously scan and identify exposed .git repositories within specified domains and their subdomains.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
SploitScan - is a sophisticated cybersecurity utility designed to provide detailed information on vulnerabilities and associated proof-of-concept (PoC) exploits.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-12 to 2024-02-19.
News
Free Nginx - It seems the maintainer of nginx is forking. Limited details at announcing freenginx.org. This seems to have stemmed from F5/Nginx issuing CVEs for experimental QUIC code and Maxim not liking that. Here is the advisory; you be the judge.
Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System - "We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages."
Backdoors that let cops decrypt messages violate human rights, EU court says - The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," and requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society."
CVE Crowd - Picks up where cvetrends left off (killed by Twitter API limits). CVE Crowd uses the "fediverse" (Mastodon) for its data.
Azure Devops Zero-Click CI/CD Vulnerability - Pipeline triggers confused Azure to think that the pipeline was run from the project and not a fork, allowing access to secrets.
Fuzzer Development: Sandboxing Syscalls - The fuzzer/emulator being built in this blog is interesting and it's fun to watch its progress. This installment is all about sandboxing the Bochs emulator to prevent it from accessing anything outside of its environment.
Delegated NT DLL - "Like the WOW64 table, the NT delegate table provides a simple way to intercept a variety of callbacks in 32-bit mode without the need to overwrite code with inline hooking." Code here.
Cross Window Forgery: A Web Attack Vector - I'd say this isn't a vulnerability but certainly a neat hack. Convincing a user to agree to an SSO prompt without them realizing it is classic social engineering. Paired with a phish, this could be an interesting initial access method to online services.
The Most Dangerous Entra Role You've (Probably) Never Heard Of - TLDR: "Entra ID has a built-in role called 'Partner Tier2 Support' that enables escalation to Global Admin, but this role is hidden from view in the Azure portal GUI." I'm not a hacker, I'm an "unauthorized remote partner tier2 support engineer."
Hello Lucee! Let us hack Apple again? - The PD team finds some critical vulnerabilities within Lucee, a CFML server, with RCE capabilities. Decent payout $$$.
Microsoft Exchange Server Elevation of Privilege Vulnerability - "An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user." Sounds like fun.
github-secrets - This tool analyzes a given Github repository and searches for dangling or force-pushed commits containing potential secret or interesting information. Check out the blog post: Hidden GitHub Commits and How to Reveal Them.
FullBypass - A tool which bypasses AMSI (AntiMalware Scan Interface) and PowerShell CLM (Constrained Language Mode) and gives you a FullLanguage PowerShell reverse shell.
InflativeLoading - Dynamically convert a native EXE to PIC shellcode by appending a shellcode stub.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
NullSection - NullSection is an anti-reversing tool that applies a technique that overwrites the section header with null bytes.
sessionless - TokenSigner is a Burp Suite extension for editing, signing, and verifying various signed web tokens.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-07 to 2024-02-12.
After a tip, ExpressVPN acts swiftly to protect customers - ExpressVPN users could have experienced DNS leaks for the past 2 years. Ouch. "The bug was introduced in ExpressVPN Windows versions 12.23.1 - 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature."
SEC Fines Firms $81M For Off-Channel Communications Lapses - "Sixteen firms are collectively on the hook for more than $81 million to settle SEC charges that they failed to preserve off-channel electronic communications." The SEC is not a fan of personal Signal chats!
New attack vectors in EKS - The second post in a series on AWS's managed Kubernetes service. Recent EKS additions (Access Entries, Policies, and Pod Identity) introduce new potential attack vectors; the post walks through them and stresses least privilege.
Active Directory Enumeration for Red Teams - Some post-ex LDAP fun by MDSec. There are detection considerations towards the end as well. TL;DR - Blend in where possible or else you'll stick out like a sore thumb. Assuming the defense is looking!
Securing AI: Azure Machine Learning Studio - This post covers the deployment of Machine Learning Studio, the creation of a test training model, and then attacking the AI/ML training infrastructure to deploy persistence. With AI being the hot thing right now, it's nice to see someone shelling some AI tooling.
[PDF] Insights into Commercial Surveillance Vendors - Google reports on commercial espionage. Interesting read considering their role in society. "Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to Commercial Surveillance Vendors." That's a huge percentage!
Sudo On Windows a Quick Rundown - The blog post provides an overview of the newly introduced sudo command in Windows Insider Preview build 26052, highlighting its implementation using User Account Control (UAC), its configuration options, and potential security vulnerabilities, including the lack of proper access control on the RPC server, despite being written mostly in Rust for enhanced security.
ParentProcessValidator.cpp - This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
EternelSuspention - A simple PoC showcasing the ability of an admin to suspend EDR-protected processes.
NidhoggScript - NidhoggScript is a tool to generate "script" file that allows execution of multiple commands for Nidhogg. Nidhogg is an all-in-one simple to use rootkit.
TPM-Sniffing - Retrieving Bitlocker keys from the TPM using SPI, I2C or LPC communications requires an understanding of the specific protocol supported by the TPM chip, as well as the device's make and model.
gocheck - GoCheck is a blazingly fast™ alternative to Matterpreter's DefenderCheck which identifies the exact bytes that Windows Defender AV flags by feeding byte slices to MpCmdRun.exe.
NTLM Relay Gat - NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.
Native Threadpool - Work, timer, and wait callback example using solely Native Windows APIs.
LoLCerts - A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
Living off the False Positive! - Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic. See the blog post Introducing LoFP for more info.
BadExclusionsNWBO - BadExclusionsNWBO is an evolution of BadExclusions to identify custom or undocumented folder exclusions on AV/EDR.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
awesome-tunneling - List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
gftrace - A command line Windows API tracing tool for Golang binaries.
AutomatedBadLab - Scripts to provision vulnerable and testing environments using AutomatedLab.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-29 to 2024-02-07.
News
AnyDesk Incident Response 2-2-2024 - An RMM company, AnyDesk, was breached. "Customers Urged to Reset Passwords." Is breaching the upstream RMM company the ultimate traitorware?
Ivanti - We're up to four (4) CVEs. CISA is ordering everyone to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. Even Assetnote is getting in the action with a new authentication bypass. What a mess!
Thanksgiving 2023 security incident - Threat actor utilized stolen credentials from the October 2023 Okta compromise to access Cloudflare's network. TLDR - Threat actors were in Cloudflare's internal wiki, bug database, and established persistent access to the Atlassian server but 2FA prevented most lateral movement. Cloudflare even returned the hardware that was connected to a console server the actors attempted but failed to gain access to. Now that is serious remediation!
Externalizing the Google Domain Tiers Concept - Google's Security Team has introduced the concept of Domain Tiers to categorize approximately 10,000 domains based on sensitivity, helping prioritize security efforts. The tiering system, with five levels (Tier 0 being the highest sensitivity), aids in identifying potential vulnerabilities and influences Google Vulnerability Reward payouts. This is really dope!
Vastaamo hacker traced via 'untraceable' Monero transactions, police say - "KRP did not disclose the exact mechanism for tracing the Monero transactions, citing the need to protect sensitive investigative techniques that can prove invaluable in future cases. Thus, the exact methods involved are unclear." However, the suspect used a centralized exchange to swap between BTC and XMR and eventually used an email address linked to a server managed by the suspect. Seems like a lot of opportunities to find the suspect other than breaking XMR privacy, and I highly doubt that has happened. Binance will delist XMR on 2024-02-20, which may be related. Reminder: the Universal Declaration of Human Rights Article 12 states privacy is a universal human right and not a crime. Using XMR for crimes is a crime, the same way using USD cash for crimes is a crime.
Arrests in $400M SIM-Swap Tied to Heist at FTX? - Three Americans charged with orchestrating SIM-swapping attacks resulting in over $400 million of stolen crypto, likely from FTX. The attacks took place between March 2021 and April 2023. There is no excuse to use SMS-based 2FA for anything important after all these SIM swaps. Phone companies are not the place to outsource your identity verification!
Anonymous IP address involving Apple iCloud Private Relay - iCloud Private Relay is being used by their iPhone users to "anonymize" their traffic. Well, that is causing some issues for defenders. Some defenders might allowlist these relays on their SIEM or security tooling. Time for red teams to look into using this if you haven't already.
The curious case of [email protected] - A detailed blog post on an AWS incident response use-case from a month long attack. Initial access via exposed access key, some recon via SES and IAM API calls, privilege escalation via AttachUserPolicy, and more.
Evolution of UNC4990: Uncovering USB Malware's Hidden Depths - Always fun to read threat actor tradecraft. This one particularly stood out because threat actors are using vimeo[.]com and arstechnica[.]com to host payloads in addition to their usual registered domains.
Visualizing ACLs with Adalanche - An alternative to Bloodhound when enumerating AD. Maybe not as signatured as Sharphound for those looking for a quick option. We originally talked about Adalanche all the way back in LWiS 2021-06-14!
RoleCrawl - PowerShell tool designed to audit User and Group role assignments in Azure, covering both subscription and resource scopes.
hfinder - Help recon of hostnames from specific ASN or CIDR, thanks to Robtex and BGP.HE
ThievingFox - A collection of post-exploitation tools to gather credentials from various password managers and windows utilities. Came with a blog post.
IntelRAGU - An open-source initiative to document and share experiments to apply Retrieval Augmented Generation (RAG) techniques to Threat Intelligence searching capabilities.
arachne - arachne is a Mythic webshell payload for Windows (aspx) and Linux (php). When run alone, the arachne container reaches out to the specified URL to issue tasking. When an agent links via P2P to an arachne agent, then that agent will remotely reach out to the specified URL to issue tasking. Check out the blog: Spinning Webs: Unveiling Arachne for Web Shell C2.
ReverseSocks5 - Single executable reverse SOCKS5 proxy written in Golang. This is v2 which adds SOCKS5 support.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
certstream-server-go - This project aims to be a drop-in replacement for the certstream server by Calidog. This tool aggregates, parses, and streams certificate data from multiple certificate transparency logs via websocket connections to the clients.
SigFinder - Identify binaries with Authenticode digital signatures signed to an internal CA/domain. This could be useful when pillaging SCCM distribution point servers.
wirez - redirect all TCP/UDP traffic of any program to SOCKS5 proxy.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-22 to 2024-01-30.
Bypassing browser tracking protection for CORS misconfiguration abuse - Blog that talks about bypassing browser tracking protection through CORS misconfiguration abuse, explaining the CORS mechanism, detailing the specific HTTP headers used in CORS, and highlighting the vulnerabilities associated with misconfigurations, with a focus on Access-Control-Allow-Credentials.
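As an added illustration of the misconfiguration class that post is about (this is example code, not code from the post or from any project it mentions): the two broken policies below reflect the Origin header (or suffix-match it) while also sending Access-Control-Allow-Credentials: true, which is exactly what lets an attacker's page read authenticated responses cross-site; the strict version only ever echoes an origin from an exact-match allowlist. The allowlist and origins are constructed for the example.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real application loads its own.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}


def cors_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Vulnerable: echoes any Origin back and allows credentials.

    A page on an attacker-controlled origin, or a sandboxed iframe that sends
    "Origin: null", can then read the victim's authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_suffix_match(origin: Optional[str]) -> Dict[str, str]:
    """Still vulnerable: a suffix check accepts https://evilexample.com."""
    if origin is not None and origin.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_strict(origin: Optional[str], allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened: exact match of scheme://host[:port] against an allowlist.

    Unknown origins and the literal "null" origin get no CORS headers at all.
    Vary: Origin keeps shared caches from serving one origin's answer to another."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # An Origin header is only scheme://host[:port]; anything else is rejected.
    if (parts.scheme != "https" or not parts.netloc
            or parts.path or parts.query or parts.fragment):
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def allows_credentialed_read(headers: Dict[str, str], origin: str) -> bool:
    """Browser-side rule: a credentialed cross-origin response is readable only
    when ACAO exactly equals the requesting origin (never "*") and ACAC is true."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )
```

When testing a target, send Origin values of an unrelated host, the literal string null, and a host that merely ends in the expected domain; any of them coming back in Access-Control-Allow-Origin next to Allow-Credentials: true is the finding.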
Shipping your Private Key - CVE-2023-43870, Paxton do a Lenovo - A vuln (CVE-2023-43870) in Paxton Access's Net2 software, revealing that the default installation of Net2 includes a vulnerable certificate authority (CA) key, allowing an attacker to intercept HTTPS traffic on machines running Net2 or those that installed the CA as instructed by the Web API.
Leveraging Fake DLLs, Guard Pages, and VEH for Enhanced Detection - Unconventional but very interesting detection mechanism used in conjunction with EDR, based on a combination of process environment block (PEB) modification, the use of fake DLLs and guard pages, and the use of vectored exception handling.
A Practical Guide to PrintNightmare in 2024. PrintNightmare may be a memory, but the core of the issue - printer drivers install as SYSTEM on Windows - hasn't changed. I love these kinds of "work around the problem" hacks. This post is true hacking and even drops some automation (powershell) to help exploit vulnerable scenarios.
How Apple accidentally broke my Spotify client. Not really cybersecurity related, but the level of depth in the investigation was so deep it was basically a vulnerability write up. Impressive. Spoiler: it was DNS (because of course it was).
Tools and Exploits
SOAPHound - This made some noise this week. A custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
InjectKit - Modified versions of the Cobalt Strike Process Injection Kit
Stardust - A modern 64-bit position independent implant template. Came with a good blog if you want to take a look here.
Grroxy - Another competitor to Burpsuite Pro? Caido is another one that comes to mind.
Frameless BITB - A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx. Even came with a demo.
CsWhispers - Source generator to add D/Invoke and indirect syscall methods to a C# project.
EventLogCrasher - Proof of concept for a bug, that allows any user to crash the Windows Event Log service of any other Windows 10/Windows Server 2022 machine on the same domain. The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Trimarc Whitepaper: Owner or Pwnd? - This whitepaper touches on all aspects of AD ownership: Organizational Units (OUs), Computers, Groups, Users, AD Certificate Services (ADCS), Group Policy Objects (GPOs), and even Active Directory Integrated DNS (ADI DNS).
jsoncrack.com - Innovative and open-source visualization application that transforms various data formats, such as JSON, YAML, XML, CSV and more, into interactive graphs.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of how this library works and share the thought process and the whys. This blog post will not cover the inner workings of memory management on the respective platforms.
Memory Scanning
Memory scanning is the practice of iterating over the different processes running on a computer system and searching through their memory regions for a specific pattern. There can be a myriad of reasons to scan the memory of certain processes. The most common use cases are probably credential access (accessing the memory of the lsass.exe process for example), scanning for possible traces of malware and implants or recovery of interesting data, such as cryptographic material.
If time is as valuable to you as it is to us at Fox-IT, you probably noticed that performing a full memory scan looking for a pattern is a very time-consuming process, to say the least.
Why is scanning memory so time consuming when you know what you are looking for, and more importantly; how can this scanning process be sped up? While looking into different detection techniques to identify running Cobalt Strike beacons, we noticed something we could easily filter on, speeding up our scanning processes: memory attributes.
Speed up scanning with memory attributes
Memory attributes are comparable to the permission system we all know and love on our regular file and directory structures. The permission system dictates what kind of actions are allowed within a specific memory region and can be changed to different sets of attributes by their respective API calls.
The following memory attributes exist on both the Windows and UNIX platforms:
Read (R)
Write (W)
Execute (E)
The Windows platform has some extra permission attributes, plus quite an extensive list of allocation[1] and protection[2] attributes. These attributes can also be used to filter when looking for specific patterns within memory regions but are not important to go into right now.
So how do we leverage this information about attributes to speed up our scanning processes? It turns out that by filtering the regions to scan based on the memory attributes set for the regions, we can speed up our scanning process tremendously before even starting to look for our specified patterns.
Say for example we are looking for a specific byte pattern of an implant that is present in a certain memory region of a running process on the Windows platform. We already know what pattern we are looking for and we also know that the memory regions used by this specific implant are always set to:
Type    Protection    Initial
PRV     ERW           ERW

Table 1. Example of implant memory attributes that are set
Depending on what is running on the system, filtering on the above memory attributes already rules out a large portion of memory regions for most running processes on a Windows system.
If we take a notepad.exe process as an example, we can see that the different sections of the executable have their respective rights. The .text section of an executable contains executable code and is thus marked with the E permission as its protection:
If we were looking for just the sections and regions that are marked as being executable, we would only need to scan the .text section of the notepad.exe process. If we scan all the regions of every running process on the system, disregarding the memory attributes which are set, scanning for a pattern will take quite a bit longer.
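The filtering described above, as an added example that is not Skrapa's own code: the region list comes from the /proc/<pid>/maps format on Linux (the Windows equivalent is VirtualQueryEx, where MEMORY_BASIC_INFORMATION.Type == MEM_PRIVATE and Protect == PAGE_EXECUTE_READWRITE correspond to the PRV/ERW row in Table 1). Regions are first reduced by attributes and only the survivors are read and regex-scanned. The maps excerpt, the region contents and the IMPLANT-CONFIG-v1 marker are all constructed for the example; the proc_mem_reader helper is only there for use against a live process you are allowed to ptrace.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Pattern, Tuple


@dataclass(frozen=True)
class Region:
    """One mapped region, in the shape of a /proc/<pid>/maps line."""
    start: int
    end: int
    perms: str  # four chars: r/-, w/-, x/-, then p (private) or s (shared)
    path: str

    @property
    def readable(self) -> bool:
        return self.perms[0] == "r"

    @property
    def writable(self) -> bool:
        return self.perms[1] == "w"

    @property
    def executable(self) -> bool:
        return self.perms[2] == "x"

    @property
    def private(self) -> bool:
        return self.perms[3] == "p"


# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_maps(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions


def select_regions(regions: List[Region], *, execute: bool = True,
                   write: bool = False, private: bool = True) -> List[Region]:
    """Keep only regions whose attributes match what the implant is known to use."""
    keep = []
    for r in regions:
        if not r.readable:          # cannot read it, so cannot scan it
            continue
        if execute and not r.executable:
            continue
        if write and not r.writable:
            continue
        if private and not r.private:
            continue
        keep.append(r)
    return keep


ReadRegion = Callable[[Region], Optional[bytes]]


def scan_regions(regions: List[Region], read_region: ReadRegion,
                 pattern: Pattern[bytes]) -> List[Tuple[int, bytes]]:
    """Return (absolute address, matched bytes) for every hit in the given regions."""
    hits = []
    for r in regions:
        data = read_region(r)
        if not data:
            continue
        for m in pattern.finditer(data):
            hits.append((r.start + m.start(), m.group(0)))
    return hits


def proc_mem_reader(pid: int) -> ReadRegion:
    """Reader for a live Linux process; needs ptrace access to the target."""
    def read(r: Region) -> Optional[bytes]:
        try:
            fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
        except OSError:
            return None
        try:
            return os.pread(fd, r.end - r.start, r.start)
        except OSError:
            return None
        finally:
            os.close(fd)
    return read


# Constructed sample input: a maps excerpt and fake contents per region start.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/host-binary
00401000-00420000 r-xp 00001000 08:01 1234 /usr/bin/host-binary
7f0000000000-7f0000021000 rw-p 00000000 00:00 0
7f0000100000-7f0000110000 rwxp 00000000 00:00 0
7f0000200000-7f0000210000 r-xs 00000000 08:01 99 /usr/lib/shared.so
"""
MARKER = b"IMPLANT-CONFIG-v1"  # hypothetical marker, stands in for a real signature
SAMPLE_MEMORY: Dict[int, bytes] = {
    0x401000: b"\x55\x48\x89\xe5" + b"\x90" * 28,            # host .text, no marker
    0x7f0000000000: b"\x00" * 16 + MARKER + b"\x00" * 8,    # rw-p data region
    0x7f0000100000: b"\xe8" * 16 + MARKER + b"\xcc" * 8,    # rwxp private region
    0x7f0000200000: b"\x00" * 32,                            # shared library mapping
}


def sample_reader(r: Region) -> Optional[bytes]:
    return SAMPLE_MEMORY.get(r.start)


def demo(filtered: bool = True) -> List[Tuple[int, bytes]]:
    regions = parse_maps(SAMPLE_MAPS)
    if filtered:  # the PRV + ERW filter from Table 1
        regions = select_regions(regions, execute=True, write=True, private=True)
    return scan_regions(regions, sample_reader, re.compile(re.escape(MARKER)))


if __name__ == "__main__":
    print("filtered:", [hex(a) for a, _ in demo(True)])
    print("unfiltered:", [hex(a) for a, _ in demo(False)])
```

Note the trade-off the unfiltered run makes visible: the marker also sits in a non-executable rw-p region, which the PRV/ERW filter never reads. Filtering buys speed only when the attribute assumption about the implant holds, so loosen the filter (for example execute-only, or no filter at all) when hunting for staged or encrypted payloads that are not yet mapped executable.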
Introducing Skrapa
We've incorporated the techniques described above into an easy to install Python package. The package is designed and tested to work on Linux and Microsoft Windows systems. Some of the notable features include:
Configurable scanning:
Scan all the process memory, specific processes by name or process identifier.
Regex and YARA support.
Support for user callback functions, define custom functions that execute routines when user specified conditions are met.
Easy to incorporate in bigger projects and scripts due to easy to use API.
The package was designed to be easily extensible by end users, providing an API that can be leveraged to do more than the built-in scanning.
Where to find Skrapa?
The Python library is available on our GitHub, together with some examples showing scenarios on how to use it.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-15 to 2024-01-23.
Calling Home, Get Your Callbacks Through RBI - If you're a fan of Cloudflare, this is a good read. Circumvent Remote Browser Isolation (RBI) technology during offensive assessments.
Web3's Achilles' Heel: A Supply Chain Attack on Astar Network - Another episode of self-hosted runner exploitation. The researcher was banned from a bug bounty platform after hacking all the things... "The vulnerability allowed anyone who could fix a typo in the astarNetwork/astar repository to modify the release binaries for their validator nodes and wasm runtimes." He modified a 2 week old release with a single print statement, a release that would not be pulled by anyone following the docs to set up a validator. Seems like a reasonable PoC to me. 🤷
Insomni'hack 2024 CTF Teaser - Cache Cache. Normally I don't post CTF write ups, but this is a unique, Windows challenge based on a real vulnerability class (and a well done write up by the challenge author).
Tools and Exploits
Cobalt-Strike-Profiles-for-EDR-Evasion - Some ideas to modify CS profiles to bypass simple EDR checks. However, if you want to use SourcePoint I'm not sure I would trust the copy in this random repository...
GraphStrike - Cobalt Strike HTTPS beaconing over Microsoft Graph API implemented as a user defined reflective loader (UDRL). Appreciate the Why? section on this one. Better hope those blue team network sensors have really good anomaly detection, because this will use legitimate Microsoft domains for C2. However, now you have Microsoft's threat team to deal with, and there has been some discussion that they will ban accounts that conduct C2 over their API if they detect it.
hi_my_name_is_keyboard. Zero click Bluetooth exploits for Android prior to the 2023-12-05 security patch (and Android <= 10 forever). Nice close access method to get payloads on an Android phone (assuming the target won't notice their screen acting up on its own). It also works against macOS and iOS (iOS < 17.2, Magic Keyboard Firmware < 2.0.6) if you can trigger it exactly when the computer/phone attempts to connect with an Apple Magic keyboard via Bluetooth.
slippy-book-exploit - CVE-2023-44451, CVE-2023-52076: RCE Vulnerability affected popular Linux Distros including Mint, Kali, Parrot, Manjaro etc. EPUB File Parsing Directory Traversal Remote Code Execution.
atril_cbt-inject-exploit - CVE-2023-44452, CVE-2023-51698: CBT File Parsing Argument Injection that affected Popular Linux Distros.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability. This was in the LWiS 2023-10-24, but the ShmooCon talk is what bubbled it back up for me and made me really look into it. The docs look great and I plan to play with this one very soon.
GHunt - Recently got an update (OAuth based instead of cookies). Check it out!
ADCSync - Use ESC1 to perform a makeshift DCSync and dump hashes.
RemoteRegSave - A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-08 to 2024-01-15.
The Covert Hardware Implant: Part 1 - "...we use our hardware implants in real-world Red Team operations while constantly evolving the form factor to align with the most effective solution for the mission"
Deep Dive: http.favicon - Favicons have been making a comeback the past few years. Don't sleep on this recon data point.
Kiosk Tooling. Next time you only have a browser and need to break out, browse to this site for some potential quick wins.
CS-Aggressor-Scripts - Aggressor Scripts for Cobalt Strike (that post data to a Slack Channel).
OpenVoice - Instant voice cloning by MyShell. I have warned of this, and now it is here and easy to use. Vishing will never be the same.
BobTheSmuggler - "Bob the Smuggler": A tool that leverages HTML Smuggling Attack and allows you to create HTML files with embedded 7z/zip archives. The tool would compress your binary (EXE/DLL) into 7z/zip file format, then XOR encrypt the archive and then hides inside PNG/GIF image file format (Image Polyglots).
SuperSharpShares - SuperSharpShares is a tool designed to automate enumerating domain shares, allowing for quick verification of accessible shares by your associated domain account.
DFSCoerce-exe-2 - DFSCoerce exe revisited version with custom authentication.
raddebugger - A native, user-mode, multi-process, graphical debugger.
New to Me and Miscellaneous
FlowMate - a Burp Suite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-01 to 2024-01-10.
NPM registry prank leaves developers unable to unpublish packages. A package that depended on every package on npm eventually created a circular dependency and could not be removed. Because npm refuses to unpublish a package that other packages depend on, this also left every public package impossible to unpublish for a while.
Entra ID Connect Arbitrary Password Overwrite - Did you compromise the AADConnect server and want to pivot to Azure without having to crack NT hashes? Overwrite any user's NT hash with an attacker-controlled value and give yourself access to the organization's Azure subscription as the compromised user.
Research Uncovers AWS Account Numbers Hidden in Access Keys - Some recent updates to trufflehog because of "...simple base-32 decoding and bit shifting can transform any AWS access key credential type into the corresponding account number."
PRT Abuse from Userland with Cobalt Strike - How to acquire an Azure AD Single Sign-On session from a non-privileged user session on a victim host. The token is later used to enumerate Azure AD via ROADTools.
Handly - Abuse leaked token handles. Token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
SSH-Snake - A self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
Swarm - Formerly known as axiom, swarm is the next generation of distributed cloud scanning and attack surface monitoring.
Moriarty - Moriarty is a comprehensive .NET tool that extends the functionality of Watson and Sherlock, originally developed by @_RastaMouse. It is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
CanaryTokenScanner - CanaryTokenScanner is a script designed to proactively identify Canary Tokens within office documents (docx, xlsx, pptx).
New to Me and Miscellaneous
sessionprobe - A multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.
msoffcrypto-tool - Python tool and library for decrypting MS Office files with passwords or other keys.
ContinuousMage - Continuousmage is automated testing PoC for the Mythic framework.
jsluice - Extract URLs, paths, secrets, and other interesting bits from JavaScript.
COFF-Loader - A reimplementation of Cobalt Strike's Beacon Object File (BOF) Loader.
DirtyCLR - An App Domain Manager Injection DLL PoC on steroids and it came with a blog post.
This post is cross-posted on SIXGEN's blog.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-12-04 to 2024-01-01.
News
Operation Triangulation: What You Get When Attack iPhones of Researchers. The most complex double-exploitation chain I have seen in a long time. Ask yourself - if the actor that deployed this is willing to burn an entire 1-click chain just to package it with a 0-click, what do they have on the shelf or are using very sparingly?
Finding that one weird endpoint, with Bambdas. Bambdas are a fun new feature of Burp Suite to quickly test for things in your project files directly inside the proxy. This post has some nice examples of how they can be used.
Writing A Decent WIN32 Keylogger. This three part series covers the ins and outs of writing a keylogger for Windows that handles unicode and other edge cases. The tool is called keebcap.
Introducing YARA-Forge. If you deal with yara rules (defense or testing your offensive tools), this project will likely help you organize and optimize all your rules.
Tools and Exploits
sleepy - A lexer and parser for Sleep. Read more here.
A (beta) Canarytoken for Active Directory Credentials. Perhaps one of the most effective canary tokens yet. Slightly more complicated than just dropping a file, but it will be extremely effective in catching red teams and adversaries.
frinet - Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
Christmas - By splitting up the injection actions across different spawned processes, none of the spawned processes generate enough signal to trip EDR (in theory).
sj - A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files. See this post for more info.
Ghidriff: Ghidra Binary Diffing Engine. Back in my day, BinDiff was paid software. This is a great addition to your reverse engineering/diffing toolbox, and fully open source!
bbs - bbs is a router for SOCKS and HTTP proxies. It exposes a SOCKS5 (or HTTP CONNECT) service and forwards incoming requests to proxies or chains of proxies based on the request's target. Routing can be configured with a PAC script (if built with PAC support), or through a JSON file.
SignToolEx - Patching "signtool.exe" to accept expired certificates for code-signing.
WMIProcessWatcher - A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
Marble - The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
Amnesiac - Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments.
EDRSilencer - A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to their servers. This is similar to shutter (shoutout to @naksyn).
Ghidra 11.0. 11.0 brings the "Bsim" binary similarity tool, better Go binary support, and initial Rust binary support.
New to Me and Miscellaneous
CLR_Heap_encryption. This is a PoC for a CLR sleep obfuscation attempt. It uses the IHostMemoryManager interface to control the memory allocated by the CLR. Turns out you can use both ICorRuntimeHost and ICLRRuntimeHost at the same time, so we can still use ICorRuntimeHost to run an assembly from memory while having all the benefits of ICLRRuntimeHost.
sheye - Open-source asset and vulnerability scanning tool.
Windows Defender (the antivirus shipped with standard installations of Windows) places malicious files into quarantine upon detection.
Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response.
Existing scripts that extract quarantined files do not process this metadata, even though it could be useful for analysis.
Fox-IT's open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows Defender quarantine folder.
dissect.cstruct allows us to use C-like structure definitions in Python, which enables easy continued research in other programming languages or reverse engineering in tools like IDA Pro.
Want to continue in IDA Pro? Just copy paste the structure definitions!
Introduction
During incident response engagements we often encounter antivirus applications that have rightfully triggered on malicious software that was deployed by threat actors. Most commonly we encounter this for Windows Defender, the antivirus solution that is shipped by default with Microsoft Windows. Windows Defender places malicious files in quarantine upon detection, so that the end user may decide to recover the file or delete it permanently. Threat actors, when faced with the detection capabilities of Defender, either disable the antivirus in its entirety or attempt to evade its detection.
The Windows Defender quarantine folder is valuable from the perspective of digital forensics and incident response (DFIR). First of all, it can reveal information about timestamps, locations and signatures of files that were detected by Windows Defender. Especially in scenarios where the threat actor has deleted the Windows Event logs, but left the quarantine folder intact, the quarantine folder is of great forensic value. Moreover, as the entire file is quarantined (so that the end user may choose to restore it), it is possible to recover files from quarantine for further reverse engineering and analysis.
While scripts already exist to recover files from the Defender quarantine folder, the purpose of much of the contents of this folder was previously unknown. We don't like big unknowns, so we performed further research into this metadata to see if we could uncover additional forensic traces.
Rather than just presenting our results, we've structured this blog to also describe the process of how we got there. Skip to the end if you are interested in the results rather than the technical details of reverse engineering Windows Defender.
In summary, whenever Defender puts a file into quarantine, it does three things:
1. Metadata describing when, why and how the file was quarantined is held in a QuarantineEntry. This QuarantineEntry is RC4-encrypted and saved to disk in the /ProgramData/Microsoft/Windows Defender/Quarantine/Entries folder.
2. The contents of the malicious file are stored in a QuarantineEntryResourceData file, which is also RC4-encrypted and saved to disk in the /ProgramData/Microsoft/Windows Defender/Quarantine/ResourceData folder.
3. Within the /ProgramData/Microsoft/Windows Defender/Quarantine/Resource folder, a Resource file is made. Both from previous research and from our own findings during reverse engineering, it appears this file contains no information that cannot be obtained from the QuarantineEntry and QuarantineEntryResourceData files. Therefore, we ignore the Resource file for the remainder of this blog.
While previous scripts are able to recover some properties from the ResourceData and QuarantineEntry files, large segments of data were left unparsed, which gave us a hunch that additional forensic artefacts were yet to be discovered.
Windows Defender encrypts both the QuarantineEntry and the ResourceData files using a hardcoded RC4 key defined in mpengine.dll. This hardcoded key was initially published by Cuckoo and is paramount for the offline recovery of the quarantine folder.
Pivoting off of public scripts and Bauch's whitepaper, we loaded mpengine.dll into IDA to review how Windows Defender places a file into quarantine. Using the PDB available from the Microsoft symbol server, we get a head start with some functions and structures already defined.
Recovering metadata by investigating the QuarantineEntry file
Let us begin with the QuarantineEntry file. From this file, we would like to recover as much of the QuarantineEntry structure as possible, as this holds all kinds of valuable metadata. The QuarantineEntry file is not encrypted as one RC4 cipherstream, but consists of three chunks that are each individually encrypted using RC4.
These three chunks are what we have come to call QuarantineEntryFileHeader, QuarantineEntrySection1 and QuarantineEntrySection2.
QuarantineEntryFileHeader describes the size of QuarantineEntrySection1 and QuarantineEntrySection2, and contains CRC checksums for both sections.
QuarantineEntrySection1 contains valuable metadata that applies to all QuarantineEntryResource instances within this QuarantineEntry file, such as the DetectionName and the ScanId associated with the quarantine action.
QuarantineEntrySection2 denotes the length and offset of every QuarantineEntryResource instance within this QuarantineEntry file so that they can be correctly parsed individually.
A QuarantineEntry has one or more QuarantineEntryResource instances associated with it. Each contains additional information such as the path of the quarantined artefact and the type of artefact that has been quarantined (e.g. registry key or file).
An overview of the different structures within QuarantineEntry is provided in Figure 1:
Figure 1: An example overview of a QuarantineEntry. In this example, two files were simultaneously quarantined by Windows Defender. Hence, there are two QuarantineEntryResource structures contained within this single QuarantineEntry.
As QuarantineEntryFileHeader is mostly a structure that describes how QuarantineEntrySection1 and QuarantineEntrySection2 should be parsed, we will first look into what those two consist of.
QuarantineEntrySection1
When reviewing mpengine.dll within IDA, the contents of both QuarantineEntrySection1 and QuarantineEntrySection2 appear to be determined in the QexQuarantine::CQexQuaEntry::Commit function.
The function receives an instance of the QexQuarantine::CQexQuaEntry class. Unfortunately, the PDB file that Microsoft provides for mpengine.dll does not contain contents for this structure. Most fields could, however, be derived using the function names in the PDB that are associated with the CQexQuaEntry class:
Figure 2: Functions retrieving properties from QuarantineEntry
The Id, ScanId, ThreatId, ThreatName and Time fields are most important, as these will be written to the QuarantineEntry file.
At the start of the QexQuarantine::CQexQuaEntry::Commit function, the size of Section1 is determined.
Figure 3: Reviewing the decompiled output of CQexQuaEntry::Commit shows the size of QuarantineEntrySection1 being set to the length of ThreatName plus 53.
This sets section1_size to the length of the ThreatName variable plus 53. We can determine what these additional 53 bytes consist of by looking at which values are set in the QexQuarantine::CQexQuaEntry::Commit function for the Section1 buffer.
This took some experimentation and required trying different fields, offsets and sizes for the QuarantineEntrySection1 structure within IDA. After every change, we would review what these changes would do to the decompiled IDA view of the QexQuarantine::CQexQuaEntry::Commit function.
Some trial and error landed us the following structure definition:
While reviewing the final decompiled output (right) for the assembly code (left), we noticed a field always being set to 1:
Figure 4: A field of QuarantineEntrySection1 always being set to the value of 1.
Given that we do not know what this field is used for, we opted to name the field 'One' for now. Most likely, it's a boolean value that is always true within the context of the QexQuarantine::CQexQuaEntry::Commit function.
QuarantineEntrySection2
Now that we have a structure definition for the first section of a QuarantineEntry, we move on to the second. QuarantineEntrySection2 holds the number of QuarantineEntryResource objects contained within a QuarantineEntry, as well as the offsets into the QuarantineEntry structure where they are located.
In most scenarios, one threat gets detected at a time, and one QuarantineEntry will be associated with one QuarantineEntryResource. This is not always the case: for example, if one unpacks a ZIP folder that contains multiple malicious files, Windows Defender might place them all into quarantine. Each individual malicious file of the ZIP would then be one QuarantineEntryResource, but they are all confined within one QuarantineEntry.
QuarantineEntryResource
To be able to parse QuarantineEntryResource instances, we look into the CQexQuaResource::ToBinary function. This function receives a QuarantineEntryResource object, as well as a pointer to the buffer to which it needs to write the binary output. If we can reverse the logic within this function, we can convert the binary output back into a parsed instance during forensic recovery.
Looking into the CQexQuaResource::ToBinary function, we see two loops very similar to the one observed earlier for serializing the ThreatName of QuarantineEntrySection1. By reviewing various decrypted QuarantineEntry files, it quickly became apparent that these loops are responsible for reserving space in the output buffer for DetectionPath and DetectionType, with DetectionPath being UTF-16 encoded:
Figure 5: Reservation of space for DetectionPath and DetectionType at the beginning of CQexQuaResource::ToBinary
Fields
When reviewing the QexQuarantine::CQexQuaEntry::Commit function, we observed an interesting loop that (after investigating function calls and renaming variables) explains the data that is stored between the DetectionType and DetectionPath:
Figure 6: Alignment logic for serializing Fields
It appears QuarantineEntryResource structures have one or more QuarantineEntryResourceField instances associated with them, with the number of fields belonging to a QuarantineEntryResource stored in a single byte between the DetectionPath and DetectionType. When saving the QuarantineEntry to disk, fields have an alignment of 4 bytes. We could not find mentions of QuarantineEntryResourceField structures in prior Windows Defender research, even though they can hold valuable information.
The CQexQuaResource class has several different implementations of AddField, accepting different kinds of parameters. Reviewing these functions showed that fields have an Identifier, a Type, and a buffer Data of length Size, resulting in a simple TLV-like format:
To understand what kinds of types and identifiers are possible, we delve further into the different versions of the AddField functions, which all accept a different data type:
Figure 7: Finding different field types based on different implementations of the CQexQuaResource::AddField function
Visiting these functions, we reviewed the Type and Size variables to understand the different possible types of fields that can be set for QuarantineEntryResource instances. This yields the following FIELD_TYPE enum:
As the AddField functions are part of the virtual function table (vtable) of the CQexQuaResource class, we cannot trivially find all places where AddField is called: the calls are indirect and therefore do not yield an xref in IDA. As a result, we have not exhausted all code paths leading to a call of AddField to identify all possible Identifier values and how they are used. Our research yielded the following field identifiers as the most commonly observed, and of the most forensic value:
Especially CreationTime, LastAccessTime and LastWriteTime can provide crucial data points during an investigation.
Revisiting the QuarantineEntrySection2 and QuarantineEntryResource structures
Now that we have an understanding of how fields work and how they are stored within the QuarantineEntryResource, we can derive the following structure for it:
Revisiting the QexQuarantine::CQexQuaEntry::Commit function, we can now understand how this function determines at which offset every QuarantineEntryResource is located within QuarantineEntry. Using these offsets, we will later be able to parse individual QuarantineEntryResource instances. Thus, the QuarantineEntrySection2 structure is fairly straightforward:
The last step for recovery of QuarantineEntry: the QuarantineEntryFileHeader
Now that we have a proper understanding of the QuarantineEntry, we want to know how it ends up written to disk in encrypted form, so that we can properly parse the file upon forensic recovery. Inspecting the QexQuarantine::CQexQuaEntry::Commit function further, we can see how it passes QuarantineEntrySection1 and QuarantineEntrySection2 to a function named CUserDatabase::Add.
We noted earlier that the QuarantineEntry consists of three RC4-encrypted chunks. The first chunk of the file is created in the CUserDatabase::Add function and is the QuarantineEntryFileHeader. The second chunk is QuarantineEntrySection1. The third chunk starts with QuarantineEntrySection2, followed by all QuarantineEntryResource structures and their 4-byte aligned QuarantineEntryResourceField structures.
We knew from Bauch's work that the QuarantineEntryFileHeader has a static size of 60 bytes and contains the sizes of QuarantineEntrySection1 and QuarantineEntrySection2. Thus, we need to decrypt the QuarantineEntryFileHeader first.
Based on Bauch's work, we started with the following structure for QuarantineEntryFileHeader:
That still leaves quite some bytes unknown, so we went back to trusty IDA. Inspecting the CUserDatabase::Add function helps us further understand the QuarantineEntryFileHeader structure. For example, we can see the hardcoded magic header and footer:
Figure 8: Magic header and footer being set for the QuarantineEntryFileHeader
A CRC checksum calculation can be seen for both the buffer of QuarantineEntrySection1 and that of QuarantineEntrySection2:
Figure 9: CRC Checksum logic within CUserDatabase::Add
These checksums can be used upon recovery to verify the integrity of the file. The CUserDatabase::Add function then writes the three chunks in RC4-encrypted form to the QuarantineEntry file buffer.
Based on these findings of the Magic header and footer and the CRC checksums, we can revise the structure definition for the QuarantineEntryFileHeader:
This was the last piece to be able to parse QuarantineEntry structures from their on-disk form. However, we do not want just the metadata: we want to recover the quarantined files as well.
Recovering files by investigating QuarantineEntryResourceData
We can now correctly parse QuarantineEntry files, so it is time to turn our attention to the QuarantineEntryResourceData file. This file contains the RC4-encrypted contents of the file that has been placed into quarantine.
Step one: eyeball hexdumps
Let's start by letting Windows Defender quarantine a Mimikatz executable and reviewing the resulting files in the quarantine folder. One would think that merely RC4-decrypting the QuarantineEntryResourceData file would yield the contents of the original file. However, a quick hexdump of a decrypted QuarantineEntryResourceData file shows that there is more information contained within:
As visible in the hexdump, the MZ value (which is located at the beginning of the buffer of the Mimikatz executable) only starts at offset 0xCC. This gives reason to believe there is potentially valuable information preceding it.
There is also additional information at the end of the ResourceData file:
At the end of the hexdump, we see an additional buffer, which some may recognize as the 'Zone Identifier', or the 'Mark of the Web'. As this Zone Identifier may tell you something about where a file originally came from, it is valuable for forensic investigations.
Step two: open IDA
To understand where these additional buffers come from and how we can parse them, we again dive into the bowels of mpengine.dll. If we review the QuarantineFile function, we see that it receives a QuarantineEntryResource and QuarantineEntry as parameters. When following the code path, we see that the BackupRead function is called to write to a buffer of which we know that it will later be RC4-encrypted by Defender and written to the quarantine folder:
Figure 10: BackupRead being called within the QuarantineFile function.
Step three: RTFM
A glance at the documentation of BackupRead reveals that this function returns a buffer separated by Win32 stream IDs. The streams stored by BackupRead contain all data streams as well as security data about the owner and permissions of a file. On NTFS file systems, a file can have multiple data attributes or streams: the 'main' unnamed data stream and optionally other named data streams, often referred to as 'alternate data streams'. For example, the Zone Identifier is stored in a separate Zone.Identifier data stream of a file. It makes sense that a function intended for backing up data preserves these alternate data streams as well.
The fact that BackupRead preserves these streams is also good news for forensic analysis. First of all, malicious payloads can be hidden in alternate data streams. Moreover, alternate data streams such as the Zone Identifier, and the security data, can help to understand where a file has come from and what it contains. We just need to recover the streams as they have been saved by BackupRead!
Diving into IDA is not necessary, as the documentation tells us all that we need. For each data stream, the BackupRead function writes a WIN32_STREAM_ID to disk, which denotes (among other things) the size of the stream. Afterwards, it writes the data of the stream to the destination file and continues to the next stream. The WIN32_STREAM_ID structure definition is documented on the Microsoft Learn website:
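As an added example (not code from the Fox-IT post or from Dissect), the following Python walks a decrypted ResourceData blob exactly as the WIN32_STREAM_ID layout above prescribes: a fixed 20-byte header, dwStreamNameSize bytes of UTF-16-LE name, then Size bytes of stream data, repeated until the buffer is exhausted. The RC4 key is a placeholder (Defender's real key from mpengine.dll is not reproduced here) and the sample blob is constructed in the script to mimic BackupRead output with a security stream, the main data stream and a Zone.Identifier alternate data stream.

```python
"""Added example: RC4-decrypt a Defender ResourceData blob and walk the
BackupRead stream layout inside it. Not Fox-IT's or Dissect's code.

Assumptions, labelled: CONSTRUCTED_KEY is a placeholder, not Defender's
hardcoded RC4 key; SAMPLE_RESOURCEDATA is built below to mimic BackupRead
output and was not captured from a real quarantine folder."""
import struct

# Stream IDs from the WIN32_STREAM_ID documentation (Microsoft Learn).
BACKUP_DATA = 0x1            # the unnamed "main" $DATA stream
BACKUP_SECURITY_DATA = 0x3   # owner/DACL/SACL security descriptor
BACKUP_ALTERNATE_DATA = 0x4  # named streams, e.g. :Zone.Identifier:$DATA
# dwStreamId, dwStreamAttributes, Size (LARGE_INTEGER), dwStreamNameSize
STREAM_HEADER = struct.Struct("<IIqI")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4. Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_backupread_streams(buf: bytes) -> dict:
    """Split a BackupRead buffer into {name: bytes}.

    Each stream is a WIN32_STREAM_ID header, cStreamName (UTF-16-LE,
    dwStreamNameSize bytes) and then Size bytes of stream data. The main
    data stream is stored under '' and security data under '<security>'.
    """
    streams = {}
    off = 0
    while off + STREAM_HEADER.size <= len(buf):
        stream_id, _attrs, size, name_size = STREAM_HEADER.unpack_from(buf, off)
        off += STREAM_HEADER.size
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        data = buf[off:off + size]
        off += size
        if stream_id == BACKUP_DATA:
            streams[""] = data
        elif stream_id == BACKUP_ALTERNATE_DATA:
            streams[name] = data
        elif stream_id == BACKUP_SECURITY_DATA:
            streams["<security>"] = data
        # Other stream types (EA, object id, reparse, sparse) are skipped here.
    return streams


def parse_zone_identifier(data: bytes) -> dict:
    """Turn a Zone.Identifier stream ('[ZoneTransfer]' ini text) into a dict."""
    result = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def recover_resourcedata(blob: bytes, key: bytes) -> dict:
    """Decrypt a ResourceData file and return its streams by name."""
    return parse_backupread_streams(rc4(key, blob))


# --- constructed sample, NOT real quarantine data ---------------------------
def _stream(stream_id: int, name: str, data: bytes) -> bytes:
    name_bytes = name.encode("utf-16-le")
    return STREAM_HEADER.pack(stream_id, 0, len(data), len(name_bytes)) + name_bytes + data


CONSTRUCTED_KEY = bytes(range(1, 33))  # placeholder key, not Defender's
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # stand-in for an EXE
ZONE_ID = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/tool.exe\r\n"
SAMPLE_RESOURCEDATA = rc4(
    CONSTRUCTED_KEY,
    _stream(BACKUP_SECURITY_DATA, "", b"\x01\x00\x04\x80" + b"\x00" * 16)  # fake SD
    + _stream(BACKUP_DATA, "", PAYLOAD)
    + _stream(BACKUP_ALTERNATE_DATA, ":Zone.Identifier:$DATA", ZONE_ID),
)

if __name__ == "__main__":
    streams = recover_resourcedata(SAMPLE_RESOURCEDATA, CONSTRUCTED_KEY)
    print("main stream starts with", streams[""][:2])
    print("zone info:", parse_zone_identifier(streams[":Zone.Identifier:$DATA"]))
```

The walk stops as soon as fewer than 20 bytes remain, so a truncated ResourceData file yields whatever complete streams precede the truncation rather than an exception; in an investigation you would also want to compare the recovered main stream against the Size recorded in its header to spot partial writes.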
While reversing parts of mpengine.dll, we came across an interesting-looking call in the HandleThreatDetection function. We appreciate that threats must be dealt with swiftly and with the utmost discipline, but could not help but laugh at the curious choice of words when it came to naming this particular function.
Figure 11: A function call to SendThreatToCamp, a 'call' to action that seems pretty harsh.
Implementing our findings into Dissect
We now have all structure definitions that we need to recover all metadata and quarantined files from the quarantine folder. There is only one step left: writing an implementation.
During incident response, we do not want to rely on scripts scattered across home directories and git repositories. This is why we integrate our research into Dissect.
We can leave all the boring stuff of parsing disks, volumes and evidence containers to Dissect, and write our implementation as a plugin to the framework. Thus, the only thing we need to do is parse the artefacts and feed the results back into the framework.
The dive into Windows Defender of the previous sections resulted in a number of structure definitions that we need to recover data from the Windows Defender quarantine folder. When making an implementation, we want our code to reflect these structure definitions as closely as possible, to make our code both readable and verifiable. This is where dissect.cstruct comes in. It can parse structure definitions and make them available in your Python code. This removes a lot of boilerplate code for parsing structures and greatly enhances the readability of your parser. Let's review how easily we can parse a QuarantineEntry file using dissect.cstruct:
As you can see, when the structure format is known, parsing it is trivial using dissect.cstruct. The only caveat is that the QuarantineEntryFileHeader, QuarantineEntrySection1 and QuarantineEntrySection2 structures are individually encrypted using the hardcoded RC4 key. Because only the size of QuarantineEntryFileHeader is static (60 bytes), we parse that first and use the information contained in it to decrypt the other sections.
To parse the individual fields contained within the QuarantineEntryResource, we have to do a bit more work. We cannot add the QuarantineEntryResourceField directly to the QuarantineEntryResource structure definition within dissect.cstruct, as it currently does not support the type of alignment used by Windows Defender. However, it does support the QuarantineEntryResourceField structure definition, so all we have to do is follow the alignment logic that we saw in IDA:
We can use dissect.cstruct's dumpstruct function to visualize our parsing to verify if we are correctly loading in all data:
And just like that, our parsing is done. Utilizing dissect.cstruct makes parsing structures much easier to understand and implement. This also facilitates rapid iteration: we have altered our structure definitions dozens of times during our research, which would have been pure pain without having the ability to blindly copy-paste structure definitions into our Python editor of choice.
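The per-section RC4 caveat described above, as an added Python example that is not the Fox-IT/Dissect plugin code: the fixed 60-byte QuarantineEntryFileHeader is decrypted on its own, its section sizes are read, and each section is then decrypted with a fresh RC4 keystream. The header field layout, the magic value and the RC4 key are placeholders chosen for this example (the real layout and key are in the Dissect plugin), and the standard library's struct module stands in for dissect.cstruct.

```python
import struct
from typing import Dict

HEADER_SIZE = 60  # from the write-up: only the QuarantineEntryFileHeader size is static

# PLACEHOLDER key: the hardcoded key used by Defender is deliberately not
# reproduced here; any key works for the round trip below.
PLACEHOLDER_RC4_KEY = bytes(range(1, 17))

# ASSUMED, simplified 60-byte header layout: magic, the sizes of the two
# following sections, and reserved bytes. The real definition is in the plugin.
HEADER_FMT = "<4sII48s"
PLACEHOLDER_MAGIC = b"QEXM"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_quarantine_entry(blob: bytes, key: bytes = PLACEHOLDER_RC4_KEY) -> Dict[str, bytes]:
    """Decrypt the header first, then each section with its own RC4 keystream."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the fixed 60-byte header")
    # Step 1: the header is the only part with a static size, so it is decrypted alone.
    header = rc4(key, blob[:HEADER_SIZE])
    magic, s1_size, s2_size, _reserved = struct.unpack(HEADER_FMT, header)
    if magic != PLACEHOLDER_MAGIC:
        raise ValueError("unexpected magic: wrong key or not a QuarantineEntry file")
    # Step 2: the header tells us where Section1 and Section2 start and end.
    off = HEADER_SIZE
    if off + s1_size + s2_size != len(blob):
        raise ValueError("section sizes in header do not match file length")
    # Step 3: every section is encrypted individually, i.e. the keystream restarts
    # for each one. A single RC4 pass over the whole file would only recover
    # the header correctly and turn both sections into garbage.
    section1 = rc4(key, blob[off:off + s1_size])
    off += s1_size
    section2 = rc4(key, blob[off:off + s2_size])
    return {"Magic": magic, "Section1": section1, "Section2": section2}


def build_quarantine_entry(section1: bytes, section2: bytes,
                           key: bytes = PLACEHOLDER_RC4_KEY) -> bytes:
    """Build a test file the same way: header and each section encrypted separately."""
    header = struct.pack(HEADER_FMT, PLACEHOLDER_MAGIC, len(section1), len(section2), b"\x00" * 48)
    return rc4(key, header) + rc4(key, section1) + rc4(key, section2)


def naive_single_pass(blob: bytes, key: bytes = PLACEHOLDER_RC4_KEY) -> bytes:
    """The wrong approach, kept for comparison: one keystream over the whole file."""
    return rc4(key, blob)


if __name__ == "__main__":
    # Constructed sample content standing in for the two metadata sections.
    entry = build_quarantine_entry(b"section1: detection metadata",
                                   b"section2: C:\\Users\\demo\\sample.exe")
    parsed = parse_quarantine_entry(entry)
    print(parsed["Section1"], parsed["Section2"])
```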
Implementing the parser within the Dissect framework brings great advantages. We do not have to worry at all about the format in which the forensic evidence is provided. Implementing the Defender recovery as a Dissect plugin means it just works on standard forensic evidence formats such as E01 or ASDF, or against forensic packages the like of KAPE and Acquire, and even on a live virtual machine:
The full implementation of Windows Defender quarantine recovery can be found on GitHub.
Conclusion
We hope to have shown that there can be great benefits to reverse engineering the internals of Microsoft Windows to discover forensic artifacts. By reverse engineering mpengine.dll, we were able to further understand how Windows Defender places detected files into quarantine. We could then use this knowledge to discover (meta)data that was previously not fully documented or understood. The main results of this are the recovery of more information about the original quarantined file, such as various timestamps and additional NTFS data streams, like the Zone.Identifier, which is information that can be useful in digital forensics or incident response investigations.
The documentation of QuarantineEntryResourceField was not available prior to this research and we hope others can use this to further investigate which fields are yet to be discovered. We have also documented how the BackupRead functionality is used by Defender to preserve the different data streams present in the NTFS file, including the Zone Identifier and Security Descriptor.
When writing our parser, using dissect.cstruct allowed us to integrate our reverse engineering findings tightly into the parsing code, enhancing its readability and verifiability. This can in turn help others pivot off of our research, just like we did when pivoting off of the research of others into the Windows Defender quarantine folder.
This research has been implemented as a plugin for the Dissect framework. This means that our parser can operate independently of the type of evidence it is being run against. This functionality has been added to dissect.target as of January 2nd 2023 and is installed with Dissect as of version 3.4.
Security information and event management (SIEM) tooling allows security teams to collect and analyse logs from a wide variety of sources. In turn this is used to detect and handle incidents. Evidently it is important to ensure that the log ingestion is complete and uninterrupted. Luckily SIEMs offer out-of-the-box solutions and/or capabilities to create custom health monitoring. In this blog post we will take a look at the health monitoring capabilities for log ingestion in Microsoft Sentinel.
Microsoft Sentinel
Microsoft Sentinel is the cloud-native Security information and event management (SIEM) and Security orchestration, automation, and response (SOAR) solution provided by Microsoft. It provides intelligent security analytics and threat intelligence across the enterprise, offering a single solution for alert detection, threat visibility, proactive hunting, and threat response. As a cloud-native solution, it can easily scale to accommodate the growing security needs of an organization and alleviate the cost of maintaining your own infrastructure.
Microsoft Sentinel uses Data Connectors to handle log ingestion. It comes with out-of-the-box connectors for Microsoft services; these are the service-to-service connectors. Additionally, there are many built-in connectors for third-party services, which use Syslog, Common Event Format (CEF) or REST APIs to connect the data sources to Microsoft Sentinel.
Besides logs from Microsoft services and third-party services, Sentinel can also collect logs from Azure VMs and non-Azure VMs. The log collection is done via the Azure Monitor Agent (AMA) or the Log Analytics Agent (MMA). As a brief aside, it's important to note that the Log Analytics Agent is on a deprecation path and won't be supported after August 31, 2024.
The state of the Data Connectors can be monitored with the out-of-the-box solutions or by creating a custom solution.
Microsoft provides two out-of-the-box features to perform health monitoring on the data connectors: The Data connectors health monitoring workbook & SentinelHealth data table.
Using the Data connectors health monitoring workbook
The Data collection health monitoring workbook is an out-of-the-box solution that provides insight regarding the log ingestion status, detection of anomalies and the health status of the Log Analytics agents.
The workbook consists of three tabs: Overview, Data collection anomalies & Agents info.
The Overview tab shows the general status of the log ingestion in the selected workspace. It contains data such as the Events per Second (EPS), data volume and time of the last log received. For the tab to function, the required Subscription and Workspace have to be selected at the top.
The Data collection anomalies tab provides info for detecting anomalies in the log ingestion process. Each tab in the view presents a specific table. The General tab is a collection of multiple tables.
We're given a few configuration options for the view:
AnomaliesTimeRange: Define the total time range for the anomaly detection.
SampleInterval: Define the time interval in which data is sampled in the defined time range. Each time sample gets an anomaly score, which is used for the detection.
PositiveAlertThreshold: Define the positive anomaly score threshold.
NegativeAlertThreshold: Define the negative anomaly score threshold.
The view itself contains the expected number of events, the actual number of events and the anomaly score per table. When a significant drop or rise in events is detected, further investigation is advised. The logic behind the view can also be re-used to set up alerting when a certain threshold is exceeded.
The Agent info tab contains information about the health of the AMA and MMA agents installed on your Azure and non-Azure machines. The view allows you to monitor System location, Heartbeat status and latency, Available memory and disk space & Agent operations. There are two tabs in the view to choose between Azure machines only and all machines.
You can find the workbook under Microsoft Sentinel > Workbooks > Templates, then type Data collection health monitoring in the search field. Click View Template to open the workbook. If you plan on using the workbook frequently, hit the Save button so it shows up under My Workbooks.
The SentinelHealth data table
The SentinelHealth data table provides information on the health of your Sentinel resources. The content of the table is not limited to only the data connectors, but also the health of your automation rules, playbooks and analytic rules. Given the scope of this blog post, we will focus solely on the data connector events.
Currently the table has support for the following data connectors:
Amazon Web Services (CloudTrail and S3)
Dynamics 365
Office 365
Microsoft Defender for Endpoint
Threat Intelligence – TAXII
Threat Intelligence Platforms
For the data connectors, there are two types of events: Data fetch status change & Data fetch failure summary.
The Data fetch status change events contain the status of the data fetching and additional information. The status is represented by Success or Failure and depending on the status, different additional information is given in the ExtendedProperties field:
For a Success, the field will contain the destination of the logs.
For a Failure, the field will contain an error message describing the failure. The content of this message depends on the failure type.
These events will be logged once an hour if the status is stable (i.e. the status doesn't change from Success to Failure and vice versa). Once a status change is detected it will be logged immediately.
The Data fetch failure summary events are logged once an hour, per connector, per workspace, with an aggregated failure summary. They are only logged when the connector has experienced polling errors during the given hour. The event itself contains additional information in the ExtendedProperties field, such as all the encountered failures and the time period for which the connector's source platform was queried.
Using the SentinelHealth data table
Before we can start using the SentinelHealth table, we first have to enable it. Go to Microsoft Sentinel > Settings > Settings tab > Auditing and health monitoring, press Enable to enable the health monitoring.
Once the SentinelHealth table contains data, we can start querying on it. Below you'll find some example queries to run.
List the latest failure per connector
SentinelHealth
| where TimeGenerated > ago(7d)
| where OperationName == "Data fetch status change"
| where Status == "Failure"
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId
Connector status change from Failure to Success
let success_status = SentinelHealth
| where TimeGenerated > ago(1d)
| where OperationName == "Data fetch status change"
| where Status == "Success"
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
let failure_status = SentinelHealth
| where TimeGenerated > ago(1d)
| where OperationName == "Data fetch status change"
| where Status == "Failure"
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
success_status
| join kind=inner (failure_status) on SentinelResourceName, SentinelResourceId
| where TimeGenerated > TimeGenerated1
Connector status change from Success to Failure
let success_status = SentinelHealth
| where TimeGenerated > ago(1d)
| where OperationName == "Data fetch status change"
| where Status == "Success"
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
let failure_status = SentinelHealth
| where TimeGenerated > ago(1d)
| where OperationName == "Data fetch status change"
| where Status == "Failure"
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
success_status
| join kind=inner (failure_status) on SentinelResourceName, SentinelResourceId
| where TimeGenerated < TimeGenerated1 // latest Success (left) is older than latest Failure (right, TimeGenerated1)
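The transition logic of the SentinelHealth queries above, as an added Python example that is not part of the original post: it runs the same "latest Success versus latest Failure per connector" comparison over constructed SentinelHealth-style rows, so the Failure-to-Success and Success-to-Failure verdicts can be checked offline. Column names follow the queries; the connectors, timestamps and error messages are made up.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Reference time for the constructed sample, standing in for KQL's now().
NOW = datetime(2024, 5, 6, 12, 0, 0)


def _row(hours_ago: float, status: str, name: str, rid: str, detail: str) -> dict:
    """Build one SentinelHealth-like 'Data fetch status change' row (constructed data)."""
    # ExtendedProperties carries the log destination on Success, an error on Failure.
    prop = "Destination" if status == "Success" else "ErrorMessage"
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "OperationName": "Data fetch status change",
        "Status": status,
        "SentinelResourceName": name,
        "SentinelResourceId": rid,
        "ExtendedProperties": {prop: detail},
    }


# Constructed rows: stable connectors log one row per hour, a change is logged at once.
SAMPLE_ROWS: List[dict] = [
    # Office 365: stable, Success every hour (only a few rows shown).
    _row(3, "Success", "Office365", "/sub/rg/o365", "LA workspace"),
    _row(2, "Success", "Office365", "/sub/rg/o365", "LA workspace"),
    _row(1, "Success", "Office365", "/sub/rg/o365", "LA workspace"),
    # AWS S3: was fine, then started failing -> Success to Failure.
    _row(20, "Success", "AWS S3", "/sub/rg/aws", "LA workspace"),
    _row(4, "Failure", "AWS S3", "/sub/rg/aws", "AccessDenied on ListObjects"),
    _row(3, "Failure", "AWS S3", "/sub/rg/aws", "AccessDenied on ListObjects"),
    # MDE: failed earlier, then recovered -> Failure to Success.
    _row(18, "Failure", "MDE", "/sub/rg/mde", "HTTP 429 from source API"),
    _row(2, "Success", "MDE", "/sub/rg/mde", "LA workspace"),
    # TAXII: its last Success is 30h old and falls outside ago(1d).
    _row(30, "Success", "TAXII", "/sub/rg/taxii", "LA workspace"),
    _row(6, "Failure", "TAXII", "/sub/rg/taxii", "TLS handshake failed"),
]

Key = Tuple[str, str]  # (SentinelResourceName, SentinelResourceId)


def latest_by_status(rows: List[dict], status: str, since: datetime) -> Dict[Key, dict]:
    """Equivalent of: where TimeGenerated > since | where Status == status
    | summarize arg_max(TimeGenerated, *) by SentinelResourceName, SentinelResourceId"""
    latest: Dict[Key, dict] = {}
    for r in rows:
        if r["OperationName"] != "Data fetch status change":
            continue
        if r["Status"] != status or r["TimeGenerated"] <= since:
            continue
        key = (r["SentinelResourceName"], r["SentinelResourceId"])
        if key not in latest or r["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = r
    return latest


def classify_connectors(rows: List[dict], now: datetime = NOW,
                        lookback: timedelta = timedelta(days=1)) -> Dict[str, str]:
    """Per connector: which transition (if any) the two summarized statuses imply."""
    since = now - lookback
    success = latest_by_status(rows, "Success", since)
    failure = latest_by_status(rows, "Failure", since)
    verdict: Dict[str, str] = {}
    for key in set(success) | set(failure):
        s, f = success.get(key), failure.get(key)
        if s and f:
            # The inner join of the KQL queries: left TimeGenerated is the latest
            # Success, right TimeGenerated1 is the latest Failure.
            if s["TimeGenerated"] > f["TimeGenerated"]:
                verdict[key[0]] = "Failure->Success"
            else:
                verdict[key[0]] = "Success->Failure"
        elif f:
            verdict[key[0]] = "Failure (no Success in window)"
        else:
            verdict[key[0]] = "Success (stable)"
    return verdict


def latest_failures(rows: List[dict], now: datetime = NOW,
                    lookback: timedelta = timedelta(days=7)) -> Dict[str, str]:
    """'List the latest failure per connector': connector name -> latest error message."""
    since = now - lookback
    return {key[0]: r["ExtendedProperties"]["ErrorMessage"]
            for key, r in latest_by_status(rows, "Failure", since).items()}


if __name__ == "__main__":
    for name, state in sorted(classify_connectors(SAMPLE_ROWS).items()):
        print(f"{name:10} {state}")
```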
Custom Solutions
With the help of built-in Azure features and KQL queries, there is the possibility to create custom solutions. The idea is to create a KQL query and then have it executed by an Azure feature, such as Azure Monitor, Azure Logic Apps or as a Sentinel Analytics Rule. Below you'll find two examples of custom solutions.
Log Analytics Alert
For the first example, we'll set up an alert in the Log Analytics workspace that Sentinel is running on. The alert logic will run on a recurring basis and alert the necessary people when it is triggered. For starters, we'll go to the Log Analytics Workspace and start the creation of a new alert.
Select Custom log search for the signal and we'll use the Connector status change from Success to Failure query example as logic.
Set both the aggregation and evaluation period to 1hr, so it doesn't incur a high monthly cost. Next, attach an email Action Group to the alert, so the necessary people are informed of the failure.
Lastly, give the alert a severity level, name and description to finish off.
Logic App Teams Notification
For the second example, we'll create a Logic App that will send an overview via Teams of all the tables with an anomalous score.
For starters, we'll create a logic app and create a Workflow inside the logic app.
Inside the Workflow, we'll design the logic for the Teams Notification. We'll start off with a Recurrence trigger. Define an interval on which you'd like to receive notifications. In the example, an interval of two days was chosen.
Next, we'll add the Run query and visualize results action. In this action, we have to define the Subscription, Resource Group, Resource Type, Resource Name, Query, Time Range and Chart Type. Define the first parameters to select your Log Analytics Workspace and then use the following query. The query is based on the logic from the Data Connector Workbook. It looks back on the data of the past two weeks with an interval of one day per data sample. If needed, the time period and interval can be increased or decreased. The UpperThreshold and LowerThreshold parameters can be adapted to make the detection more or less sensitive.
let UpperThreshold = 5.0; // Upper Anomaly threshold score
let LowerThreshold = -5.0; // Lower anomaly threshold score
let TableIgnoreList = dynamic(['SecurityAlert', 'BehaviorAnalytics', 'SecurityBaseline', 'ProtectionStatus']); // select tables you want to EXCLUDE from the results
union withsource=TableName1 *
| make-series count() on TimeGenerated from ago(14d) to now() step 1d by TableName1
| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)
| where anomalies[-1] == 1 or anomalies[-1] == -1
| extend Score = score[-1]
| where Score >= UpperThreshold or Score <= LowerThreshold
| where TableName1 !in (TableIgnoreList)
| project TableName=TableName1, ExpectedCount=round(todouble(baseline[-1]),1), ActualCount=round(todouble(count_[-1]),1), AnomalyScore = round(todouble(score[-1]),1)
Lastly, define the Time Range and Chart Type parameter. For Time Range pick Set in query and for Chart Type pick Html Table.
Now that the execution of the query is defined, we can define the sending of a Teams message. Select the Post message in a chat or channel action and configure the action to send the body of the query to a channel/person as Flowbot.
Once the Teams action is defined, the logic app is completed. When the logic app runs, you should expect an output similar to the image below. The parameters in the table can be analysed to detect Data Connector issues.
Conclusion
In conclusion, as stated in the intro, monitoring the health of data connectors is a critical part of ensuring an uninterrupted log ingestion process into the SIEM. Microsoft Sentinel offers great capabilities for monitoring the health of data connectors, thus enabling security teams to ensure the smooth functioning of log ingestion processes and promptly address any issues that may arise. The combination of the two out-of-the-box solutions and the flexibility to create custom monitoring solutions, makes Microsoft Sentinel a comprehensive and adaptable choice for managing and monitoring security events.
Frederik Meutermans
Frederik is a Senior Security Consultant in the Cloud Security Team. He specializes in the Microsoft Azure cloud stack, with a special focus on cloud security monitoring. He mainly has experience as security analyst and security monitoring engineer.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-27 to 2023-12-04.
News
About the security content of iOS 17.1.2 and iPadOS 17.1.2. Two WebKit vulnerabilities may have been exploited in the wild. Not to be outdone, Chrome patched their sixth 0day this year. Browsers are where the data is and the most frequent way users execute untrusted code, so it's where the high value exploitation is as well.
O365 Phishing infrastructure. "Last year, mails sent by Dev Tenants got immediately flagged, but something changed." Oh boy. If there isn't a fix for this soon it will be abused.
We Hacked Ourselves With DNS Rebinding. A very neat use case for DNS rebinding, which is often a theoretical attack. I also like that the author didn't stop investigating when the change to IMDSv2 was made, which prevented the outcome but didn't solve the original "vulnerability."
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
windiff - Web-based tool that allows comparing symbol, type and syscall information of Microsoft Windows binaries across different versions of the OS.
PySQLRecon - Offensive MSSQL toolkit written in Python, based off SQLRecon.
Kerberos.NET - A Kerberos implementation built entirely in managed code.
Scudo is a C++ class that encrypts and dynamically executes functions. This open-source repository offers a concise solution for securing and executing encrypted functions in your codebase.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
This post is cross-posted on SIXGEN's blog.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-13 to 2023-11-29.
lateralus (CVE-2023-32407) - a macOS TCC bypass - A macOS TCC bypass by exploiting a bug in the Metal framework's handling of the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable, allowing attackers to control file paths and potentially overwrite sensitive files, leading to a $30,500 bounty from Apple, who promptly addressed the issue and removed the problematic environment variable. POC. Want more TCC bypasses? sqlol (CVE-2023-32422) - a macOS TCC bypass also dropped last week.
Executing from Memory Using ActiveMQ CVE-2023-46604 - Bypass current detections of existing PoCs. This post discusses the exploitation of the ActiveMQ CVE-2023-46604 by executing Nashorn JavaScript from memory.
Low-Level Process Hunting on macos - This post discusses low-level process hunting on macOS, emphasizing the importance of understanding parent/child relationships and the nuances of process creation using fork, exec, and their combination. Decent read for those starting out macOS development.
Okta for Red Teamers – Perimeter Edition - Identifying Okta portals, phishing infrastructure, hosting considerations, Evilginx phishlet setup, distributing phishing links, replaying captured session cookies, and evading Okta's behavioral detection policies. So much fuego in this one 🔥
Mockingjay revisited - Process stomping and loading beacon with sRDI - "...a variation of hasherezade's Process Overwriting and it has the advantage of writing a shellcode payload on a targeted section instead of writing a whole PE payload over the hosting process address space."
A "deep dive" in Cert Publishers Group - Members of Cert Publishers can add a malicious Certification Authority, potentially leading to trusted certificates for various malicious activities.
A Touch of Pwn - Part I - Vulnerabilities in the fingerprint sensors of Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X/8 leading to auth bypass. Surprisingly, the Microsoft Surface was the worst of the bunch, despite the research being funded by Microsoft!
Fun with another PG-compliant Hook - The article describes a technique for hooking SYSCALL in a PG-compliant manner using Event Tracing for Windows (ETW) and the HalPrivateDispatchTable. Useful for your next Windows rootkit.
Kerbeus-BOF - BOF for Kerberos abuse (an implementation of some important features of the Rubeus).
LocklessBof - A Beacon Object File (BOF) implementation of Lockless by HarmJ0y, designed to enumerate open file handles and facilitate the fileless download of locked files.
LyinEagle - BETA C2 server that uses the legitimate FIN7 Griffon JScript as its implant.
badgerDAPS - Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.
AI Exploits - A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities.
ProcessStomping - A variation of ProcessOverwriting to execute shellcode on an executable's section.
DumpS1.ps1 - Uses a CoSetProxyBlanket to call the dump function in SentinelAgent.exe to dump a PID to disk. Requires local admin. Love the traitorware aspect here.
waveterm - An open-source, cross-platform terminal for seamless workflows. Reminds me of an open source warp.
genpatch - genpatch is IDA plugin that generates a python script for patching binary.
faction - Pen Test Report Generation and Assessment Collaboration.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-06 to 2023-11-13.
The Triforce of Initial Access - Initial access TTPs based on phishing + gathering loot automatically. Check out Bobber in the tools section.
Abusing Slack for Offensive Operations: Part 2 - "Slack has followed the cookie storage blueprint used by browsers, like Google Chrome, making existing tooling and techniques adaptable for Slack exploitation." Easy to dump from memory on Windows, a bit more complicated on macOS.
Using SSL Certificates for Red Team Payloads - Interesting idea. "I found out that you could embed x.509 extensions into a certificate in the form of OIDs". You can use these x.509 extensions to inject your payload.
fastsync - Fast synchronization across networks using speedy compression, lots of parallelization and fast hashmaps for keeping track of things internally.
MAAS - Malware As A Service. This project describes a DevOps approach which leverages the CI/CD capabilities of gitlab to build a malware artifact generation pipeline.
.NetConfigLoader - List of .Net application signed by Microsoft that can be used to load a dll via a .config file (AppDomain Hijacking). Ideal for EDR/AV evasion and execution policy bypass.
Bloodhound_Community_Docker - Generator of docker-compose file to allow secure configurations and multi-deployment strategy.
CVE-Half-Day-Watcher - a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain.
GoSleepyCrypt - In-memory sleep encryption and heap encryption for Go applications through a shellcode function.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
the !CVE Program - The mission of the !CVE Program is to provide a common space for cybersecurity !vulnerabilities that are not acknowledged by vendors but still are serious security issues.
hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
RoastInTheMiddle - Roast in the Middle is a rough proof of concept (not attack-ready) that implements a man-in-the-middle ARP spoof to intercept AS-REQs to modify and replay to perform a Kerberoast or Sessionroast attack.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-24 to 2023-11-06.
Introducing HAR Sanitizer: secure HAR sharing - In response to the latest Okta breach, Cloudflare is recommending folks sanitize their HAR files to minimize attack surface. We wouldn't recommend sending anyone your HAR files, but this is a good response and idea for all using HAR files in your debugging workflow. I can think of a couple infosec vendors asking for HAR files for debugging. This was an interesting turn of events.
Phishing With Dynamite - Pretty nifty implementation of phishing users in accessing an environment you control via the browser. Similar to phishing with noVNC by Mr.d0x.
Data-Bouncing - The art of indirect exfiltration. - "....by directing web requests to certain domains that process hostnames in headers, you can relay small pieces of data to your DNS listener, allowing you to collect and reconstruct data, be it strings, files, or anything else." Using web requests to "font" a DNS request. Good to get data out of restrictive network - slowly.
GhostTask - Create/modify scheduled tasks directly in the registry to avoid event logs and alerts.
LdrLockLiberator - A collection of techniques for escaping or otherwise forgoing Loader Lock while executing your code from DllMain.
Kernel_VADInjector - Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver.
maliciousCodeMatchingMFA - A small executable to trick a user to authenticate using code matching MFA.
PsMapExec - The cme saga continues. This project is in PowerShell and inspired by CrackMapExec.
cuddlephish - Weaponized Browser-in-the-Middle (BitM) for Penetration Testers.
pandora - A red team tool that assists into extracting/dumping master credentials and/or entries from different password managers.
WIP Mockingjay BOF Conversion - Cobalt Strike Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique.
LdrLibraryEx - A small x64 library to load dll's into memory.
ReleaseTheHounds - Tool to upload large datasets and interact with BloodHound CE API.
sshx - A secure web-based, collaborative terminal.
DayBird - Extension functionality for the NightHawk operator client.
porch-pirate - Porch Pirate is the most comprehensive recon / OSINT client and framework for Postman that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams. Porch Pirate can be used as a client or be incorporated into your own applications.
NerfDefender - BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
hashcathelper - Got some creds? Has a couple different modules. One allows operators to insert new relationships into an existing BloodHound database such as when users have the same password. Improve those screenshots!
postleaks - Search for sensitive data in Postman public library.
OffensiveGo - Looking to do some offensive dev in go? Start here. Notable golang tools at the bottom such as sliver and merlin.
Hijacking Someone Else's DCSync - Friendly reminder that your AADConnect servers are tier 0 assets. Pwn the AADConnect server -> wait for cloud takeoff -> catch hashes in flight.
PyMeta - Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
LME - Logging Made Easy (LME) is a free and open logging and protective monitoring solution serving all organizations. Good resource for a detection lab (RIP), but very manual setup.
Get-LoggedOn.py - Lookup logged in users using itm4n's session enum via registry.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-09 to 2023-10-23.
[PDF] Security Incident report [Internal Report]. "[the suspected compromised endpoint] was scanned with the free version of Malwarebytes, which reported no findings." I'm not sure what I'm more concerned about: the IR process at 1Password is to run free AV against the endpoint or that the CTO happily published that fact.
The Sky Has Not Yet Fallen - Curl (CVE-2023-38545). With the hype from the curl author himself ("Buckle up.") I was expecting more out of this bug. It's a pretty niche use case that is exploitable (client using a malicious proxy with curl). Here is the hackerone report.
(Un)Hooking, COWs and Meow Meow. When you modify ntdll in memory (i.e. hooking/unhooking), you really load a second copy into your process memory space.
NovaLdr - Threadless Module Stomping In Rust with some features.
WolfPack - WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale.
FalconHound - FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool.
GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API.
EvilSln - A New Exploitation Technique for Visual Studio Projects.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments.
CVE-2023-36723 - PoC for arbitrary directory creation bug in Windows Container Manager service.
tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems.
SMBLibrary - Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library.
realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
CoercedPotato - From Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-02 to 2023-10-09.
90s Vulns In 90s Software (Exim) - Is the Sky Falling? - "So, our advice is the usual - patch when you can, once patches are available (Exim have stated they will release patches at 12:00 UTC today, Monday 2nd October). But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe." Unless you have a Sophos Firewall, in which case you should patch ASAP.
MacOS "DirtyNIB" Vulnerability - It's possible to hijack the entitlements of Apple apps by swapping out the interface (NIB) file. This is currently unpatched, even on macOS 14.0. Weaponize this for camera/mic/keychain/file access once you get code execution. Or maybe even bundle it in with your dropper.
Launch and Environment Constraints Deep Dive. A great companion to the previous post that details what Launch and Environment Constraints are and what kind of bugs they hamper.
Solving The "Unhooking" Problem - Unhooking gets complicated when the user can run arbitrary code (BOF/C#) that may load libraries without the protection of the C2 agent. Outflank presents their solution to this issue - visibility, automation, and on-demand unhooking.
Sliver and Cursed Chrome for Post Exploitation - With sensitive information moving to SaaS and other browser based apps, being able to operate as a compromised user in the context of their browser is essential for modern red teams.
Cobalt Strike Aggressor Callbacks - Shows how to use the new callbacks feature of Cobalt Strike 4.9. Much better than setting global flags and parsing all beacon output in a timer function which is what we had to do before.
linWinPwn - Bash script that automates a number of Active Directory enumeration and vulnerability checks. Will be interesting if they keep up with this project. It is also an interesting new project because it uses the new NetExec. Will other tools do the same?
LatLoader - PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
sccmhunter v.0.0.2 - Updated Admin Module - SCCM is the gift that keeps on giving. This is a new easy way to execute commands on managed machines (Administration Service API).
archive_pwn - A Python-based tool to create zip, tar and cpio archives to exploit common archive library issues and developer mistakes. Blog Post.
SmmBackdoorNg - Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Kerberos 102 - Overview. Three-part blog series on Kerberos, delegation, and cross-realm. You can never read enough about Kerberos.
ted_api - TED is a limited general purpose reverse engineering API, and hybrid debugger, that allows for inspection and modification of a program's inner workings. TED carries out its functionality by being injected into a target process and starting a gRPC server, which clients can then connect to.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-19 to 2023-10-03.
JA4+ Network Fingerprinting. The evolution of the JA3, JA3S, and JARM fingerprints. Break out Cloak to blend in. You're proxying your C2 traffic via legitimate web servers to blend in already, right?
Summiting the Pyramid: Level Up Your Analytics. New methodology for detection engineering. "...This methodology shifts the advantage to defenders, even as adversaries evolve, and allows us to change the game on the adversary."
SCCM Hierarchy Takeover. "...if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy." SCCM has been a huge area of domain privilege escalation on recent assessments. Due to its complexity, I wager that more attacks will come out of it in the coming months.
Home Grown Red Team: LNK Phishing Revisited In 2023. Threat actors are using LNKs with some truly gross command lines to great effect. This post has some alternative techniques for LNK-based initial access.
ExtractBitlockerKeys - Post-ex script to automatically extract the BitLocker recovery keys from a domain.
transitiveObjectControl.py - Given transitive object control: output info on last hop, chain length, and type.
MaldevAcademyLdr.1 - The team at Maldev Academy drop their first "openly released" loader.
LOLBins - LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) is a project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion, presented in a graphical and digestible format for TIP platforms using the STIX format.
proxy_calls - Proof of Concept - Custom Call Stack for LoadLibrary with TrySubmitThreadpoolCallback/TpSimpleTryPost.
LDAPWordlistHarvester - A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
REC2 - New rust-based C2 (Yes another C2). Uses VirusTotal and Mastodon APIs.
HeaderLessPE - A memory PE loading technique using HVNC.
CVE-2023-29357 - Patched June 2023, but... Microsoft SharePoint Server privilege escalation.
JonMon - @jsecurity101 with a tool drop for defenders/attackers. "...collection of open-source telemetry sensors designed to provide users with visibility into the operations and activity of their Windows systems". Add this to your maldev boxes to see what defenders could be collecting on your actions.
AD_Miner - Use your existing Neo4j DB to find some quick wins (may not work well against large environments based on our testing).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Windows Hook Events. Short read by Mr. Yosifovich. Discusses the SetWinEventHook API in Windows for intercepting and processing user interface-related events.
haylxon. Gowitness replacement? Blazing-fast tool to grab screenshots of your domain list right from the terminal.
graftcp. A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
VcenterKit. vCenter Comprehensive Penetration and Exploitation Toolkit.