Last Week in Security (LWiS) - 2020-07-13

VBA macro static analysis defeats by @gabriele_pippi, anti-RE VBS tricks from @Laughing_Mantis, EDR telemetry redirection techniques by @Jackson_T, Google open sources their Tsunami security scanning engine from @slekies and team, an index of Windows binaries from @m417z, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-06 to 2020-07-13. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files. The PathCchCanonicalize function strikes again, this time when opening a CAB file or installing a printer. In the case of the printer, arbitrary file write (and therefore remote code execution) is achieved as SYSTEM. No public proofs of concept exist yet, but there is enough detail in the post to craft your own.
  • Incoming .NET SQLClient introduces a .NET MSSQL client that can be used with any in-memory .NET loader (e.g. Cobalt Strike's execute-assembly) for use during post-exploitation activities. [TA0009 Collection]
  • tsunami-security-scanner is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence from Google. This scanner and nuclei are recent open source competitors to Tenable's Nessus.
  • SNOWCRASH creates a script that can be launched on both Linux and Windows machines. The payload selected by the user (in this case combined Bash and PowerShell code) is embedded into a single platform-agnostic polyglot template. I could see this being used for a cross-platform stage 1 payload against cross-platform target applications (e.g. Apache Struts). [T1059 Command and Scripting Interpreter]
  • VBA-Stendhal injects encrypted commands into EMF shapes for C2 in VBA/Office malware. This is really cool Macro/VBA work by @Laughing_Mantis, and you can read more about how the technique works here. [T1562 Impair Defenses]
  • CreateFile_based_rootkit - Windows' DOS origins rear their ugly head once again with a bug where NtCreateFile can access directories with strange names like " ." but CreateFile cannot; it returns " " instead. This could prove useful if EDR tools rely on CreateFile, and it also hides directories from explorer.exe and cmd.exe. [T1562 Impair Defenses]
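A defender-side check for the CreateFile/NtCreateFile mismatch described above, as an added example that is not part of the CreateFile_based_rootkit project or the original post. It assumes the Win32 layer normalizes a path component by stripping trailing spaces and periods, so any raw directory name that changes under that rule (taken from a native-layer enumeration or a forensic image) is one that Win32-based tools cannot address verbatim.

```python
# Added example, not from the CreateFile_based_rootkit project.
# Assumption: Win32 path normalization strips trailing spaces and periods
# from each path component; a raw name that changes under this rule can be
# opened through NtCreateFile but not addressed verbatim through CreateFile.
from typing import Iterable


def win32_normalize(name: str) -> str:
    """Approximate Win32 normalization of a single path component."""
    return name.rstrip(" .")


def unreachable_from_win32(raw_names: Iterable[str]) -> list[str]:
    """Return raw directory names that a Win32 caller cannot reach verbatim.

    Feed this a listing captured below the Win32 layer (e.g. from a forensic
    image or a native-API enumeration) to spot entries that Explorer and cmd.exe
    would silently misreport.
    """
    flagged = []
    for raw in raw_names:
        if win32_normalize(raw) != raw:
            flagged.append(raw)
    return flagged


# Constructed sample listing, as a native-layer enumeration might return it.
SAMPLE_LISTING = ["Windows", "Program Files", " .", "updates.", "cache ", "normal.dir"]

if __name__ == "__main__":
    for name in unreachable_from_win32(SAMPLE_LISTING):
        print(f"suspicious directory name {name!r}: Win32 would see {win32_normalize(name)!r}")
```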

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IntelOwl - analyze files, domains, IPs in multiple ways from a single API at scale.
  • freenom.com is a free domain registrar for .tk, .ml, .ga, .cf, and .gq domains. This could be useful for bug bounties or other engagements.
  • CFB is a distributed tool for capturing I/O request packets (IRPs) sent to any Windows driver. This is very useful for driver reverse engineering and fuzzing. Check out the examples here.

This post is cross-posted on SIXGEN's blog.