Last Week in Security (LWiS) - 2020-07-13
VBA macro static analysis defeats by @gabriele_pippi, anti-RE VBS tricks from @Laughing_Mantis, EDR telemetry redirection techniques by @Jackson_T, Google open sources their Tsunami security scanning engine from @slekies and team, an index of Windows binaries from @m417z, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-06 to 2020-07-13. MITRE ATT&CK techniques are in brackets where appropriate.
News
- Mozilla suspends Firefox Send service while it addresses malware abuse. The popular end-to-end encrypted file transfer service is "temporarily" offline as Mozilla works to implement a better abuse reporting system. However, the code for Send is open source so you can run your own instance if you rely on the service. [T1204.001 User Execution: Malicious Link]
- From Exposure To Takeover: Part 1. Beg, Borrow, And Steal Your Way In. The number of stolen credentials has gone up 300% over the last two years. If you haven't enabled multi-factor authentication everywhere possible (bonus points for non-SMS) you should! [T1078 Valid Accounts]
- Toward trusted sensing for the cloud: Introducing Project Freta introduces a system to provide automated full-system volatile memory inspection of Linux systems. More information available in the documentation.
- Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902. Last week's F5/BIG-IP vulnerability and exploit got a lot of attention. This posts breaks down the root cause and may help you find similar issues, or just have a better understanding of what happened when someone asks.
Techniques
- Advanced VBA macros: bypassing olevba static analyses with 0 hits. In this post @gabriele_pippi shows multiple techniques to bypass static detection of VBA macros in Word and Excel documents. Reference this on your next phishing assessment to help get around pesky mail or file filters. [T1562 Impair Defenses]
- Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC. This post digs up nearly 20 year old research to come up with a novel process injection method for Windows that uses the clipboard to copy shellcode to the target process. Odzhan adds this new technique to their expansive library of injection techniques. [T1055 Process Injection]
- Restricting SMB-based lateral movement in a Windows environment. This is pure gold for blue teams or red teams writing remediation recommendations for SMB attacks. [T1021.002 Remote Services: SMB/Windows Admin Shares]
- Praetorian's Approach to Red Team Infrastructure. Praetorian takes a modern, "BeyondCorp" or "Zero Trust" approach to their red team infrastructure. I particularly like the use of hardware tokens for authentication in this reference architecture. If you are a red team, have you red-teamed your own infrastructure?
- How I was able to change victim’s password using IDN Homograph Attack. This is a "simple" yet effective technique that exploits a system's poor processing of internationalized domain name (IDN) homographs. The use of burp collaborator to exploit the issue is well done, and prevents the need to buy a domain.
- DLL Proxy Loading Your Favorite C# Implant. @Flangvik shows the full process of abusing DLL proxying to deploy persistence of arbitrary C# (or really any position independent executable/shellcode) using SharpDllProxy and donut. [T1574.002 Hijack Execution Flow: DLL Side-Loading]
- A Guide to Reversing and Evading EDRs: Parts 1-3. @Jackson_T delivers some seriously high quality research into the initial stages of setting up an EDR lab for research into evasion techniques, including diverting and inspecting the telemetry connections. If you have any interest in EDR evasion (I most certainly do), follow this series closely. [T1562 Impair Defenses]
- Introducing Winbindex - the Windows Binaries Index. @m417z indexed all Windows files which appear in Windows update packages, and created a website which allows to quickly view information about the files and download some of them from Microsoft servers. This will prove very useful to patch differs everywhere!
Tools and Exploits
- CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files. The PathCchCanonicalize function strikes again, this time when opening a CAB file or installing a printer. In the case of the printer, arbitrary file write (and therefore remote code execution) is achieved as SYSTEM. No public proof of concepts exist yet, but there is enough detail in the post to craft your own.
- Incoming .NET SQLClient introduces a .NET MSSQL client that can be used with any in-memory .NET loader (i.e. Cobalt Strike's execute-assembly) for use during post-exploitation activities. [TA0009 Collection]
- tsunami-security-scanner is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence from Google. This scanner and nuclei are recent open source competitors to Tenable's Nessus.
- SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payload selected by the user (in this case combined Bash and Powershell code) is embedded into a single polyglot template, which is platform-agnostic. I could see this being used for a cross-platform stage 1 payload against cross-platform target applications (i.e. Apache struts). [T1059 Command and Scripting Interpreter]
- VBA-Stendhal injects encrypted commands into EMF shapes for C2 in VBA/Office malware. This is really cool Macro/VBA work by @Laughing_Mantis, and you can read more about how the technique works here. [T1562 Impair Defenses]
- CreateFile_based_rootkit - Windows' DOS origins rears its ugly head once again with a bug where NtCreateFile can access directories with strange names like " ." but CreateFile cannot - it returns " " instead. This could prove useful if EDR tools use CreateFile, and also hides directories from explorer.exe and cmd.exe. [T1562 Impair Defenses]
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- IntelOwl - analyze files, domains, IPs in multiple ways from a single API at scale.
- freenom.com is a free domain registrar for .tk, .ml, .ga, .cf, and .gq domains. This could be useful for bug bounties or other engagements.
- CFB is a distributed tool for capturing I/O request packets (IRPs) sent to any Windows driver. This is very useful for driver reverse engineering and fuzzing. Check out the examples here.
This post is cross-posted on SIXGEN's blog.