Last Week in Security (LWiS) - 2020-07-20

Sophos XG 0day discovery by @ramoliks and @niph_, a D/Invoke primer by @_RastaMouse, EDR bypass via driver exploits by @matteomalvica, fooling facial recognition from @shawnshan26 and team, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-13 to 2020-07-20. MITRE ATT&CK techniques are in brackets where appropriate.



Tools and Exploits

  • capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Details on the FireEye blog.
  • project-citadel is a free & open source alternative project management tool that offers basic task tracking through a Kanban board (think Trello).
  • pwn-machine is a self-hosted solution based on Docker that aims to provide an easy-to-use pwning station for bug hunters. This is a first release, but it could become a very cool platform to help automate the backend work required to find interesting bugs. More information in this blog post.
  • McAfee Total Protection (MTP) < 16.0.R26 Escalation of Privilege (CVE-2020-7283). Another AV allows for local privilege escalation due to symlink mishandling and overly permissive permissions. [T1068 Exploitation for Privilege Escalation]
  • RequestAADRefreshToken obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user. More info on the SpecterOps blog.
  • RuralBishop is practically a carbon copy of UrbanBishop by b33f, but all P/Invoke calls have been replaced with D/Invoke.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

This post is cross-posted on SIXGEN's blog.