Last Week in Security (LWiS) - 2020-07-27

NTLM relaying via Citrix Workspace by @_EthicalChaos_, access the entire AD database via Exchange with a new tool from @_mohemiv, a new Go based C2/Agent from @paragonsec and team, phishing tips from @lorentzenman, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-20 to 2020-07-27. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • Boomerang is a tool to expose multiple internal servers to web/cloud. This project is in early stages, and has no authentication or encryption, but may provide a good base if you are looking to write your own tunneling agent with Go.
  • RpcSsImpersonator is a Windows privilege escalation exploit that takes an Administrator or Network Service account to SYSTEM.
  • Malwarebytes-Disabler injects shellcode into a malwarebytes process which allows a user to disable "Malware Protection" even if the Malwarebytes administrator has set a password to protect this setting from being changed. [T1562.001 Impair Defenses: Disable or Modify Tools]
  • SpaceRunner compiles a C# program that executes arbitrary PowerShell code without spawning a powershell.exe process, by hosting a PowerShell runspace in-process; it also includes AMSI patching. [T1562.006 Impair Defenses: Indicator Blocking]
  • KITT-O365-Tool is a tool designed to make working O365 Business Email Compromise investigations easier and more efficient for DFIR and SOC analysts by pairing the power of PowerShell cmdlets with the ease of use of a GUI.
  • DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. The DeimosC2 server and agents work on, and have been tested on, Windows, Darwin, and Linux. It is entirely written in Golang with a front end written in Vue.js. This is a very impressive 1.0 release!
  • vopono is a tool to run applications through VPN tunnels via temporary network namespaces. This allows you to run only a handful of applications through different VPNs simultaneously, whilst keeping your main connection as normal.
  • dazzleUP is a tool that detects privilege escalation vulnerabilities caused by misconfigurations and missing updates in Windows operating systems. It uses the Windows Update Agent API instead of WMI (which most similar tools use) when finding missing patches, and comes with a Cobalt Strike cna script. [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-15778 is a simple command injection in scp in OpenSSH through 8.3p1: backtick characters in the destination path are not sanitized, so the remote host's shell expands them. If you have scp access to a Linux host but no shell access, you just got shell access (as long as the remote side still hands the scp command to a shell, which is what performs the expansion).
  • Carbuncle is a tool for interacting with outlook interop during red team engagements; enumerate, read, monitor, and send email.
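The natural fix for the scp issue above, on accounts that are supposed to be scp-only, is to stop the client's request from ever reaching a shell. The following is an added example written for this post (it is not code from OpenSSH or from any project listed above): a minimal `ForceCommand` wrapper. sshd runs the forced command instead of whatever the client asked for and exposes the client's raw, unexpanded request in `SSH_ORIGINAL_COMMAND`, so the wrapper can validate it and `exec` scp directly, with no shell in between. The paths `/srv/upload`, `/usr/bin/scp` and `/usr/local/sbin/scp_only.py` are assumptions for illustration.

```python
"""scp_only.py: a ForceCommand wrapper that allows only scp into one directory.

Added example for the LWiS post, not OpenSSH code. Assumed sshd_config
(hypothetical user and path):

    Match User upload
        ForceCommand /usr/local/sbin/scp_only.py
        AllowTcpForwarding no
        X11Forwarding no

With ForceCommand in place sshd never runs the client's command through the
login shell, so backticks in a remote path (CVE-2020-15778) are never expanded;
this wrapper additionally refuses them outright and pins scp to ALLOWED_ROOT.
"""
import os
import re
import shlex
import sys
from typing import List, Optional

ALLOWED_ROOT = "/srv/upload"   # assumption: the only directory scp may touch
SCP_BINARY = "/usr/bin/scp"    # assumption: location of the server-side scp

# Characters that would be shell syntax if the path ever reached a shell. The
# wrapper execs scp without a shell, so rejecting them is defence in depth and
# keeps the set of accepted paths easy to audit.
_SHELL_META = re.compile(r"[`$;&|<>(){}\n\\'\"]")

# Options scp itself passes to the remote side in sink (-t) / source (-f) mode.
_ALLOWED_FLAGS = {"-t", "-f", "-r", "-p", "-d"}


def validate_scp_command(original_cmd: Optional[str],
                         allowed_root: str = ALLOWED_ROOT) -> Optional[List[str]]:
    """Return the argv to exec for an acceptable scp request, or None to refuse.

    Accepts only `scp [-r] [-p] [-d] (-t|-f) <path>` where <path> contains no
    shell metacharacters or '..' components and resolves under allowed_root.
    Relative paths are taken relative to allowed_root; absolute paths must
    already lie inside it.
    """
    if not original_cmd:
        return None                      # interactive shell request: refuse
    try:
        argv = shlex.split(original_cmd)  # quotes handled, backticks left verbatim
    except ValueError:
        return None                      # unbalanced quotes and similar
    if len(argv) < 3 or argv[0] != "scp":
        return None
    flags, path = argv[1:-1], argv[-1]
    if not all(f in _ALLOWED_FLAGS for f in flags):
        return None
    if ("-t" in flags) == ("-f" in flags):
        return None                      # exactly one of sink or source mode
    if _SHELL_META.search(path) or ".." in path.split("/"):
        return None
    # os.path.join discards allowed_root when path is absolute, so an absolute
    # path outside the root fails the containment check below.
    full = os.path.normpath(os.path.join(allowed_root, path))
    if full != allowed_root and not full.startswith(allowed_root + "/"):
        return None
    return [SCP_BINARY] + flags + [full]


def main() -> int:
    argv = validate_scp_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("This account only permits scp to %s\n" % ALLOWED_ROOT)
        return 1
    os.execv(argv[0], argv)              # no shell involved: nothing is re-expanded
    return 1                             # unreachable unless execv fails


if __name__ == "__main__":
    sys.exit(main())
```

Note that the wrapper only sees what the client sent: a request such as `scp -t /srv/upload/`id`` arrives with the backticks intact and is refused before anything executes, while a plain `scp -t report.txt` is rewritten to `/usr/bin/scp -t /srv/upload/report.txt` and exec'd directly.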

This post is cross-posted on SIXGEN's blog.