Last Week in Security (LWiS) - 2020-09-07

Remote SAM dumping in .NET by @G0ldenGunSec, Using Yara offensively by @_batsec_, Custom DLL injection in CobaltStrike by @tomcarver_, a C# Chrome cookie cloner from @buffaloverflow, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-31 to 2020-09-07.

News

Techniques

  • Pwning Windows Event Logging with YARA rules. This project allows for offensive operators to selectively mute logging using Yara rules in memory. It works by injecting a hook into the ETW event callback function and using Yara to scan the contents of every event to determine if it should be dropped or not. EvtMute contains all the code and example Yara rules.
  • Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes. AWS account-wide denial of service and enumeration is accessible by only having compromised a single, underprivileged pod in the cluster. The AWS accounts in question come by default when spinning up an EKS cluster. The post includes remediation steps to block the AWS metadata service access from pods to prevent this attack.
  • Abusing dynamic groups in Azure AD for privilege escalation. Putting AD in the cloud introduced new features, and new potential vulnerabilities, in this case the ability to abuse dynamic groups to access other accounts or modify attributes. If AD Connect Sync is in use, on-prem ADs can be affected as well.
  • So, You Got Access to a *nix system… Now What?. This quick post is a basic overview, but may contain a new script or command you didn't previously know about.
  • Custom DLL injection with Cobalt Strike's Beacon Object Files. Cobalt Strike is a great C2 platform, but the fact that it is popular means it will be detected without some work to modify it. In this post Tom Carver works through building a custom DLL injector using the new Beacon Object File spec from the 4.1 release.
  • WSUS Attacks Part 1: Introducing PyWSUS. Scary things happen when you can Man-in-the-middle connections. In this post, ARP spoofing is used to intercept and respond to a Windows update request which allows for arbitrary code execution as SYSTEM if the system is not using HTTPS for WSUS. Video here, code here.
  • living-off-the-land combines some tricks to achieve persistence with two registry writes (semi-hidden) and no files on disk.

Tools and Exploits

  • SharpSecDump is a .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user, but can use alternate credentials supplied on the command line. Note: this doesn't have DCSync functionality yet so no AD dumping - use SharpKatz for that.
  • SeasideBishop: A C port of b33f’s UrbanBishop shellcode injector. AV/EDR detecting your standard injection methods? Try this latest iteration of the *Bishop series which uses some tricks and APC queuing to inject shellcode into a process. Code here.
  • CVE-2020-7460: FreeBSD Kernel Privilege Escalation. A rare FreeBSD privilege escalation for any 64 bit kernel since 2014. PoC here.
  • TREVORspray is a featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API that can use SSH hosts to proxy requests.
  • vmpdump is yet another (this makes 3, see LWiS-2020-08-17) VMProtect deobfuscator.
  • Ubuntu ppp's CVE-2020-15704 wrap-up. On certain Ubuntu machines from 12.04 to 20.04 (KVM kernel builds) that don't have /dev/ppp, modprobe environment variables can be used for arbitrary file read.
  • Watchcom Security Group uncovers Cisco Jabber vulnerabilities. Cisco Jabber is often seen in enterprise environments for team collaboration and is another good example of how using Electron/Chromium based apps can turn a simple XSS into an RCE.
  • CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference. Google Project Zero drops this Windows privilege escalation (patched 2020-06-09) that was reported by Kaspersky Lab who found it being used in the wild.
  • chlonium is a C# application designed for cloning Chromium Cookies. The unique feature here is the utility to allow the easy importing of Chrome cookies into a second browser. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • wordlist_generator generates wordlists with unique words with techniques mentioned in tomnomnom's report "Who, What, Where, When". It takes URLs from gau and splits them to get words in URLs. Then it requests each URL to fetch all words. Finally, wordlist_generator removes from wordlist everything from "denylists" directory files to keep only unique words, which you can use for domain, directory, parameter, vhosts, etc bruteforcing.

This post is cross-posted on SIXGEN's blog.