Last Week in Security (LWiS) - 2020-09-21

Argument injection makes a comeback by @dozernz, persistence with the Dock in macOS by @_D00mfist, the nuclear option for unhooking by @winternl_t, DCOM lateral movement by @domchell, a better MitM by @HttpToolkit, owning Firefox on Android by @LukasStefanko, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-14 to 2020-09-21.

News

Techniques

  • Aruba Clearpass RCE (CVE-2020-7115). Argument injection is an under-appreciated bug class, but it is more powerful and more widespread than most researchers realize. In this case Daniel uses some nifty tricks to get a root reverse shell.
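Argument injection comes down to user input landing in an argv position where the called program treats it as an option. The following is an added example (not code from the write-up above): a hypothetical wrapper around `grep`, once in the injectable form and once hardened with `-e` (so the value is always read as the pattern) and `--` (end of options) so that a value beginning with a dash is never parsed as a flag. The sample file is constructed inline.

```python
import os
import subprocess
import tempfile


def make_sample() -> str:
    """Write a constructed sample file and return its path."""
    fd, path = tempfile.mkstemp(prefix="lwis-arginj-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("-v flag mentioned here\n")
        fh.write("other line\n")
    return path


def naive_grep(pattern: str, path: str) -> list[str]:
    """Injectable: a pattern such as '-v' is parsed by grep as an option,
    and the path then becomes the pattern. No shell is involved, which
    shows that list-form subprocess calls alone do not prevent this."""
    proc = subprocess.run(
        ["grep", pattern, path],
        capture_output=True,
        text=True,
        stdin=subprocess.DEVNULL,  # never block on stdin if grep falls back to it
    )
    return proc.stdout.splitlines()


def safe_grep(pattern: str, path: str) -> list[str]:
    """Hardened: -F treats the pattern as a fixed string, -e binds the
    next argv element to the pattern regardless of its first character,
    and -- terminates option parsing before the file operand."""
    proc = subprocess.run(
        ["grep", "-F", "-e", pattern, "--", path],
        capture_output=True,
        text=True,
        stdin=subprocess.DEVNULL,
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    sample = make_sample()
    try:
        print("naive :", naive_grep("-v", sample))
        print("safe  :", safe_grep("-v", sample))
    finally:
        os.unlink(sample)
```

The hardened form only works for programs that honour `--`; where the target does not (the post above is a reminder that many do not), the defensive options are strict allow-list validation of the value, or not passing user input as a command-line argument at all.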
  • Building a custom Mimikatz binary shows how red teamers can take open source tools, and modify the source code to bypass most static detections. You'll have to do some more work for advanced EDR detections based on dynamic or behavioral analysis.
  • Are You Docking Kidding Me? In this post, Leo Pitt shows how to persist via the macOS Dock, roughly the macOS equivalent of abusing LNK files on Windows. The post ends with a very thorough detection section.
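On the detection side, the Dock's persistent entries live in the user's `com.apple.dock.plist`, and an entry whose launch target points outside the usual application locations is worth a second look. The following is an added example, not code from the post above: a small Python check that parses a plist (a constructed sample is built inline with `plistlib`) and flags `persistent-apps` tiles whose `_CFURLString` is outside an assumed allow-list of directories. The allow-list and the "suspicious" sample path are assumptions for illustration.

```python
import plistlib
from typing import Iterable

# Assumed allow-list of where legitimate Dock app tiles normally point.
TRUSTED_PREFIXES = (
    "file:///Applications/",
    "file:///System/Applications/",
    "file:///System/Library/CoreServices/",
)


def dock_tile(label: str, url: str) -> dict:
    """Build a minimal persistent-apps tile in the layout the Dock writes."""
    return {
        "tile-data": {
            "file-label": label,
            "file-data": {"_CFURLString": url, "_CFURLStringType": 15},
        },
        "tile-type": "file-tile",
    }


def constructed_dock_plist() -> bytes:
    """A constructed com.apple.dock.plist: two normal tiles and one
    that launches from a user-writable location (sample value)."""
    dock = {
        "persistent-apps": [
            dock_tile("Safari", "file:///Applications/Safari.app/"),
            dock_tile("Terminal", "file:///System/Applications/Utilities/Terminal.app/"),
            dock_tile("Safari", "file:///Users/demo/Library/Caches/Safari.app/"),
        ]
    }
    return plistlib.dumps(dock)


def suspicious_tiles(plist_bytes: bytes,
                     trusted: Iterable[str] = TRUSTED_PREFIXES) -> list[tuple[str, str]]:
    """Return (label, url) for every persistent-apps tile whose target
    is outside the trusted prefixes. Tiles without file-data are skipped."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for tile in data.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        url = tile_data.get("file-data", {}).get("_CFURLString")
        if not url:
            continue
        if not any(url.startswith(p) for p in trusted):
            hits.append((tile_data.get("file-label", "?"), url))
    return hits


if __name__ == "__main__":
    # To run against a live Mac, read ~/Library/Preferences/com.apple.dock.plist
    # (after `killall cfprefsd` or via `defaults export com.apple.dock -`)
    # and pass the bytes instead of the constructed sample.
    for label, url in suspicious_tiles(constructed_dock_plist()):
        print(f"[!] Dock tile '{label}' launches from {url}")
```

The label check matters as much as the path: a tile named like a stock app but pointing into `~/Library` or `/tmp` is the pattern the post describes, so alerting on the pair (label, path) rather than on the path alone gives analysts the context they need.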
  • Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness. Beacon object files (BOFs) are a new capability in Cobalt Strike that allow for compiled code to run in the context of a beacon. This post introduces two exploits and a bunch of situational awareness BOFs to get you started.
  • Implementing Direct Syscalls Using Hell’s Gate. Instead of baking your syscall numbers into your binary (and having to keep a list of them for every OS), use the Hell's Gate technique (LWiS 2020-06-08) to determine them dynamically. PoC here.
  • MacOS Injection via Third-Party Frameworks. This is some great macOS research by Adam Chester that shows how apps that expose debugging pipes (like Fiddler or VSCode) can be abused for injection, and how Electron apps can be used for Transparency, Consent, and Control (TCC) bypass/obfuscation.
  • MemFuck: Bypassing User-Mode Hooks. Sometimes you want to remove ALL the usermode hooks from your process by unmapping everything you can. In that case this project is for you - it uses some really interesting tricks to unmap DLLs and then use direct syscalls. PoC here.
  • I Like to Move It: Windows Lateral Movement Part 2 – DCOM. Dominic Chell shows how DCOM can be used for lateral movement in a Windows network, including using Excel 4 macros for lateral movement.

Tools and Exploits

  • DLLsForHackers generates DLLs that can be used for side loading and other attack vectors. The generated DLL will (maybe) not cause a deadlock since it only uses functions that are DllMain-safe (unlike many other tools/DLL hijacking techniques). For a potentially more mature tool, see Koppeling.
  • tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive emails. Prefer python? pydispo has you covered.
  • AMSI.fail is a C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Check out the live site: www.amsi.fail.
  • sshiva is a C# application that allows you to run SSH commands against a host or list of hosts.
  • DiscerningFinch collects an array of OS-specific string constants and then attempts to use those to brute-force decrypt the inner binary. If it succeeds, it loads the inner binary into memory, passing along any command line arguments that may exist. If it fails, it prints out a .NET-looking error message as feedback.
  • Firefox for Android LAN-Based Intent Triggering. The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the user's permission, and conducting activities allowed by the intent. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • HTTP Toolkit is a cross-platform, open source HTTP MitM proxy. This looks super powerful and easy to use. For HTTP request monitoring and modification, it looks easier to use than Burp Suite.
  • MoveScheduler focuses on lateral movement via several different methods of scheduling tasks: Win32_ScheduledJob (C#), Win32_Scheduledjob (PowerShell), TaskScheduler Library, and PS_ScheduleTask.

This post is cross-posted on SIXGEN's blog.