Oct 05 2020 Last Week in Security (LWiS) - 2020-10-05

News

• UHS hospitals hit by reported country-wide Ryuk ransomware attack. Two weeks ago was the first possible death related to ransomware. There are at least three being reported due to this. Of note, while many ransomware crews stated they would not target hospitals when the pandemic started, Ryuk remained silent.
• Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Cybersecurity firms now need to register as money services to legally make ransomware payments, and "payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial."
• OST Map from Intezer connects threat actors with the tools they use. This is an interesting resource for adversary emulation purposes. If you enjoy this you may also like the CyberWar Map.
• Sectigo to Be Acquired by GI Partners. The Root CA shell game continues (Sectigo used to be Comodo). This will trigger another round of compliance checks.
• Escaping strings in Bash using !:q. A quick tip for bash users.
• Code scanning is now available!. GitHub code scanning attempts to find vulnerabilities in your code via static analysis before it gets deployed. They are using the acquisition of Semmle to push CodeQL even further. This proactive approach is a good thing for security.

Techniques

• Defeat Bitdefender total security using windows API unhooking to perform process injection. This post shows practical API unhooking and how to discover/repair hooked API calls using x64dbg.
• Sysmon Internals - From File Delete Event to Kernel Code Execution. In addition to some file delete and shredding detection bypasses, this post shows how the file delete event logging is actually a write-what-where primitive from usermode to the Windows kernel. It goes on to exploit this into full kernel code execution. Demo here, code here. The post also includes detections and a YARA rule as well.
• Attacking Smart Card Based Active Directory Networks. On networks where physical smart cards are in use (government uses them heavily), Rubeus can now be used with a smartcard and PIN stolen with PinSwipe to get a kerberos TGT that is valid for 7 days.
• How to Store Session Tokens in a Browser (and the impacts of each). Modern web applications have to store session tokens in the browser some how, and there are many different ways to do it. This post shows examples of each, and how they can be accessed if the page is vulnerable to cross site scripting (XSS).
• Breaking JCaptcha using Tensorflow and AOCR. Simple Captchas are no match for machine learning. Integrate this into your attack workflow when brute forcing or spraying is allowed.
• Forcing Firefox to Execute XSS Payloads during 302 Redirects. A GET parameter reflected into the HTTP response of a 302 allows for XSS using one of the tricks listed in this short post.
• UACMe 3.5, WD and the ways of mitigation. The canonical source of UAC bypasses, UACMe has been updated to 3.5, and lots of old code was removed. The author also broke down each working bypass and provided potential defender bypasses in this post and added the bypasses to the 3.5 release.
• Exporting registry hives from a live system. This Digital Forensics & Incident Response blog post is aimed at IR practitioners looking to recover live forensics but is just as useful for red teamers looking to gather information from registry hives.
• Dynamic Binary Instrumentation Techniques to Address Native Code Obfuscation. This is a very cool talk on instrumenting Android applications to aid in reverse engineering.
• The Hidden Dangers of Network Printers. On engagements open printers are often discovered. This post shows the potential dangers of printers in the enterprise.

Tools and Exploits

• SIEGMA aims to automate the creation of SIEM rule consumables by leveraging a pre-defined set of configurations/mappings and by utilizing the sigma rule format and engine.
• DecryptRDCManager is a .NET port of Decrypt-RDCMan.ps1 which was written by Ben Turner and Rich Hicks. This tool will decrypt credentials from Remote Desktop Manager by using the functionality from the RDCMan.DLL.
• Fork-n-Run. This is great raw C# material for building into your own tools (PPID spoofing, BlockDLLs, argument spoofing, comms via pipes).
• MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. Be warned, this will attempt 7 authentications, so be sure to use a correct password or possibly get locked out! Blog post here.
• AggressiveGadgetToJScript is a Cobalt Strike Aggressor script to generate GadgetToJScript payloads. It uses the QueueUserAPC injection method and injects into notepad.exe (you should change this).
• bitleaker is a complete physical attack tool (bootable USB) that leverages CVE-2018-6622 (BIOS sleep TPM bug) and the new CVE-2020-0526 to enable the mounting of Bitlocker encrypted drives without the user's password which is normally required. If devices are out of your physical control (work from home, travel) this bug/exploit applies to you. Update your systems to the latest BIOS firmware, disable sleep in the BIOS, or use BitLocker with a PIN to mitigate this.
• GLORP is a command line HTTP intercept proxy. The idea is to provide a CLI based tool for when you wanna-look-at-this-thing-real-quick and not fire up yet another full-fat container/vm/whatever with Burp and so forth. Looking for more GUI? Read on...
• hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community. Currently in the early stages, this is an interesting project to watch.
• Raccine is a simple ransomware vaccine that kills the process tree that invokes vssadmin or wmic calls to delete volume shadow copies by registering as a debugger for vssadmin and wmic. This is a neat trick that will likely work against many ransomware variants.
• elsa is a minimal, fast and secure runtime for Javascript and Typescript written in Go. This could be used to create an embedded scripting environment in your Go malware a la gscript.
• sploit is a Go package that aids in binary analysis and exploitation. Think of it as the start of a Go version of pwntools.
• feroxbuster is a fast, simple, recursive content discovery tool written in Rust.
• CSharp-CmdLineHelper-Parser is a "no frills" 1 class-only, C# .NET command line parser with support for - and / args, switches only, and Name : Values. This will be useful for small C# projects.
• checksec.py is a complete checksec tool in python with rich terminal output. It supports PE and ELF files and there is an exe in the Github release.
• Docker-eyeOS runs iOS (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! It's like having your own local Corellium.
• A New Tool for Password Spraying Emulation. Spray at scale using GCP/AWS with this new tool from Praetorian. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• Vulmap is an online local vulnerability scanner. It's aimed at organizations to do vulnerability scanning across their fleets, but it can also be used for one off checks to see what is available to privesc.
• grinder is a python framework to automatically discover and enumerate hosts from different back-end systems (Shodan, Censys). Add this to your enumeration pipeline.
• GHunt is a tool to investigate Google Accounts given only an email.

This post is cross-posted on SIXGEN's blog.