Nov 10 2020 Last Week in Security (LWiS) - 2020-11-09

News

• Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945. Linux based APTs don't get much attention, and APTs that target Solaris, even less - until now. Mandiant exposes all the tricks of an APT group that used a Solaris SSH 0day for initial access, and deployed quite a suite of tools (including an entire QEMU VM) once in the network.
• Raspberry Pi 400 launched. This new Raspberry Pi introduces a new form factor, the computer-as-a-keyboard. A new board incorporates the Raspberry Pi 4 (4GB) into a small keyboard. One notable change is a slightly updated processor with a 1.8 GHz quad-core ARMv8 chip (vs 1.5 GHz in the standard 4), and a massive heatsink to keep it from overheating. With its ability to run dual 4k displays, this portable computer could be perfect for students or anyone who needs a basic computing environment. I am also interested to see it being used as a thin client device.
• Chrome Root Program. Chrome will start shipping its own root Certification Authorities (CA) store instead of relying on the operating system's CA store. Mozilla already does this in Firefox, and it will present challenges to enterprises that deploy their own root CAs for HTTPS interception or other purposes.
• Cyber ActorsTarget Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses. The FBI reveals that threat actors have stolen private and US Government source code due to misconfigurations in SonarQube instances. This is a great example of why having a government backdoor "only for the good guys" is a terrible idea.
• Cobalt Strike 4.2 – Everything but the kitchen sink details the improvements in the most recent release of the commercial red team tool. Many are welcome quality of life additions (better key logging and screenshot support), but there is also good low level improvements for in-memory evasion and templates for artifacts the the named-pipe beacon uses to communicate with post-exploitation jobs. ThreatExpress has the latest malleable C2 additions documented nicely.

Techniques

• Malware development part 5. This is a continuation of a great series on malware (or red team tool) development. This one covers parent PID spoofing, process protection, environmental keying and bruteforce decryption of malware data and configuration.
• Traditional Signature Based Antivirus Evasion Tests. Simple string manipulation is good enough to get a ~50% reduction in detections on virus total. Not bad.
• Resourceful macOS Malware Hides in Named Fork. Named Forks are the alternate data streams (ADS) of the macOS world, and just like ADSs on Windows, they will be abused by malware to hide payloads. This post shows the full chain from download to execution. The helpful icons for gatekeeper bypass could prove useful for your next macOS phishing engagement.
• Sharing the Myth. Apfell became Mythic a few months ago, and it is an impressive framework. This post shows how it is architected and introduced a C# agent called Apollo.
• Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit. This regression in Windows 10 2004 allows any user to access any file on the system, but only via raw NTFS. 7zip was used in the original PoC, and a native PoC exists, but this post shows how to "exploit" this bug using The Sleuth Kit binaries.
• Writing Custom Shellcode Encoders and Decoders. At some point you will likely have to use some shellcode on target. Encode or encrypt it to make defender's jobs a little harder and bypass static signatures.
• Using Custom Covenant Listener Profiles & Grunt Templates to Elude AV. Covenant is a great C2, but its default Grunts are well signatured. This post shows how to do some basic modifications to change the signatures a bit.

Tools and Exploits

• AggressiveProxy is a combination of a .NET 3.5 binary (LetMeOutSharp) and a Cobalt Strike aggressor script (AggressiveProxy.cna). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. The story behind the tool can be found here.
• Shellycoat is a utility designed to aid in bypassing User-Mode hooks utilized by AV/NGAV/EDR/Sandboxes/DLP etc. to gain visibility into potentially suspicious actions. It is a DLL or PIC shellcode blob that can be injected into a process and will "clean" that processes ntdll using direct syscalls to remove any hooks. Use this with a custom loader before executing your malicious payload to bypass AV.
• StandIn is a "small" AD post-compromise toolkit. It allows for all kinds of enumeration including LDAP objects, ASREP, SPNs, Unconstrained/constrained delegation, DC's, Groups Operations, and Machine Object Operations.
• 1768 K is a tool to decode and dump the configuration of Cobalt Strike beacons from memory from the great Didier Stevens (1768 Kelvin is the melting point of Cobalt).
• red-kube is a red team cheat sheet based on kubectl commands. As more things get containerized, it's good to know how to break k8s.
• APKProxyHelper patches an apk for proxying and repacks back to an apk. For iOS the author has a tweak called SSLBypass that does what it says on the tin.
• SCShell now comes with a Cobalt Strike BOF. Fileless lateral movement was never as easy!
• Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE). It's been a while since we heard from Dawid Golunski (3 years?), but he is back with a RCE that can be triggered by a git clone command. Demo here.
• xpcspy implements bidirectional XPC message interception for iOS and macOS.
• gsocket is an end-to-end encrypted relay network that allows for advanced features beyond simple TCP and SFTP, like mounting a remote file system. As of now, self-hosting a relay is not an option and all traffic goes through gs.thc.org. Perhaps it's an elaborate honey pot?!
• Coldfire is a Go malware development framework that includes a lot of the basic functions all good malware needs, from logging to sandbox detection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• gosecretsdump. Impacket is great, but sometimes it can be really slow. When your NTDS.dit file is measured in GBs, it's time to break out the Go for significant speed boost. Also works on SAM/SYSTEM backups, or even local SAM/SYSTEM if run as SYSTEM.
• gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it. It eases the exploration of APIs that return large blobs of JSON but have terrible documentation. It may fill gaps that jq can't in your workflow.

This post is cross-posted on SIXGEN's blog.