Last Week in Security (LWiS) - 2020-11-30
OffSecOps setup (@xenosCR), direct syscalls in CobaltStrike (@brsn76945860), VBA DLL linking (@rd_pentest), advanced red teaming (@BorjaMerino), invoking managed code in .NET DLLs (@_xpn_), shellcode execution via PostgreSQL extensions (@DarkCoderSc), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-23 to 2020-11-30.
News
- Exploit PoCs now fetch your crashlogs. Careful with that new iOS PoC, as it will upload all the crashdumps on your device to ZecOps every time it is run. The PoC is open source, but the analytics code is hidden in a zip.
- WireGuard for Windows 0.3: ARM support, enterprise features, & more. This is a major release for WireGuard. Windows gets "enterprise" features (non-admins can start and stop tunnels if a registry key is set, etc) that will make it much easier to deploy within modern companies that are properly enforcing the principle of least privilege. Documentation here.
- This Bluetooth Attack Can Steal a Tesla Model X in Minutes. The cryptographic checks exist to prevent this, but are not enforced! Video of the process here.
- Drupal issues emergency fix for critical bug with known exploits. Another critical Drupal remote code execution vulnerability - this time if the server processes .tar, .tar.gz, .bz2, or .tlz file uploads. Patch and segment your servers!
- Developer Successfully Virtualizes Windows for Arm on M1 Mac. It took some serious QEMU hacks, but Windows for Arm is running on the new Apple Silicon.
Techniques
- Hindering Threat Hunting, a tale of evasion in a restricted environment. Some great "advanced red team" tactics in this post. From the initial execution via signed binary DLL hijacking, to the C2 via a trusted service (Google Apps Scripts), this engagement put the "A" in APT. I particularly enjoy that none of these techniques are "new" but rather pulled from actual threat actor TTPs (and the link to my Noctilucent project).
- VBA and Function Pointers. Despite its "unique" syntax, VBA is a fully featured programming language and as such, advanced programming techniques like run time dynamic linking of DLLs can be done in pure VBA.
- Don't fear the bark, ts_rewrite to dodge the mark. This post shows the process of developing a PostgreSQL WAF bypass using ts_rewrite to encode/rewrite queries.
- Implementing Syscalls In The Cobaltstrike Artifact Kit. This was teased in the BloodHoundGang Slack, and @brsn76945860 does not disappoint. This posts walks through porting Cobalt Strike's Artifact Kit to Windows/Visual Studio and then using SysWhispers for direct syscalls in Cobalt Strike's beacon. This should help keep detections low for many AV/EDR solutions.
- OffSecOps Basic Setup. Based on the SpecterOps Con 2020 talk by Will Schroeder, the post walks through the basics of setting up a "OffSecOps" pipeline with Jenkins on Windows.
- Active Directory Lab Setup Tool does what it says on the tin. For a completely automated solution, check out DetectionLab.
- The .NET Export Portal walks through the ways code can be exposed in DLL exports, and how to call managed functions without having to mark anything as exported. PoC code here.
- Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less! This post shows the work that goes into memory corruption exploits. A great in depth post for anyone interested in exploit development. Windows local privilege escalation PoC here.
- Postgresql Extension Shellcode Execution. If you can write a DLL to disk and you have SQL execution (perhaps via SQL injection) you can load a custom extension that can execute arbitrary code! Example extension here.
Tools and Exploits
- mythic-deploy automates the deployment and configuration of a Mythic server with Terraform and Ansible. Adapt it to meet your red team's needs.
- grab_beacon_config is a nmap NSE script to parse beacon payloads from cobalt strike servers to show their configurations. Use against your own infrastructure to see what others can tell about your beacons.
- TinyCheck is a network IOC scanner for smartphones with a self-contained wifi man in the middle capture ability. Currently it alerts on known stalkerware indicators as well as plain text data exfiltration so don't count on it to find that NSO Group rootkit.
- Set-RBCDBytes will set the msds-allowedtoactonbehalfofotheridentity property on the target with the security descriptor for a supplied user or machine that has an SPN. Where would this be useful? Consider an overprovisioned help desk (or similar) account that has GenericAll over every object in the domain and you want to quickly set the msds-allowedtoactonbehalfofotheridentity property on a specific target without importing all of PowerView. This is the script you need! SharpAllowedToAct is the C# variant, and more information on the technique can be found here.
- clean_wordlist.sh is great for cleaning up some of the noise from last week's AssetNote's wordlists.
- s3_objects_check is a script to check S3 object permissions in order to identify publicly accessible objects. The script requires two accounts, one with read access to S3 and one with no access to S3.
- cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security. Think osquery for the cloud.
- Neurax. Redcode labs keeps the Go based malware libraries coming with Neurax, library for constructing self-spreading binaries.
- NetworkSniffer will log ALL traffic for any iOS application. This includes WKWebView and UIWebView, and no certificate pinning bypass is required! Requires a jailbroken iPhone.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Tigard is a one-stop-shop for all your hardware hacking needs.
- DbgShell is a PowerShell front-end for the Windows debugger engine.
This post is cross-posted on SIXGEN's blog.