Last Week in Security (LWiS) - 2020-11-30

OffSecOps setup (@xenosCR), direct syscalls in CobaltStrike (@brsn76945860), VBA DLL linking (@rd_pentest), advanced red teaming (@BorjaMerino), invoking managed code in .NET DLLs (@_xpn_), shellcode execution via PostgreSQL extensions (@DarkCoderSc), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-23 to 2020-11-30.

News

Techniques

Tools and Exploits

  • mythic-deploy automates the deployment and configuration of a Mythic server with Terraform and Ansible. Adapt it to meet your red team's needs.
  • grab_beacon_config is a nmap NSE script to parse beacon payloads from cobalt strike servers to show their configurations. Use against your own infrastructure to see what others can tell about your beacons.
  • TinyCheck is a network IOC scanner for smartphones with a self-contained wifi man in the middle capture ability. Currently it alerts on known stalkerware indicators as well as plain text data exfiltration so don't count on it to find that NSO Group rootkit.
  • Set-RBCDBytes will set the msds-allowedtoactonbehalfofotheridentity property on the target with the security descriptor for a supplied user or machine that has an SPN. Where would this be useful? Consider an overprovisioned help desk (or similar) account that has GenericAll over every object in the domain and you want to quickly set the msds-allowedtoactonbehalfofotheridentity property on a specific target without importing all of PowerView. This is the script you need! SharpAllowedToAct is the C# variant, and more information on the technique can be found here.
  • clean_wordlist.sh is great for cleaning up some of the noise from last week's AssetNote's wordlists.
  • s3_objects_check is a script to check S3 object permissions in order to identify publicly accessible objects. The script requires two accounts, one with read access to S3 and one with no access to S3.
  • cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security. Think osquery for the cloud.
  • Neurax. Redcode labs keeps the Go based malware libraries coming with Neurax, library for constructing self-spreading binaries.
  • NetworkSniffer will log ALL traffic for any iOS application. This includes WKWebView and UIWebView, and no certificate pinning bypass is required! Requires a jailbroken iPhone.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Tigard is a one-stop-shop for all your hardware hacking needs.
  • DbgShell is a PowerShell front-end for the Windows debugger engine.

This post is cross-posted on SIXGEN's blog.