Last Week in Security (LWiS) - 2020-12-07

Remote iOS RCE (@i41nbeer), decrypting AutoLogon creds (@secure_sean), the Unprotect Project (@fr0gger_ + @DarkCoderSc), C2 in C++ book (@shogun_lab), depixelization tool (@spibblez), SharpMapExec (@cube0x0), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-30 to 2020-12-07.

News

Techniques

  • A Modern Exploration of Windows Memory Corruption Exploits - Part I: Stack Overflows. Forrest Orr (@_ForrestOrr) puts together a great primer on stack overflow exploits, and unlike nearly every other resource, he uses Windows as the target OS which brings its own set of challenges. This is a great resource for any aspiring exploit developer. Source code to follow along is here.
  • Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager. Who watches the watchers? OBM is a product to monitor and identify IT infrastructure problems, but comes with its own set of security issues - including the classic Java deserialization.
  • CVE-2020-14418: madCodeHook Library Local Privilege Escalation. 'Tis the season of Windows local privilege escalation vulnerabilities in drivers. The Cisco ExPrevDriver.sys module, formerly known as MorphiDriver32.sys, has a time-of-check-to-time-of-use (TOCTOU) vulnerability that allows arbitrary DLL loading.
  • The Unprotect Project is a MITRE ATT&CK like collection of specific, technical techniques malware uses from @fr0gger_ and @DarkCoderSc. Excited to see where this goes!
  • Bypass cobaltstrike beacon config scan. This post discusses the recent (last week's LWiS) Cobalt Strike beacon configuration scanners/parsers, which connect to a team server configured for staged payloads (the default), download the stage, and dump the beacon configuration. By reversing Cobalt Strike itself, Zero Team was able to change the static single-byte XOR key that protects the configuration and repack Cobalt Strike, so off-the-shelf parsers that hard-code the key come up empty. Blue teams should brute force this key (only 256 possibilities) when attempting to parse a staged payload from a suspected Cobalt Strike server.
  • Building C2 Implants in C++: A Primer goes through the process of designing a C2 infrastructure, listening post, implant, tasking, and a CLI client.
  • D/Invokify PPID Spoofy & BlockDLLs. RastaMouse keeps the hits coming with this post on D/Invoke (dynamically invoking unmanaged APIs without P/Invoke imports, including direct syscalls), PPID spoofing, and the BlockDLLs mitigation policy. This should help anyone developing their own C# tools to bypass API hooks and some AV detection.
  • How to Find Someone's U.S. Court and Property Records. If your target(s) are in the US, this post has lots of good resources to potentially uncover great phishing pretext.
  • APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. There are some interesting, and some sloppy, techniques in this post. The initial execution and file swap is a great trick that is likely to be effective against many macOS users. Consider implementing it on your next macOS targeted phishing engagement.
  • Weaponizing Windows Sandbox To Bypass Defender. This is an interesting technique that uses the Windows Sandbox to hide malicious activity. Malware has done similar things by shipping an entire VM and VirtualBox to a target to run ransomware without detection, but the built-in Windows Sandbox is an optional feature available on Windows 10 Pro and Enterprise, and once enabled a sandbox can be launched just by opening a .wsb configuration file (phishing potential?).
  • Leaking Browser URL/Protocol Handlers. Fortinet has some good research (and a CVE) on fingerprinting installed applications using URL/protocol handlers, aka shortlinks. Different browser responses to these shortlinks indicate whether an application is installed or not. The vendor responses split along party lines: Mozilla issued a CVE and quickly fixed it, Microsoft says it's not a security issue, and Google basically says they'll get around to it when they get a chance.
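The brute-force the Cobalt Strike bullet above recommends, worked through as an added example (this is not code from the LWiS post, from Zero Team's write-up, or from any of the public parsers). It follows the config layout those parsers rely on: a block of big-endian (index, type, length, value) entries, XORed as a whole with a single byte (0x69 in Cobalt Strike 3.x, 0x2e in 4.x). Instead of assuming either default key, it tries all 256 and keeps the first key whose decoded block parses into sane entries. The setting names and the sample blob are assumptions and constructed test data, not a real stage:

```python
"""Brute-force the single-byte XOR key protecting a Cobalt Strike Beacon
configuration block, then decode its TLV entries.

Added example (not from the LWiS post or Zero Team's write-up). The encoding
model follows the public beacon config parsers; the setting names below are a
small subset used for illustration (assumption) and the sample blob built by
build_config() is constructed test data, not a real stage."""
import struct

# Subset of the setting indices used by public parsers (assumption).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 8: "C2Server", 9: "UserAgent"}
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

# The first entry of a real config is BeaconType: index 1, type short, length 2.
# Encoded with key k, its header is the six bytes k, k^1, k, k^1, k, k^2.
FIRST_HEADER = b"\x00\x01\x00\x01\x00\x02"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_config(settings, key: int, pad: int = 64) -> bytes:
    """Constructed test data: pack settings as TLVs, zero-pad the block the
    way the real config region is padded, XOR it, and prepend junk bytes
    standing in for the rest of the PE."""
    out = bytearray()
    for idx, typ, value in settings:
        if typ == TYPE_SHORT:
            raw = struct.pack(">H", value)
        elif typ == TYPE_INT:
            raw = struct.pack(">I", value)
        else:
            raw = value.ljust(256, b"\x00")
        out += struct.pack(">HHH", idx, typ, len(raw)) + raw
    return b"\x90" * pad + xor(bytes(out) + b"\x00" * pad, key)


def parse_config(data: bytes) -> dict:
    """Walk TLV entries until the zero padding (index 0) is reached.
    Raises on anything that does not look like a well-formed entry, so a
    wrong key fails fast instead of producing garbage."""
    entries, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if idx == 0:
            break
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack_from(">H", data, pos)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack_from(">I", data, pos)[0]
        elif typ == TYPE_BYTES and 0 < length <= 4096:
            value = data[pos:pos + length].rstrip(b"\x00")
        else:
            raise ValueError(f"malformed entry at offset {pos - 6}")
        entries[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
        pos += length
    return entries


def find_config(blob: bytes):
    """Try all 256 keys. For each, look for the encoded BeaconType header,
    decode from that offset, and accept the first decode that parses into a
    config carrying both BeaconType and Port. Returns (key, offset, entries)
    or None if no key produces a plausible config."""
    for key in range(256):
        marker = xor(FIRST_HEADER, key)
        off = blob.find(marker)
        while off != -1:
            try:
                entries = parse_config(xor(blob[off:], key))
            except (ValueError, struct.error):
                entries = {}
            if "BeaconType" in entries and "Port" in entries:
                return key, off, entries
            off = blob.find(marker, off + 1)
    return None


if __name__ == "__main__":
    # Constructed stage with a non-default key, as a repacked team server
    # would produce; a parser hard-coded to 0x69 or 0x2e finds nothing here.
    sample = build_config(
        [(1, TYPE_SHORT, 8), (2, TYPE_SHORT, 443), (3, TYPE_INT, 60000),
         (5, TYPE_SHORT, 25),
         (8, TYPE_BYTES, b"cdn.example.com,/jquery-3.3.1.min.js")],
        key=0x5A)
    key, off, cfg = find_config(sample)
    print(f"key=0x{key:02x} offset={off}")
    for name, value in cfg.items():
        print(f"  {name}: {value}")
```

The marker search keeps the brute force cheap (256 `find` calls over the stage) and the strict TLV parse weeds out the occasional false hit a single six-byte pattern would otherwise produce; in a real pipeline you would run this over the stage fetched from the suspected server rather than over `build_config` output.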

Tools and Exploits

  • writehat is a reporting tool which removes Microsoft Word from the reporting process. Markdown --> HTML --> PDF. Created by penetration testers, for penetration testers - but can be used to generate any kind of report. Written in Django (Python 3). This and Ghostwriter (also written with Django) are interesting options for reporting.
  • DecryptAutoLogon is a command line tool (C#) to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon.
  • SharpMapExec is a C# version of CrackMapExec that can scan for access, identify vulnerable configurations, and exfiltrate data using Kerberos or NTLM authentication. CME is one of my favorite Windows tools, so a C# version is very exciting.
  • GetOSVersion.h is a useful function for developing direct syscall solutions: it reads the version information from the KUSER_SHARED_DATA structure, avoiding any API calls before issuing the correct direct syscalls (syscall numbers differ between Windows versions, so the version must be known first).
  • APOLLO v1.4 - Now with 'Gather' Function from iOS/macOS and updates to iOS14 and macOS 11 modules. Apple Pattern Of Life Lazy Outputter (APOLLO) is a great tool for macOS and iOS forensics, and it just got a big update for the latest operating systems.
  • Carnivore is a tool for assessing on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb. NCC group has a blog post about the tool, as well as a DEF CON 28 presentation (slides).
  • Depix is a tool for recovering passwords from pixelized screenshots. Use black boxes to redact and ensure they are not removable objects!
  • Nero. Now this is a cool application of machine learning. "Neural Reverse Engineering of Stripped Binaries using Augmented Control Flow Graphs" is the title of the paper. Who wants to implement this as a Ghidra plugin?!
  • tc2 is a repo of example C2 stacks, fronted using Traefik to avoid JARM signature detection.
  • slipstream is a Go implementation of the NAT Slipstream attack from 2020-11-02's LWiS. The benefit is a single binary for client and server to check if your router is vulnerable.
  • fibratus is a modern tool for Windows kernel exploration and tracing written in Go. It uses Event Tracing for Windows (ETW), so if that is being bypassed, this tool will be unable to pick it up. This could be a good addition to a blue team toolkit.
  • ELFPatch is an x86/64 Python library to manipulate and patch ELFs with dynamically sized patches. This could be super useful for exploit development.
  • cloudlist is a multi-cloud tool for getting assets (hostnames, IP addresses) from cloud providers. This is intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with very little configuration effort. This tool requires an access token for each cloud service to enumerate the assets, making it much more of a blue team tool than red.
  • SharpLigolo is a C# wrapper of the Go tool ligolo, which is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection, using a TLS certificate for security. It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster, and now wrapped in C#!
  • Sharp-HackBrowserData is a C# wrapper of the Go tool HackBrowserData which can decrypt passwords, bookmarks, cookies and history from every browser except Internet Explorer and Safari across all three major OSs.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ripgrep-all is a line-oriented search tool that allows you to look for a regex in a multitude of file types. rga wraps the awesome ripgrep and enables it to search in pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc. Useful for everyday use, or to find credentials and other interesting data on a target machine.
  • ImHex is a Hex Editor for Reverse Engineers, Programmers and people that value their eyesight when working at 3 AM.
  • vast, or Visibility Across Space and Time, is a network telemetry engine for data-driven security investigations with sub-second response times over the entire data lake of imported zeek/suricata/json/csv data, thanks to multi-level bitmap indexing and actor model concurrency.

This post is cross-posted on SIXGEN's blog.