Last Week in Security (LWiS) - 2021-03-22

The latest/greatest mem dumper BOF (@anthemtotheego), CLR usage logging evasion (@bohops), Windows deception engineering (@ollieatnccgroup), MobileIron enumeration (@OptivSourceZero), common vulns and mis-configs (@ShitSecure), macOS persistence (@theevilbit), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-15 to 2021-03-22.

News

Techniques

Tools and Exploits

  • CredBandit. This BOF is the culmination of many great projects, and allows you to dump process memory using direct syscalls and a custom MiniDumpWriteDump adapted from ReactOS, all without having the dump touch disk, transferring it back via a BeaconPrintf hack. Hopefully this kind of workaround won't be required in the next version of Cobalt Strike. It would be great to have a way to send arbitrary data back to a teamserver in a BOF.
  • bloodhound-quickwin is a simple script to extract useful information from the BloodHound + Neo4j combo. It can help you choose a target for follow-on actions.
  • xeuledoc can fetch information about any public Google document (doc, sheet, slide, map, drawing, etc).
  • Lepus3 is a subdomain finder with various API integrations. Learn more in the post: Reviving and Refactoring DNS Enum.
  • Add exploit for CVE-2021-1732. The Windows 10 local privilege escalation vulnerability discovered in the wild is now in Metasploit, but nothing is stopping you from modifying this code for use in your own framework/tool.
  • dnsfwd is a DNS forwarder that only forwards queries for the domains you specify to an upstream host. This is useful for things like DNS beacons where you only want to send beacon related traffic to Cobalt Strike.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • grex is a command-line tool and library for generating regular expressions from user-provided test cases. All you do is give it examples of strings to match and it will generate a regular expression that matches all of them. A great tool for getting a good start on a tough regex.
  • CredMaster is a refactored & improved CredKing password spraying tool that uses FireProx APIs (AWS) to rotate IP addresses, stay anonymous, and beat throttling. More details here.
  • SecurityTips is a collection of "HackerScrolls" tips, cheatsheets, and mindmaps.
  • terraformer is a CLI tool to generate Terraform files from existing infrastructure (reverse Terraform): infrastructure to code.

This post is cross-posted on SIXGEN's blog.