Last Week in Security (LWiS) - 2021-03-22
The latest/greatest mem dumper BOF (@anthemtotheego), CLR usage logging evasion (@bohops), Windows deception engineering (@ollieatnccgroup), MobileIron enumeration (@OptivSourceZero), common vulns and mis-configs (@ShitSecure), macOS persistence (@theevilbit), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-15 to 2021-03-22.
News
- Lending a hand to the community – Covenant v0.7 Updates. It's great to see a community project like Covenant get contributions from the companies using it on assessments.
- How we found and fixed a rare race condition in our session handling. You probably had to log back into GitHub last week, and this explains why. A rare race condition could have returned data from another user's session.
- Azure Key Vault - Intermittent failures - Mitigated (Tracking ID 5LJ1-3CZ). The 14-hour O365 outage last Monday was caused by key rotation during a "complex cross-cloud migration."
- RCE in Google Cloud Deployment Manager. This bug netted a total of $164,674 for the researcher - the highest single-bug award I can recall. Well done!
- In-the-Wild Series: October 2020 0-day discovery. Google Project Zero discovered seven (!) 0-days being actively used in the wild as part of a watering hole campaign against Android, Windows, and iOS devices.
- New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor. With echoes of XcodeGhost from 2015, a malicious Xcode project included a script in the build process to install a backdoor on the developer's machine. This feels very similar to the campaign targeting security researchers from January 2021.
- Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls. Now this is a good red team scope! Any tech the company relies on can be tested by 'Red Team X.'
- Signal secure messaging app stops working in China. Surprised it took this long.
Techniques
- Malware development part 8. COFF/BOF loaders are all the rage right now. This post walks through another implementation of a stand-alone COFF (and thus BOF) loader. If you haven't put a BOF loader in your in-house remote access tool, you are missing out on lots of community-developed capabilities. The resulting COFFInjector code is available and can be used as a reference.
- Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads. Ransomware and other "loud" malware likes to try to uninstall any AV/EDR product as one of the first steps after execution. UninstalledAppCanary detects this by installing a decoy product called "Security" (sure to hit some wildcards) and alerts you to a possible incident if that product is uninstalled.
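As an added illustration of the canary idea (this is not code from UninstalledAppCanary or the post), the detector below scans Windows Installer events for removal of the decoy product. It assumes a simplified key=value export of Application log events and uses the constructed sample lines embedded in it; the MsiInstaller event IDs 1033 (product installed) and 1034 (product removed) are real.

```python
import re

# Decoy product names installed as canaries (the post uses "Security").
CANARY_PRODUCTS = {"Security"}

# Constructed sample events in a simplified key=value export, not real log output.
# MsiInstaller logs 1033 on install and 1034 on removal in the Application log.
SAMPLE_EVENTS = [
    "EventID=1033 Source=MsiInstaller Message=Windows Installer installed the product. Product Name: Security. Product Version: 1.0.0. Manufacturer: Canary Co. Installation success or error status: 0.",
    "EventID=1034 Source=MsiInstaller Message=Windows Installer removed the product. Product Name: Example Editor 2.1. Product Version: 2.1.0. Manufacturer: Example Corp. Removal success or error status: 0.",
    "EventID=1034 Source=MsiInstaller Message=Windows Installer removed the product. Product Name: Security. Product Version: 1.0.0. Manufacturer: Canary Co. Removal success or error status: 0.",
    "EventID=1034 Source=MsiInstaller Message=Windows Installer removed the product. Product Name: Security. Product Version: 1.0.0. Manufacturer: Canary Co. Removal success or error status: 1602.",
]

_EVENT_RE = re.compile(r"EventID=(?P<id>\d+)\s+Source=(?P<src>\S+)\s+Message=(?P<msg>.*)")
# Product names may contain dots, so anchor on the field that follows.
_PRODUCT_RE = re.compile(r"Product Name: (?P<name>.+?)\. Product Version")
_STATUS_RE = re.compile(r"status: (?P<status>\d+)\.")


def parse_event(line):
    """Parse one exported event line into its id, source, product and status."""
    m = _EVENT_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    product = _PRODUCT_RE.search(msg)
    status = _STATUS_RE.search(msg)
    return {
        "event_id": int(m.group("id")),
        "source": m.group("src"),
        "product": product.group("name") if product else None,
        "status": int(status.group("status")) if status else None,
    }


def detect_canary_removals(lines, canaries=CANARY_PRODUCTS):
    """Return one alert per MsiInstaller 1034 event that names a canary product.
    A failed removal (nonzero status) is still reported: the attempt is the signal."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["source"] != "MsiInstaller" or ev["event_id"] != 1034:
            continue
        if ev["product"] in canaries:
            alerts.append({"product": ev["product"], "removed": ev["status"] == 0, "status": ev["status"]})
    return alerts


if __name__ == "__main__":
    for a in detect_canary_removals(SAMPLE_EVENTS):
        state = "REMOVED" if a["removed"] else "removal attempted"
        print(f"ALERT: canary product {a['product']!r} {state} (status {a['status']})")
```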
- MobileIron MDM Contains Static Key Allowing Account Enumeration. Encryption and key management are hard, which is why some vendors hardcode a key as a way to have encryption without the headache of key management. As soon as this key is discovered, however, anything it protects is no longer safe. rustyIron is a tool that can leverage this for discovery and more. Hey, at least it wasn't RCE this time?
- The most common on-premises vulnerabilities & misconfigurations. I love these kinds of posts. So much knowledge packed into a few thousand words. Don't skip this one; there is sure to be at least one new thing in it for you.
- Beyond the good ol' LaunchAgents. This full series on macOS persistence is great stuff.
- Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion. Running C# or other CLR-based tools leaves usage logs which AV/EDR products or blue teams can use to detect red team actions. This post goes over what is in these logs and a few potential ways to stop them from ever being written in the first place.
Tools and Exploits
- CredBandit. This BOF is the culmination of many great projects, and allows you to dump process memory using direct syscalls and a custom MiniDumpWriteDump adapted from ReactOS, all without having the dump touch disk, transferring it back via a BeaconPrintf hack. Hopefully this kind of workaround won't be required in the next version of Cobalt Strike. It would be great to have a way to send arbitrary data back to a teamserver in a BOF.
- bloodhound-quickwin is a simple script to extract useful information from the BloodHound + Neo4j combo. It can help you choose a target for follow-on actions.
- xeuledoc can fetch information about any public Google document (doc, sheet, slide, map, drawing, etc).
- Lepus3 is a subdomain finder with various API integrations. Learn more in the post: Reviving and Refactoring DNS Enum.
- Add exploit for CVE-2021-1732. The Windows 10 local privilege escalation vulnerability discovered in the wild is now in Metasploit - but nothing is stopping you from modifying this code for use in your own framework/tool.
- dnsfwd is a DNS forwarder that only forwards queries for the domains you specify to an upstream host. This is useful for things like DNS beacons, where you only want to send beacon-related traffic to Cobalt Strike.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- grex is a command-line tool and library for generating regular expressions from user-provided test cases. All you do is give it examples of strings to match and it will generate a regular expression that matches all of them. A great tool for getting a good start on a tough regex.
- CredMaster is a refactored & improved CredKing password spraying tool that uses FireProx APIs (AWS) to rotate IP addresses, stay anonymous, and beat throttling. More details here.
- SecurityTips is a collection of "HackerScrolls" tips, cheatsheets, and mindmaps.
- terraformer is a CLI tool to generate Terraform files from existing infrastructure (reverse Terraform), or "Infrastructure to Code."
This post is cross-posted on SIXGEN's blog.