Last Week in Security (LWiS) - 2021-05-10

Full DarkHotel exploit ⛓️ (@_ForrestOrr), DomainBorrowing (@md5_salt), WinPmem to dump LSASS (@TheXC3LL), Twitter Tip Jar fail (@RachelTobac), the reasoning behind DripLoader (@_lpvoid), .NET + NTFS tricks (@G0ldenGunSec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-03 to 2021-05-10.

News

Techniques

Tools and Exploits

  • DoubleStar is a personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain with a focus on Windows 8.1 and mixed with some custom techniques. While this exploit chain makes use of two (now patched) 0day exploits, it also contains an elevation of privilege technique which is still as of 2021-05-10 not patched, and remains feasible for integration into future attack chains today.
  • Introducing Mystikal. As more small and even large businesses adopt macOS, red teams are starting to focus more on the previously obscure platform. Mystikal is an initial access payload generator for macOS that includes: pkg installer with JavaScript, Microsoft Office Macros, and Armed "PDFs" (apps). Code here.
  • keygrabber is a script for grabbing keys from a Linux host. Useful during red team exercises to quickly help assess what access to a Linux host can lead to.
  • FalconEye is a windows endpoint detection software for real-time process injections. It is a kernel-mode driver that aims to catch process injections as they are happening (real-time). Since FalconEye runs in kernel mode, it provides a stronger and reliable defense against process injection techniques that try to evade various user-mode hooks. Add this to your detection lab and see if you can bypass it!
  • DomainBorrowing is a Covenant implementation of the evolution of my talk on Domain Hiding (since crippled by Cloudflare). Using some smaller CDNs it's possible to "borrow" a wildcard certificates if you register a nonexistent subdomain with them. Like Domain Hiding, this technique likely has a short shelf life but is really great research!
  • lateralus is a terminal based phishing campaign tool with template support. Could be useful for quick campaigns where you don't need the full power of something like Gophish.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • poseidon is a fully featured macOS Mythic implant with some Linux functionality as well.
  • metacall/core allows calling functions, methods or procedures between multiple programming languages. The ability to glue together multiple languages into a single solution without much overhead is very cool.

This post is cross-posted on SIXGEN's blog.