Last Week in Security (LWiS) - 2021-05-17

Exim RCE (@lockedbyte), Windows kernel exploit writeup (@33y0re), plaintext RDP creds from memory (@jonasLyk, @n00py1), MS Defender ATP bypasses (@Tyl0us), hashcat 6.2.0 (@hashcat), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-10 to 2021-05-17.

News

Techniques

Tools and Exploits

  • CVE-2020-28018 is one of the 21Nails Exim mail server vulnerabilities. The PoC turns a use-after-free into an information leak, an arbitrary read primitive, and a write-what-where primitive, and chains them to achieve arbitrary code execution. For details see From theory to practice: analysis and PoC development for CVE-2020-28018 (Use-After-Free in Exim).
  • Solaris is a LKM rootkit loader/dropper that lists available security mechanisms.
  • SharpNukeEventLog nukes the event log using some epic dinvoke fu to suspend the threads of the event log process.
  • RedWarden is a Cobalt Strike C2 reverse proxy that fends off blue teams, AVs, EDRs, and scanners through packet inspection and malleable profile correlation.
  • Dent is a framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's Windows Defender Advanced Threat Protection (as of this week called Microsoft Defender for Endpoint) sensors. All the details are in Breaking the (WDAPT) Rules with COM.
  • Russian is a registry file that changes two keys that are checked by some malware to determine if you are using a Russian language keyboard. This should be an absolute last resort defense against ransomware, but is very easy to deploy.
  • exclave helps offload wrapping/unwrapping of offensive payloads with Intel SGX technology assist. This is an interesting project to protect C2 secrets using protected processor memory and Intel's secure enclave technology.
  • dnMerge is a lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependent assemblies.
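The keyboard-layout check that the Russian registry file above is designed to trip is simple to model. The following is an added example, not code from the Russian project or from any malware sample: it decodes keyboard layout handles (HKLs) the way a check built on GetKeyboardLayoutList would, treating the low 16 bits of each HKL as a Windows LANGID and refusing to "run" when a Russian or other CIS layout is present. On Windows it queries the live layout list through ctypes; elsewhere it runs against constructed sample values, so it can be tested offline. The set of language IDs a given family checks varies; the four used here are assumptions for illustration.

```python
"""Model of the keyboard-layout check some ransomware performs before detonating.

Added example; not the Russian project's code and not taken from a malware sample.
"""
import ctypes
import sys

# LANGIDs several ransomware families treat as "do not run here" (assumed set for
# illustration): 0x0419 Russian, 0x0422 Ukrainian, 0x0423 Belarusian, 0x043F Kazakh.
CIS_LANGIDS = {0x0419, 0x0422, 0x0423, 0x043F}

# Constructed sample HKLs: an HKL packs a device handle in the high word and the
# LANGID in the low word, so a plain US English layout is 0x04090409.
US_ONLY_MACHINE = [0x04090409]
US_PLUS_RUSSIAN_MACHINE = [0x04090409, 0x04190419]


def langid_from_hkl(hkl: int) -> int:
    """Return the LANGID stored in the low 16 bits of a keyboard layout handle."""
    return hkl & 0xFFFF


def primary_language(langid: int) -> int:
    """Equivalent of the PRIMARYLANGID() macro: the low 10 bits of a LANGID.

    The top 6 bits are the sublanguage (e.g. 0x0409 en-US and 0x0809 en-GB
    share primary language 0x09).
    """
    return langid & 0x3FF


def has_cis_layout(hkls) -> bool:
    """True if any installed layout's LANGID is in the CIS set.

    This is the decision point the malware check reduces to: with a Russian
    layout present it aborts, otherwise it proceeds.
    """
    return any(langid_from_hkl(h) in CIS_LANGIDS for h in hkls)


def installed_layouts_windows():
    """Query the live layout list via user32!GetKeyboardLayoutList (Windows only)."""
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int
    count = user32.GetKeyboardLayoutList(0, None)          # first call: how many?
    buf = (ctypes.c_void_p * count)()
    count = user32.GetKeyboardLayoutList(count, buf)       # second call: fill buffer
    return [(buf[i] or 0) for i in range(count)]


def describe(hkls) -> str:
    """Summarise what a layout-checking sample would conclude for this machine."""
    ids = ", ".join(f"0x{langid_from_hkl(h):04X}" for h in hkls)
    verdict = "abort (CIS layout present)" if has_cis_layout(hkls) else "proceed"
    return f"layouts: [{ids}] -> {verdict}"


if __name__ == "__main__":
    if sys.platform == "win32":
        print("live:", describe(installed_layouts_windows()))
    print("sample US only:     ", describe(US_ONLY_MACHINE))
    print("sample US + Russian:", describe(US_PLUS_RUSSIAN_MACHINE))
```

The two constructed lists show the before and after of installing a Russian layout: only the LANGID matters, so any HKL whose low word is 0x0419 flips the verdict. This also makes the limits of the defense clear, as the bullet already warns: a family that does not implement this check, or that checks a different property, is unaffected.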

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • delta aims to make time studying diffs both efficient and enjoyable: it allows you to make extensive changes to the layout and styling of diffs, as well as allowing you to stay arbitrarily close to the default git/diff output.
  • jenkins-attack-framework is a project to help assess the popular CI/CD product Jenkins.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

This post is cross-posted on SIXGEN's blog.