Last Week in Security (LWiS) - 2021-05-24

CloudFlare IP filtering (@vysecurity), DNSStager (@mohammadaskar2), Cobalt Strike OPSEC (@jmoosdijk), Azure app phishing (@nikhil_mitt), decision making in red teams (@Jackson_T), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-05-17 to 2021-05-24.



  • Operators, EDR Sensors, and OODA Loops. This is a long post (full con talk), but should be required reading for any serious red team operator. Lots of people (ahem, me) can get focused on the latest exploit or technique and lose sight of process of red teaming. Hopefully this blog can serve as part of the "continual learning and growth" part of the act phase.
  • What the F#*%. The lesser known cousin of C# comes with Microsoft signed binaries that can be useful to get past application allowlisting defenses. Code available in the What-The-F repository.
  • That single GraphQL issue that you keep missing. Bug hunters will love this post on GraphQL based CSRF. The latest release of inql will help identify such issues on your next assessment or bug hunt.
  • CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys. While not as bad as it sounds, this is reachable from IIS and WinRM, so do patch! BSOD PoC: CVE-2021-31166.
  • CloudFlare for IP Address Filtering. CloudFlare is a massive presence on the internet today, hosting over 25 million domains. In this post Vincent uses the CloudFlare firewall to block known security organizations as well as "bots" to defend his red team infrastructure.
  • Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack. This tool/technique helps an attacker create an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. After the application has been granted consent, it has user account-level access to the data without the need for an organizational account. This can be defeated by admins who enable tenant restrictions to manage access to SaaS cloud applications.
  • Unveiling DNSStager: A tool to hide your payload in DNS. With enough delay, the 59 AAAA DNS requests could easily be lost on the noise and provide the perfect way to load a lifeline beacon. They client could be modified to check a trigger (value in a GitHub gist, Twitter bio, etc) and start the process when the value changes. Be careful though DNS is one of those things that defenders are either totally blind to, or can get you caught easily if someone is watching (high entropy/high volume of unusual requests).
  • Modding Gophish. Gophish has some default and unchangeable features that you may not want (X-Mailer header perhaps). This post shows how to change the 404 page as well as how to enable basic HTTP auth which may be more trusted by your targets.
  • Le Zeek, C’est Chic: Using an NSM for Offense. The blue team's favorite tool can also be used for offense to find dual-homed machines, dns queries, and even plaintext credentials on the wire.
  • SimuLand: Understand adversary tradecraft and improve detection strategies. SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise.
  • How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks. This excellent post discusses two methods by which an attacker can meet the requirements of hosting an “Intranet” site, explains how an attacker can combine this scenario with Active Directory ACL attack path vulnerabilities and LDAP relaying attacks to elevate privileges, and provides a detailed walkthrough of how an operator can accomplish these tasks through Cobalt Strike.

Tools and Exploits

  • HelpColor. I open the Beacon Command Behavior Survey page all the time; this will be super useful for quickly seeing if I am about to fork and run! It's easy to add your own BOFs and other tools as well.
  • RDPThiefInject is RdpThief run through donut and wrapped in C# to easily inject into mstsc. Convert to D/Invoke before using for better OPSEC.
  • OffensivePH. The older ProcessHacker driver has a lot of capabilities and may be a "known good" and thus not be detected.
  • golang-insecureskipverify-patch. If you need to inspect TLS protected communication of a black-box golang binary and it does not trust the system level CA certificates, then you can use this tool to patch the executable to act like InsecureSkipVerify was turned on. You still have some additional work, configuring a transparent proxy and setting up mitmproxy or similar.
  • macos_shell_memory is a CGo implementation of the initial technique put forward by Stephanie Archibald in her blog, Running Executables on macOS From Memory. It includes some convenience patches like prevent the executable's exit() call from killing the Go process.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • link is a command and control framework written in rust (cross platform) that has execute-assembly and other advanced featuers.
  • metarget is a framework providing automatic constructions of vulnerable infrastructures.
  • BlueCloud is a project for cyber range deployment including Velociraptor + HELK system with a Windows VM for security testing and R&D with Azure and AWS terraform support.
  • in-memory-cpython is a mod of cpython that can be run entirely from memory for use in offensive or defensive tooling.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.