Last Week in Security (LWiS) - 2021-06-14

Decrypting Veeam passwords (@checkymander), bypass Windows kASLR (@33y0re), Code > Commands (@TheXC3LL), AWS SSO phishing (@christophetd), forest trust 🧙‍♂️ (@_dirkjan), syscall detection bypass (@passthehashbrwn), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-08 to 2021-06-14.

News

Techniques

Tools and Exploits

  • CVE-2021-33739-POC is an exploit for the Microsoft DWM Core Library Elevation of Privilege Vulnerability (Windows 10 1909 to 20H2 and Server Core 2004/20H2). You'll probably want to swap the included shellcode and test in a disposable VM!
  • MonitorUI is a GUI for Objective-See's ProcessMonitor tool for macOS.
  • Celeborn is a userland API unhooker developed for learning Windows APIs and syscall implementations. It mainly detects and patches hooking instructions in the NTDLL.dll file. Written in C, targeting Windows.
  • Melkor is able to read .Net assemblies and encrypt them in memory using DPAPI with the CRYPTPROTECT_LOCAL_MACHINE flag. These assemblies are kept encrypted when they are at rest. On demand Melkor can decrypt the assemblies and execute methods from them in a separate AppDomain. Once execution finishes the AppDomain is unloaded and only the encrypted assembly remains in memory.
  • SharpHook is inspired by the SharpRDPThief project. It uses various API hooks in order to output the desired credentials.
  • WindowsPermsPoC is a simple PoC to demonstrate that it is possible to write to non-writable memory and execute non-executable memory on Windows. This is possible because of the way WriteProcessMemory works and the fact that developers can disable DEP for their own programs. The end result is that you can write to and execute from READ_ONLY tagged memory. Only on Windows...
  • SharpTeamsDump is a .Net implementation of the research published here. Note that it extracts messages from a log file on disk, not by interacting with Teams itself.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • adalanche is a BloodHound-like Active Directory explorer written in Go. While it cannot ingest standard SharpHound data, it does have its own collection mechanism.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.