Last Week in Security (LWiS) - 2021-06-14
Decrypting Veeam passwords (@checkymander), bypass Windows kASLR (@33y0re), Code > Commands (@TheXC3LL), AWS SSO phishing (@christophetd), forest trust 🧙♂️ (@_dirkjan), syscall detection bypass (@passthehashbrwn), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-06-08 to 2021-06-14.
News
- How Hackers Used Slack to Break into EA Games. Nothing crazy here, but the "just ask" principle works more often than not. Most people like to be helpful, and attackers can exploit that helpfulness for access if unchecked.
Techniques
- Decrypting VEEAM Passwords. Veeam is used in many organizations for critical systems backup (i.e. VMware virtual machines like DCs) and so the built in credential manager is a great red team target.
- Offensive Approach to Online Sandboxes #1 – ANY.RUN & Testing With MSP. The ANY.RUN sandbox is an amazing tool for quickly getting a handle on what a process does, but it doesn't make much of an effort to hide itself. This post gives good detail on how you can detect being run in an ANY.RUN sandbox, as well as a trick to extend the time you can run up to nearly 2 hours.
- Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 1. Conor is an inspiration. Take the time to read his posts, even if it's to just motivate yourself to dig into hard problems - or to learn about the out-of-bounds read and kASLR bypass from low integrity, thats pretty cool too.
- Don't use commands, use code: the tale of Netsh & PortProxy. This kind of exploration and development is what separates good red teams from groups of people who know how to use tools. It also helps bypass solutions that signature the "easy" way to do things.
- Phishing for AWS credentials via AWS SSO device code authentication. As more things move to the cloud, this type of phishing will not only become more common, but more impactful. In this case, an attacker can pre-generate an AWS SSO link and send that to a user. The attacker then has an hour after the user authenticates to do whatever/persist/escalate.
- Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass. This post explores a way to exploit cross forest trusts by forging an entire domain, and includes some hidden gems along the way - like the use of Frida to patch in a different SID in lsass or the LsarLookupNames3 trick to get the SID of remote machine's local domain.
- Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes. When I talked about "fancy AI/ML" in my DEF CON talk this is what I had in mind. Using Zeek and ML for anomaly detections, JA3 hash outliers can be used as a data point to warrant more investigation (or not).
- Hiding your syscalls. In the cat and mouse game of hooking and direct syscalling, this is the next step (for the mouse). By reading a valid (unhooked) syscall instruction and then dynamically patching that address into stubs at runtime, this technique should bypass any static "uses-direct-syscalls" signatures. Code here. A similar method is used in FreshyCalls. Your move AV.
- Proxy Windows Tooling via SOCKS. What's the best way to keep from having a tool caught on target? Don't run it on target! This post goes over how to tunnel the most common windows tools using Proxifier.
- Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug. This old bug is only present in newer distributions because of how polkit was implemented in Debian and Debian forks (i.e. Ubuntu).
- Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor. This method of finding privescs isn't "new" but that doesn't mean it isn't effective. Check out the filter here.
Tools and Exploits
- CVE-2021-33739-POC is an exploit for the Microsoft DWM Core Library Elevation of Privilege Vulnerability (Windows 10 1909 to 20H2 and Server Core 2004/20H2). You'll probably want to swap the included shellcode and test in a disposable VM!
- MonitorUI is a GUI for Objective-See's ProcessMonitor tool for macOS.
- Celeborn is a Userland API Unhooker developed for learning Windows APIs and Syscall implementations. It mainly detects and patches hooking instructions in NTDLL.dll file. Written in C, targeting Windows.
- Melkor is able to read .Net assemblies and encrypt them in memory using DPAPI with the CRYPTPROTECT_LOCAL_MACHINE flag. These assemblies are kept encrypted when they are at rest. On demand Melkor can decrypt the assemblies and execute methods from them in a separate AppDomain. Once execution finishes the AppDomain is unloaded and only the encrypted assembly remains in memory.
- SharpHook is inspired by the SharpRDPThief project. It uses various API hooks in order to output the desired credentials.
- WindowsPermsPoC is a simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows. This is possible because of the way WriteProcessMemory works and the fact developers can disable DEP for their own programs. The end result is you can write and execute from READ_ONLY tagged memory. Only on windows...
- SharpTeamsDump is a .Net implementation of the research published here. Note that is extracts messages from a log file on disk, not by interacting with Teams itself.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- adalanche is a bloodhound-like active directory explorer written in Go. While it cannot ingest standard sharphound data, it does have its own collection mechanism.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.