Last Week in Security (LWiS) - 2021-07-26

User readable SAM hives (@jonasLyk and @cube0x0), PetitPotam takes off (@topotam77), Smart AD bruteforcing (@_nwodtuhs and @podalirius_), automated advanced maldocs (@33y0re), Windows command line obfuscation (@Wietze), dockerized Android (@sickcodes), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-19 to 2021-07-26.

News

  • Updates Regarding VSA Security Incident. Kaseya got their hands on a universal decryptor for the ransomware that hit thousands of their customers on the Friday before the July 4th holiday in the US. They state "in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor." That leaves two possibilities: someone found a flaw in the encryption scheme used by a professional ransomware crew with years of experience, or someone acquired the universal decryptor key without paying for it (a leak, a hack, a deal to avoid arrest by the FSB, etc.). If there was a flaw in the encryption, have researchers been sitting on it, the way the Allies let ships be sunk after breaking the Enigma cipher in WWII? Was the Kaseya incident big enough to "burn" the technique? With the disappearance of REvil's public infrastructure, I suspect the FSB came knocking, demanded the key, and told them to take a nice vacation on the Black Sea while things cool off.
  • OpenVPN Security Improvements and Changes. Two Ukrainian Windscribe VPN servers were seized, and since they were unencrypted and had persistent disks, the authorities got hold of the OpenVPN private keys. In the age of ubiquitous HTTPS and HSTS preloading, VPNs are effective against a very specific threat model and are probably unnecessary for most people (despite what the YouTube ads will tell you).
  • CVE-2021-36934 aka HiveNightmare aka SeriousSAM. For some reason, Windows 10 starting with 1809 and Server 2019 changed the access control lists on the SAM, SYSTEM, and SECURITY hive files so that regular users can read them. The live files are normally held open by the OS, but if the system has volume shadow copies (VSS), the hives are readable from the shadow copy, which hands a low-privileged user the local password hashes and everything needed to decrypt them. Check out cube0x0's CVE-2021-36934 to enumerate shadow copies and read the hives from them in memory, and this Velociraptor query to hunt for it.
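
The vulnerability needs two things at once: the bad ACL on the hive files and a shadow copy that still carries it. The script below is an added example, not code from the LWiS post, the CVE-2021-36934 PoC, or the Velociraptor query. It checks both preconditions the way the PoCs do (BUILTIN\Users with a read ACE on the live hives, then probing `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` paths as the current user) and, with `-Remediate`, applies Microsoft's published workaround of restoring ACL inheritance on the config directory and deleting existing shadow copies. The script name, the `-Remediate` and `-MaxShadowIndex` parameters, and the probe limit of 20 are assumptions for this example.

```powershell
# Added example (Test-HiveNightmare.ps1, hypothetical name); not from the original post or PoCs.
# Checks a host for the two preconditions of HiveNightmare / SeriousSAM (CVE-2021-36934) and can
# apply Microsoft's published workaround. Run elevated for the -Remediate path.
[CmdletBinding()]
param(
    # Apply the workaround. Assumption: you accept losing existing shadow copies / restore points.
    [switch]$Remediate,
    # How many HarddiskVolumeShadowCopyN device names to probe (attacker PoCs simply iterate).
    [int]$MaxShadowIndex = 20
)

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so the check works on localized Windows
$hives    = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAclExposed {
    # Precondition 1: BUILTIN\Users holds an Allow ACE granting ReadData on the live hive file.
    # (The buggy ACE is "Users: RX"; ReadAndExecute includes ReadData.)
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $usersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Test-ShadowHiveReadable {
    # Precondition 2: a shadow copy exists and the *current* user can read SAM out of it.
    # cmd.exe accepts the \\?\GLOBALROOT device path; copying to NUL reads the file without
    # writing anything to disk, so a zero exit code means the hive is readable to this user.
    param([int]$Index)
    $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$Index\Windows\System32\config\SAM"
    $null = cmd.exe /c "copy `"$p`" NUL" 2>&1
    return ($LASTEXITCODE -eq 0)
}

$exposedHives    = @($hives | Where-Object { Test-HiveAclExposed -Path $_ })
$readableShadows = @(1..$MaxShadowIndex | Where-Object { Test-ShadowHiveReadable -Index $_ })

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity

[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    RunAs                  = $identity.Name
    IsAdmin                = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    HivesWithUsersRead     = $exposedHives
    ShadowsWithReadableSAM = $readableShadows
    # Only exploitable when both hold: a bad ACL alone is blocked by the hive lock on the live file.
    Exploitable            = ($exposedHives.Count -gt 0 -and $readableShadows.Count -gt 0)
}

if ($Remediate) {
    # Microsoft's workaround for CVE-2021-36934: re-enable ACL inheritance on the config directory,
    # then delete the shadow copies that still carry the old, readable ACL. The second step also
    # removes System Restore points, so take a fresh backup first.
    icacls "$env:windir\system32\config\*.*" /inheritance:e
    vssadmin delete shadows /for=$env:SystemDrive /quiet
}
```

Run it first as a plain domain user: if `ShadowsWithReadableSAM` comes back non-empty, the host is exploitable right now, independent of what the ACL on the live files looks like, because the shadow copy froze the old ACL. Fixing the ACL without deleting (or recreating) the shadow copies leaves the hashes readable, which is why the remediation does both.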

Techniques

Tools and Exploits

  • Beaconator is an aggressor script for Cobalt Strike that generates raw stageless shellcode and packs it with PEzor.
  • smartbrute is a smart password spraying and bruteforcing tool for Active Directory Domain Services. It supports NTLM over SMB or LDAP as well as Kerberos pre-authentication bruteforcing, and in smart mode it reads the domain's lockout policy and users' bad-password counts so sprays stay below the lockout threshold.
  • inno-shellcode-example is an Inno Setup template that runs shellcode. How easy is it to convince a user they need to install Zoom, Adobe Reader XYZ, or whatever-app to join your meeting, read your document, etc.? Now you can hand them a legitimate-looking installer with some extra shellcode injection.
  • Medusa is a cross-platform C2 agent for Mythic that runs on Python 2.7 and 3.8. This new agent has some nice features, but it does require Python (just a base install) on the target.
  • LittleCorporal is a C# automated maldoc generator. It uses a two-step process: an AutoOpen macro first self-injects into Word, then injects the real payload from Word into a running process. The use of InlineShape and automated building is just the cherry on top.
  • ppmap is a scanner/exploitation tool written in Go that leverages prototype pollution to reach XSS by exploiting known gadgets. Use this on your next web app assessment or bug bounty.
  • dock-droid is dockerized Android. Run QEMU Android x86 and Android ARM in a Docker container with X11 forwarding. This could be useful for Android CI/CD or for poking at Android apps "live."
  • BadAssMacros is an automated malicious macro generator written in C# with capabilities like VBA purging, sandbox detection, and shellcode obfuscation.
  • RemotePotato0 Cross Session Activation. Version 1.1 drops the session 0 requirement; you can now coerce and relay the NTLM authentication of any logged-on user from any session.
  • Detect-Hooks is a proof-of-concept Beacon Object File (BOF) that attempts to detect userland API hooks placed by AV/EDR. The BOF returns a list of detected API hooks or tells the operator that none were detected. This is useful knowledge to have before performing certain post-exploitation actions.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • git-split-diffs brings GitHub style split diffs to your terminal.
  • dorothy is a tool to test security monitoring and detection for Okta environments.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.