Last Week in Security (LWiS) - 2021-08-09

Cobalt Strike Updates (@joevest, @adamsvoboda), ProxyShell [another exchange RCE] (@orange_8361). DeployPrinterNightmare (@Flangvik), Pulse Connect patch bypass (@buffaloverflow), Snapcraft App exploitation (@itszn13), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-02 to 2021-08-09.

News

Techniques

Tools and Exploits

  • DeployPrinterNightmare is a C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
  • whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
  • Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). This is the toolset promised with the release of Certified Pre-Owned: Abusing Active Directory Certificate Services in June of 2021. A recent post covered the attacks in more practical terms.
  • EyeWitnessTheFitness is a combination of EyeWitness (web screenshot OSINT tool) and fireprox (IP rotation proxy via AWS API gateway) that only uses one fireprox API for all EyeWitness targets.
  • SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc) without invalidating or breaking the existing signature. This looks particularly nasty and is used by APT 10.
  • SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. This tool was released along side the talk Operation Bypass Catch My Payload If You Can.
  • BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. Check out IsBeaconProcess to make sure your beacon wouldn't get picked up.
  • concealed_position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.
  • haklistgen is a tool that turns any junk text into a usable wordlist for brute-forcing (subdomains, words in HTTP response, etc).

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • RegExp is a replacement for the Windows built-in Regedit.exe tool. Improvements over that tool includes many enhanced features.
  • reverse-ssh is a A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access.
  • dnsmonster is a passive DNS collection and monitoring built with Golang, Clickhouse and Grafana. This is a scalable solution to do enterprise DNS monitoring.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.