Last Week in Security (LWiS) - 2021-09-07

Mental models for offsec dev (@Jackson_T), lockscreen bypass (@KLINIX5), DLL hijacking/cloning (@Jean_Maes_1994), AV evasion framework (@bb_hacks), jailbreak detection defeat (@_Kc57), Kernel drivers against EDR (@synzack21), Golden SAML (@inversecos), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-08-23 to 2021-09-07.

News

Techniques

  • Operational Mental Models. After releasing the EDR Sensor Evasion Flowchart, @Jackson_T is back with another meta-assessment post about the frameworks and models for offensive research and development.
  • ZDI-21-1053: Bypassing Windows Lock Screen. The Ease of Access screen reader is used once again to execute binaries from a USB drive and run code even while the screen of a Windows 10 computer is locked. PoC video here.
  • From RpcView to PetitPotam. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.
  • Introducing Process Hiving & RunPE. "This blog introduces innovative techniques and is a must have tool for the red team arsenal. RunPE is a .NET assembly that uses a technique called Process Hiving to manually load an unmanaged executable into memory along with all its dependencies, run that executable with arguments passed at runtime, including capturing any output, before cleaning up and restoring memory to hide any trace that it was run." A solid PE runner is a must-have in every red team toolkit. Code here.
  • %appdata% is a mistake – Introducing Invoke-DLLClone. DLL hijacking isn't new but darn if it isn't effective still. The new Invoke-DLLClone is worth a look!
  • Obsidian, Taming a Collective Consciousness. Red team knowledge management is a topic I am all too familiar with (imagine the data that powers this blog...). This post shows a "flat" markdown note based approach that uses Obsidian.
  • Widespread credential phishing campaign abuses open redirector links. Most commercial email providers scan links for reputation and can prevent phishing links from being opened. Attackers are now using open redirects on "trusted" sites to bypass these protections and deliver their payloads/load their pages. These are also combined with reCAPTCHA protections to prevent automated scanning.
  • Backdoor Office 365 and Active Directory - Golden SAML. This quick post shows the 8 steps to generate a golden SAML token as well as some detections.
  • Blinding EDR On Windows. This is a great post that brings together a lot of information about AV/EDR as well as kernel drivers, driver signing, and how to use kernel drivers against EDRs.

Tools and Exploits

  • Quick Tunnels: Anytime, Anywhere. Cloudflare tunnels are available without an account. They use 4x HTTPS connections to Cloudflare IPs to tunnel traffic to anything the cloudflared binary can reach. Consider this a more trusted version of ngrok. "Unless you delete them, Tunnels can live for months." Defenders, look for update.argotunnel.com, h2.cftunnel.com, and trycloudflare.com based on my testing.
  • RCE-0-day-for-GhostScript-9.50. This 0-day exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with default settings of ImageMagick on Ubuntu 20.04). More info here.
  • LiquidSnake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory; the .NET assembly will listen for shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.
  • NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. More information at The Birth of NSGenCS.
  • AWS ReadOnlyAccess: Not Even Once. ReadOnlyAccess sounds secure, but it can cause a false sense of security and is usually too broad for whatever is actually needed.
  • OpenBMC: remote code execution in netipmid. IPMI is a very powerful interface with tons of bugs. Add this RCE to your next internal assessment bag of tricks.
  • iHide is a utility for hiding jailbreaks from iOS applications. This can be a huge help when doing security assessments on applications with pesky jailbreak detection. See the blog post for more info.
  • PR0CESS has a few projects for interesting PE loading techniques.
  • CVE-2021-33909 is a Linux LPE for Sequoia.
  • laurel is a tool to transform Linux Audit logs into JSON for SIEM usage.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • packetsifterTool is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.
  • zuthaka is a collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
  • JadedWraith is a powerful backdoor capable of either listening on a TCP port or sniffing packets for a "magic" ICMP packet instructing the backdoor to either callback or listen.
  • beacon_health_check is an aggressor script that uses a beacon's note field to indicate the health status of a beacon.
  • Khepri is a post-exploitation tool written in Golang and C++, with architecture and usage like Cobalt Strike. So much like Cobalt Strike that a casual look at the screenshot could confuse the two!
  • ockam is a library for end-to-end encryption and mutual authentication for distributed applications.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.