Last Week in Security (LWiS) - 2021-10-19

macOS ESF playground (@jbradley89), Azure privesc via service principles (@_wald0), Java gadget finding (@hugow_vincent), malicious Azure AD OAuth2 (@nyxgeek), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-11 to 2021-10-19.



Tools and Exploits

  • Cobalt Strike Sleep Python Bridge. Rejoice! You no longer need to write sleep (a Java/Perl hybrid) to interact with Cobalt Strike. Lots of cool examples of how it can be used in the post. It's only a matter of time before someone writes a nice web GUI for cobalt strike, or writes an integration for Mythic. For prior art, check out pycobalt.
  • The ESF Playground will let you view events from the Apple Endpoint Security Framework on your mac. This is particularly useful when trying to write detections and see how different processes are behaving.
  • ScareCrow v3.0 released. This popular shellcode loader has been updated with more EDR bypass tricks and some bug fixes.
  • Introducing Snowcat: World’s First Dedicated Security Scanner for Istio. Istio is a popular service mesh and Snowcat is a tool to audit it.
  • nosferatu is an lsass NTLM authentication backdoor DLL that is injected into lsass and provides a skeleton key password for all accounts. On domain joined machines SMB, WinRM, and WMI are functional with the skeleton key password, on non-domain joined machines authentication via RDP, runas, and the lock screen also accepts the skeleton key password.
  • AnyDesk Escalation of Privilege (CVE-2021-40854). You've got love a privesc that involves a classic Open dialog -> run cmd.exe path that results in SYSTEM in 2021.
  • LDAPmonitor monitors creation, deletion and changes to LDAP objects live during your pentest or system administration!
  • Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted. Probably want to review the code before use (same goes for all tools).
  • WPBT-Builder is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell. This is a PoC for Everyone Gets a Rootkit.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • EDRHunt scans Windows services, drivers, processes, registry for installed EDRs (Endpoint Detection And Response). Read more about EDRHunt here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.