Nov 16 2021 Last Week in Security (LWiS) - 2021-11-16

News

• Hoax Email Blast Abused Poor Coding in FBI Website. A series of blunders allowed a hacker to send tens of thousands of emails from an FBI mail server to arbitrary addresses with arbitrary content. Not a good look for the FBI.
• CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces. Another unauthenticated RCE as root in a gateway device. Thankfully this "only" affects older PAN-OS 8.1-8.1.17 devices. The interesting bit is how this was found by a red team and used privately for ~8 months before disclosure. Their rationale is here (official) and here (reddit). Technical details will be released 2021-12-10.
• ClusterFuzzLite: Continuous fuzzing for all. After the success of OSS-fuzz, Google is releasing an "easy to use" fuzzing workflow: "ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed."

Techniques

• Windows Security Updates for Hackers. This is the one stop shop for all information related to Windows releases, updates, and tools to find missing patches. Bookmark it.
• Becoming A Super Admin In Someone Else's Gsuite Organization And Taking It Over With a few edited requests in Google Domains you could add yourself to arbitrary GSuite customers as a Super Admin. Great find! PoC video here.
• Analyzing a watering hole campaign using macOS exploits. macOS is making gains in the consumer market, and thus is getting attention from threat actors. The targets and geography leave little to imagination in terms of attributions. More and more 0days are being used to target activists these days, how dystopian. For more details check out SentielOne's analysis of macOS.Macma.
• Malware Analysis: Syscalls. These malware analysis posts should serve to enlighten the reader as to how their own tools may look from the "other side."
• Kernel Karnage – Part 3 (Challenge Accepted). To fight kernel driver EDR, you must be come kernel driver EDR?
• Golden Certificate. DCShadow and Golden Tickets getting too popular/detectable? If the environment is running Active Directory Certification Services (AD CS) you can mint a "Golden Certificate" instead.
• Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications. This post is an exemplar of how to think more about a technique is uses and design detections around it vs an easily bypassed signature.
• AutoPoC - Validating the Lack of Validation in PoCs. From HoneyPoC to AutoPoC, Andy has exposed more "threat intelligence" scripts "products" and "professionals" than anyone. It's pretty crazy to see the amount of trust some people have in random GitHub projects.
• Implementing Shellcode Retrieval. The inceptor framework can now abstract how shellcode is delivered to the loader so it can be store in arbitrary formats like UUIDs.

Tools and Exploits

• lsarelayx is system wide NTLM relay tool designed to relay incoming NTLM based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB. The original application still gets its authentication and there are no errors for the user. This is the next generation of NTLM relaying - with the important caveat of loading into lsass.
• ExternalC2.NET is a .NET implementation of Cobalt Strike's External C2 Spec. This could be the basis for your own C2 channel written in C# that uses any medium you can interface with via C# - think services like Slack, Google Drive, Twitter, etc.
• Living Off Trusted Sites (LOTS) Project. Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain to host content that may be used as a C2 channel, phishing site, file host, or data exfiltration destination.
• blacksmith is a next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns. Read this blog post for more information. Bypassing password logic for sudo in ~5-30 minutes is pretty impressive.
• rpcfirewall is a firewall for Windows RPC that can be used for research, attack detection, and attack prevention.
• Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
• bloodyAD is an Active Directory Privilege Escalation Framework that can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc. It supports authentication using password, NTLM hashes or Kerberos.
• skweez spiders web pages and extracts words for wordlist generation.
• LocalDllParse checks all loaded Dlls in the current process for a version resource. Useful for identifying EDRs on a system without making calls out of the current process and avoids all commonly monitored API calls.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• kerbmon pulls the current state of the Service Principal Name (SPN) records and sAMAccounts that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). It stores these results in a SQLite3 database.
• NSGenCS is an extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.