Last Week in Security (LWiS) - 2022-01-10
More JDNI to RCE (@jfrog), parallel loader (@peterwintrsmith and @cube0x0), MS signed phishing docs (@ptrpieter and @_DaWouw), IP-takeover vulns (@sebsalla), driver loading BOF dev (@cerbersec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.
News
- RCE in H2 Console. With all the dust kicked up by the JDNI injection log4j RCE, you just knew that someone would find JDNI injection elsewhere. "There are bound to be more packages that are affected by the same root cause as Log4Shell.".
Techniques
- EDR Parallel-asis through Analysis. "During the development of the Nighthawk C2 MDSec stumbled upon what appears to be a new and novel technique for identifying syscall numbers for certain syscalls which may then be used to load a new copy of ntdll into memory, allowing the remaining syscalls to be read successfully without triggering any installed function hooks." Is this whole post a humble-brag/sales pitch for Nighthawk? Maybe. But I'll gladly take high quality research and PoCs to prove how cool Nighthawk is. Want it in C#? say no more.
- Domain Persistence – AdminSDHolder. The special AdminSDHolder ACL is applied to all groups and accounts that are part of that object every hour, enabling permissions to be continuously restored to an account if detected by the blue team.
- Domain Escalation – sAMAccountName Spoofing. The sAMAccountName/noPac attack dropped last month, but this post shows multiple tools/attack methods to exploit it in practice. TrustedSec has a good blog post on detection opportunities.
- A phishing document signed by Microsoft – part 2. Microsoft signed add-ins are back, and have vulnerabilities. A string of bugs/features were used/abused to enable remote XLL loading. At this point I'm not sure anyone outside of Redmond, WA knows more about office document internals than Pieter, Dima, and the team at Outflank.
- Scanning millions of domains and compromising the email supply chain of Australia's most respected institutions. The use a AWS Lambda and DynamoDB for distributed scanning was clever, but the number sites where SPF/DMARC checks passed just with some light EC2 cycling to get proper IPs was frightening. Very cool research!
- Kernel Karnage – Part 8 (Getting Around DSE). This serious has been great so far, and now that real world protections are turned back on it's really getting good. There is no PoC dropped, but enough code to get you pretty far in your own driver loading BOF adventures. Keep up the great work @cerbersec.
- Get expert training on advanced hunting. This is a great collection of MS defender for endpoint and KQL training.
- Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice. If you ever need to be really sure no one has intercepted your package, this is a cool option.
- Staging Cobalt Strike with mTLS using Caddy. Staging is a bad idea. But what if you protected your staging endpoint with mTLS? You'd end up with CaddyStager!
Tools and Exploits
- inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
- rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
- insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
- SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
- PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
- Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
- defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
- domains is (probably) the world’s single largest Internet domains dataset.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.