Last Week in Security (LWiS) - 2022-03-21
Browser in the Browser (@mrd0x), OSINT Map (@MalfratsInd), Rust packer (@verixvogel), local Kerberos to bypass UAC (@tiraniddo), crash to read/write in Chakra (@33y0re), AtlasC2 (@Gr1mmie), detecting Shadow Credentials (@cfalta ), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-14 to 2022-03-21.
News
- Microsoft says Windows 11 File Explorer ads were ‘not intended to be published externally’. Microsoft is slowly turning Windows into a "free to play" operating system. This started with ads in tiles in Windows 8.
- Ides of March – Chariot’s Launch Day. Praetorian launches their continous attack surface monitoring service which looks to be built on Nuclei Templates.
- NPM maintainer targets Russian users with data-wiping ‘protestware’. Another reminder to check your dependency management solution.
- Founder Of Cyberfraud Prevention Company Pleads Guilty To Defrauding Investors Of Over $100 Million. A lot of cybersecurity is snake oil, and this salesman got caught.
Techniques and Write-ups
- Browser In The Browser (BITB) Attack. The creation of false windows inside of browser pages isn't exactly new (see The inception bar) but this is the first time I've seen an fake SSO prompt window. Windows/macOS authentication prompts are also possible - check out @fuzz_sh's work.
- Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 2). Connor is back with part 2 which takes the exploit PoC from a simple crash to a read/write primitive and then to code execution against ChakraCore. ASLR, DEP, and CFG are all on the table as well, so this is an amazing bit of modern exploitation learning.
- Initial Access - Right-To-Left Override [T1036.002]. Not a new technique, but susinctly presented with AV bypasses as well. Code here.
- NotepadExec - Using notepad.exe to launch an EXE without code injection. Right click and "Open" an exe, but programatically.
- Detecting shadow credentials. This post shows how defenders can look into msDS-KeyCredentialLink attributes and the flow to determine if they are legitimate or not.
- Bypassing UAC in the most Complex Way Possible!. Local kerberos funny business with the service control manager on a domain joined machine to bypass UAC? Intersting...
- Arya: The New Tailor-Made EICAR Using Yara. Get "malicious" files from yara rules. These can be the moder EICAR test files of modern purple teams.
- CVE-2022-26500 Veeam Backup & Replication RCE. This is analysis and exploitaiton of the Veeam unauthenticated remote RCE from last week.
Tools and Exploits
- CustomKeyboardLayoutPersistence can achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2. Warning: there is no code related to the uninstallation process in the PoC.
- Group3r can find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
- Malfrat's OSINT Map is an update to the OSINT Framework <https://osintframework.com/>. OSINT-Map is the GitHub repo if you'd like to contribute.
- oxide A PoC packer written in Rust!
- AtlasC2 is a C# C2 Framework centered around Stage 1 operations.
- poro is a tool to scan publicly accessible assets on your AWS cloud environment.
- snoop Secretly record audio and video with chromium based browsers. Be sure to check out VOODOO, the macOS Man in the Browser Framework as well.
- Coeus is an ADSI based Situational Awareness toolkit for domain environments with modularity in mind. Allows for the enumeration of users/groups/computers as well as some common misconfigurations including roasting (AS-REP, kerber) and delegation (Constrained, Unconstrained, RCBD) attacks.
- xepor is a web routing framework for reverse engineers and security researchers, brings the best of mitmproxy & Flask.
- LeakedHandlesFinder is a leaked Windows processes handles identification tool. Useful for identify new LPE vulnerabilities during a pentest or simply as a new research process. Currently supports exploiting (autopwn) procesess leaked handles spawning a new arbitrary process (cmd.exe default).
- AutoSmuggle is a utility to craft HTML smuggled files for Red Team engagements.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- rust_bof. Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc.
- S1EM. This project is a SIEM with SIRP and Threat Intel, all in one.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.