Last Week in Security (LWiS) - 2022-09-12

Avoiding memory scanners (@kyleavery_), EvilnoVNC critiques (@TheXC3LL), Athena 0.2 (@checkymander), Monkey365 (@tr1ana), reFlutter (@lmpact_l), gTunnel/SOCKS (@greycatsecurity + @hotnops), cobaltstrike-headless (@codex_tf2), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-06 to 2022-09-12.


Techniques and Write-ups

Tools and Exploits

  • Athena v0.2. A big update to an up and coming Mythic C2 agent.
  • pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfblockerNG pages from WAN. Patched in 2022-06, its still a bad vulnerability. Poc here.
  • QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
  • Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
  • Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
  • Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting.
  • cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
  • CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
  • TangledWinExec - This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
  • chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies.
  • autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
  • evilgophish - evilginx2 + gophish.
  • rust_syscalls Single stub direct and indirect syscalling with runtime SSN resolving for windows.
  • HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
  • TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
  • buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
  • wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
  • Ekko_CFG_Bypass A PoC for adding NtContinue to CFG allowed list in order to make Ekko work in a CFG protected process

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.