Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-08-07 to 2023-08-29.
- Introducing Python in Excel: The Best of Both Worlds for Data Analysis and Visualization. Looks like macros are back on the menu!
- X33fcon talks. Some good talks this year as usual.
- Microsoft Defender for Identity expands its coverage with new AD CS sensor!. Yes but you have to pay 💰
Techniques and Write-ups
- Living Off the Foreign Land. As EDR gets better, the move is to simply get a reverse SOCKS agent on a target machine and run all the "malware" on the comfort of your own machine. This series is a great intro to the world of "living off the foreign land."
- Real World Examples: The top AVs in the world missed all of these attacks. Some excellent examples of real world phishing documents that are currently getting past most AV.
- Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG. Those bitwise operations will bite ya.
- Smashing the state machine: the true potential of web race conditions. Paper by @albinowax discussing the impact of race conditions and real world use cases (like gitlab) of exploitation.
- LAPS 2.0 Internals. @_xpn_ Dropping some knowledge on how LAPS 2.0 works along with BOF code .
- Demystifying DLL Hijacking. Some insight into some DLL Hijacking detection logic and methodology.
- DLL Notification Injection. New “threadless” process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes.
- Track The Planet. Super cool talk from DEF CON 31. How username enumeration via the Microsoft cloud leads to tracking the world. Talk title is 👌
- A broken marriage. Abusing mixed vendor Kerberos stacks. DEF CON 31 talk -> Blog. Accounts are susceptible to user spoofing when providing Kerberos tickets to *nix based services joined to an Active Directory realm. Gssapi-abuse is the tool section of this post.
- Journey into Windows Kernel Exploitation: The Basics. Driver exploitation and abuse has been around forever. Here's a quick intro.
- SharpSCCM Demos - 2023 Black Hat USA Arsenal. The SCCM train continues. If you have not dove into SCCM abuse primatives, get on it! Don't believe us? Just faster forward to 4:46...
- Site Takeover via SCCM's AdminService API. The SCCM AdminService API is vulnerable to NTLM relaying 🤑
- Offensive Tool Development - The Shellcode Compiler Was Right There All Along.... TLDR; Linker scripts can be used to generate shellcode via C in a fairly platform agnostic way.
- The Client/Server Relationship — A Match Made In Heaven. @exploitph and @jsecurity101 share some insight into detecting Kerberos-based attacks.
- Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping. "...which render sensitive data such as the keystrokes that users type decipherable to network eavesdroppers"
- mTLS: When certificate authentication is done wrong. Any post that starts with an RFC screenshot is going to be a good time. Turns out you can do lots of nasty things with certificate parsing.
- Introducing Cloudflare's 2023 phishing threats report. How would your red team campaigns stack up?
- Naughty Hooking Detoxifying Memory Before Doing Crime. An impressive amount of step-by-step screenshots and basics here.
- Forget vulnerable drivers - Admin is all you need. Perhaps the most exciting research of this post? Tons of fun can be had in the kernel, and if you don't need vulnerable drivers (easy detection point) then its game on...
- DES Is Useful... Sometimes. Probably worth throwing an asktgt with the des option at every DC in your next assessment. Maybe you'll get lucky?
- CVE-2022-41099 - Analysis of a BitLocker Drive Encryption Bypass. There is going to be a long tail on this one as it requires some manual intervention to apply the patch fully.
Tools and Exploits
- Ensemble - A Bug Bounty Platform that allows hunters to issue commands over a geo-distributed cluster. Gives some botnet like feels 🤔.
- ContainYourself - DEF CON 31 Tool. Abuses the Windows containers framework to bypass EDRs.
- NoFilter - DEF CON 31 Tool. Abuses the Windows Filtering Platform for privilege escalation.
- DllNotificationInjection - DEF CON 31 Tool. POC of a new “threadless” process injection technique.
- CloudRecon - DEF CON 31 Tool. Suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts.
- EasyEASM DEF CON 31 Tool. Zero-dollar attack surface management tool. "The industry is dominated by $30k vendors selling "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth" 👀
- gssapi-abuse - DEF CON 31 Tool. Impersonating AD users on *nix based hosts? Noice. Looks like rubeus was updated as well.
- DoubleDrive - BH23 Tool. A fully-undetectable ransomware that utilizes OneDrive to encrypt target files.
- apppoolcreddecrypt - A POC to show how IIS App Pool credentials are decrypted without appcmd.exe.
- NtRemoteLoad - Remote Shellcode injector using indirect native syscalls to inject shellcode into another process (based on HWSyscalls by ShorSec)
- konstellation - Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j. Think Bloodhound for k8s.
- mellon - Open Supervised Device Protocol attack tool (and the Elvish word for friend).
- CVE-2023-36874_BOF - Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE.
- SharpShellPipe - This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- From Domain User to Domain Admin (DA), From DA to Global Admin (GA) - Nice walkthrough of one method of escalating from DA to GA.
- Evade signature-based phishing detections - Quick reminder that evading security controls doesn't always have to be complex. Safe browsing isn't immune.
- ProjectDiscovery Tools in 180 seconds - A bit sales-y but if you don't know about PD tools, this is a quick intro of their open-source tooling and capabilities.
- Vista UAC: The Definitive Guide - UAC under the hood hidden gem from 2008!
- NTDoc - Native API online documentation, based on the System Informer (formerly Process Hacker).
- SSH Cheatsheet - Friendly reminder that when you'll forget SCP/SSH commands
- html-obfuscator - Easily obfuscate your html!
- Nimperiments - Random projects written in Nim. Check out EvilLsassTwin!
- tiny_tracer - A Pin Tool for tracing API calls and instructions.
- windows-api-function-cheatsheets - A reference of Windows API function calls.
- e9patch - Static binary rewriting tool.
- Infinite-Storage-Glitch - I wonder a red teamer would use this for 🤔
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.