Sep 19 2023 Last Week in Security (LWiS) - 2023-09-19

Cobalt Strike 4.9, 38TB of internal MS data, a crazy phish, an Okta toolkit, macOS LPE, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-11 to 2023-09-19.

News

SMB NTLM blocking now supported in Windows Insider. The beginning of the end for NTLM relay attacks, but you know enterprise will still have it enabled for "legacy" support for 20 years.
WASI support in Go. The Sliver crew is already looking at doing fun things with this.
When MFA isn't actually MFA. "The caller claimed to be one of the members of the IT team, and deepfaked our employee'≈s actual voice." It finally happened. It's time to buy hardware keys for all your employees. There is no better defense against this type of advanced attack.
38TB of data accidentally exposed by Microsoft AI researchers. In the cloud, a signed URL can become a single factor that exposes a lot of data.
Fileless Remote Code Execution on Juniper Firewalls. I can't decide if we should laugh or cry. Firewalls, do your one job!
Cobalt Strike 4.9: Take Me To Your Loader. The Forta team is working hard to make Cobalt Strike even more modular as well as a bunch of other great enhancements.

Techniques and Write-ups

Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter. Detailed write up of how to use a file delete for much more than denial of service.
Azure Active Directory Domain Services Escalation of Privilege. Curious if the patch was just the PetitPotam patch...
Bypassing UAC with SSPI Datagram Contexts. It's messy in the PoC state (creates a service) but a nice UAC bypass.
Attacking an EDR - Part 2. With EDR going to the cloud for the heavy lifting in detection, if you can tamper with that network traffic, you can often blind the EDR.
Using AI for extracting Usernames, Emails, Phone Numbers, and Personal Names from large datasets. Neat, but you'll need a local model to operate on any sensitive data.
Hypervisor Detection with SystemHypervisorDetailInformation. Detect those sandboxes a little easier with cpuid - A class to emulate the behavior of NtQuerySystemInformation when passed the SystemHypervisorDetailInformation information class.
Okta for Red Teamers - This is fuego 🔥. The addition of a SAML authentication endpoint has been used by threat actors recently.
CVE-2023-38146: Arbitrary Code Execution via Windows Themes. Looks like the fix might be incomplete - more research needed here! The PoC is: themebleed.
Peeling back the curtain with call stacks. The elastic team has been on a good run recently with very technical posts.
I hacked macOS!!! CVE-2022-32947 - With Lina✨ & Cyan💎. Very creative site to explain an extremely technical exploit. The final "demo" is impressive. Some people are truly wizards and Lina is one of them.
Android 14 Still Allows Modification of System Certificates. Lots of claims stating Android 14 would break TLS interception, turns out, its still possible.
The Not So Pleasant Password Manager. Some tough restrictions on XXS were bypassed to successfully leak credentials.

Tools and Exploits

EchoDrv - Exploitation of echo_driver.sys.
Caro-Kann - Encrypted shellcode Injection to avoid Kernel triggered memory scans
malrdp-deploy - Automated (kinda) deployment of MalRDP infrastructure with Terraform & Ansible
Periscope - Fully Integrated Adversarial Operations Toolkit (C2, stagers, agents, ephemeral infrastructure, phishing engine, and automation). Note: purposely broken by the author.
NetExec - Crack Map Exec fork with different maintainers. Queue the drama.
POSTDump is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

donut-decryptor - Retrieve inner payloads from Donut samples
TierZeroTable - About Table of AD and Azure assets and whether they belong to Tier Zero
Evilginx3-Phishlets - This repository provides penetration testers and red teams with an extensive collection of dynamic phishing templates designed specifically for use with Evilginx3.
tracker-radar - Good for OSINT.
GPOZaurr - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
electroniz3r - Take over macOS Electron apps' TCC permissions.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.