Last Week in Security (LWiS) - 2023-10-03
Nighthawk update (@MDSecLabs), Teams external splash bypass, MSI LPEs, and Zip+LNKs (@pfiatde), SCCM takeover (@_Mayyhem), .NET obfuscation (@eversinc33), JonMon (@jsecurity101), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-19 to 2023-10-03.
News
- From ScreenConnect to Hive Ransomware in 61 hours. Solid write-up of how traitorware wreaks havoc.
- Nighthawk 0.2.6 - Three Wise Monkeys. The C2 wars continue. New Nighthawk version introduces API call stack masking.
- [PDF] People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Cisco vuln leads to firmware backdoors by PRC. The decision to not share the actual trigger packet is unfortunate for defenders.
- Encrypted Client Hello - the last puzzle piece to privacy. A wise man once said Domain fronting is dead, long live domain fronting. This is very similar to my 2020 talk, except all sites share the cloudflare-ech.com unencrypted SNI value vs being able to spoof it.
- Default outbound access for VMs in Azure will be retired — transition to a new method of internet access. This is how AWS has always worked - you need a NAT gateway.
- Cloudflare is free of CAPTCHAs; Turnstile is free for everyone. Let the cat-and-mouse bot vs anti-bot wars continue!
Techniques and Write-ups
- JA4+ Network Fingerprinting. The evolution of the JA3, JA3S, and JARM fingerprints. Break out Cloak to blend in. You're proxying your C2 traffic via legitimate web servers to blend in already right?
- AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp. Pretty cool report/find!
- Bypass Two-Factor Authentication of Facebook Accounts ($25,300). In todays episode of crazy bug...
- Summiting the Pyramid: Level Up Your Analytics. New methodology for detection engineering. "...This methodology shifts the advantage to defenders, even as adversaries evolve, and allows us to change the game on the adversary."
- Active Directory Hardening Series - Part 1 - Disabling NTLMv1 - Last week we reported that SMB NTLM is able to be disabled in the latest insiders builds of Windows 11, now Microsoft is pushing this. Relay those NTLM hashes while you still can!
- SCCM Hierarchy Takeover. "...if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy." SCCM has been a huge are of domain privilege escalation on recent assessments. Due to its complexity, I wager that more attacks will come out of it in the coming months.
- Teams external participant splash screen bypass. Teams external participant splash screen can be bypassed.
- Introducing ntdissector, a swiss army knife for your NTDS.dit files. Blog post to a tool release. The tool convert an NTDS file to well formatted JSON objects.
- EDR Evasion Part II: Your very own Scarecrow. A guide on what are some changes you can make to Scarecrow to evade EDRs. Part one of this series did a good job of walking through the capabilities of ScareCrow.
- A Thousand Sails, One Harbor - C2 Infra on Azure. Operational guidance on using Azure to hide your C2. Domain fronting in Azure is back on the menu!
- .NET Assembly Obfuscation for Memory Scanner Evasion. Having an automated way to obfuscate your payloads is becoming expected for moderately advanced red teams. How does your pipeline compare?
- Home Grown Red Team: LNK Phishing Revisited In 2023. Threat actors are using lnks with some truly gross command lines to great effect. This post has some alternative techniques for lnk based initial access.
- [P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023-29357 & CVE-2023-24955). Wow. Makes you wonder what else has unauth RCE waiting to be discovered.
- nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248). More good exploitation content from Star Labs; this time a nice Linux 6.2 LPE.
- Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More. GitHub actions and other types of CI/CD can be setup to run on pull requests or other actions where others control the code. Make sure they are appropriately locked down!
- MSIFortune - LPE with MSI Installers. Some excellent LPE ideas and even initial access ideas in this post.
- ZipLink - Combine Zips and Lnk for fun and profit. If the above was giving you ideas for initial access, check this post. A few clicks (zip + pop up), but not bad!
- Exploiting stale ADIDNS entries. Some fun DNS based tricks for domain compromise.
- A problem with .NET Self-Contained Apps and how to pop calculators in dnSpy. Update your dnSpy or get pop'd in the NK's next campaign targeting security researchers.
Tools and Exploits
- ExtractBitlockerKeys - Post-ex script to automatically extract the bitlocker recovery keys from a domain.
- transitiveObjectControl.py - Given transitive object control: output info on last hop, chain length, and type.
- MaldevAcademyLdr.1 - The team at Maldev Academy drop their first "openly released" loader.
- LOLBins- The LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) is a project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion in a graphical and digestible format for the TIPs platform using the STIX format.
- proxy_calls - Proof of Concept - Custom Call Stack for LoadLibrary with TrySubmitThreadpoolCallback/TpSimpleTryPost.
- LDAPWordlistHarvester - A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
- REC2 - New rust-based C2 (Yes another C2). Uses VirusTotal and Mastodon APIs.
- HeaderLessPE - A memory PE loading technique using HVNC.
- CVE-2023-29357- Patched June 2023 but... Microsoft SharePoint Server priv esc.
- JonMon - @jsecurity101 with a tool drop for defenders/attackers. "...collection of open-source telemetry sensors designed to provide users with visibility into the operations and activity of their Windows systems". Add this to your maldev boxes to see what defenders could be collecting on your actions.
- AD_Miner - Use your existing neo4j DB to find some quick wins (may not work well against large environments based on our testing).
- Sub7 - Source code for SubSeven 2.1.3 (if you're feeling nostalgic).
- CVE-2023-32364-macos-app-sandbox-escape - Exploit for CVE-2023-32364.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Windows Hook Events. Short read by Mr. Yosifovich. Discusses the SetWinEventHook API in Windows for intercepting and processing user interface-related events.
- haylxon. Gowitness replacement? Blazing-fast tool to grab screenshots of your domain list right from terminal.
- graftcp. A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
- VcenterKit. vCenter Comprehensive Penetration and Exploitation Toolkit.
- go-exploit. A Go-based Exploit Framework.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.