Nov 06 2023 Last Week in Security (LWiS) - 2023-11-06

News

• Joint Industry statement of support for Consumer IoT Security Principles. A good idea, but without teeth, what is there to keep these labels honest?
• Post Mortem on Cloudflare Control Plane and Analytics Outage. Perhaps the worst outage in Cloudflare history. Big props for such a timely and technical Post Mortem. It's going to be a busy end of the year for their reliability engineers.
• Introducing HAR Sanitizer: secure HAR sharing - In response to the latest Okta breach, Cloudflare is recommending folks to sanitize their HAR files to minimize attack surface. We wouldn't recommend sending anyone your HAR files but this is a good response and idea for all using HAR files in your debugging workflow. I think think of a couple infosec vendors asking for HAR files for debugging. This was an interesting turn of events.
• SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures. I guess you should actually implement the controls you tell investors you have - allegedly.

Techniques and Write-ups

• Running PEs Inline Without a Console. Woah. It can even run powershell without any process creation.
• Lateral Movement: Abuse the Power of DCOM Excel Application - ActivateMicrosoftApp() method within the DCOM Excel application for lateral movement.
• EC2 User-data to RCE - Instance Metadata Service v1 strikes again. Migrate to SSRF -> Creds -> User-Data -> RCE. Migrate to IMDSv2!
• Welcome to the Offensive ML Framework - Excited to see if this project gets some traction. They're keeping tabs of ML use cases in offsec.
• Phishing With Dynamite - Pretty nifty implementation of phishing users in accessing an environment you control via the browser. Similar to phishing with noVNC by Mr.d0x.
• By-design AV bypass with "dev drive" - Probably good for a few weeks. Interesting feature by MSFT. Walkthrough of Dev Drive on Windows 11.
• Data-Bouncing - The art of indirect exfiltration. - "....by directing web requests to certain domains that process hostnames in headers, you can relay small pieces of data to your DNS listener, allowing you to collect and reconstruct data, be it strings, files, or anything else." Using web requests to "font" a DNS request. Good to get data out of restrictive network - slowly.
• LDAP authentication in Active Directory environments. Great low level detail on how LDAP works and can be protected, and how to patch your tools to incorporate the new protections and continue working.
• Old CVEs Leading to New Vulns - Reverse Engineering TrendNet-731BRv1. Always educational to see someone else's though process as the take a known vulnerability and recreate an exploit for it.
• Citrix Bleed: Leaking Session Tokens with CVE-2023-4966. From patch diff to exploit.
• Building an Exploit for FortiGate Vulnerability CVE-2023-27997. Exploit development content for the FortiGate pre-authentication remote code injection vulnerability.
• LocalPotato HTTP edition. Another potato LPE. I really appreciate the lab setup section.
• Cisco IOS XE CVE-2023-20198: Deep Dive and POC. Not much of a deep dive as the exploit is simple.
• Fuzzer Development: The Soul of a New Machine. Develop a fuzzer from scratch? Impressive.
• Introducing CS2BR pt. III - Knees deep in Binary. I love authors that post their process even when it does not end in success. We learn a lot from failure!
• Persistence - Windows Telemetry. Another LOLBin and persistence mechanism.

Tools and Exploits

• Defender-Exclusions-Creator-BOF - A BOF to add or remove Windows Defender exclusions.
• cookie-monster - BOF to steal browser cookies.
• GhostTask - Create/modify scheduled tasks directly in the registry to avoid event logs and alerts.
• LdrLockLiberator - A collection of techniques for escaping or otherwise forgoing Loader Lock while executing your code from DllMain.
• Kernel_VADInjector - Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver.
• maliciousCodeMatchingMFA - A small executable to trick a user to authenticate using code matching MFA.
• PsMapExec - The cme saga continues. This project is in powershell and inspired by CrackMapExec.
• cuddlephish - Weaponized Browser-in-the-Middle (BitM) for Penetration Testers.
• pandora - A red team tool that assists into extracting/dumping master credentials and/or entries from different password managers.
• WIP Mockingjay BOF Conversion - Cobalt Strike Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique.
• LdrLibraryEx - A small x64 library to load dll's into memory.
• ReleaseTheHounds - Tool to upload large datasets and interact with BloodHound CE API.
• sshx - A secure web-based, collaborative terminal.
• DayBird - Extension functionality for the NightHawk operator client.
• porch-pirate - Porch Pirate is the most comprehensive recon / OSINT client and framework for Postman that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams. Porch Pirate can be used as a client or be incorporated into your own applications.
• NerfDefender - BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• hashcathelper - Got some creds? Has a couple different modules. One allows operators to insert new relationships into an existing BloodHound database such as when users have the same password. Improve those screenshots!
• postleaks - Search for sensitive data in Postman public library.
• OffensiveGo - Looking to do some offensive dev in go? Start here. Notable golang tools at the bottom such as sliver and merlin.
• Hijacking Someone Else's DCSync - Friendly reminder that your AADConnect server are tier 0 assets. Pwn the AADConnect server -> wait for cloud takeoff -> catch hashes in flight.
• Mido - The Secure Microsoft Windows Downloader.
• Exploring SCCM by Unobfuscating Network Access Accounts - These Network Access Accounts (NAA) accounts have been very fruitful lately...
• PyMeta - Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
• LME - Logging Made Easy (LME) is a free and open logging and protective monitoring solution serving all organizations. Good resource for a detection lab (RIP), but very manual setup.
• Get-LoggedOn.py - Lookup logged in users using itm4n's session enum via registry.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.