Last Week in Security (LWiS) - 2024-02-12
LDAP tradecraft (@domchell), CreateRemoteThread safety (@m417z), Lab automation (@W9HAX), LoFP (@br0k3ns0und), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-07 to 2024-02-12.
News
- End Of General Availability of the free vSphere Hypervisor (ESXi 7.x and 8.x) (2107518) - The end of free vSphere is a great chance to migrate to Proxmox and ludus makes it easy!
- Feds Want to Ban the World's Cutest Hacking Device. Experts Say It's a 'Scapegoat'. Canada has banned the Flipper Zero due to an increase in car thefts where there is no evidence a Flipper Zero was used. 🧐 Here is the tweet announcing it.
- After a tip, ExpressVPN acts swiftly to protect customers - ExpressVPN users could have experienced DNS leaks for the past 2 years. Ouch. "The bug was introduced in ExpressVPN Windows versions 12.23.1 - 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature."
- CVE-2024-23109 - Yes, Fortinet again. Patch ASAP...
- SEC Fines Firms $81M For Off-Channel Communications Lapses - "Sixteen firms are collectively on the hook for more than $81 million to settle SEC charges that they failed to preserve off-channel electronic communications." The SEC is not a fan of personal Signal chats!
- Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline - Mo money mo problems. Some interesting analytics surrounding the crime groups and their profits.
Techniques and Write-ups
- Directory.ReadWrite.All Is Not As Powerful As You Might Think - A deep dive into the MS Graph API. Guaranteed escalations to Global Admin from the RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All roles.
- New attack vectors in EKS - AWS's recent enhancements to its managed Kubernetes service, EKS (EKS Access Entries, Policies, and Pod Identity), introduce potential security risks. This second post in a series explores them and emphasizes the need for least privilege and awareness of the new attack vectors.
- Active Directory Enumeration for Red Teams - Some post-ex LDAP fun by MDSec. There are detection considerations towards the end as well. TL;DR - Blend in where possible or else you'll stick out like a sore thumb. Assuming the defense is looking!
- Conditional Love for AWS Metadata Enumeration - This came with a tool release. An AWS metadata enumeration tool by Daniel Grzelak of Plerion. Use it to enumerate resource tags, account IDs, and org IDs.
- Securing AI: Azure Machine Learning Studio - This post covers the deployment of Machine Learning Studio, the creation of a test training model, and then attacking the AI/ML training infrastructure to deploy persistence. With AI being the hot thing right now, it's nice to see someone shelling some AI tooling.
- [PDF] Insights into Commercial Surveillance Vendors - Google reports on commercial espionage. An interesting read considering their role in society. "Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to Commercial Surveillance Vendors." That's a huge percentage!
- The Crow Flies at Midnight — Exploring Red Team Persistence via AWS Lex Chatbots - Use AWS Lex chatbot as a persistence method for your ops. The blog post details the steps to modify a Lex bot to exfiltrate credentials as well.
- Fake LastPass password manager spotted on Apple's App Store - Insert creds everywhere meme. Not sure how this gets by Apple but LastPass can't catch a break!
- Sudo On Windows a Quick Rundown - An overview of the newly introduced sudo command in Windows Insider Preview build 26052: its implementation on top of User Account Control (UAC), its configuration options, and potential security weaknesses, including the lack of proper access control on its RPC server, despite the tool being written mostly in Rust for enhanced security.
- Tracking ShadowPad Infrastructure Via Non-Standard Certificates - Some common OPSEC mistakes. Lock down your C2! Use something like headscale if you must! This is another related article from this week.
- Para Bailar La Bambda: Contributing to Burp Suite's New Filtering Capabilities - A simple example of how to use Bambdas in your Burp Suite workflow.
- When is it generally safe to CreateRemoteThread? - Short answer: probably OK if you wait for the C runtime initialization to take place and the process doesn't do any "weird stuff."
- Offensive Lab Environments (Without the Suck) - Labs are so hot right now!
- CVE-2024-20328 - ClamAV Not So Calm - Send an email with an EICAR test string and a properly named file, get shell?
- A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass - The anti-anti-cheat developers and the EDR bypassers share a lot in common.
Tools and Exploits
- ParentProcessValidator.cpp - This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
- EternelSuspention - A simple PoC showcasing the ability of an admin to suspend an EDR's protected processes.
- NidhoggScript - NidhoggScript is a tool to generate a "script" file that allows execution of multiple commands for Nidhogg. Nidhogg is an all-in-one, simple-to-use rootkit.
- TPM-Sniffing - Retrieving BitLocker keys from the TPM over SPI, I2C, or LPC requires an understanding of the specific protocol supported by the TPM chip, as well as the device's make and model.
- conditional-love - An AWS metadata enumeration tool.
- gocheck - GoCheck is a blazingly fast™ alternative to Matterpreter's DefenderCheck which identifies the exact bytes that Windows Defender AV flags by feeding byte slices to MpCmdRun.exe.
- NTLM Relay Gat - NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.
- Native Threadpool - Work, timer, and wait callback example using solely Native Windows APIs.
- LoLCerts - A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
- Living off the False Positive! - Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic. See the blog post Introducing LoFP for more info.
- BadExclusionsNWBO - BadExclusionsNWBO is an evolution of BadExclusions that identifies custom or undocumented folder exclusions on AV/EDR.
- Remote-buffer-overflow-over-wifi_stack-in-wpa_supplicant-binary-in-android-11-platform-samsung-a20e - Remote buffer overflow in the wifi_stack of the wpa_supplicant binary on Android 11 (platform: Samsung A20e, stock configuration, so it works out of the box).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- awesome-tunneling - List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
- gftrace - A command line Windows API tracing tool for Golang binaries.
- AutomatedBadLab - Scripts to provision vulnerable and testing environments using AutomatedLab.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.