Last Week in Security (LWiS) - 2024-04-29
AD Group abuse (@decoder_it), NetNTLM leak attacks (@pfiatde), 'adversary flywheels' (@WHITEHACKSEC), Nemesis 1.0 (@harmj0y + team) and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.
News
- Trusted Signing is in Public Preview - Code sign your payloads with Microsoft? Note that your company will need "3 years of tax history" to use the service.
- Multi-tenant organization capabilities now available in Microsoft 365 - This is AD forests for Entra ID with the ability to connect single tenants together. Let the games begin!
- HashiCorp joins IBM to accelerate multi-cloud automation - HashiCorp joins IBM. This comes on the heels of their license changes for Terraform and Vault. 🤔
- FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users' Cameras - The FTC charged Ring with privacy violations, including unauthorized employee access to customer videos and inadequate security measures, leading to a proposed order requiring Ring to improve privacy protocols and pay $5.8 million in refunds. Consider using home assistant and Frigate NVR to keep all your security camera footage local.
- FTC Announces Rule Banning Noncompetes - This likely affects many technology workers in the US.
- Google Lays off the Python Team? - It seems they are moving the Python team to Germany? Unclear what the motivations were for these actions.
- How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me) - Another blatant privacy violation that will probably go unpunished.
Techniques and Write-ups
- Hello: I'm your Domain Admin and I want to authenticate against you - A method for exploiting default Distributed COM permissions on DCs to intercept and relay the authentication of users, leading to privilege escalation and RCE (maybe) by leveraging "SilverPotato."
- ETW-ByeBye: Disabling ETW-TI Without PPL - A vulnerability that allows disabling ETW-TI (Event Tracing for Windows Threat Intelligence) logging without Protected Process Light (PPL) requirements, using SeDebug or SeTcb privileges on certain Windows versions. PoC code and detection guidance is provided. Note: this only works on Windows 10, Windows 11 patched this bug.
- JA4T: TCP Fingerprinting - JA4 scanner released. Certainly worth adding to your recon worfklow and automation.
- NetNTLM is still a thing? - Yes. Yes it is. This post gives a good recap of how you can still relay NetNTLM via various methods. Details some less common techniques like leveraging HTTP.SYS for setting up a listener without admin privileges, bypassing the Windows firewall, and using SSH for port forwarding to relay. You aren't checking emails or doing day to day activities with a highly privileged account, right?
- Adversaries sometimes compute gradients. Other times, they rob you. This blog post discusses the concept of an "adversary flywheel," which involves attackers using data science to adapt and optimize their methods based on defensive responses, enhancing their ability to exploit security vulnerabilities efficiently.
- Not the Access You Asked For: How Azure Storage Account Read/Write Permissions Can Be Abused for Privilege Escalation and Lateral Movement This post discusses unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation and lateral movement. Grab the tool: Find-SensitiveAzStorageAccounts.
- Loading DLLs Reflections - Simple article discussing reflective DLL loading to load a DLL into memory without it being written to disk.
- Nemesis 1.0.0 - "...from host modeling, to a streamlined installation process, dashboard improvements, and more!"
- Offensive SaaS Security - Exfiltrating Cleartext Credentials via LogonUserW Hooking - This post details a technique exploiting IAM providers like Azure AD, Okta, and OneLogin using LogonUserW hooking to capture cleartext credentials and insert backdoors in authentication flows.
- Arbitrary 1-click Azure tenant takeover via MS application - Blog post on how reply URLs in Azure Applications can be used as a vector for phishing. The impact of this can range from data leaks to complete tenant takeover; just by luring a victim into clicking on a link. Another disappointing bug bounty case unfortunately.
- Laundering C2 Traffic by FuzzySecurity Good recap of using high-reputation services as your C2 channel.
- Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR - The kernel address space layout randomization (KASLR) cat and mouse game heats up with a bypass for the new Windows 11 24H2 hardened kernel.
- So I Became a Node: Exploiting Bootstrap Tokens in Azure Kubernetes Service - What can you do if you retrieve a Kubernetes bootstrap token from an AKS pod? This post explore the bootstrap tokens, how they work, and how to exploit them.
- CVE-2024-21111 - Local Privilege Escalation in Oracle VirtualBox - An arbitrary file move vulnerability in the VirtualBox system service service can facilitate privilege escalation on a Windows host.
- How to Crack the Perfect Egg - Some great password cracking methodology.
Tools and Exploits
- GoogleRecaptchaBypass - Solve Google reCAPTCHA in less than 5 seconds! 🚀
- ASPJinjaObfuscator - Heavily obfuscated ASP web shell generation tool.
- ja4tscan - JA4TScan is an active TCP server fingerprinting tool.
- tiny-gpu - A minimal GPU design in Verilog to learn how GPUs work from the ground up.
- AutoAppDomainHijack - Automated .NET AppDomain hijack payload generation.
- ReadWriteDriverSample - Sample driver + user component to demonstrate writing into arbitrary process memory from Kernel via CR3 manipulation (opposed to the usual KeStackAttachProcess API).
- PartyLoader - Threadless shellcode injection tool.
- 24h2-nt-exploit - Exploit targeting NT kernel in 24H2 Windows Insider Preview.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ics-forensics-tools - Microsoft ICSpector (ICS Forensics Tools framework) is an open-source forensics framework that enables the analysis of Industrial PLC metadata and project files.
- Evidence Collection Environment - This environment is intended to be useful for when you have multiple investigators or external parties adding data for evaluation. Some key features (hopefully) implemented in this setup leverage the Azure Storage legal hold, Azure Storage analytics logging for validation of access by which parties, Azure Key Vault logging with the logs going to a Log Analytics workspace in the resource group.
- DLHell - Local & remote Windows DLL Proxying.
- MS-DOS - The original sources of MS-DOS 1.25, 2.0, and 4.0 for reference purposes.
- cdncheck - A utility to detect various technology for a given IP address.
- CloudInject - This is a simple tool which can be used to inject a DLL into third-party AD connectors to harvest credentials.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.