News

• Taking on the Next Generation of Phishing Scams. Phishing is going to get more difficult, but backwards compatibility will be there for a while longer.
• Wildcard proxy for everyone. Wildcard certificates are useful to hide your specific domains from certificate transparency logs, and wildcard DNS entries do the same for DNS aggregators/change monitors.
• Microsoft Patch Tuesday, May 2022 Edition. Maybe hold off on your domain controllers?

Techniques and Write-ups

• Scheduled Task Tampering. It's possible to add scheduled tasks without logging using the registry and some tricks. However, task execution will still log unless you tamper with ETW in the scheduler process itself. Some cool options to increase red team opsec in this post as well as a nice Sigma rule for defenders.
• Cloudflare Pages, part 1: The fellowship of the secret
• Cloudflare Pages, part 2: The two privescs
• Cloudflare Pages, part 3: The return of the secrets
• Authenticating with certificates when PKINIT is not supported
• New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)
• F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
• Spoofing SaaS Vanity URLs for Social Engineering Attacks. Some good lure techniques in here.
• Defending the Three Headed Relay
• Azure Virtual Machine Execution Techniques. All major clouds have this "feature."
• Resolving System Service Numbers using the Exception Directory
• Introducing SharpWSUS
• Introducing MalSCCM
• Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound
• PPID Spoofing & BlockDLLs with NtCreateUserProcess
• LDAPSearch Reference
• Learning Machine Learning Part 3: Attacking Black Box Models
• Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep
• Diving into pre-created computer accounts
• Office365 User Enumeration
• Electron Shellcode Loader
• Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game

Tools and Exploits

• ELFLoader. Be sure to read the blog post.
• hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
• SpoolTrigger - Weaponizing for privileged file writes bugs with windows problem reporting
• XLL_Phishing - XLL Phishing Tradecraft
• mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic
• uru is a payload generation tool that enables you to create payload based on a configuration file.
• pyldapsearch - Tool for issuing manual LDAP queries which offers bofhound compatible output

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Markdoc

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.