Real APT discovery (@IgorBog61650384), a new heap exploitation technique (@Dooflin5), SAML injection (@NCCGroupInfosec), MemoryLoader IDA plugin (@RRBlackRussian), redacted PEM key recovery (@CryptoHack__), MirrorDump tool (@_EthicalChaos_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-03-22 to 2021-03-29.
News
- Securing our approach to domain fronting within Azure. Azure is the last of the major cloud services to kill domain fronting, further reducing the number of domains it is possible to front behind. Fastly is about to see some new customers. With Encrypted Client Hello (ECH) on the horizon, there is hope for a new kind of "fronting".
- Changes to Git commit workflow. A tame title for an alarming update about an attacker with access to git.php.net who was committing backdoors to the PHP codebase. Good on PHP for catching this so quickly. How many projects has this happened to without anyone noticing? Does your app depend on those projects?
- Microsoft Applications Bounty Program. Microsoft launches a new bounty program focused on apps. Perhaps in response to the "Important, Spoofing" RCE in Teams from December 2020?
- Encrypted Phone Firm Encrochat Used Signal Protocol. The Signal protocol remains unbroken, even by law enforcement. The end-user devices, however...
Techniques
- House of Mind - Fastbin Variant in 2021. This post (re)introduces a glibc heap exploitation method that works across all versions of the heap allocator and gives a write-what-where primitive. This is dense exploit development content.
- APT Encounters of the Third Kind. Easily the best article of the week. Igor goes from noticing a discrepancy between his test setup and production pcap time vs packet counts to uncovering an in-memory only APT backdoor. If you are wondering what a real advanced persistent threat looks like, this is it.
- SAML XML Injection. If you're testing an app with SSO abilities based on SAML, be sure to read this post.
- PhishCatch: Detecting password reuse from the inside out. By storing a hash of the enterprise password locally and hashing every password typed into the browser for comparison, this Chrome extension can detect password reuse without exposing any credentials.
- Recovering a full PEM Private Key when half of it is redacted. In just a few hours the wizards of the CryptoHack Discord server managed to recover an RSA private key from a partially redacted screenshot. "Whether it’s a single bit leaking with Ladder Leak, or pieces of primes for a Coppersmith attack, partial information exposure of cryptographic private keys is often enough to totally break the crypto protocol. If you find something private, keep it that way."
- Bypassing conditional access by faking device compliance. This guide shows two different ways to make a device compliant in Microsoft Intune, even if you spoof it as a Commodore 64.
- Dumping LSASS in memory undetected using MirrorDump. Written in Boo and avoiding the classic dumping technique of calling OpenProcess, MirrorDump instead registers as a "legitimate" authentication provider with Windows so its code runs inside lsass.exe and can use a handle to its own process to do the dumping.
Tools and Exploits
- Keep Malware Off Your Disk With SentinelOne’s IDA Pro Memory Loader Plugin. Download files straight from VirusTotal into memory and open them in IDA Pro without ever writing them to disk. Neat!
- ZoomPersistence is an Aggressor script and C++ shim to persist as Zoom on a Windows system by moving the user's Zoom binary and replacing it with a shim.
- gitrecon is an OSINT tool to get information from a GitHub or GitLab profile and find the user's email addresses leaked in commits.
- malware_training_vol1 is a work-in-progress repo of materials for Windows Malware Analysis training (volume 1).
- PoisonApple is a command-line tool to perform various persistence mechanism techniques on macOS. It's missing a few from the new Beyond the good ol' LaunchAgents series, but has others not covered there.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- graphtage is a command-line utility and underlying library for semantically comparing and merging tree-like structures, such as JSON, XML, HTML, YAML, plist, and CSS files. This is sure to be useful in a shell script at some point.
This post is cross-posted on SIXGEN's blog.