LOLBin post from @bohops, new Excel macro tool from @JoeLeonJr, Windows sandbox detection by @LloydLabs, macOS LPE by @0xm1rch, how to use Azure passwords by @kfosaaen, a review of low cost pentests by @_sophron, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-19 to 2020-10-26.
News
- US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks. This indictment isn't groundbreaking for its attribution of the 3 attacks to Russian hackers (that was widely assumed); it is, however, very interesting to see the evidence for such attribution. Clearly, the US government has a lot of access to some of the backends used by the hackers. Bravo. For excerpts, see this Twitter thread.
- Multiple vulnerabilities in VMware ESXi. No PoCs yet but this is a potential unauthenticated remote code execution vulnerability in the OpenSLP service on ESXi (port 427).
- Apple Approved Malware. Malware is being deployed using binaries that are notarized (signed) by Apple after passing their review process. This wouldn't be as bad if the signed samples weren't known malware! Additionally, after reporting one sample, the actors simply updated their campaign with a freshly signed sample of the same thing. Clearly, the actors involved have the notarization process figured out and automated. This is a bad look for Apple, which touts this notarization feature as a big security selling point.
- Recent and upcoming changes to the Nano projects. Popular ad blocker NanoCore was recently sold to a Turkish developer who immediately changed the privacy policy and modified the code. Browser extensions command great power, and should be carefully scrutinized.
- 1Password for Linux beta is now open. One of the more popular password managers is now available on Linux (in beta). For an open source alternative that is available on Linux today, check out Bitwarden.
- YouTube-DL Removed From GitHub After DMCA Notice. This is an incredibly useful tool with a wide range of legitimate uses. The complaint says the code can be used to download copyrighted works. This sets a precedent that makes posting software or tools that can be used for malicious acts (nearly everything in every LWiS) potentially subject to takedown as well (for ToS violations, not DMCA). Looks like people are already using a GitHub "feature" to attach a commit of youtube-dl to the DMCA repo (and of course forks like yt-dlc exist).
Techniques
- Penetration Testing and Low-Cost Freelancing. This post looks at some low cost penetration testing offerings. As with everything, you get what you pay for. This is a good piece to argue for more funding for higher quality assessments.
- Segmentation Vault: Cloning Thick Client Access. This post discusses a practical method for red teams to compromise thick client applications when they store credential material in “Vault”, using Microsoft OneDrive as an example. This could be useful to download files "out of band" (not using your C2) or to maintain access to OneDrive if access to the target machine is lost.
- Exploring an Assembly Loading Technique and Detection Mechanism for the GfxDownloadWrapper.exe LOLBIN. GfxDownloadWrapper.exe is a binary that is included with Intel video card driver software, and older versions could download arbitrary files as well as execute DLLs. This post shows how these features were discovered and how defenders can detect their use.
- A Beginners Guide to Gathering Azure Passwords. As cloud adoption grows, red teamers have to adapt. This blog post describes different Azure services and what they have access to. This information comes from the authors of the amazing MicroBurst tool.
- When ntuser.pol leads you to SYSTEM shows a bypass (now patched) to CVE-2020-1317, a group policy local privilege escalation bug for Windows.
Tools and Exploits
- Wraith is a native loader designed to pave the way for the arrival of a Stage-1/Beaconing implant or Stage-2/Post-Ex implant in-memory securely and stealthily. Specially designed to operate in heavily-monitored environments, it is designed with AV Evasion as its primary goal.
- PEzor v2 — New Output Formats and Cobalt Strike Integration. PEzor was already a great tool, and v2 includes new features like a nice cna script to make in-memory execution of nearly any binary a single command. If you haven't checked this out before v2, it is even more valuable now.
- Hot Manchego is a new tool for creating macro-enabled Excel workbooks that use the .NET library EPPlus to bypass many AV solutions.
- Secret fragments: Remote code execution on Symfony based websites. The _fragment endpoint used by Symfony (and therefore lots of PHP based web apps/CMSs) uses an HMAC to verify commands. Unfortunately, lots of sites are using default keys to generate the HMAC, and are therefore vulnerable to RCE. PoC here.
- RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. See Segmentation Vault in Techniques for example usage.
- CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. This allows for more complex stored credentials to be exfiltrated and used on an operator system. See Segmentation Vault in Techniques for example usage.
- Announcing PyRDP 1.0. The advanced RDP Python library gains features as it reaches 1.0, including CredSSP, clipboard file carving, headless player support, dynamic certificate cloning, and a new conversion tool to output mp4 videos of RDP sessions from PyRDP captures or even PCAPs.
- CVE-2020-15906 is an authentication bypass for TikiWiki CMS 16.x-21.1. This wiki software is often used internally by dev shops, so this vulnerability could prove very useful on internal engagements. Demo here.
- wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB"). The sandbox is used by Windows Defender for dynamic analysis, and is commonly used manually by security analysts and the like.
- setsidmapping is a tool that uses LsaManageSidNameMapping to get LSA to add or remove SID to name mappings. It requires SeTcbPrivilege and comes with some other caveats. Not sure what advantages this provides right now, but I'm sure James is cooking up something with this tool.
- procrustes is a bash script that automates the exfiltration of data over DNS in case you have blind command execution on a server where all outbound connections except DNS are blocked.
- WSuspicious is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post.
- Local Privilege Escalation Vulnerability Discovered in VMware Fusion. A nice macOS privilege escalation using VMware Fusion. The bug was patched in September but the PoC is fresh. Code here.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- NTLMRawUnHide is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etl.
This post is cross-posted on SIXGEN's blog.