New macOS C2 (@cedowens), Nim implant (@NotoriousRebel1), x64 AMSI bypass in VBA (@rd_pentest), VBA purging tool (@h4wkst3r/@AndrewOliveau), macOS privesc via MS Teams (@theevilbit), Kali tool developer partnership (@kalilinux/@byt3bl33d3r), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-16 to 2020-11-23.
News
- SO-CON 2020 was last Friday and had a ton of good talks. Recordings are available on the conference site for 30 days, and YouTube after that.
- Airbnb Executive Resigned Last Year Over Chinese Request for More Data Sharing. AirBnB is sharing booking data from the moment a reservation is made with China. This gives a lot of lead time to "set up" an apartment or house for surveillance. Any large tech company will soon have to face this decision of what to do about Chinese requests. We have seen how anyone who is unwilling to cooperate is blocked, and then an internal Chinese only copy is propped up.
- Firefox 83 introduces HTTPS-Only Mode. Long time users of the HTTPS Everywhere extension from the EFF will be happy to have this feature available in the browser itself. This feature attempts to load all pages and resources via HTTPS first, instead of the usual HTTP request, 304 redirect, and HTTPS request flow normally seen. There may also be a speed up as one less request/response has to be processed. Chrome has no plans to implement a similar feature.
- Standing up for developers: youtube-dl is back. I didn't expect this. Github/Microsoft has reinstated youtube-dl forks that remove the tests using copyright protected material. They have also changed their DCMA takedown process and created a developer defense fund. This is probably the best response I could have hoped for, and while I'm still leery of Microsoft's ultimate intentions with GitHub, for now at least it is a positive relationship.
- Kali Linux 2020.4 Release. ZSH is now the default shell, a few new tools and version bumps, but the coolest feature is the private partnership with @byt3bl33d3r of the amazing CrackMapExec exclusive to Kali and GitHub sponsors for 30 days after each release.
- ARM-based macOS can run iOS apps + network traffic/cert store is tied to macOS = perfect for iOS app hacking. This isn't really a new capability, since you could proxy web traffic through Burp on a macOS already. Having it all one one machine makes things slightly easier I suppose.
- ZeroSSL offers free TLS certificates. Just like Let'sEncrypt, ZeroSSL now offers free 90 days certificates via the ACME protocol, including wildcard certificates.
Techniques
- OK Google, Build Me a Phishing Campaign. Use of legitimate services for phishing can be effective, as the domains are likely allowed by most enterprise filters.
- Easily Identify Malicious Servers on the Internet with JARM. Salesforce takes its TLS fingerprinting to the next level by actively "scanning" and categorizing The Alexa top 1 million websites as well as known C2 servers to collect JARM fingerprints. Using these, blue teams can enrich data, or even build blocklists. Advanced red teams should be testing their own infrastructure with JARM to make sure it blends in. A Go implementation is available here: jarm-go.
- Dumping Memory with AV - Avast Home Security. The use of AV for red team goals is a special kind of sneaky. The best part of these tricks is the binaries are signed by the AV vendors and categorized as benign by other AVs!
- Purgalicious VBA: Macro Obfuscation With VBA Purging The opposite of EvilClippy which stomps VBA code leaving only the P-cache, this technique stomps the SRP stream (P-cache) removing lots of strings many AV engines and YARA rules flag as malicious. The tool, OfficePurge, is available now.
- Dynamic Invocation in .NET to bypass hooks walks through the concepts of the standard P/invoke and the tricky D/invoke for C# calls to the Windows API. It covers four techniques for bypassing userland hooks, which could prove useful for EDR bypasses.
- Module Stomping in C# is an implementation of the Module Stomping (aka Module Overloading aka DLL Hollowing) shellcode injection technique in C#.
- Implant Roulette Part 1: Nimplant. Nim is an interesting language for payload development. It has the ability to output a variety of other languages (i.e. C, C++) and can cross-compile with small binaries. It also has easy to use obfuscation packages. An example implant (Nimplant) for Mythic is available. Expect to see more Nim for offensive security projects in the future. Get more Nim goodness at: OffensiveNim.
- Shedding light on creating VBA macros. VBA is a strange and difficult language. This post has some tricks to aid in doing low level API work with VBA.
- "I have no idea how to use Git in a professional dev team." This course is great for anyone who has struggled with the complexities of Git. While the example project is a simple website, the concepts are generally applicable to all types of software development. The project comes with a bot that simulates a team, and it's free!
- Making Objective C Calls From Python Standard Libraries (Red Team Edition). With Python 2 still included in the base install of macOS 11.0, the ability to call macOS APIs from python is a useful technique for a red teamer. This research is what lead to the development of MacC2.
- Microsoft Teams for macOS Local Privilege Escalation. XPC strikes again! Checking the PID of the sending process is not enough to verify it is a trusted client.
- ImageMagick - Shell injection via PDF password. File parsing is hard, and when it goes wrong things can go bad. The ImageMagick is no stranger to attacks, and this most recent issue highlights the dangers of parsing untrusted input.
- A Fresh Outlook on Mail Based Persistence. Like the other Office applications, Outlook can run VBA scripts and has triggers that will run functions when email is received. All it takes is some simple string comparisons, and you can email your way to beacons from the target to regain access. Nice!
Tools and Exploits
- Assetnote Wordlists. When performing security testing against an asset, it is vital to have high quality wordlists for content and subdomain discovery. This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet, generated fresh each month!
- IAMFinder enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be assumed anonymously. The tool was developed during a red team exercise and it implemented the technique described in this blog.
- Ghostwriter v2.0 Release. Ghostwritter is becoming a serious red team management tool. If you haven't looked into it before, it has some great new features that may help your team's workflow. There are adaptors for CobaltStrike and other tools like CobaltStrikeToGhostWriter.
- BloodHound 4.0 - Azurehound. This is a major feature release for BloodHound, including support for Azure attack primitives in the attack graph with new nodes and edges. There is a nice cheatsheet for the new Azure functionality.
- SwiftSpy is a macOS keylogger, clipboard monitor, and screenshotter written in Swift. Be aware it will cause TCC (Transparency, Control, and Consent) popups!
- DInvisibleRegistry is an implementation of the null byte Run key persistence technique implemented in C# with direct syscalls via D/invoke.
- VDM is a library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. Currently the project is using gdrv.sys but can be adapted to use any driver that allows for physical memory read and write by writing 4 wrapper functions.
- HeapsOfFun, an AMSI VBA bypass via the heap, gets an update for x64. Details here.
- reg_hunter is a blueteam operational triage registry hunting/forensic tool written in Rust.
- MachoDecrypt will decrypt mach-o binaries on iOS. Requires a jailbroken iPhone.
- exclude-cdn a tool to filter out CDN hosts from a list consisting of IP's, URL's, and Domains passed via stdin. Useful for bug bounties or external penetration tests.
- Kaspersky_Safe_Money_LPE is an 0day in the Kaspersky "Safe Money" protected browser. Pure AV schadenfreude. Demo here.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- screenity. The most powerful screen recorder & annotation tool for Chrome. It can record your desktop as well, and output to gif. Perfect for those PoC gifs!
- rehex is a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else.
This post is cross-posted on SIXGEN's blog.