CYBER MONGOL
1/30/2021

Sensor Frequency Distribution: Contrasting CVE-2021-3156 (Sudo) with Previous Exploit Momentums

In the hopes of providing greater context around the explosion of exploit code for CVE-2021-3156 (Sudo), we have compared it (by sensor hit frequency) to other exploits that became publicly available and then went on to be used by adversaries. Our sensors typically see these buildup patterns within the security community before mass exploitation campaigns, so they act as a leading indicator. CVE-2021-3156 (Sudo) has had extremely strong human momentum behind it, resembling the momentum patterns that preceded earlier mass exploitation campaigns. Keep the timeframe in mind: CVE-2021-3156 (Sudo) only became publicly available over the last few weeks.

1/29/2021

PowerShell ConstrainedLanguage Mode Bypass

Sensors have ingested tradecraft meant to bypass PowerShell ConstrainedLanguage Mode, a security feature that prevents users from using PowerShell to circumvent or violate UMCI (user mode code integrity). Moreover, this bypass utilizes “System.Management.Automation” directly, which means it will not start powershell.exe. Lastly, this bypass was created by a researcher who is part of the pwncat cluster, which we believe amplifies the social reach of this new bypass.
 
ConstrainedLanguage Bypass: calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass (github.com)
 
pwncat: calebstewart/pwncat: Fancy reverse and bind shell handler (github.com)
 
ConstrainedLanguage Mode: about_Language_Modes - PowerShell | Microsoft Docs
 
UMCI: Understand WDAC policy rules and file rules (Windows 10) - Windows security | Microsoft Docs
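A detection a defender might pair with this item, added here as an example rather than code from the post or from the bypass-clm project: flag processes other than the standard PowerShell hosts that load the System.Management.Automation engine assembly, using Sysmon image-load (Event ID 7) field names. The sample records, paths and process names below are constructed.

```python
from pathlib import PureWindowsPath

# Sysmon Event ID 7 (image load) is the telemetry used here: a bypass that hosts
# the PowerShell engine in its own process still has to load the engine assembly,
# even though powershell.exe never starts.
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}   # JIT and NGEN images
KNOWN_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

def unusual_powershell_hosts(events, allowlist=frozenset()):
    """Return (ProcessId, host image name) for each image-load event in which a
    process outside KNOWN_HOSTS and the caller's allowlist loads the engine."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:      # only image-load records carry ImageLoaded
            continue
        loaded = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        host = PureWindowsPath(ev["Image"]).name.lower()
        if loaded in ENGINE_DLLS and host not in KNOWN_HOSTS and host not in allowlist:
            hits.append((ev["ProcessId"], host))
    return hits

# Constructed sample records in Sysmon field naming; not real telemetry.
SMA = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SMA_NI = r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4412, "ImageLoaded": SMA,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "ProcessId": 5120, "ImageLoaded": SMA_NI,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 7, "ProcessId": 5120, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 7, "ProcessId": 2208, "ImageLoaded": SMA,
     "Image": r"C:\Program Files\Vendor\mgmt-agent.exe"},
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for pid, host in unusual_powershell_hosts(SAMPLE_EVENTS, allowlist={"mgmt-agent.exe"}):
        print(f"PID {pid}: {host} loaded the PowerShell engine outside a known host")
```

The allowlist exists because legitimate management software also hosts the engine; tune it per environment rather than widening KNOWN_HOSTS.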
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

1/27/2021

HEADS-UP! Sensors are seeing heavy activity for CVE-2021-3156 (SUDO)

reverse-ex/CVE-2021-3156: https://github.com/reverse-ex/CVE-2021-3156
 
Serpentiel/CVE-2021-3156: https://github.com/Serpentiel/CVE-2021-3156
 
mr-r3b00t/CVE-2021-3156: https://github.com/mr-r3b00t/CVE-2021-3156
 
 
Video: https://vimeo.com/504872555



1/27/2021

Syscall Injector Trend Continues & DLL Injector to Inject Into x86 and x64 Processes Using Same Program

Two interesting injectors came up in the “Live” sensor feed this morning which I haven’t seen before. The first, Reloaded.Injector, injects DLLs into both x86 and x64 targets from the same program. I will have to give this one a try.
 
The second aligns to a strong tactics trend related to evasion: making use of direct system calls. Querying our data, we can see that 134 recently ingested project repositories contain either a text processing hit for direct system calls or an API profile that indicates the same. An interesting note here is that we are talking about entire projects, not individual files. Projects can contain multiple files utilizing different variations of (in this case) direct system calls, which our engine also visualizes at the file level. To date, our engine has analyzed over half a million malicious files pulled from the live sensors. Defenders should be cognizant of this vector as its social reach continues to amplify to the masses.

 
Reloaded.Injector:
Reloaded-Project/Reloaded.Injector: C# DLL Injection Library capable of injecting x86 DLLs to x86 process from x64 processes. (github.com)
 
directInjectorPOC:
badBounty/directInjectorPOC: Small POC written in C# that performs shellcode injection on x64 processes using direct syscalls as a way to bypass user-land EDR hooks. (github.com)
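One way to produce the kind of "text processing hit for direct system calls" the post describes, added here as an example and not part of Cyber Mongol's engine or of either linked project: a byte-pattern scan for the x64 Nt* stub prologue followed by a syscall instruction. The stub shapes, sample buffer and SSN values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# x64 Nt* stub prologue as emitted by ntdll and copied by hand-rolled stubs:
#   mov r10, rcx  (4C 8B D1)   mov eax, <SSN>  (B8 imm32; SSNs are < 0x1000)
STUB_PROLOGUE = re.compile(rb"\x4c\x8b\xd1\xb8(..)\x00\x00", re.DOTALL)
SYSCALL = b"\x0f\x05"      # the syscall instruction itself
WINDOW = 24                # bytes after the prologue in which syscall must appear

@dataclass(frozen=True)
class SyscallStub:
    offset: int   # offset of the prologue in the scanned buffer
    ssn: int      # system service number moved into eax

def find_direct_syscalls(data: bytes) -> list[SyscallStub]:
    """Return every inlined Nt-style syscall stub in `data`. Intended for images
    other than ntdll.dll/win32u.dll (where such stubs are expected); elsewhere they
    show the binary issues system calls itself instead of importing ntdll exports."""
    hits = []
    for m in STUB_PROLOGUE.finditer(data):
        if SYSCALL in data[m.end(): m.end() + WINDOW]:
            hits.append(SyscallStub(m.start(), int.from_bytes(m.group(1), "little")))
    return hits

def _stub(ssn: int, win10_shape: bool = False) -> bytes:
    """Constructed stub bytes for the sample; mirrors the two common ntdll stub shapes."""
    body = b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little")
    if win10_shape:   # test byte ptr [7FFE0308h],1 ; jne short  (WoW64 check)
        body += b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03"
    return body + SYSCALL + b"\xc3"       # syscall ; ret

# Constructed sample buffer: filler, a bare stub, more filler, a Win10-style stub.
SAMPLE = b"\x90" * 16 + _stub(0x18) + b"\xcc" * 8 + _stub(0x3A, True) + b"\x00" * 16
# A prologue with no syscall nearby must not match (an unrelated mov eax, imm32).
DECOY = b"\x4c\x8b\xd1\xb8\x01\x00\x00\x00" + b"\x90" * 40

if __name__ == "__main__":
    for s in find_direct_syscalls(SAMPLE):
        print(f"offset {s.offset:#06x}: direct syscall stub, SSN {s.ssn:#x}")
```

SSNs change between Windows builds, so the reported number is a hunting clue rather than a stable indicator; the presence of the stub outside ntdll is the signal.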


1/26/2021

DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

Sensors have ingested an exploit PoC that targets:
“7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions.” Potential Impact “includes DNS cache poisoning, remote code execution and others. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red-Hat, as well as Siemens, Ubiquiti networks, Comcast.” - www.jsof-tech.com
 
PoC:
https://github.com/knqyf263/dnspooq
 
Blog:
https://www.jsof-tech.com/disclosures/dnspooq/
 
Paper:
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf
 

1/25/2021

Resolving Imports with GetProcAddress and Utilizing the PEB for Stealthier Injection

I’m continually impressed by the versatility of the new Hunter module. While using one of our most basic signatures for process injection, we came across some really interesting content that articulates evasion tradecraft. Specifically, this post talks about the different stages of static analysis evasion and how to dynamically load dead-giveaway API calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, etc.) in a more obscure way. It first looks at using the Windows API call GetProcAddress() to resolve function addresses on the fly and then dives deeper into leveraging the Process Environment Block (PEB). Excellent read if you haven’t seen this blog before.
 
 
Blog:
https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/
 
 
Accompanying Code:
https://gist.github.com/christophetd/37141ba273b447ff885c323c0a7aff93
 
 

1/22/2021

Initial Access Chain: VBA-DLL-WMI-EXECUTION

Sensors ingested an interesting initial access chain that leverages a DLL load via VBS. The chain then executes via WMI so that the payload becomes a subprocess of svchost.exe (not of WINWORD.EXE in this case), providing a much more opsec-friendly parent-child relationship. I am looking at expanding my research by developing a macro that will covertly inject a process and establish a C2 implant connection. This was an interesting repo to help with the brainstorming for that macro.
 
Repo:
VBA-DLL-WMI-EXECUTION/shell.cpp at master · mobdk/VBA-DLL-WMI-EXECUTION (github.com)
 
Video Demo:
https://www.youtube.com/watch?v=0dEMQ_Iht98
 

1/21/2021

What is Process Herpaderping and Process-Doppelganging? What are the differences? Some good resources below:

Process Herpaderping:
https://github.com/jxy-s/herpaderping

Process-Doppelganging (BlackHat 2017): https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

Process-Doppelganging (BlackHat 2017 Code): https://gist.github.com/hfiref0x/a9911a0b70b473281c9da5daea9a177f

Hunting Process Injection by API Calls:
https://www.exploit-db.com/docs/47983


1/18/2021

Endpoint Security Evasion: API Profile / ML feature manipulation

Sensors have started watching a Chinese resource that is focused on endpoint security evasion by manipulating certain features that machine learning models rely on (nothing novel). Some of these feature manipulations look to change up API profiles from commonly used ones (CreateProcessA with the suspended flag is quite effective in our testing) and to use direct system calls. We are making available a JSON set containing the APIs and native binaries mentioned within this post. Modern defenses will need to leverage indicators such as these, paired with automation that defines behaviors, to proactively hunt and detect adversary movements. This is not a matter of relying on Sysmon to tell you that a process has been tampered with. Do you know what API calls Sysmon actually hooks, given that Sysmon is just a wrapper? For example, do you know where your blind spots are in regard to process injection? Organizations will need to develop the ability to look at their network’s raw telemetry and then hunt with advanced signatures made up of things like API calls, process contexts, leveraged (native) binaries and other more advanced indicators of malicious behavior.
 
Repo: Airboi/bypass-av-note: 免杀技术大杂烩---乱拳打死老师傅 (github.com)

Blog (Uncovering the Unknowns - SpecterOps): Uncovering The Unknowns. Mapping Windows API’s to Sysmon Events | by Jonathan Johnson | Posts By SpecterOps Team Members

JSON: cybermongol-intel_jan_18_2021.json (31 kb)


1/16/2021

Heavy Sensor Activity: NEW Arbitrium-RAT–Claimed FUD

Sensors are seeing heavy human momentum within the cyber security ecosystem, focused on a new RAT claimed to be fully undetectable (FUD). As usual, we are making a link available to the tool, but we are also providing a link to a JSON set containing the last 10 hours of our sensor activity (since 12:01am), so context can be gleaned. Note, this dataset is pre-engine processing (raw ingestion), so none of the more advanced tags such as behaviors, API calls, libraries, processes, social reach, etc. will have been applied to the set. Additionally, we have been asked to mirror our threat intel on our website so it is more easily shareable for people not on LinkedIn. This has also been done.
 
RAT: https://github.com/BenChaliah/Arbitrium-RAT
 
JSON (live signals, last 10 hours, pre-processing): 10hour_sensor_hit_distribution_cybermongol.json (32 kb)

Video Demo:
