@malmoeb.bsky.social
Head of Investigations at InfoGuard AG - dfir.ch
In various business email compromise (BEC) cases, we later discovered that although the customer had set up a conditional access (CA) policy to enforce multi-factor authentication, mistakes had been made during the implementation of said policies.
For example, certain resources were excluded, allowing attackers to access data despite the policy. In other cases, specific user agents were excluded. The list is relatively long.
There are various tools that allow you to automatically test different login processes, user agents, and resources. I briefly tried NoPrompt over the weekend, and it was super easy to use. [1]
We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors.
One way they could regain root access on Linux servers was by adding capabilities to the Python binary, for example:

setcap cap_setuid+ep /usr/bin/python3.12
An attacker can now effectively spawn a root shell via the Python binary. The thing about this technique is that they haven't set a suid bit on a binary, or changed the Python binary. By setting the capabilities, attackers can build powerful backdoors.
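A defender-side check for the capability backdoor described in this thread, added here as an example and not taken from the post: it parses `getcap -r /` output (both the old and the newer libcap line format), flags files carrying identity-changing or DAC-bypassing capabilities, and lists interpreters and shells first. The capability list and the interpreter pattern are assumptions to tune for your environment.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
# On an interpreter or shell they amount to a root backdoor with no suid bit and
# no modified binary. Assumption: this list is a starting point, tune it locally.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# Binaries that execute whatever code the caller hands them (assumed list).
INTERPRETER = re.compile(r"/(python|perl|ruby|php|lua|node|bash|sh|dash|zsh|tclsh)[0-9.]*$")

def parse_getcap_line(line):
    """Parse one line of `getcap -r /` output into (path, set_of_caps).
    Accepts the old format '/path = cap_a,cap_b+ep' and the newer
    '/path cap_a,cap_b=ep' (libcap >= 2.41); returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    path = line.split()[0]
    return path, set(re.findall(r"cap_[a-z_]+", line[len(path):]))

def audit(lines):
    """Return (path, dangerous_caps, is_interpreter) for every file that carries
    a dangerous capability, interpreters and shells first."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        bad = tuple(sorted(caps & DANGEROUS_CAPS))
        if bad:
            findings.append((path, bad, bool(INTERPRETER.search(path))))
    return sorted(findings, key=lambda f: not f[2])

# Constructed sample output in both getcap formats; the python3.12 line is what
# the setcap command in the post above produces.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.12 cap_setuid=ep
/usr/bin/perl = cap_setuid,cap_setgid+ep
"""

if __name__ == "__main__":
    import sys
    # Pipe real data in: getcap -r / 2>/dev/null | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path, caps, interp in audit(data.splitlines()):
        print("INTERPRETER" if interp else "binary     ", path, ",".join(caps))
```

Run it periodically (or from a file-integrity job) and alert on any new interpreter entry, since a legitimate `cap_setuid` on python or perl is almost never expected.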
Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical?
"Active Directory Certificate Services (AD CS) is the backbone of certificate issuance in Windows environments. When properly configured, it helps enforce secure authentication and encryption.
But when misconfigured, AD CS can introduce some of the most dangerous privilege escalation paths in Active Directory.
One of the most common and impactful of these is ESC1, short for "Domain Escalation Scenario 1," first outlined in the Certified Pre-Owned whitepaper by Will Schroeder and Lee Christensen. [1]
ESC1 is a misconfiguration that allows a regular domain user to request a certificate for a Domain Admin and use it to take control of the entire domain.

ESC1 offers a basic and stealthy method for escalating from a compromised user account to a domain compromise." [2]
Exactly. And believe me, we saw that in our Incident Response cases as well, that threat actors requested a new certificate, and jumped right from zero to domain admin. I wrote about AD CS before, with more tips and tricks for securing your Active Directory environment. [3]
There may be dependencies and technical debt for which there is no quick solution. Nevertheless, I strongly recommend addressing these vulnerabilities. Otherwise, an attacker within the internal network could potentially take over the entire domain within minutes.
1/ Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1].
2/ In doing so, we found a web interface where any user on the internal network could issue certificates, even for domain admins! So we simply issued a new certificate for the DA and were able to authenticate ourselves."
3/ In a previous job, I used to run the predecessor tool EyeWitness from time to time for exactly the reason outlined above. I would recommend that anyone who secures networks take the time to run the tool and go through the output.
1/ During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon's Event ID 13 (Registry - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification and Security Packages).
2/
However, the values of these keys are "Binary Data", as explained by Didier Stevens [1].

If you are building your detection logic with Sysmon and a SIEM, beware of such "blind spots".
3/
You can still monitor for modifications to these keys, but you must rely on other mechanisms to check the values of the modified keys.

[1] isc.sans.edu/diary/28558 - Sysmon's RegistryEvent (Value Set), Didier Stevens, SANS Internet Storm Center
2/
Yes, you could change it, but if not, we have a cool angle for hunting, as our internal Threat Hunter, Rene Kretzinger, showed me a few days ago.

As visible in the screenshot, it should be clear that something is amiss (minesweeper.exe - Sysinternals).
3/
For example, see this Splunk query here [1], or the KQL query here [2]

[1] research.splunk.com/endpoint/fd4...
[2] gist.github.com/secgroundzer...