malmoeb.bsky.social
@malmoeb.bsky.social
630 followers 990 following 430 posts
Head of Investigations at InfoGuard AG - dfir.ch
We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors.

One way they could regain root access on Linux servers was by adding capabilities to the Python binary, for example:

setcap cap_setuid+ep /usr/bin/python3.12

An attacker can now effectively spawn a root shell over the Python binary. The thing about this technique is that they haven't set a suid bit on a binary, or changed the Python binary. By setting the capabilities, attackers can build powerful backdoors.
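An added example (not the author's code) of the defensive counterpart: a small Python audit that parses getcap output in both the older and the newer libcap formats and flags files carrying identity-changing capabilities, calling out interpreters such as the python3 binary above. The sample getcap output is constructed; audit_live() assumes libcap's getcap is installed on the host.

```python
import re
import subprocess

# File capabilities that let a process change identity or bypass access control.
# On an interpreter such as python3 they are as good as a root shell, with no
# suid bit and no modification of the binary (the technique the post describes).
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
}
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua")

# getcap prints "/path = cap_x+ep" (libcap < 2.41) or "/path cap_x=ep" (newer).
_LINE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>.+?)\s*$")


def parse_getcap(output):
    """Map each path in getcap output to the set of capability names it carries."""
    caps_by_path = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        tokens = re.split(r"[,+=\s]+", m.group("caps"))
        names = {t.lower() for t in tokens if t.lower().startswith("cap_")}
        if names:
            caps_by_path[m.group("path")] = names
    return caps_by_path


def find_risky(caps_by_path):
    """Return (path, sorted dangerous caps, is_interpreter) for every risky file."""
    findings = []
    for path, caps in sorted(caps_by_path.items()):
        bad = caps & DANGEROUS_CAPS
        if bad:
            name = path.rsplit("/", 1)[-1].lower()
            findings.append((path, sorted(bad), name.startswith(INTERPRETERS)))
    return findings


# Constructed sample output (not from a real host); the python3.12 line mirrors
# the setcap command in the post.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.12 cap_setuid=ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/perl = cap_setuid,cap_setgid+ep
"""


def audit_live():
    """Run getcap -r / on this host (permission errors on stderr are ignored)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return find_risky(parse_getcap(out))
```

Running audit_live() periodically and diffing the result against a baseline catches a capability that appears on a binary that never had one.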
Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical?

"Active Directory Certificate Services (AD CS) is the backbone of certificate issuance in Windows environments. When properly configured, it helps enforce secure authentication and encryption.
But when misconfigured, AD CS can introduce some of the most dangerous privilege escalation paths in Active Directory.
One of the most common and impactful of these is ESC1, short for "Domain Escalation Scenario 1," first outlined in the Certified Pre-Owned whitepaper by Will Schroeder and Lee Christensen. [1]
ESC1 is a misconfiguration that allows a regular domain user to request a certificate for a Domain Admin and use it to take control of the entire domain.

ESC1 offers a basic and stealthy method for escalating from a compromised user account to a domain compromise." [2]

Exactly. And believe me, we saw that in our Incident Response cases as well, that threat actors requested a new certificate, and jumped right from zero to domain admin. I wrote about AD CS before, with more tips and tricks for securing your Active Directory environment. [3]

There may be dependencies and technical debt for which there is no quick solution. Nevertheless, I strongly recommend addressing these vulnerabilities. Otherwise, an attacker within the internal network could potentially take over the entire domain within minutes.
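An added Python example, not from the post or the whitepaper, that audits certificate template attributes for the five conditions that together make a template ESC1-vulnerable (enrollee supplies the subject, an authentication EKU, no manager approval, no authorized signatures, enrollment allowed to low-privileged principals). The template dictionaries are constructed; the msPKI-* attribute names and flag bits are the real AD schema ones, while the "enroll" list is an assumed summary of the template ACL.

```python
# EKU OIDs that make an issued certificate usable for domain authentication
# (Client Authentication, Smart Card Logon, PKINIT Client Auth, Any Purpose).
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2",
             "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone"}


def esc1_reasons(t):
    """List which ESC1 conditions a template meets; ESC1 needs all five."""
    reasons = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject (SAN can name any account)")
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:
        reasons.append("certificate usable for client authentication")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if t.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signatures required")
    if {p.lower() for p in t.get("enroll", [])} & LOW_PRIV:
        reasons.append("low-privileged principals can enroll")
    return reasons


def is_esc1(t):
    return len(esc1_reasons(t)) == 5


# Constructed templates shaped like the attributes read from the
# CN=Certificate Templates container over LDAP. "enroll" summarises the
# template ACL; whether the template is published on a CA is not checked here.
TEMPLATES = [
    {"name": "UserSelfService", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "ApprovedOnly", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "AdminIssued", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Admins"]},
]


def vulnerable_templates(templates=TEMPLATES):
    return [t["name"] for t in templates if is_esc1(t)]
```

Removing any one of the five conditions (for example requiring manager approval, as in the ApprovedOnly template) is enough to close ESC1 for that template.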
1/ Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1].

2/ In doing so, we found a web interface where any user on the internal network could issue certificates, even for domain admins! So we simply issued a new certificate for the DA and were able to authenticate ourselves."

3/ In a previous job, I used to run the predecessor tool EyeWitness from time to time for exactly the reason outlined above. I would recommend that anyone who secures networks take the time to run the tool and go through the output.
1/ During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon's Event ID 13 (Registry - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification and Security Packages).

2/
However, the values of these keys are "Binary Data", as explained by Didier Stevens [1].

If you are building your detection logic with Sysmon and a SIEM, beware of such "blind spots".

3/
You can still monitor for modifications to these keys, but you must rely on other mechanisms to check the values of the modified keys.

[1] isc.sans.edu/diary/28558 (Sysmon's RegistryEvent (Value Set), Didier Stevens, SANS Internet Storm Center)
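An added example (not the author's detection logic) of working around the blind spot: it triages constructed Sysmon Event ID 13 records for the keys named in 1/ and, where Sysmon only logged "Binary Data", emits the reg.exe query needed to read the actual value on the host. The event shape and key paths are assumptions modelled on Sysmon's fields.

```python
import re

# Registry values abused for credential theft (the ones checked in the thread).
# Sysmon logs REG_MULTI_SZ content only as "Binary Data", while REG_SZ and
# DWORD values appear in clear, so some of these are visible and some are not.
SENSITIVE = [
    (re.compile(r"\\Control\\Lsa(\\OSConfig)?\\Security Packages$", re.I),
     "LSA Security Packages"),
    (re.compile(r"\\Control\\Lsa\\Notification Packages$", re.I),
     "LSA Notification Packages"),
    (re.compile(r"\\NetworkProvider\\Order\\ProviderOrder$", re.I),
     "Network Provider order"),
]


def reg_query(target_object):
    """Build the reg.exe command that reads the value Sysmon could not show."""
    key, _, value = target_object.rpartition("\\")
    return f'reg query "{key}" /v "{value}"'


def triage_eid13(events):
    """For each Event ID 13 on a sensitive value, say whether the new content is in the log."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        for pattern, label in SENSITIVE:
            if pattern.search(ev["TargetObject"]):
                blind = ev.get("Details", "").startswith("Binary Data")
                findings.append({
                    "key": label, "image": ev["Image"], "value_in_log": not blind,
                    "follow_up": reg_query(ev["TargetObject"]) if blind else None,
                })
    return findings


# Constructed Sysmon-like events (not real log data); real events carry more
# fields (UtcTime, ProcessId, User, ...).
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient,testprov"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Foo\Start",
     "Details": "DWORD (0x00000002)"},
]
```

The follow_up command is what an EDR live-response session or a scheduled collection script would run to fill the gap the Sysmon event leaves.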
1/
Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away.

2/
Yes, you could change it, but if not, we have a cool angle for hunting, as our internal Threat Hunter, Rene Kretzinger, showed me a few days ago.

As visible in the screenshot, it should be clear that something is amiss (minesweeper.exe - Sysinternals).

3/
For example, see this Splunk query here [1], or the KQL query here [2].

[1] research.splunk.com/endpoint/fd4...
[2] gist.github.com/secgroundzer...
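An added Python example of the hunting angle from 2/ and 3/ (not the author's or Rene Kretzinger's query): it compares the on-disk name of a process with the OriginalFileName that Sysmon Event ID 1 copies from the PE version information, with an allow-list for known benign differences. The event records and their values are constructed.

```python
import ntpath


def stem(name):
    """File name without directory and extension, lower-cased."""
    return ntpath.basename(name).lower().partition(".")[0]


def find_renamed(events, allow=frozenset()):
    """Flag Event ID 1 records whose on-disk name differs from the PE OriginalFileName.

    allow holds (image_stem, original_stem) pairs known to be benign, e.g. builds
    that ship with an OriginalFileName that differs from their file name.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        original = ev.get("OriginalFileName", "")
        if original in ("", "-", "?"):
            continue  # field absent or unknown: nothing to compare against
        image_stem, original_stem = stem(ev["Image"]), stem(original)
        if image_stem == original_stem or (image_stem, original_stem) in allow:
            continue
        hits.append({
            "image": ev["Image"], "original": original,
            "sysinternals": "sysinternals" in ev.get("Company", "").lower(),
        })
    return hits


# Constructed Sysmon-like process-creation events (not real log data).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\minesweeper.exe",
     "OriginalFileName": "psexec.c", "Company": "Sysinternals - www.sysinternals.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "Company": "Microsoft Corporation"},
    {"EventID": 1, "Image": r"C:\Tools\procexp64.exe",
     "OriginalFileName": "procexp", "Company": "Sysinternals - www.sysinternals.com"},
    {"EventID": 1, "Image": r"C:\Tools\legacy.exe", "OriginalFileName": "?"},
]
KNOWN_BENIGN = frozenset({("procexp64", "procexp")})
```

The stem comparison is deliberately loose so that extension quirks in version info (such as ".c" in the constructed sample) do not hide a real rename, while the allow-list keeps the rule quiet on tools whose metadata never matched their file name.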
3/
So, to make extra sure that such messages (important to the attacker) are reaching the inbox.

I do not frequently see this operation in BEC cases. This might be a good operation for alerting, or at least for a hunting session from time to time.

4/
By the way, while typing this short article, I searched a bit around and stumbled upon another tweet from me, where the TA, instead of creating a new Inbox Rule, added email addresses of interest to the list of blocked senders and domains (again via the Set-MailboxJunkEmailConfiguration operation).

5/
The incoming emails will get flagged as spam and moved to the Junk email folder.

This is a sneaky way to circumvent monitoring of audit logs, which look for specific keywords, such as "New-InboxRule". You can read more about it here [2].

[1] x.com/malmoeb/stat...
[2] x.com/malmoeb/stat...
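An added example, not from the author, of hunting for the Set-MailboxJunkEmailConfiguration operation in Exchange audit records rather than for New-InboxRule alone: it flags records that switch junk filtering off or change the trusted or blocked sender lists. The records are constructed to resemble Unified Audit Log entries (Parameters as a list of Name/Value pairs); the parameter names are the cmdlet's real ones.

```python
# Operations that rules looking only for New-InboxRule miss, and the
# parameters that matter for each of them.
WATCHED = {
    "Set-MailboxJunkEmailConfiguration": {
        "Enabled", "TrustedSendersAndDomains", "BlockedSendersAndDomains"},
}


def params(record):
    """Unified Audit Log records carry cmdlet parameters as {Name, Value} pairs."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def hunt_junk_config(records):
    """Return one finding per watched operation that touched a parameter of interest."""
    findings = []
    for r in records:
        op = r.get("Operation")
        if op not in WATCHED:
            continue
        p = params(r)
        touched = {k: v for k, v in p.items() if k in WATCHED[op]}
        if not touched:
            continue
        reasons = []
        if touched.get("Enabled", "").lower() == "false":
            reasons.append("junk filtering disabled: everything lands in the inbox")
        for name in ("TrustedSendersAndDomains", "BlockedSendersAndDomains"):
            if name in touched:
                reasons.append(f"{name} changed: {touched[name]}")
        findings.append({"time": r.get("CreationTime"), "user": r.get("UserId"),
                         "client_ip": r.get("ClientIP"), "mailbox": p.get("Identity"),
                         "reasons": reasons})
    return findings


# Constructed records shaped like Exchange admin audit entries (not real data).
RECORDS = [
    {"CreationTime": "2024-05-02T06:12:44", "Operation": "Set-MailboxJunkEmailConfiguration",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "j.doe@example.com"},
                    {"Name": "Enabled", "Value": "False"}]},
    {"CreationTime": "2024-05-02T06:13:10", "Operation": "Set-MailboxJunkEmailConfiguration",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "j.doe@example.com"},
                    {"Name": "BlockedSendersAndDomains", "Value": "finance@example.com"}]},
    {"CreationTime": "2024-05-02T06:15:00", "Operation": "New-InboxRule",
     "UserId": "j.doe@example.com", "Parameters": [{"Name": "Name", "Value": "Rule1"}]},
    {"CreationTime": "2024-05-02T08:00:00", "Operation": "Set-MailboxJunkEmailConfiguration",
     "UserId": "j.doe@example.com", "Parameters": [{"Name": "Identity", "Value": "j.doe@example.com"},
                                                   {"Name": "ContactsTrusted", "Value": "True"}]},
]
```

Correlating the ClientIP of a finding with the user's sign-in logs is the usual next step, since a junk-mail change from an unfamiliar address right after a login is the pattern seen in BEC cases.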