Jul 23, 2021

Using OSQuery for Security Compliance

Osquery, initially developed by Facebook, is an open-source tool that exposes an operating system as if it were a relational database. It uses SQL-like queries to gather operating-system information for performance, security and compliance-audit analysis.

Links:

  • https://www.uptycs.com/blog/3-useful-ways-osquery-can-help-with-security-compliance
  • https://www.uptycs.com/blog/osquery-what-it-is-how-it-works-and-how-to-use-it
  • https://www.sans.org/webcasts/leveraging-osquery-for-compliance/
  • https://www.sans.org/webcasts/an-easier-way-to-multi-cloud-multi-account-cloud-compliance/
  • https://www.sans.org/blog/why-automation-compliance-cloud-part-1/
  • https://zercurity.medium.com/building-atop-osquery-compliance-monitoring-threat-hunting-and-auditing-dec2d3da4911
  • https://zercurity.medium.com/what-is-osquery-ea90270d10de
  • https://kifarunix.com/install-osquery-on-ubuntu/
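As an added example (not code from the page or from the osquery project), the PowerShell script below expresses a few host-compliance checks as osquery SQL, runs them through osqueryi and reduces each to PASS/FAIL. It assumes osqueryi.exe is on PATH and runs elevated; table and column names are taken from the osquery schema.

```powershell
# Added example, not from the page or the osquery project: a few compliance checks
# written as osquery SQL, executed through osqueryi and reduced to PASS/FAIL.
# Convention: every query selects VIOLATIONS, so an empty result set is a pass.
# Assumes osqueryi.exe is on PATH and runs elevated (some tables need it).
$checks = @(
    @{ Name  = 'Windows Firewall service (MpsSvc) is running'
       Query = "SELECT name, status FROM services WHERE name = 'MpsSvc' AND status != 'RUNNING';" },
    @{ Name  = 'No Telnet, SMB or RDP listener bound to all interfaces'
       Query = "SELECT pid, port, address FROM listening_ports WHERE port IN (23, 445, 3389) AND address IN ('0.0.0.0', '::');" },
    @{ Name  = 'Automatic updates not disabled by policy'
       Query = "SELECT path, data FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate' AND data = '1';" },
    @{ Name  = 'Host rebooted within the last 30 days'
       Query = "SELECT days FROM uptime WHERE days > 30;" }
)

function Invoke-OsqueryCheck {
    param([hashtable]$Check)
    # osqueryi --json prints a JSON array of row objects; "[]" means no violations.
    $raw  = (& osqueryi --json $Check.Query) -join ''
    $rows = @($raw | ConvertFrom-Json | ForEach-Object { $_ } | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        Check  = $Check.Name
        Status = if ($rows.Count -eq 0) { 'PASS' } else { 'FAIL' }
        Detail = if ($rows.Count -eq 0) { '' } else { $rows | ConvertTo-Json -Compress }
    }
}

$results = $checks | ForEach-Object { Invoke-OsqueryCheck -Check $_ }
$results | Format-Table -AutoSize
# Non-zero exit code if anything failed, so the script can gate a configuration-management run.
exit [int](@($results | Where-Object Status -eq 'FAIL').Count -gt 0)
```

The same queries can be dropped unchanged into an osquery pack for scheduled collection by osqueryd; the "violations only" convention keeps the logged result sets small.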

Jul 22, 2021

Misconfigured ACL for SAM

Windows 10 version 1809 and newer could be affected by this vulnerability. According to Microsoft, an elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This means that we, as a non-admin user, no longer need to crack the hashes; we can use Mimikatz, for instance, to elevate privileges using this extracted data.

The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.


Or, in short, "a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts." This can be used to thoroughly infect a system with malware, snoop on other users, and so on.

According to the advisory: "Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."

US-CERT describes how to check whether VSS shadow copies are available: run vssadmin list shadows as a privileged user and see whether any shadow copies are listed.

The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, so they cannot be opened by a normal user even with the loose ACL. However, if shadow copies are available, the copies of the hive files inside the shadow volume can be opened for inspection thanks to the sloppy ACL.
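The following PowerShell audit is added here as an example (it is not code from the advisory, US-CERT or Microsoft): it reports whether the hive files carry the permissive ACL described above and whether shadow copies exist, and with -Remediate applies the workaround Microsoft published for this CVE (re-enable ACL inheritance on the hive files, then delete existing shadow copies). Account names are assumed to be the English ones; localized builds name BUILTIN\Users differently.

```powershell
# Added example, not from the advisory or from Microsoft: audit a host for the
# CVE-2021-36934 exposure (hive files readable by BUILTIN\Users plus shadow copies
# that hold a readable copy) and, with -Remediate, apply Microsoft's published workaround.
param([switch]$Remediate)

$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $hiveDir $_ }
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 1. Look for an Allow ACE that grants BUILTIN\Users any read right on a hive file.
#    A non-admin who cannot even read the DACL is, by that fact, not exposed.
$exposed = foreach ($hive in $hives) {
    try { $aces = (Get-Acl -Path $hive -ErrorAction Stop).Access }
    catch { Write-Verbose "Cannot read DACL of ${hive}: $_"; continue }
    $aces |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights.ToString() -match 'Read' } |
        ForEach-Object { '{0} : {1} {2}' -f $hive, $_.IdentityReference, $_.FileSystemRights }
}

# 2. Count shadow copies (vssadmin needs elevation); the in-use hives are only readable via a copy.
$shadows = if ($isAdmin) { @((vssadmin list shadows) -match 'Shadow Copy Volume') } else { @() }

if (-not $exposed) { Write-Host 'Hive ACLs are restrictive: not exposed to CVE-2021-36934.'; return }
Write-Warning 'Overly permissive ACL on registry hive files (CVE-2021-36934):'
$exposed | ForEach-Object { Write-Warning "  $_" }
Write-Host ('Shadow copies on this host: {0}' -f $shadows.Count)

if ($Remediate -and $isAdmin) {
    # Re-enable inheritance so the hives pick up the restrictive parent ACL again...
    icacls (Join-Path $hiveDir '*.*') /inheritance:e
    # ...then remove existing shadow copies, which still carry the old ACL.
    # This also deletes System Restore points on the system volume.
    vssadmin delete shadows /for=$env:SystemDrive /all /quiet
}
```

Run it unelevated first: if the ACL check reports the hives as readable from a standard user context, that is exactly the condition the advisory describes.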



[ CVE Description ]
 [*] CVE_ID : CVE-2021-36934
 [_] Desc   : Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by an overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges..

 [_] C:2021-07-20 / P:2021-07-20 / L:2021-07-20
 [*] Vuln Risk           : 18.5605
 [*] Exploited [trend]   : 0 [holding]
 [_] Exploit/likehood    : False/None

 [*] Malware sample : 0
 [*] Exploits/POC   : [0]
 [_] Fixes          : [0]
 [_] Threat Actors  : [0]
 [_] CVSS2 / CVSS3  : [ 6.8 / 7.8 ]

 [_] Vuln Products  : [0]

[ CVE Malware Family Info : None ]

[ High_Profile_Vulnerability ]
 [!!!]   CVE-2021-36934 (18.5605) : []


 ** [ 2021-07-22 ]

Jul 21, 2021

Two Linux Bugs

Two Linux bugs highlighted today.

  • Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
  • CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1)

 

 [*] Searching cve-[['2021-33909', '2021-33910']] vulnerability definitions within Kenna.VI+....


[ CVE Description ]
 [*] CVE_ID : CVE-2021-33909
 [_] Desc   : fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

 [_] C:2021-06-07 / P:2021-07-20 / L:2021-07-20
 [*] Vuln Risk           : 30.6247
 [*] Exploited [trend]   : 0 [holding]    [Pre_NVD]
 [_] Exploit/likehood    : False/0.1999% confidence

 [*] Malware sample : 0
 [*] Exploits/POC   : [0]
 [_] Fixes          : [4]
 [_] Threat Actors  : [0]
 [_] CVSS2 / CVSS3  : [ 7.2 / 8.4 ]

 [_] Vuln Products  : [0]

[ CVE Malware Family Info : None ]


[ CVE Description ]
 [*] CVE_ID : CVE-2021-33910
 [_] Desc   : basic/unit-name.c in systemd 220 through 248 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

 [_] C:2021-06-07 / P:2021-07-20 / L:2021-07-20
 [*] Vuln Risk           : 37.5
 [*] Exploited [trend]   : 0 [holding]    [Pre_NVD]
 [_] Exploit/likehood    : False/2.5210% confidence

 [*] Malware sample : 0
 [*] Exploits/POC   : [0]
 [_] Fixes          : [6]
 [_] Threat Actors  : [0]
 [_] CVSS2 / CVSS3  : [ 2.1 / 4.0 ]

 [_] Vuln Products  : [0]

[ CVE Malware Family Info : None ]

[ High_Profile_Vulnerability ]
 [!!!]   CVE-2021-33909 (30.6247) : []
 [!!!]   CVE-2021-33910 (37.5) : []


 ** [ 2021-07-21 ]

 

Jul 20, 2021

FragAttacks (fragmentation and aggregation attacks)

FragAttacks is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary within range of a victim's Wi-Fi network can abuse these vulnerabilities to steal user information or attack devices.

Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible with uncommon network settings. As a result, in practice the biggest concern is the programming mistakes in Wi-Fi products, since several of them are trivial to exploit.

Design flaws:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames)
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys)
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network)

Implementation vulnerabilities allowing the injection of plaintext frames:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
  • CVE-2020-26140: Accepting plaintext data frames in a protected network
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network

Other implementation flaws:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs)
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
  • CVE-2020-26142: Processing fragmented frames as full frames
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames

Links:

  • https://www.fragattacks.com/
  • https://arstechnica.com/gadgets/2021/05/farewell-to-firewalls-wi-fi-bugs-open-network-devices-to-remote-hacks/
  • https://github.com/vanhoefm/fragattacks

Jul 19, 2021

Attacking and Defending Active Directory: Domain Enumeration with BloodHound


My notes:

  • More useful for the Blue Team (than the Red Team).
  • A very noisy domain enumeration tool on the network.
  • 2 parts: ingestors and GUI.
  • Gives a snapshot of the status of AD.
  • Find all Domain Admins
  • Show the shortest path to Domain Admins
  • Show principals with DCSync rights
  • Map domain trusts
  • Show shortest paths to unconstrained delegation systems
  • Show shortest paths from Kerberoastable users
  • Show shortest paths to Domain Admins from Kerberoastable users
  • Show shortest paths from owned principals
  • Show shortest paths to Domain Admins from owned principals
  • Show shortest paths to high value targets

 

# Dot-source the SharpHound ingestor into the current PowerShell session
. .\SharpHound.ps1

# Run a full collection (group membership, ACLs, sessions, trusts, ...) with verbose output
Invoke-BloodHound -CollectionMethod All -Verbose

# Start the neo4j database that backs the BloodHound GUI
c:\neo4j\neo4j-win\bin\neo4j.bat

# GUI connection settings: bolt URL and the default neo4j credentials (user:password)
bolt://localhost:7687

neo4j:neo4j

# Collect only logged-on sessions
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose

# Avoid detection like ATA

Invoke-BloodHound -CollectionMethod All -ExcludeDC