There are various tools that allow you to automatically test different login processes, user agents, and resources. I briefly tried NoPrompt over the weekend, and it was super easy to use. [1]
20.10.2025 06:18 — 👍 1 🔁 0 💬 1 📌 0
For example, certain resources were excluded, allowing attackers to access data despite the policy. In other cases, specific user agents were excluded. The list is relatively long.
20.10.2025 06:18 — 👍 0 🔁 0 💬 1 📌 0
In various business email compromise (BEC) cases, we later discovered that although the customer had set up a conditional access (CA) policy to enforce multi-factor authentication, mistakes had been made during the implementation of said policies.
20.10.2025 06:18 — 👍 1 🔁 0 💬 1 📌 1
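The implementation mistakes described in this thread (excluded resources, excluded client types, policies that only nominally require MFA) can be audited mechanically. The script below is an added example, not the author's code or the tool he mentions: it inspects policy objects in the shape returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies and lists every exclusion and scoping choice that would let a sign-in skip the MFA grant control. The two policies are constructed; the group and application ids in them are placeholders.

```python
"""Audit Entra ID Conditional Access policies for gaps in MFA enforcement.

Added example, not the author's code or tooling. Policies are expected in
the Microsoft Graph conditionalAccessPolicy shape. The sample policies are
constructed; ids are placeholders.
"""
from typing import Iterable

ALL = "All"            # Graph sentinel for "all users" / "all cloud apps"
MFA_CONTROL = "mfa"    # builtInControls value for "Require multifactor authentication"
CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}


def mfa_gaps(policy: dict) -> list[str]:
    """Return human-readable findings for one policy; an empty list means no gap found."""
    name = policy.get("displayName", "<unnamed>")
    findings: list[str] = []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if MFA_CONTROL not in controls:
        return [f"{name}: does not require MFA at all"]
    # "mfa OR compliantDevice" lets a sign-in without MFA through on a compliant device.
    if grant.get("operator") == "OR" and len(controls) > 1:
        findings.append(f"{name}: MFA is only one of several alternatives ({controls})")
    if policy.get("state") != "enabled":
        findings.append(f"{name}: state is {policy.get('state')!r}, so nothing is enforced")

    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if ALL not in (users.get("includeUsers") or []):
        findings.append(f"{name}: not scoped to all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        for entry in users.get(key) or []:
            findings.append(f"{name}: {key} excludes {entry}")
    if ALL not in (apps.get("includeApplications") or []):
        findings.append(f"{name}: not scoped to all cloud apps")
    for app in apps.get("excludeApplications") or []:
        findings.append(f"{name}: excludeApplications excludes {app}")
    # Client app types are derived from the sign-in's client/user agent; leaving one
    # out (for example "other", i.e. legacy authentication) is the user-agent gap.
    client_types = set(cond.get("clientAppTypes") or [])
    if client_types and "all" not in client_types:
        missing = CLIENT_TYPES - client_types
        if missing:
            findings.append(f"{name}: clientAppTypes does not cover {sorted(missing)}")
    return findings


def audit(policies: Iterable[dict]) -> dict[str, list[str]]:
    """Run mfa_gaps over every policy and key the findings by display name."""
    return {p.get("displayName", "<unnamed>"): mfa_gaps(p) for p in policies}


# Constructed sample policies (ids are placeholders, not real object ids).
WEAK_POLICY = {
    "displayName": "Require MFA - weak",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [ALL], "excludeUsers": [],
                  "excludeGroups": ["<legacy-group-id>"], "excludeRoles": []},
        "applications": {"includeApplications": [ALL], "excludeApplications": ["<legacy-app-id>"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}
TIGHT_POLICY = {
    "displayName": "Require MFA - tight",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [ALL], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
        "applications": {"includeApplications": [ALL], "excludeApplications": []},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for name, gaps in audit([WEAK_POLICY, TIGHT_POLICY]).items():
        print(name, "->", gaps or ["no gaps found"])
```

Every finding is a review item rather than a verdict: an excluded break-glass account is expected in a well-run tenant, while an excluded line-of-business application or a client type left uncovered is exactly the kind of gap the thread describes. Feed the script the JSON from a Graph export and compare the output against what the policy was supposed to do.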
Linux Capabilities Revisited | dfir.ch
Technical blog by Stephan Berger (@malmoeb)
I wrote about Linux Capabilities and how to find them on my blog if you want to learn more. [1]
[1] dfir.ch/posts/linux_...
19.10.2025 07:29 — 👍 2 🔁 0 💬 0 📌 0
An attacker can now effectively spawn a root shell over the Python binary. The thing about this technique is that they haven't set a suid bit on a binary, or changed the Python binary. By setting the capabilities, attackers can build powerful backdoors.
19.10.2025 07:29 — 👍 1 🔁 0 💬 1 📌 0
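Because the backdoor lives in an extended attribute rather than in the file mode or the file contents, a SUID sweep or file-hash comparison will not find it. The script below is an added example, not the author's code or the tooling from his blog post: it decodes the security.capability xattr that setcap(8) writes (the kernel's struct vfs_cap_data, revision constants as in <linux/capability.h>) and flags binaries whose permitted set contains a capability that leads to root, ranking interpreters such as python highest. SAMPLE_BLOB is constructed to match `setcap cap_setuid+ep`.

```python
"""Find file capabilities that turn an interpreter into a persistent root shell.

Added example, not the author's code. Decodes struct vfs_cap_data from the
security.capability xattr and reports root-equivalent capabilities. The
sample blob is constructed.
"""
import os
import struct

VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "+e" part of setcap
VFS_CAP_REVISION_MASK = 0xFF000000
REV1, REV2, REV3 = 0x01000000, 0x02000000, 0x03000000

# Capability numbers from <linux/capability.h> (subset; others print as cap_N).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw",
             19: "cap_sys_ptrace", 21: "cap_sys_admin", 24: "cap_sys_resource"}
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                   "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace"}
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua", "tclsh")


def decode_vfs_cap(blob: bytes) -> dict:
    """Parse struct vfs_cap_data (revision 1, 2 or 3) into named capability sets."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == REV1:                      # one 32-bit permitted/inheritable pair
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
    elif rev in (REV2, REV3):            # two pairs: low 32 bits, then high 32 bits
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
        permitted, inheritable = p_lo | p_hi << 32, i_lo | i_hi << 32
    else:
        raise ValueError(f"unknown vfs_cap_data revision {rev:#x}")
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == REV3 else 0
    names = lambda bits: {CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if bits >> i & 1}
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def assess(path: str, caps: dict) -> list[str]:
    """Return findings for one file; interpreters with root-equivalent caps rank highest."""
    bad = caps["permitted"] & ROOT_EQUIVALENT
    if not bad:
        return []
    base = os.path.basename(path)
    interp = any(base.startswith(i) for i in INTERPRETERS)
    sev = "HIGH" if interp else "MEDIUM"
    return [f"{sev}: {path} permitted={sorted(bad)} effective={caps['effective']}"]


def scan(roots=("/usr/bin", "/usr/sbin", "/usr/local/bin", "/opt")) -> list[str]:
    """Walk the given roots (Linux only) and assess every file carrying a capability xattr."""
    findings: list[str] = []
    if not hasattr(os, "getxattr"):       # xattr API is Linux-specific
        return findings
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    blob = os.getxattr(p, "security.capability", follow_symlinks=False)
                except OSError:             # no xattr, permission denied, file vanished
                    continue
                findings += assess(p, decode_vfs_cap(blob))
    return findings


# Constructed blob: revision 2, effective flag set, permitted = cap_setuid (bit 7).
SAMPLE_BLOB = struct.pack("<IIIII", REV2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)

if __name__ == "__main__":
    print(assess("/usr/bin/python3.12", decode_vfs_cap(SAMPLE_BLOB)))
    for line in scan():
        print(line)
```

Run it as root on a mounted image or the live host and compare the output against the package manager's expectations (`ping` with cap_net_raw is normal; an interpreter with cap_setuid is not). For triage images, pair the findings with file timestamps of the xattr change, since the binary's own content hash will still match the distribution package.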
One way they could regain root access on Linux servers was by adding capabilities to the Python binary, for example:
setcap cap_setuid+ep /usr/bin/python3.12
19.10.2025 07:29 — 👍 1 🔁 0 💬 1 📌 0
We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors.
19.10.2025 07:29 — 👍 4 🔁 1 💬 1 📌 1
[1] specterops.io/wp-content/u...
[2] www.vilkascyber.com/blog/adcs-es...
[3] dfir.ch/posts/tear_d...
18.10.2025 06:46 — 👍 0 🔁 0 💬 0 📌 0
There may be dependencies and technical debt for which there is no quick solution. Nevertheless, I strongly recommend addressing these vulnerabilities. Otherwise, an attacker within the internal network could potentially take over the entire domain within minutes.
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
Exactly. And believe me, we saw that in our Incident Response cases as well, that threat actors requested a new certificate, and jumped right from zero to domain admin. I wrote about AD CS before, with more tips and tricks for securing your Active Directory environment. [3]
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
ESC1 is a misconfiguration that allows a regular domain user to request a certificate for a Domain Admin and use it to take control of the entire domain.
ESC1 offers a basic and stealthy method for escalating from a compromised user account to a domain compromise." [2]
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
One of the most common and impactful of these is ESC1, short for "Domain Escalation Scenario 1," first outlined in the Certified Pre-Owned whitepaper by Will Schroeder and Lee Christensen. [1]
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
But when misconfigured, AD CS can introduce some of the most dangerous privilege escalation paths in Active Directory.
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
"Active Directory Certificate Services (AD CS) is the backbone of certificate issuance in Windows environments. When properly configured, it helps enforce secure authentication and encryption.
18.10.2025 06:46 — 👍 0 🔁 0 💬 1 📌 0
Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical?
18.10.2025 06:46 — 👍 1 🔁 1 💬 1 📌 0
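The ESC1 conditions quoted above can be checked template by template. The script below is an added example, not the author's code or the tooling from the cited papers: it evaluates each condition separately so the report says what to fix, not only that a template is vulnerable. Input dicts mirror the LDAP attributes of pKICertificateTemplate objects (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) plus a flattened view of which principals hold Enroll rights and which CAs publish the template; the three templates are constructed.

```python
"""Flag AD CS certificate templates that meet the ESC1 conditions.

Added example, not the author's or the cited papers' code. A template is
ESC1 when all conditions below hold at once. Sample templates are
constructed.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(t: dict) -> dict:
    """Evaluate each ESC1 condition separately so the report says what to fix."""
    ekus = set(t.get("pKIExtendedKeyUsage") or [])
    return {
        "published": bool(t.get("publishedBy")),
        "low_priv_enroll": bool(set(t.get("enrollPrincipals") or []) & LOW_PRIV),
        "enrollee_supplies_subject": bool(
            t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list means the certificate is valid for any purpose, logon included.
        "allows_auth": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not (t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signature_required": int(t.get("msPKI-RA-Signature") or 0) == 0,
    }


def is_esc1(t: dict) -> bool:
    return all(esc1_conditions(t).values())


def report(templates) -> list[str]:
    out = []
    for t in templates:
        c = esc1_conditions(t)
        if all(c.values()):
            out.append(f"ESC1: {t['name']} - fix by clearing ENROLLEE_SUPPLIES_SUBJECT, "
                       "requiring manager approval, or removing low-privileged Enroll rights")
        else:
            blockers = [k for k, v in c.items() if not v]
            out.append(f"ok: {t['name']} (not ESC1 because: {', '.join(blockers)})")
    return out


# Constructed templates; names, CA and principals are illustrative only.
TEMPLATES = [
    {"name": "VPN-User-Legacy", "publishedBy": ["CORP-CA-01"],
     "enrollPrincipals": ["Domain Users"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "VPN-User-Fixed", "publishedBy": ["CORP-CA-01"],
     "enrollPrincipals": ["Domain Users"],
     "msPKI-Certificate-Name-Flag": 0,            # subject built from AD, not from the request
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "CodeSigning", "publishedBy": ["CORP-CA-01"],
     "enrollPrincipals": ["Domain Users"],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"]},   # Code Signing only: no logon use
]

if __name__ == "__main__":
    print("\n".join(report(TEMPLATES)))
```

The per-condition output is what matters for the retest problem in the thread: if a template that was reported as ESC1 still shows every condition as true, the fix was not applied, and if only one condition flipped (for instance manager approval was enabled), the report documents that as the control that now blocks the path.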
GitHub - sensepost/gowitness: 🔍 gowitness - a golang, web screenshot utility using Chrome Headless
4/ Attack Surface Reduction –> removing low-hanging fruit, especially when you run the tool from an office network, and you see various admin panels popping up in the results.
[1] github.com/sensepost/go...
17.10.2025 06:44 — 👍 2 🔁 0 💬 0 📌 0
3/ In a previous job, I used to run the predecessor tool EyeWitness from time to time for exactly the reason outlined above. I would recommend that anyone who secures networks take the time to run the tool and go through the output.
17.10.2025 06:44 — 👍 0 🔁 0 💬 1 📌 0
2/ In doing so, we found a web interface where any user on the internal network could issue certificates, even for domain admins! So we simply issued a new certificate for the DA and were able to authenticate ourselves."
17.10.2025 06:44 — 👍 0 🔁 0 💬 1 📌 0
1/ Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1].
17.10.2025 06:44 — 👍 5 🔁 1 💬 1 📌 0
Sysmon's RegistryEvent (Value Set) - SANS Internet Storm Center
Sysmon's RegistryEvent (Value Set), Author: Didier Stevens
3/
You can still monitor for modifications to these keys, but you must rely on other mechanisms to check the values of the modified keys.
[1] isc.sans.edu/diary/28558
16.10.2025 08:52 — 👍 0 🔁 0 💬 0 📌 0
2/
However, the values of these keys are "Binary Data", as explained by Didier Stevens [1].
If you are building your detection logic with Sysmon and a SIEM, beware of such "blind spots".
16.10.2025 08:52 — 👍 0 🔁 0 💬 1 📌 0
1/ During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon’s Event ID 13 (Registry - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification and Security Packages).
16.10.2025 08:52 — 👍 0 🔁 0 💬 1 📌 0
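The "Binary Data" blind spot changes how a detection for these keys has to be written: the rule can only key on the path, and the actual value has to come from somewhere else. The script below is an added example, not the author's Splunk search: it triages Sysmon Event ID 13 records by TargetObject, marks hits on the REG_MULTI_SZ keys as needing value retrieval, and shows how to decode a REG_MULTI_SZ blob obtained from another collector and diff it against a baseline. The events, the baseline and the blob are constructed.

```python
"""Triage Sysmon Event ID 13 hits on LSA and NetworkProvider keys whose values Sysmon cannot show.

Added example, not the author's query. Events, baseline and the sample blob
are constructed.
"""
from typing import Optional

# TargetObject suffixes (matched case-insensitively); the value type decides what Sysmon shows.
WATCHED = {
    r"\control\networkprovider\order\providerorder": ("NetworkProvider order", "REG_SZ"),
    r"\control\lsa\security packages": ("LSA Security Packages", "REG_MULTI_SZ"),
    r"\control\lsa\osconfig\security packages": ("LSA OSConfig Security Packages", "REG_MULTI_SZ"),
    r"\control\lsa\notification packages": ("LSA Notification Packages", "REG_MULTI_SZ"),
}
BINARY_PLACEHOLDER = "Binary Data"


def triage(event: dict) -> Optional[dict]:
    """Return a triage record if the EID 13 event touches a watched key, else None."""
    if str(event.get("EventID")) != "13":
        return None
    target = event.get("TargetObject", "").lower()
    for suffix, (label, vtype) in WATCHED.items():
        if target.endswith(suffix):
            details = event.get("Details", "")
            return {
                "label": label,
                "image": event.get("Image"),
                "user": event.get("User"),
                "details": details,
                # Sysmon gives nothing to inspect for REG_MULTI_SZ; fetch the value elsewhere.
                "needs_value_retrieval": vtype == "REG_MULTI_SZ" or details == BINARY_PLACEHOLDER,
            }
    return None


def decode_multi_sz(blob: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob (UTF-16LE, NUL-separated, double-NUL terminated)."""
    text = blob.decode("utf-16-le").rstrip("\x00")
    return [s for s in text.split("\x00") if s]


def new_packages(baseline: list[str], current: list[str]) -> list[str]:
    """Entries present now that were not in the baseline (case-insensitive)."""
    known = {b.lower() for b in baseline}
    return [c for c in current if c.lower() not in known]


# Constructed Sysmon EID 13 events as a SIEM might export them.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\admin1",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "User": "CORP\\user7",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]
# Constructed "Security Packages" value as another collector (e.g. a hive export) would
# return it; "evilssp" is the constructed addition the diff should surface.
BASELINE_SSP = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"]
SAMPLE_MULTI_SZ = "".join(s + "\x00" for s in BASELINE_SSP + ["evilssp"]).encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e))
    print(new_packages(BASELINE_SSP, decode_multi_sz(SAMPLE_MULTI_SZ)))
```

The first event is the blind spot from the thread: the write to "Security Packages" is visible, the new content is not, so the triage record asks for the value from a hive export or an endpoint query. The ProviderOrder write is a REG_SZ and arrives with its value intact, so the same rule can compare it inline.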
3/
For example, see this Splunk query here [1], or the KQL query here [2]
[1] research.splunk.com/endpoint/fd4...
[2] gist.github.com/secgroundzer...
28.09.2025 07:47 — 👍 1 🔁 1 💬 0 📌 0
2/
Yes, you could change it, but if not, we have a cool angle for hunting, as our internal Threat Hunter, Rene Kretzinger, showed me a few days ago.
As visible in the screenshot, it should be clear that something is amiss (minesweeper.exe - Sysinternals).
28.09.2025 07:47 — 👍 1 🔁 0 💬 1 📌 0
1/
Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away.
28.09.2025 07:47 — 👍 3 🔁 0 💬 1 📌 0
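The hunting angle is a plain comparison: the on-disk name against the OriginalFileName that Sysmon copies out of the PE version resource into its process-creation events. The script below is an added example, not the author's or the threat hunter's query: it runs that comparison over Sysmon Event ID 1 records, tolerates the benign differences (case, a missing .exe, no version resource at all) and raises the severity when the publisher is one whose tools are routinely renamed. The events are constructed; the OriginalFileName and Company values in them are illustrative and not taken from the case in the thread.

```python
"""Hunt for renamed binaries by comparing the on-disk name with the PE's OriginalFileName.

Added example, not the author's query. Sysmon Event ID 1 carries
OriginalFileName, Company and Description from the PE version resource.
All events below are constructed.
"""
import ntpath
from typing import Optional

# Publishers whose (legitimate) tools are frequently renamed by intruders.
WATCH_COMPANIES = ("sysinternals",)
# Constructed allowlist of (image basename, OriginalFileName) pairs known to be benign
# in this environment; build it from your own baseline.
KNOWN_BENIGN = {("setup.exe", "installer.exe")}


def normalize(name: str) -> str:
    """Lower-case and drop a trailing .exe so 'Tool.EXE' and 'tool' compare equal."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".exe") else n


def masquerade_finding(event: dict) -> Optional[dict]:
    """Return a finding when the executed file's name disagrees with its OriginalFileName."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "-")
    if original in ("-", "?", ""):
        return None                       # no version resource: nothing to compare against
    base = ntpath.basename(image)
    if normalize(base) == normalize(original):
        return None                       # same name apart from case/extension
    if (base.lower(), original.lower()) in KNOWN_BENIGN:
        return None
    company = (event.get("Company") or "").lower()
    return {
        "image": image,
        "original_file_name": original,
        "company": event.get("Company"),
        "description": event.get("Description"),
        "user": event.get("User"),
        "severity": "HIGH" if any(w in company for w in WATCH_COMPANIES) else "MEDIUM",
    }


def hunt(events) -> list[dict]:
    return [f for f in map(masquerade_finding, events) if f]


# Constructed Sysmon Event ID 1 records.
EVENTS = [
    {"Image": r"C:\Users\Public\minesweeper.exe", "OriginalFileName": "psexec.c",
     "Company": "Sysinternals - www.sysinternals.com", "Description": "Execute processes remotely",
     "User": "CORP\\user3"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "Company": "Microsoft Corporation",
     "Description": "Windows PowerShell", "User": "CORP\\user3"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "-",
     "Company": "-", "Description": "-", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "<constructed-tool>.exe",
     "Company": "Example Corp", "Description": "Example tool", "User": "CORP\\svc-backup"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["severity"], f["image"], "->", f["original_file_name"], f["company"])
```

The allowlist is the part that needs care: a first run on real data will surface installers, self-extracting archives and vendors who never update the version resource, and those pairs belong in KNOWN_BENIGN rather than in a suppression of the whole rule.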
5/
The incoming emails will get flagged as spam and moved to the Junk email folder.
This is a sneaky way to circumvent monitoring of audit logs, which look for specific keywords, such as "New-InboxRule". You can read more about it here [2]
[1] x.com/malmoeb/stat...
[2] x.com/malmoeb/stat...
27.09.2025 07:42 — 👍 0 🔁 0 💬 0 📌 0
4/
By the way, while typing this short article, I searched a bit around and stumbled upon another tweet from me, where the TA, instead of creating a new Inbox Rule, added email addresses of interest to the list of blocked senders and domains (again via the Set-MailboxJunkEmailConfiguration operation).
27.09.2025 07:42 — 👍 0 🔁 0 💬 1 📌 0
3/
So, to make extra sure such messages (important to the attacker) are reaching the inbox.
I do not frequently see this operation in BEC cases. This might be a good operation for alerting, or at least for a hunting session from time to time.
27.09.2025 07:42 — 👍 0 🔁 0 💬 1 📌 0
2/
Additionally, the attacker used the Set-MailboxJunkEmailConfiguration operation to add the target email addresses to this list, as messages from these senders that reach the mailbox are never delivered to the Junk Email folder (via the TrustedSendersAndDomains).
27.09.2025 07:42 — 👍 0 🔁 0 💬 1 📌 0
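A hunt for this technique keys on the cmdlet name in the Unified Audit Log rather than on "New-InboxRule", and pulls the addresses that were added to the trusted or blocked list out of the Parameters array. The script below is an added example, not the author's query: it parses constructed AuditData records, flags every Set-MailboxJunkEmailConfiguration call that touches TrustedSendersAndDomains or BlockedSendersAndDomains, and extracts the change. The "{Add=...; Remove=...}" rendering of multi-valued parameters is an assumption about the export format and should be checked against your own tenant's data.

```python
"""Hunt Exchange Online audit logs for Set-MailboxJunkEmailConfiguration changes.

Added example, not the author's query. Record shapes are constructed; the
"{Add=...; Remove=...}" parameter value format is an assumption.
"""
import json
import re
from typing import Iterable

OPERATION = "Set-MailboxJunkEmailConfiguration"
LIST_PARAMS = ("TrustedSendersAndDomains", "BlockedSendersAndDomains")
_KV = re.compile(r"(Add|Remove)=([^;}]+)")


def parse_list_change(value: str) -> dict:
    """Split a parameter value into added / removed / replaced entries."""
    value = value.strip()
    if value.startswith("{") and "=" in value:                # assumed form: {Add=a, b; Remove=c}
        out = {"add": [], "remove": [], "set": []}
        for op, items in _KV.findall(value):
            out[op.lower()] += [i.strip() for i in items.split(",") if i.strip()]
        return out
    # Plain value: the complete new list, entries separated by ';' or ','
    return {"add": [], "remove": [], "set": [i.strip() for i in re.split(r"[;,]", value) if i.strip()]}


def load(lines: Iterable[str]) -> list[dict]:
    """Parse AuditData JSON strings (one record per line) into dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def hunt(records: Iterable[dict]) -> list[dict]:
    """Return one finding per trusted/blocked-sender change made via the cmdlet."""
    findings = []
    for r in records:
        if r.get("Operation") != OPERATION:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        for name in LIST_PARAMS:
            if name in params:
                findings.append({
                    "time": r.get("CreationTime"),
                    "actor": r.get("UserId"),
                    "mailbox": r.get("ObjectId"),
                    "client_ip": r.get("ClientIP"),
                    "parameter": name,
                    "change": parse_list_change(params[name]),
                    # A change made from outside the mailbox owner's account deserves a closer look.
                    "actor_is_owner": (r.get("UserId") or "").lower() == (r.get("ObjectId") or "").lower(),
                })
    return findings


# Constructed AuditData records (addresses and IP are documentation/example values).
RAW = [
    '{"CreationTime": "2025-09-20T06:12:44", "Operation": "Set-MailboxJunkEmailConfiguration", '
    '"UserId": "victim@example.com", "ObjectId": "victim@example.com", "ClientIP": "203.0.113.10", '
    '"Parameters": [{"Name": "Identity", "Value": "victim@example.com"}, '
    '{"Name": "TrustedSendersAndDomains", "Value": "{Add=finance@partner.example}"}]}',
    '{"CreationTime": "2025-09-20T06:13:02", "Operation": "Set-MailboxJunkEmailConfiguration", '
    '"UserId": "victim@example.com", "ObjectId": "victim@example.com", "ClientIP": "203.0.113.10", '
    '"Parameters": [{"Name": "Identity", "Value": "victim@example.com"}, '
    '{"Name": "BlockedSendersAndDomains", "Value": "{Add=it-security@example.com, helpdesk@example.com}"}]}',
    '{"CreationTime": "2025-09-20T06:15:30", "Operation": "New-InboxRule", '
    '"UserId": "victim@example.com", "ObjectId": "victim@example.com", "ClientIP": "203.0.113.10", '
    '"Parameters": [{"Name": "Name", "Value": "."}]}',
]

if __name__ == "__main__":
    for f in hunt(load(RAW)):
        print(f["time"], f["parameter"], f["change"], "from", f["client_ip"])
```

The second finding is the variant from the thread's fourth post: addresses of the people who might warn the victim are pushed to the blocked list, so their mail lands in Junk without any inbox rule being created. Both findings carry the ClientIP, which is usually the fastest pivot back to the session that made the change.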