[tl;dr sec] #33 - Splunk's Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers

Hi there,

I hope you’ve been doing well!

Over the past few years I’ve become a big fan of musicals. Recently, I’ve felt like a part of me has been missing since BroadwaySF has delayed their season.

Fortunately, Filmed on Stage has a listing of a ton of plays and musicals you can watch online for free! They have a number of Shakespeare productions, musicals, Cirque du Soleil performances, and even Benedict Cumberbatch in Frankenstein 😍

AppSec

Skyscanner/whispers
Looks for secrets, hardcoded credentials, and dangerous functions in source code and config files. Searches by regexes, allows specifying include/exclude paths, and other useful features.

Web Security

DOM XSS in Gmail with a little help from Chrome
A useful example of grokking complicated front-end code (e.g. Gmail) using browser features and tools like postMessage-logger, to understand how different iframes communicate with each other using the postMessage API.

Researching Polymorphic Images for XSS on Google Scholar
Explorations by Doysensec in embedding XSS payloads in images that survive server-side image processing. source code

Cloud Security

Terraform Foundational Policies Library
HashiCorp announced that they’re releasing a library of 40+ controls based on the CIS Benchmarks for securing common cloud services including networking, databases, storage and compute services.

ScoutSuite 5.8.0 Released
ScoutSuite is a multi-cloud security auditing tool. This version has improved support for AWS, Azure, GCP, and OCI.

RCE to IAM Privilege Escalation in GCP Cloud Build
Abusing a feature of Cloud Build can give you access to the Cloud Build Service Account: supply Python code that’s executed during the build process, use that to exfiltrate the access token for the Cloud Build Service Account, then use that account’s additional permissions. PoC script 

Terraform AWS FIPS Provider
Example Terraform providers with FIPS endpoints enabled. Useful if you’re working with the federal government and need to meet FIPS 140-2 requirements. source code 

salesforce/cloudsplaining
Another nifty tool from Kinnaird McQuade: “an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.”

Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances
How to apply common security group rules, audit security groups, and detect unused and redundant rules across your AWS environment. The example walks through creating security group rules that allow SSH access only from the public IP address of the bastion host and setting a policy that prohibits any security group rules that allow SSH access from everywhere.

“When you use Firewall Manager to centrally apply a common security group, you can do things such as ensure that all Application Load Balancers only talk to Amazon CloudFront, or the SSH protocol is only allowed from specific IP ranges, or to give system administrators access to a central database.”

After you put the master set of security group rules in place, you’ll get notification of all non-compliant changes made by developers and can set policies to auto remediate any non-compliant resources.

Finding evil in AWS: A key pair to remember
Nice walkthrough by Expel on how they detected that AWS access keys had been compromised, determined the potential impact, and kicked the attacker out.

One aspect I found especially interesting is that they’ve built an orchestration framework that automatically enriches relevant data, a theme I called out in my BSidesSF 2020 talk as one way many companies are scaling their detection and response efforts. Specifically, they:

• Use a third-party enrichment service for IPs (ipinfo.io)

• Determine if the IAM principal historically tends to use the AWS CLI, console (UI), or the AWS SDK. In some cases manually creating an access key is atypical because infra as code (CloudFormation, Terraform) should be used instead.

• Look for behavioral anomalies: did the principal assume any other roles? What services do they normally interact with? Did they make any interesting API calls? (e.g. calls they don’t normally make, calls that could indicate enumerating an environment).

Expel has another blog post on building a detection strategy for CloudTrail with some tips on useful signals:

Container Security

Everything We Learned Running Istio In Production — Part 1
HelloFresh describes their process of gradually rolling out Istio. Key points:

• Looking at all of Istio’s features can be overwhelming, so choose a few to focus on initially.

• At its core, Istio does 4 main things: connectivity, observability, security, and traffic control. HelloFresh decided to first focus on observability and resilience.

• Deploying and updating config across many teams can be a lot of work, so they wrote a Helm plugin that loads centralized Helm templates and combines them with project-specific values.

• Roll out in stages - Istio can drastically alter the intended behavior at the app level (e.g. when it injects a sidecar proxy), so make sure you don’t break things and that your control plane properly scales as you onboard more microservices.

Red Team

Azure AD Introduction for Red Teamers
“The aim of this article is to briefly present Azure AD and to explore the different attacking paths this new cloud environment offers to pentesters and red teamers.” Includes links to a number of useful tools for performing unauthenticated and authenticated recon and more. 💯 details and write-up.

Guy’s 30 Reverse Engineering Tips & Tricks
Twitter thread by Guy.

ustayready/SharpHose
“SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike’s execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers.”

Malware development part 2
“Previously, we’ve created basic Metasploit shellcode launcher in C++ and explored basic techniques which helped to lower detection rate of the compiled executable - payload encoding/encryption, binary signing with custom code-signing certificate and switching to x64 architecture. Now let’s dive deep into dynamic analysis and how to defend against it.”

Blue Team

Splunk Attack Range in a virtualized Ubuntu Guest VM — Guide
“The Splunk Attack Range is a project that allows anyone interested to quickly (automatically) build and deploy a whole Infrastructure stack with various software/tooling to test Cyber Attacks against vulnerable hosts, capture and send event logs from hosts, forward said event data into Splunk and even implement SOAR playbooks.”

The Many Paths Through Maze
CrowdStrike: How to “attack and deobfuscate the various obfuscations leveraged by Maze’s author” using the IDA Pro disassembler and Python.

Zooming in on Observability
Using eBPF for research and blackbox testing to determine how the Zoom Linux client actually works. “We fired up ingraind to monitor our daily Zoom ‘standup’ meeting, and decided to analyse the results in this blog post. We ended up writing some Rust code that helps us decrypt TLS traffic by instrumenting the binary using eBPF uprobes.”

Politics / Privacy

‘I Could Solve Most of Your Problems’: Eric Schmidt’s Pentagon Offensive
Interesting profile of the former Google CEO’s involvement with the U.S. military. No problem is too great to solve, with the potent combination of the right technology and characteristic Silicon Valley humility.

Mozilla examined the privacy of 15 video conferencing apps
The Mozilla researchers judged each video conferencing app by its Minimum Security Standards: Using encryption; providing security updates; requiring strong passwords; managing vulnerabilities; and featuring a privacy policy. Full report

Misc

Psychic Paper
A 15 line XML PoC to escape the iOS sandbox 🔥 

Jukebox by OpenAI
“A neural net that generates music, including rudimentary singing, as raw audio in a variety of genres and artist styles. We’re releasing the model weights and code, along with a tool to explore the generated samples. Jukebox produces a wide range of music and singing styles, and generalizes to lyrics not seen during training. All the lyrics below have been co-written by a language model and OpenAI researchers.”

OpenTitan RTL synthesis with Yosys
“OpenTitan is the first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips. Yosys is a free/libre and open source framework for RTL synthesis tools.”

Startup Offense and Defense in the Recession
Elad Gil presents some figures and stats demonstrating the impact of COVID-19 and its likely continued effects, as well as advice for start-ups to mitigate the damage and take best advantage of the situation.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint