Und3rf10w

Overview

The following content is generated using a preview release of Swimlane's pyattck.

This snippet of data is scoped to the following actor groups:

APT33
APT34
APT39
Charming Kitten

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

Stealthy way to store secrets and other data in UEFI.
Will survive a reimaging of the operating system.

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
```
GET /verify/VALUE HTTP/1.1
Host: example.com
```

Introduction

In episode 338 of the 7 Minute Security podcast, I talked about a recent engagement where I helped a customer do a bit of a SIEM solution bake-off. This gist is the companion to that episode, and is broken down into the following two sections:

Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible
SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts on some things it should indeed whine about

	<#
	ImageFileExecutionOptions v1.0
	License: GPLv3
	Author: @netbiosX
	#>
	# Image File Execution Options Injection Persistence Technique
	# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

	function Persist-Debugger

	bits 64

	global_start
	_start:
	jmp short message

	print:
	pop rsi
	xor rax,rax
	mov al, 1

	#region Attack validations
	wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

	Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

	$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
	Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
	$CimSession \| Remove-CimSession

	winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword

	# This script locates potentially dangerous functions that could introduce a vulnerability if they are used incorrectly.
	#@author: VDA Labs (Michael Fowl)
	#@category Functions

	print "Searching for banned functions..."

	# Microsoft SDL banned.h list.
	blist = (["strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy",
	"StrCpyA", "StrCpyW", "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy",
	"_ftcscpy", "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "_mbscat",



	package main

	import (
	"io/ioutil"
	"os"
	"os/exec"
	"strconv"
	"syscall"

	$AutoLoggerName = 'MyAMSILogger'
	$AutoLoggerGuid = "{$((New-Guid).Guid)}"

	New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
	Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41