Security Pills - Issue 48

Taking over a country Kaminsky style, This is a security data lake, Finding complex attack paths in Kubernetes clusters

Release Date: 4th December 2023 | Issue: 48

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Hey there 👋,

Here we are with another weekly issue. I hope you enjoyed the little surprise I sent to your inbox yesterday!

As always, sit comfortably and enjoy today’s newsletter with a cup of coffee ☕️. For the best experience, I recommend checking out this edition on our website, as it’s very likely that the email got clipped by your email provider.

  • 🛠️ Application Security: How to Use OAuth Scopes for Authorization | Taking over a country Kaminsky style | faction.

  • 🛡️ Blue Team: Best EDR Of The Market | Active Directory: A canary under your hat | IMDSpoof | ReleaseTheHounds.

  • ☁️ Cloud Security: Deep dive into EKS Pod Identity feature | Establishing a data perimeter on AWS | This is a security data lake | awskillswitch | cloudlens.

  • 🐳 Container Security: Terraform stacks explained | Finding complex attack paths in Kubernetes clusters | kube-bench | managed-kubernetes-auditing-toolkit.

  • 🤖 Machine Learning: Conducting Robust Learning for Empire C2 Detection | Introduction to LLM Agents | PentestMuse | privateGPT.

  • ⚔️ Red Team: Abuse the Power of DCOM Excel Application | Automating C2 Infrastructure | Phishing the anti-phishers | EvilSlackbot.

  • 📦️ Supply Chain: Security best practices for authors of GitHub Actions | FOSS SBOM Management at Mercedes-Benz | vulnerablecode.

  • 🕵️ Threat Hunting: Searching for Malicious HTTP Server | ETW Internals for security research and forensics | Defending Azure Active Directory | Okta Logs Decoded | Breach-Report-Collection.

How to Use OAuth Scopes for Authorization
Permit's Daniel Bass explores the appropriate use of OAuth scopes for authorization and cautions against their widespread misuse for detailed, granular authorization, which can lead to scalability challenges and issues with context-specific access control. Daniel suggests employing OAuth scopes primarily for initial access control and recommends complementing this approach with a dynamic authorization system, integrating policies and flexible models such as RBAC, ABAC or ReBAC.

TRAP; RESET; POISON; - Taking over a country Kaminsky style
Timo Longin and the SEC Consult team share a DNS cache poisoning vulnerability that could have manipulated the name resolution of an entire country. The vulnerability posed risks such as redirecting national internet traffic to hostile servers or manipulating DNS so that certificates were wrongly issued for any domain.

🧰 factionsecurity/faction
Josh Summit releases faction, an open-source tool designed for penetration testing report generation and assessment collaboration. It features automated reporting, real-time collaboration, peer review, change tracking, and customizable templates, among other functionalities.

Best EDR Of The Market
Yazid Benjamaa introduces BEOTM, an open-source Endpoint Detection and Response (EDR) tool, aimed at being a practical platform for understanding and circumventing EDR's user-mode detection methods. The tool incorporates techniques like DLL hooking, thread call stack monitoring, and IAT hooking.

Active Directory: A canary under your hat
Airbus' Quentin Arnould delves into the nuances of detecting Active Directory (AD) enumeration within SOC environments in this three-part blog series:

  1. Detecting AD enumeration - Delves into adversaries' use of AD enumeration in attacks and outlines detection strategies, including signature identification, deploying fake AD 'canaries', and monitoring with domain controller audits and System Access Control Lists (SACLs).

  2. AD Canaries and DACL backdoors - Focuses on AD Canaries, a detection technique using stealth mechanisms within AD's Discretionary Access Control List to identify unauthorized enumeration by triggering access failure alerts.

  3. Improvements and in-production deployment results - Discusses the practical implementation of AD Canaries in a SOC setting, highlighting enhancements in detection, DACL deployment refinements, and the integration of custom scripts for improved SOC operations.

Quentin has also published the PowerShell script that automates required AD object deployments.

🧰 grahamhelton/IMDSpoof
Graham Helton presents a tool designed to spoof AWS's IMDS service. It redirects IMDS traffic to a local server that provides fake data, including honey AWS tokens, for enhanced security detection. This tool is particularly effective for blue teams in AWS setups not using IMDS, providing a strategic advantage by deceiving attackers into believing they're accessing a genuine IMDS service.

🧰 deletehead/ReleaseTheHounds
A Python script that allows users to upload large datasets to the BloodHound CE API for analysis, and provides the ability to query the API for attack paths between specified source and destination objects.

Deep dive into the new Amazon EKS Pod Identity feature
Datadog's Christophe Tafani-Dereeper explores Amazon's EKS Pod Identity feature, a secure alternative to hardcoding IAM credentials for Kubernetes pods in EKS clusters. This feature uses AWS APIs for defining Kubernetes service accounts' permissions, simplifying AWS resource access management and enhancing security. It also integrates seamlessly with AWS SDKs and is supported by the Managed Kubernetes Auditing Toolkit for better oversight of pod-IAM role relationships.

Establishing a data perimeter on AWS: Require services to be created only within expected networks
AWS's Harsha Sharma discusses the implementation of preventative controls within the Amazon Virtual Private Cloud (Amazon VPC) to enforce network perimeter controls. This article, part of a series, focuses on ensuring that AWS resources, like Lambda functions, adhere to specific network configurations to maintain security. It also discusses the use of IAM condition keys for VPC settings and the application of detective controls like AWS Config and Security Hub to verify adherence to these security standards.

This is a security data lake
Omer Singer delves into the architecture and benefits of security data lakes, highlighting essential features for consideration, such as integrated security-specific rules engines and versatile analytics capabilities. Additionally, Omer discusses the role of Apache Iceberg, an open table format, in efficiently managing metadata within data lakes. This approach not only streamlines file organization but also offers potential cost savings for SOCs and enhanced query flexibility.

🧰 secengjeff/awskillswitch
Jeffrey Lyon publishes this Lambda function that organizations can implement in a dedicated security account to give their security engineers the ability to delete IAM roles or apply a highly restrictive service control policy (SCP) on any account in their organization.

🧰 one2nc/cloudlens
A terminal-based interface for exploring AWS and GCP services, similar to how k9s operates for Kubernetes.

Terraform stacks, explained
HashiCorp's Sarah Hernandez and Yushuo Huang delve into Terraform Stacks, a new feature to simplify infrastructure provisioning and management at scale. The article explains how this functionality helps users automate and optimize the coordination, deployment, and lifecycle management of interdependent Terraform configurations, reducing the time and overhead of managing infrastructure.

IceKube: Finding complex attack paths in Kubernetes clusters
WithSecure's Mohit Gupta presents IceKube, an open-source tool that identifies security vulnerabilities in Kubernetes clusters. IceKube maps resource configurations and interrelations within a cluster using a graph database, uncovering potential attack paths such as privilege escalations and misconfigurations. Applicable to both EKS and AKS clusters, it can detect sensitive data exposures and specific permission abuses.

🧰 aquasecurity/kube-bench
A tool by Aqua Security that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

🧰 DataDog/managed-kubernetes-auditing-toolkit
Christophe Tafani-Dereeper's all-in-one auditing toolkit (MKAT) for identifying common security issues within managed Kubernetes environments. The tool identifies trust relationships between Kubernetes service accounts and AWS IAM roles, including both IAM Roles for Service Accounts (IRSA) and the newer EKS Pod Identity. Additionally, MKAT can detect hardcoded AWS credentials in Kubernetes resources and assess pods' access to the AWS Instance Metadata Service (IMDS).

Conducting Robust Learning for Empire Command and Control Detection
Palo Alto Networks' research unveils an advanced machine learning (ML) model designed to detect Command and Control (C2) traffic from the PowerShell Empire framework, effectively addressing evasion tactics. This research addresses the challenge of Malleable C2 profiles used in evasion and resolves it with a Convolutional Neural Network (CNN)-based learning system. The system integrates an Empire C2 fuzzer, generating diverse C2 traffic scenarios, and a data quality monitor ensuring the integrity of training data. By training on both real and simulated adversarial attacks, the model significantly elevates its detection efficacy.

Introduction to LLM Agents
Nvidia's Tanay Varshney offers a comprehensive overview of LLM-powered agents. The author breaks down the key components of these agents, including their core, memory module, and planning module. The article explores different use cases, illustrating with examples like question-answering systems, collaborative agent swarms and AI-driven authoring tools, among others.

🧰 pentestmuse-ai/PentestMuse
An AI-driven tool designed for executing penetration testing tasks guided by user inputs.

🧰 imartinez/privateGPT
Iván Martínez's PrivateGPT is an open-source AI tool enabling offline, private document querying with Large Language Models (LLMs), ensuring data privacy by keeping all data within the execution environment. It offers a versatile API, including a high-level API for easy document ingestion and chat completions, and a low-level API designed for building complex pipelines.

Lateral Movement: Abuse the Power of DCOM Excel Application
SpecterOps' Raj Patel explores a lateral movement technique leveraging DCOM's 'ActivateMicrosoftApp()' method in Excel. This method is used for unauthorized system access and maintaining persistence in legacy environments. Patel also outlines mitigation strategies, emphasizing the importance of configuring the user identity property in Excel to limit privileges, and applying the principle of least privilege to limit the number of local administrators with access to workstations and servers.

Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike
d3d shares how to create a fully automated C2 (Command and Control) infrastructure for offensive security operations using Terraform alongside Nebula's encrypted communication layer.

Phishing the anti-phishers: Exploiting anti-phishing tools for internal access
Tanner Emek and Rojan Rijjal reveal how anti-phishing tools, typically used as proxies or reporting services, can be manipulated to gain unauthorized access to SaaS services within organizations. The authors demonstrate the exploitation of email verification processes that lack proper authentication. They detail how, by signing up with a ‘phishing@’ email and manipulating email security gateways, they gained access to Atlassian workspaces, obtaining sensitive data. In another case study, they illustrate how the email security gateway itself can be leveraged to distribute phishing emails from seemingly trusted sources, using services like Amazon SES.

🧰 Drew-Sec/EvilSlackbot
A Slack attack framework for conducting red team and phishing exercises within Slack workspaces.

Security best practices for authors of GitHub Actions
GitHub's Matthew Manning outlines essential security measures for GitHub Actions authors. Key recommendations include enabling Dependabot for dependency monitoring and vulnerability detection, using CodeQL or similar tools for code scanning, promptly addressing critical alerts, establishing a security policy, and enforcing multi-factor authentication for maintainers.

FOSS SBOM Management at Mercedes-Benz
Mercedes-Benz's Nicolas Krischker introduces their Free and Open Source Software (FOSS) manifesto, which is integral to the development of their FOSS Disclosure Portal. The portal's aim is to enable the direct and frequent exchange of FOSS information straight from the CI/CD pipeline to developers, product & application owners, and suppliers. To achieve this, they have created a central inventory of FOSS SBOMs for all companies within the Mercedes-Benz group. This inventory can be analyzed for identified security issues.

🧰 nexB/vulnerablecode
An open database of software packages that are affected by known vulnerabilities. It comes with tools for gathering, refining, and keeping the database updated with the latest vulnerability data. You can check its documentation for detailed information and advanced functionalities.

The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Fox-IT's Margit Hazenbroek discusses a method to detect malicious HTTP servers by identifying typos in HTTP responses. Using the Levenshtein distance, an edit-distance measure commonly used for spell checking, the team analyzed 800,000 HTTP responses, identifying common anomalies in response headers like 'Expired' instead of 'Expires.' The study reveals that these textual errors, while not definitive indicators of malicious activity, can be integrated into broader detection frameworks. This approach helps in fingerprinting servers hosting nefarious activities, such as those mimicking legitimate software responses to evade detection.
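As an added illustration of the method (example code, not from the Fox-IT post): a small Python checker that computes the Levenshtein distance between each response header name and a constructed list of well-known header names, and flags near misses such as 'Expired' for 'Expires'. The header list and the sample response below are constructed for this example.

```python
# Canonical header names a well-behaved server emits (constructed subset).
KNOWN_HEADERS = {"Content-Type", "Content-Length", "Date", "Server", "Expires",
                 "Cache-Control", "Last-Modified", "Set-Cookie", "ETag"}
KNOWN_LOWER = {h.lower() for h in KNOWN_HEADERS}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typo_headers(raw_response: str, max_distance: int = 2) -> list:
    """Return (seen_name, nearest_known_name, distance) for every header whose
    name is close to, but not exactly, a known header name (case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name = line.split(":", 1)[0].strip()
        if name.lower() in KNOWN_LOWER:
            continue  # exact match, nothing to flag
        best = min(KNOWN_HEADERS, key=lambda k: levenshtein(name.lower(), k.lower()))
        dist = levenshtein(name.lower(), best.lower())
        if dist <= max_distance:
            findings.append((name, best, dist))
    return findings


# Constructed sample response: the 'Expired' anomaly from the article plus a transposition typo.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Dec 2023 08:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Expired: 0\r\n"
    "Content-Lenght: 12\r\n"
    "X-Custom-Thing: 1\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for seen, known, dist in find_typo_headers(SAMPLE_RESPONSE):
        print(f"suspicious header {seen!r}: looks like {known!r} (distance {dist})")
```

Unknown custom headers that are far from every known name (like X-Custom-Thing above) are left alone; only near misses are reported, which keeps the signal usable as one input among others rather than a verdict on its own.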

ETW internals for security research and forensics
Trail of Bits' Yarden Shafir provides a comprehensive look into Event Tracing for Windows (ETW) and its vital role in enhancing EDR solutions. This article delves into the internal workings and functionalities of ETW, emphasizing strategies used to identify which ETW providers are active, and how this can be used by attackers to bypass ETW-based EDRs.

Defending Azure Active Directory (Entra ID)
Rezonate's Ron Marom offers a comprehensive guide on Azure AD audit logs and walks through over ten threat scenarios, including brute force attacks, password spray attacks and scenarios involving disabled user accounts, each paired with specific hunting queries. Additionally, the author also provides insights into Azure AD's Privileged Identity Management and the risks associated with single-password authentication and Azure AD sync abuse.

Ron has also published a collection of scripts for efficiently extracting logs from Azure AD Tenants.

Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting
Rezonate's Ori Amiga and Ron Marom provide a guide detailing the process of extracting critical data from Okta logs to identify threats, such as brute force, MFA fatigue, and privilege escalation via impersonation, among others. The authors present 9 top-relevant threat scenarios to monitor, including the relevant Okta events, specific MITRE ATT&CK techniques, and PostgreSQL queries for identifying pertinent data in the logs.

🧰 BushidoUK/Breach-Report-Collection
A collection of companies that disclose adversary TTPs after they have been breached. Including links to the reports, useful for analytics of intrusions launched by adversaries with measurable effects and impact.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews