MaverisLabs
Research from Maveris Team Members. Connect Fearlessly.

Introduction

At Maveris Labs, you’ve typically seen us write about the technical aspects of our cybersecurity- and IT-related research. Today, we are going to share something a little more casual. I’d like to discuss how a few coworkers and I used Google Forms, Sheets, and Apps Script to spread a little cheer. The principles laid out in this post may inspire someone reading to do creative things with all the free services Google offers.

Background

Given the holiday season and our inability to congregate due to Covid-19, the folks at Maveris decided to throw a week of virtual holiday festivities, dubbed “Maveristmas”. These festivities included daily competitions where participants could submit entries to be later voted on by peers to earn points (or what we like to call “Magical Maveris Medallions”) for a chance to win a plethora of prizes. …


During a recent engagement with a client, we had one of the usual discoveries of passwords stored in clear text on a user’s workstation. Red Teamers know this is a ubiquitous issue and one of the first few things searched for when we gain access to a user’s workstation. This problem is amplified as the size of the organization grows; the more users there are, the more likely it is that some user stores passwords in clear text. Even if it is drilled into the users’ heads and they are aware of this security risk, some just seem impervious and have the attitude, “Oh, I am definitely not going to be the one to get hacked”. …


For Red Teams, Penetration Testers, and Security Researchers

Bash is the command line interface so many of us use daily during our operations. Yet, how often are you at a loss to remember what command was run during that thing you worked so hard to achieve? Or how easily can you retrieve the time and date you executed an nmap scan against your target? The Red Team community, as of late, has been quick to apply systematic logging across their infrastructure to keep track of their Command and Control usage, and folks much more clever than I have gone above and beyond to automate alerting based on logs from their Redirectors and C2 agents through the RedELK project. …


Today, it is becoming more and more common for Penetration Testers, Security Researchers, Red Teams, and the like to require some sort of tunneling in and out of an organization’s infrastructure. Internal Red Teams, especially, who may need to cordon off their Command and Control infrastructure will likely employ SSH (or VPN, but that will be a different post) tunnels from their external infrastructure (such as callback servers, web hosting, mail, etc.) to the internal assets. Setting up these tunnels can become quite convoluted and difficult to manage, especially once the number of hops or jumps between servers increases.

Tunneling

Cascading SSH Tunnels can be a real pain in the hind-parts

For the purpose of this blog post, an environment as depicted below has been set up. The goal is to ensure beacons from the Victims can reach the teamserver host embedded deep in a corporate datacenter. …


TL;DR: I purchased a cheap domain that was very similar to a company’s domain. If the domain had been used during a Red Team operation as a C2 domain, it would have blended in with the noise. However, before I could use it, I was in an administrative proceeding due to a Domain Dispute. The dispute was based on an ICANN policy that was created to protect trademarks from people purchasing domains in “bad faith”. I chose the option to settle and transfer the domain to the company at no additional cost. As a Red Teamer, if in the future I plan to purchase a domain that is similar to a company’s for any reason, I plan to search the WIPO site to see if there are other proceedings filed by that company. …


The problem with Long Fat Networks


A few years ago, I was involved in a consulting project with a large company in the healthcare industry that was in the middle of a data center migration. After the networks and servers were stood up at the new location, they needed to migrate massive amounts of data in bulk, so the company secured a pair of OC192 circuits, providing nearly 10Gbps of throughput in each direction on each circuit.

Everything seemed to be in order, so they began transferring data. To their surprise, they were only seeing throughput in the tens of megabits per second, even on servers connected to the network via gigabit Ethernet switches. After exhausting all the normal troubleshooting steps, they decided to bring in a fresh set of eyes. What we discovered may seem counter-intuitive: this company’s pipes were just too big. …


Recently, I was willingly forwarded a phishing email (for science!) which contained a ZIP attachment, asking the recipient to update their contact information:

Screenshot of initial phishing email

The hyperlink pointed to https://weitblicker.com/wp-content/uploads/2019/10/goes/JVC_83860.zip. Inside this ZIP was a heavily obfuscated VBS file (found [here] if you’d like to follow along).



I just want to put it out there first: I love VirusTotal. I use it in both my professional career and in my personal life. When I have been busy and asked by family to investigate some “phishy” email or anything possibly malicious, I have been known to respond with the simple “Have you thrown it up in VirusTotal and seen what it says?”. I am aware that some organizations have used this same check as the starting point for their analysis process. For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their “analysis checklist”. They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email, such as what the content is, where it came from, what the email headers say, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan by over 70 AV scanners on VirusTotal. The results (most likely) return that all 70-plus AV scanners claim the link is clean (not one flag). The Defender quickly marks all clear and closes the ticket. In many cases this might be a quick solution, and it is not a bad starting point, but it can produce many false negatives. This post is designed to show that VirusTotal is just a tool that aids in analysis and should not be a “one-stop shop” for determining whether content is malicious. …


CVE-2019-17123

Summary

During an engagement with one of Maveris’ customers, the Maveris Red Team discovered an Email Header Injection vulnerability in the eGain Web API that allows attackers to send specially crafted emails through otherwise trusted Mail Servers. Email Header Injection through the eGain Web API enables an attacker to spoof emails as organization employees, set unintended Subjects, and even send attachments. Depending on the architecture of the underlying infrastructure used to run an eGain application, this vulnerability could allow attackers to circumvent email filters and protections.

Email Header Injection is a vulnerability most notably introduced by the backend server’s failure to properly sanitize user input. In the case of eGain’s Web API, the backend did not properly sanitize the input of the form parameters of the API URL: /system/ws/v11/ss/email. This allowed the Maveris Red Team to inject Carriage Return (0x0D) and Line Feed (0x0A) bytes into the fromName value and write custom headers, successfully crafting a new email using the hosting organization’s backend email servers. …


TL;DR: Some VBA AMSI bypasses from the internet were not working as expected when I toyed with them, so I decided to walk through them to see where they were failing and wrote my own AMSI bypass based off the works of https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html, https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/, and https://www.contextis.com/en/blog/amsi-bypass. The purpose of the blog post is to bring light to this bypass so defenders and Microsoft are aware of it, and for Penetration Testers/Security Professionals to use in engagements to yet again display that AMSI (and in a broader context, AV and the like) is not enough alone to secure an environment. Ok, let’s get started…

As I am writing this, it should be made known that according to Dan @ https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html, Microsoft’s official position is that AMSI is not a security boundary, and numerous AMSI bypasses are out there. This journey began during the tail end of silentbreaksec’s Malware Dark Side Ops course (great course, I might add) that I attended during the final DerbyCon. During the course, another attendee and I were messing around with a macro-based dropper and discovered that simple string mutation (which was the norm for evading Defender years ago) was no longer enough to ensure our payload would circumvent detection. Initial tests against an up-to-date Win 10 v. 1903 system showed that existing bypasses would either crash or get flagged immediately by Defender (as they should). While I didn’t spend too much more time mucking with the bypass during the rest of DerbyCon, I did have a strong desire to come back to this problem when I finally had the chance. …
