If you are unfamiliar, it was a toolkit that @digbei & I started developing in 2017 & that got postponed due to my health (github.com/glinares/Offic…)
After I move this summer I will have some time to dig it back up & continue 1/N
Office exploitation has changed for the better over those 2 years & checking out some of my code I see that AMSI has done good work to detect & deter a lot of development (good job @secbughunter & his team)
However #Hephaestus will change in order to adapt to this.
The toolkit will focus on being a bridge for other tools that are used to gain initial access.
Post-exploitation, #Hephaestus will have modules to do tasks thru Office such as recon, persistence, code exec, code tunneling, etc.
Instead of releasing it as one toolkit, we decided to break it up into components to help with faster releases and help other tools be more successful.
- A VBA Polymorph Tool that will take the evasion / anti-analysis methods and allow tools to encode their output with them
- An Office Persistent Tool - to allow you to have your payloads be persistent with Office components
- An Outlook Email C2C Tool - to allow comms via email to trigger events / actions
So to summarize how this would work: the red team exploits a box with an initial access tool.
Post-exploitation, in order to avoid AV / PSP and other detections, you would drop Hephaestus elements - which would use VBA, the Office API, and Office components to do activities for you.
One of the things added to the toolkit would be Corp-Espionage modules.
The toolkit can be used to find, extract/copy, & exfil documents as they are written.
Since many AV engines look for traditional malware - testing this persistent data theft via VBA has worked rather well.
AV & Office defenses still typically look for dropped/executed files/commands, so by exploiting macros and VBA that look like traditional business components (i.e. staying in Office and doing Office-related activities) attackers can still win, and that is a huge opportunity.
12 years ago my life was saved by Hurricane Sandy when I was supposed to be in a building performing incident response that got blown up.
There are not many public stories of physically targeted incidents directly related to cybersecurity but they exist.
This is the story
In August of 2012, Kaspersky and Symantec both discovered a relatively new malware named W32.DistTrack; this would later be infamously known as Shamoon Wiper.
It's now public that Shamoon hit several Middle Eastern companies including Saudi Aramco.
I was on the original IR team
As now disclosed by others who were on the team, the attack probably originated by targeting IT workers and was planned for months. The delivery mechanism was advanced and targeted specifically for each target.
In October of 2012 I was asked to go to Saudi Arabia to do IR
I have now heard of 2 extortion attempts originating from the AI girlfriend site Muah breach.
Both victims are devs & they received emails with credible data to confirm they have seen their sensitive content
One requested the victim give them VPN access
A 🧵
Security teams should be aware of sensitive breaches like this - as this can now jeopardize their entire company
Work with your team to put in place workplace awareness and a safe place for employees to report extortion.
Extortion at this stage can also include false accusations - an attacker could easily put out content to make a victim seem like they were an individual in the dump even though they weren't.
They can use this to attack someone's reputation and use it for leverage as well.
Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't.
This was a story I was gonna save for a book but fuck it, I ain't gonna write it anyways.
So in my first month working at eEye in late 2006, good ol' Microsoft announced Office 2007.
They said they added a shit ton of security including safe int, sandboxing, code analysis, and malformed doc detection.
I told my boss I was gonna break it.
So I started fuzzing by hand
I'm the kind of sicko who can open a Microsoft Office document in a hex editor and start telling you what it is all about just by scrolling down.
I have spent an embarrassing amount of time looking at the BIFF format in a hex editor; trust me, it's nothing special
A 🧵 I wanted to share one of my more recent successful red team campaigns so others can test & tabletop it
The client, like many others recently, implemented an approved internal AI interface for code questions and searches
This was essentially a wrapped ChatGPT UI + file search
The site was 3rd-party developed and had several implementations before rolling out in stages to all departments
For this scenario the goal was to compromise a separate dev and finance team with limited access in order to gain access to the production environment and financials
The attack first created a spoofed Google Cloud account and email to appear similar to the 3rd-party company that provided this service.
At this point a spoofed email was sent to several junior developers and low level HR people on the target teams posing as the AI portal dev team.
It's 11pm and the VC bros next to me are starting a company and are gonna roll out WordPress as their CRM, and they think they can manage it themselves with a Microsoft Azure cloud and MongoDB. None of them have admin experience
💀💀💀💀
This is at a hotel bar
They are in the carbon footprint reduction industry, I have no clue wtaf that involves but it sounds like a lot of cold calling and selling people materials from what I heard
Guys, they are discussing WordPress security and how one of their previous companies had to wipe everything "because a baddie broke their WordPress and shit"
Are these your sandboxes leaking out information that allows attackers to visibly fingerprint your environment and evade analysis?
This 🧵 is a deep dive into this method and why I find it relatively primitive yet elegant & efficient as a sandbox system bypass.
Those with watchful eyes might have noticed that the leaked information in the above screenshot is an XML dump of the entire system settings.
How many settings? 118,000 bytes worth, detailing everything from hardware, firmware, BIOS, manufacturers, PNP devices, printers etc.
This information comes from the Microsoft Windows System Assessment Tool aka WinSAT. It has shipped since Windows Vista and you can read all about it here: