🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Elastic Agent Skills - Elastic 🔍 Show Kagi Synopsis
  The provided article discusses the security considerations of using AI coding agents, particularly within cybersecurity workflows.
  
  **What Happened:**
  The article highlights that AI coding agents, when integrated into security operations, pose significant risks because they operate with real credentials, shell access, and user permissions. This environment makes them vulnerable to unexpected behavior and malicious exploitation.
  
  **Who is Affected:**
  **Organizations and security teams** that deploy AI coding agents for security tasks are directly affected. This includes any user who runs these agents, as the agents can access and process sensitive data, including PII, credentials, and regulated information.
  
  **Security Implications:**
  - **Data Exposure:** Security data processed by agents can contain sensitive information like PII and embedded credentials. This data may enter the model's context and potentially be sent to third-party APIs, necessitating involvement from infosec and compliance teams.
  - **Prompt Injection:** AI agents process attacker-controlled input (e.g., alert data, file contents), making them susceptible to prompt injection attacks. Research indicates that context files alone can be used for promptware persistence.
  - **Privilege Escalation:** Agents operating with broad privileges, especially those with broad response privileges or extensive API access, pose a significant risk if compromised or misdirected.
  - **Unintended Actions:** Unexpected agent behavior can lead to data breaches or system compromise due to the agent's access to credentials and shell execution capabilities.
  
  **Technical Details:**
  - AI agents can have access to **real credentials and shell access**, often with the full permissions of the user running them.
  - They process **attacker-controlled input** from various security data sources.
  - **Prompt injection** is an inherent risk, and context files can be exploited for persistence.
  - Default configurations often include broad access to **shell execution, file system writes, and internet access**.
  
  **What Defenders Should Know:**
  Defenders should be aware of the following and take proactive measures:
  - **Conduct Threat Modeling:** Evaluate the agent's data access, action capabilities, and potential for unexpected behavior. Referencing guidance like CISA's joint recommendations for deploying AI systems securely is advised 【1】.
  - **Monitor Data Flows:** Be mindful of what data flows through the agent, especially sensitive or regulated information, and involve infosec and compliance teams.
  - **Mitigate Prompt Injection:** Understand that attacker-controlled input is a reality and can be exploited.
  - **Scope Privileges Tightly:** Grant API keys the minimum required privileges, favoring read-only access initially until behavior is validated 【1】.
  - **Restrict Tool Access and Network Reach:** Limit the agent's available tools and network capabilities to reduce the attack surface 【1】.
  - **Use Non-Production Environments:** Test AI skills in isolated environments (e.g., Serverless trial projects, dev clusters) before deploying them with live security data 【1】.
  - **Audit Open-Source Skills:** The open-source nature of these skills allows for auditing their functionality before execution 【1】.
• WSL, COM Hooking, & RTTI - Jonathan Johnson 🔍 Show Kagi Synopsis
  This cybersecurity article details a method for hooking the `CreateLxProcess` COM method within the Windows Subsystem for Linux (WSL) service, particularly when symbols are unavailable 【1】.
  
  **What Happened:**
  The author needed to gather telemetry on the `CreateLxProcess` COM method's invocation. Standard API hooking methods are difficult without symbols, prompting the exploration of alternative techniques. The solution involved using C++'s Run-Time Type Information (RTTI) to locate and hook the target function within the `wslservice.exe` process, even without debugging symbols 【1】 【1】.
  
  **Who is Affected:**
  This technique is relevant to **users and administrators of WSL**, especially those concerned with **security monitoring and incident response**. The ability to execute Linux processes via WSL without launching `wsl.exe` directly has security implications, as it can be exploited by attackers 【1】.
  
  **Security Implications:**
  The primary security implication is that **attackers can leverage the `CreateLxProcess` COM method to execute Linux processes stealthily**, bypassing traditional monitoring that might focus on `wsl.exe` 【1】. The lack of robust telemetry sources for WSL2, due to its Hyper-V foundation, exacerbates this issue, making it harder to detect such activities 【1】 【1】.
  
  **Technical Details:**
  - **WSL Architecture:** WSL2 relies on Hyper-V for its internal workings. Communication between WSL clients and the `wslservice.exe` server occurs via COM 【1】.
  - **COM Interface:** Both WSL1 and WSL2 use the same COM class and CLSID for executing behaviors. The `ILxssUserSession::CreateLxProcess` method is the key entry point, which then dispatches to different backend implementations for WSL1 and WSL2 【1】.
  - **The Challenge:** The `wslservice.exe` binary, which handles these COM calls, does not ship with symbols, making direct function hooking difficult 【1】.
  - **RTTI Solution:** Run-Time Type Information (RTTI) is a C++ feature that allows for the identification of an object's type and the location of its virtual function table (vtable) at runtime, even without symbols. By scanning the binary for RTTI metadata, specifically the `_RTTITypeDescriptor` and `_RTTICompleteObjectLocator` structures, one can find the vtable for interfaces like `ILxssUserSession` 【1】 【1】.
  - **Hooking Process:** The author used RTTI to locate the vtable for `ILxssUserSession` and then patched the `CreateLxProcess` function at its fixed offset within that vtable. This provides a reliable method for hooking across different binary versions, assuming the interface and method offset remain consistent 【1】 【1】.
  
  **What Defenders Should Know:**
  - **WSL as an Attack Vector:** Defenders must be aware that WSL can be used to execute Linux processes, and the COM interface provides a less conspicuous method than directly invoking `wsl.exe` 【1】.
  - **Telemetry Gaps:** There are limited native telemetry sources for WSL2 activity due to its Hyper-V architecture 【1】 【1】.
  - **API Hooking as a Defense:** Techniques like API hooking, even if less common, can be crucial for gaining visibility into WSL activities when native telemetry is insufficient 【1】 【1】.
  - **Understanding RTTI:** Knowledge of RTTI can be valuable for reverse engineering and security analysis, enabling the identification of functions and interfaces in binaries that lack symbols 【1】 【1】.
• Ghost in the PPL - LSASS Memory Dump - The content posted at the URL is controlled by Clément Labro. 🔍 Show Kagi Synopsis
  This article details a method for extracting memory dumps from the **LSASS (Local Security Authority Subsystem Service)** process, even when it's protected by **Protected Process Light (PPL)** in modern Windows versions 【1】. The initial goal of achieving arbitrary code execution within LSASS was abandoned due to complexity, shifting to the more practical objective of creating a memory dump, which is sufficient for credential recovery 【1】.
  
  **Who is Affected:**
  The technique targets **Windows systems** where LSASS runs as a PPL-protected process. This includes modern versions of Windows that implement PPL for enhanced security of critical system processes 【1】.
  
  **Security Implications:**
  The primary security implication is the **compromise of credentials**. By successfully dumping the LSASS memory, an attacker can extract sensitive information like passwords, hashes, and Kerberos tickets, which can then be used for **privilege escalation and lateral movement** within a network 【1】. This bypasses a significant security measure (PPL) designed to protect these credentials.
  
  **Technical Details:**
  The core of the exploit involves using the `MiniDumpWriteDump` function from `dbghelp.dll` to create a memory dump 【1】. However, obtaining the necessary handles for a protected process like LSASS is challenging 【1】.
  
  The exploit chain involves several steps:
  * **Loading `xolehlp.dll` into LSASS:** This is achieved by manipulating the **WinSock2 API's Autodial feature** through registry modifications (`AutodialDll`). This DLL contains a function, `WriteDumpThread`, which can initiate a memory dump 【1】.
  * **Triggering the Autodial DLL load:** LSASS can be tricked into loading the Autodial DLL by performing specific network operations that involve **SSPI (Security Support Provider Interface)**, particularly when checking certificate revocation lists via HTTP 【1】.
  * **Invoking `MiniDumpWriteDump` indirectly:** The `xolehlp.dll!WriteDumpThread` function, which has a manageable number of arguments, is used to call `MiniDumpWriteDump`. This function reads dump type and location from the registry 【1】.
  * **Resolving function addresses dynamically:** To avoid hard-coded offsets, the exploit dynamically resolves the address of `WriteDumpThread` by locating its call to `QueueUserWorkItem` within `xolehlp.dll` 【1】.
  * **Exploiting vulnerabilities:** The overall exploit chain relies on a **use-after-free vulnerability in `keyiso.dll`** to trigger the `WriteDumpThread` function. This is combined with other techniques, including information disclosure in `ncryptprov.dll` and opportunistic locking on `lsass.exe` to detect dump initiation 【1】.
  
  **What Defenders Should Know:**
  * **PPL is not foolproof:** While PPL is a strong defense, it can be bypassed through sophisticated user-mode exploitation techniques 【1】.
  * **Monitor LSASS activity:** Defenders should monitor for unusual activity related to LSASS, such as unexpected DLL loads or attempts to access its memory. Tools like System Informer can enumerate modules in protected processes without kernel drivers, which can aid in detection 【1】.
  * **Registry and Service Monitoring:** Monitoring changes to the WinSock2 registry keys and the status of services like KeyIso can provide early warning signs.
  * **Understand SSPI and Network Operations:** Be aware that certain network operations, especially those involving SSPI and certificate validation, can inadvertently trigger LSASS to load external DLLs 【1】.
  * **Patching and Updates:** Keeping systems updated is crucial, as the exploit relies on specific vulnerabilities in components like `keyiso.dll` and `ncryptprov.dll` 【1】. The article notes that more recent research has introduced alternative methods for code injection into PPL processes, rendering this specific proof-of-concept less relevant but highlighting the ongoing evolution of such attacks 【1】.
• Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign by the Konni Group - Genians Security Center 🔍 Show Kagi Synopsis
  A sophisticated spear-phishing campaign orchestrated by the **Konni APT group** has been identified, leveraging North Korea-themed lures and exploiting the **KakaoTalk PC application** for propagation 【1】.
  
  **What Happened:**
  The attack chain begins with **spear-phishing emails** that appear to be official notices. These emails entice recipients to open a malicious **LNK file**. Upon execution, this LNK file downloads and runs remote access trojans (RATs), including variants of **EndRAT, RftRAT, and RemcosRAT** 【1】. These RATs establish persistence on the victim's system, steal sensitive information and internal documents, and then **abuse the victim's KakaoTalk PC application** to send malicious files to their contacts, thereby turning victims into unwitting distributors of the malware 【1】.
  
  **Who is Affected:**
  The primary targets are **individuals and organizations** receiving spear-phishing emails from the Konni APT group. The attack specifically impacts users who have **KakaoTalk PC installed**, as their accounts are compromised and used for further malware distribution, potentially affecting their entire contact list 【1】.
  
  **Security Implications:**
  This campaign presents significant security risks due to its **multi-stage nature, long-term persistence capabilities, and the exploitation of trusted communication channels** like KakaoTalk 【1】. The theft of sensitive data can lead to severe data breaches. Furthermore, the ability to use compromised users for secondary distribution bypasses many traditional security measures and erodes trust in communication platforms 【1】.
  
  **Technical Details:**
  - **Initial Access:** Spear-phishing emails containing malicious LNK files disguised as documents 【1】.
  - **LNK File Execution:** The LNK file uses PowerShell to decode an XOR-obfuscated payload, drops a decoy PDF, downloads additional malware from a Command and Control (C2) server (e.g., `drfeysal[.]com`), and establishes persistence via a Scheduled Task 【1】.
  - **Malware Used:** Primarily AutoIt-based RATs such as EndRAT, RftRAT, and RemcosRAT, which offer capabilities like file management, remote shell access, data exfiltration, and persistence 【1】.
  - **Evasion Techniques:** The AutoIt script is compiled and disguised as a PDF file with dummy data to evade static analysis and signature-based detection 【1】.
  - **Persistence Mechanisms:** Achieved through Scheduled Tasks, Windows Startup folder entries, and masquerading as legitimate processes 【1】.
  - **C2 Infrastructure:** The attackers utilize C2 servers hosted in multiple countries, communicating over custom socket protocols on ports 80 or 443 to blend with normal traffic 【1】.
  - **Lateral Propagation:** The attackers exploit KakaoTalk PC sessions to send malicious files to the victim's contacts, often using North Korea-related lures 【1】.
  
  **What Defenders Should Know:**
  - **EDR is Crucial:** Static file-based detection is insufficient. Defenders need **Endpoint Detection and Response (EDR)** solutions capable of behavior-based detection to identify anomalous activities such as abnormal process creation, script execution, C2 communication, and persistence mechanisms 【1】.
  - **Email Security and User Awareness:** Strengthen policies regarding the execution of attachments from spear-phishing emails. Enhance user training to recognize disguised shortcut files and social engineering tactics 【1】.
  - **Behavioral Monitoring:** Implement robust monitoring for **information theft, long-term persistence, and unusual file access or transfer patterns** 【1】.
  - **Messenger Platform Security:** Establish security guidelines for file transfers via messenger platforms and review session protection for critical personnel 【1】.
  - **Integrated Defense Strategy:** A multilayered defense approach combining Indicators of Compromise (IoCs), Machine Learning, and behavior-based detection is essential to counter these multi-stage attacks from initial access through secondary propagation 【1】.
• Seeking Victim Information in Steam Malware Investigation - Federal Bureau of Investigation 🔍 Show Kagi Synopsis
  The FBI's Seattle Division is investigating a **Steam malware incident** where a threat actor embedded malicious code within several Steam games. The investigation primarily targets users who installed these games between **May 2024 and January 2026** 【1】.
  
  **Who is Affected:**
  The individuals affected are **users who installed specific Steam games** that contained the malware. The identified games include:
  - BlockBlasters
  - Chemia
  - Dashverse/DashFPS
  - Lampy
  - Lunara
  - PirateFi
  - Tokenova 【1】
  
  **Security Implications:**
  The primary security implication is that users who installed these games may have had their systems compromised by malware. The FBI is legally mandated to identify victims of federal crimes, and these victims may be eligible for services, restitution, and rights under federal or state law 【1】.
  
  **Technical Details:**
  The article does not provide specific technical details about the malware itself, such as its type, capabilities, or how it operates. It only states that the malware was embedded within the identified Steam games 【1】.
  
  **What Defenders Should Know:**
  Defenders and potential victims are advised to:
  - **Be cautious of unknown individuals** requesting financial or personal information online.
  - **Treat online investment advice with extreme caution**.
  - **Do not pay additional fees or taxes** if you believe you are a victim of fraud, especially if attempting to withdraw money.
  - **Do not pay for services that claim to recover lost funds**.
  - **Report suspicious activities** to the FBI Internet Crime Complaint Center (IC3) at [www.ic3.gov](https://www.ic3.gov/) 【1】.
  
  Individuals who believe they have been victimized or have relevant information are encouraged to fill out a form provided by the FBI or contact Steam_Malware@fbi.gov. Victim identities will be kept confidential 【1】.
• VMkatz: Extract Windows credentials directly from VM memory snapshots and virtual disks - nikaiw 🔍 Show Kagi Synopsis
  VMkatz is a cybersecurity tool designed to extract Windows secrets directly from virtual machine (VM) files without needing to exfiltrate the entire VM. This is particularly useful in red team engagements where network bandwidth is limited and the risk of detection during large data transfers is high 【1】.
  
  **What Happened:**
  VMkatz addresses the challenge of extracting sensitive data from large VM files. Traditionally, security professionals would have to download entire VM disk images or memory snapshots, mount them locally, and then use analysis tools. This process is time-consuming and increases the risk of being detected by security operations centers (SOCs) 【1】. VMkatz allows for in-place extraction of credentials and secrets directly from the VM files, wherever they are stored (e.g., on a NAS or hypervisor) 【1】.
  
  **Who is Affected:**
  The tool is designed for **red team operators** and **penetration testers** who need to exfiltrate sensitive information during engagements. It also implicitly affects **organizations** whose virtualized environments might be targeted, as the tool can be used to compromise their systems by extracting credentials 【1】.
  
  **Security Implications:**
  The primary security implication is the **ease and stealth with which sensitive Windows credentials can be extracted**. This includes:
  - **NTLM hashes**: Used for authentication and can be cracked offline or relayed.
  - **DPAPI master keys**: Used to encrypt sensitive data, allowing attackers to decrypt files and credentials.
  - **Kerberos tickets**: Can be used to impersonate users and gain access to resources.
  - **Cached domain credentials**: Allow for offline authentication to the domain.
  - **LSA secrets**: Contain service account passwords and auto-logon credentials.
  - **Active Directory hashes (NTDS.dit)**: Full compromise of domain credentials 【1】.
  
  By extracting these secrets directly from VM files, attackers can gain elevated privileges, move laterally within a network, and access sensitive data without triggering alerts associated with large data transfers 【1】.
  
  **Technical Details:**
  VMkatz is a single, static binary, approximately 2.5 MB in size 【1】. It supports a wide range of input formats and sources, including:
  - **Memory snapshots**: VMware snapshots (`.vmsn`, `.vmem`), VirtualBox saved states (`.sav`), QEMU/KVM core dumps, and Hyper-V saved states/memory dumps 【1】.
  - **Virtual disks**: VMware (`.vmdk`), VirtualBox (`.vdi`), QEMU/KVM (`.qcow2`), and Hyper-V (`.vhdx`, `.vhd`) 【1】.
  - **Direct disk access**: VMFS-6 raw SCSI devices on ESXi and LVM block devices 【1】.
  - **Registry hives**: `SAM`, `SYSTEM`, `SECURITY` 【1】.
  - **LSASS minidumps** 【1】.
  - **Entire VM directories** 【1】.
  
  The tool supports **Windows XP SP3 through Windows Server 2025** 【1】. It works by:
  1. **Process Discovery**: Locating processes like `lsass.exe` in memory 【1】.
  2. **Page Table Walking**: Translating virtual to physical memory addresses, including handling pagefile resolution for paged-out credentials 【1】.
  3. **LSASS Extraction**: Mapping LSASS memory, finding relevant DLLs, and decrypting credentials using various algorithms (3DES-CBC, AES-CBC, etc.) 【1】.
  4. **Disk Extraction**: Parsing virtual disk containers, locating Windows hives, and decrypting hashes using the boot key 【1】. For ESXi, it can read VMFS-6 devices directly, bypassing file locks 【1】.
  5. **NTDS Extraction**: Natively parsing the `NTDS.dit` file and `SYSTEM` hive from domain controller disks to extract AD hashes 【1】.
  
  VMkatz can output extracted secrets in various formats, including plain text, `pwdump` format (`ntlm`), and `hashcat`-ready formats (`hashcat`) 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of VMkatz and similar tools that enable in-place credential extraction from VM files. Key defensive considerations include:
  - **Securing VM files**: Implement strict access controls on hypervisor hosts, NAS devices, and datastores where VM files are stored. Limit direct access to these locations, especially for non-administrative personnel 【1】.
  - **Monitoring hypervisor/NAS activity**: Monitor for the execution of unauthorized binaries on hypervisor hosts or NAS devices. Unusual file access patterns or the presence of small, unknown executables should be investigated 【1】.
  - **Understanding VM snapshot security**: While VMkatz can extract secrets from snapshots, the primary defense is to minimize the retention of sensitive snapshots and ensure they are properly secured if kept 【1】.
  - **VBS/Credential Guard**: For enhanced security, enable **Virtualization-Based Security (VBS)** and **Credential Guard** on Windows VMs. VMkatz has known limitations with VBS-enabled VMs, as it struggles to recover credentials from memory dumps due to nested Hyper-V page tables 【1】. However, SAM extraction from virtual disks still works when the VM is powered off 【1】.
  - **Least Privilege**: Enforce the principle of least privilege for user accounts within VMs and for administrative access to hypervisors. This limits the impact of any compromised credentials 【1】.
  - **Endpoint Detection and Response (EDR)**: Deploy EDR solutions that can monitor for suspicious process behavior and file access on hypervisor hosts.