Bad Sector Labs Blog

Last Week in Security (LWiS) - 2022-05-16

17 May 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous 2 weeks. This post covers 2022-05-02 to 2022-05-16.

News

Techniques and Write-ups

Tools and Exploits

  • ELFLoader. Be sure to read the blog post.
  • hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
  • SpoolTrigger - Weaponizing privileged file write bugs with Windows Problem Reporting.
  • XLL_Phishing - XLL phishing tradecraft.
  • mitmproxy2swagger - Automagically reverse-engineer REST APIs by capturing traffic.
  • uru is a payload generation tool that enables you to create payloads based on a configuration file.
  • pyldapsearch - Tool for issuing manual LDAP queries which offers bofhound-compatible output.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-02

3 May 2022 at 03:30
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.

News

Techniques and Write-ups

Tools and Exploits

  • BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
  • minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
  • CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
  • Dylib_Runner is Swift code to run a dylib on disk.
  • okta-sprayer is a Python3 script to perform a password spray against an Okta instance.
  • nimc2 is a C2 fully written in Nim.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • pyscript. Python directly in HTML (via a WASM shim).
  • O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
  • ecapture can capture SSL/TLS text content without a CA cert using eBPF.
  • howdy is Windows Hello™ style facial authentication for Linux.


Last Week in Security (LWiS) - 2022-04-25

26 April 2022 at 16:00
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelayUp is a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
  • memray is a memory profiler for Python. Not specifically security related, but very cool.
  • Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
  • C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know it's going to be good.
  • cdnstrip is a tool for stripping CDN IPs from a list of IP addresses.
  • elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
  • HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
  • KDStab is a BOF combination of KillDefender and Backstab.
  • ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.


Last Week in Security (LWiS) - 2022-04-18

19 April 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-11 to 2022-04-18.

News

Techniques and Write-ups

Tools and Exploits

  • frostbyte is a POC project that combines different defense evasion techniques to build better red team payloads.
  • msprobe is a tool for finding all on-prem Microsoft products for password spraying and enumeration.
  • spooler-splenumforms-iov is a memory corruption vulnerability in the Windows spooler service that was patched on the most recent Microsoft Patch Tuesday, 2022-04-12.
  • SharpWnfScan dumps Windows Notification Facility subscription information from process.
  • stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
  • ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
  • maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
  • wpgarlic is a proof-of-concept WordPress plugin fuzzer.
  • ShadowClone - Unleash the power of the cloud. Distribute your long-running tasks dynamically across thousands of serverless functions and get results within seconds where they would have taken hours to complete.
  • SSOh-No is a user enumeration and password spraying tool for testing Azure AD.


Last Week in Security (LWiS) - 2022-04-11

12 April 2022 at 03:54
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-04 to 2022-04-11.

News

Techniques and Write-ups

Tools and Exploits

  • ARCInject can overwrite a process's recovery callback and execute with WER.
  • Jeeves is made for finding Time-Based Blind SQL Injection through recon.
  • bore is a simple CLI tool for making tunnels to localhost.
  • ransomware-simulator is a ransomware simulator written in Golang.
  • SwiftInMemoryLoading is a Swift implementation of in-memory Mach-O loading on macOS. Blog post soon?
  • inflate.py artificially inflates a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
  • com_inject performs process injection via Component Object Model (COM) IRundown::DoCallback(). Blog post here.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • WeakestLink is a browser extension that extracts users from LinkedIn company pages.
  • uncover quickly discovers exposed hosts on the internet using multiple search engines.
  • sub3suite is a research-grade suite of tools for subdomain enumeration, OSINT information gathering and attack surface mapping that supports both manual and automated analysis on a variety of target types with many available features and tools.


Last Week in Security (LWiS) - 2022-04-04

5 April 2022 at 03:08
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-28 to 2022-04-04.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing PoshC2 v8.0. BOF compatibility, and a very slick Linux loader make version 8 worth checking out.
  • CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the linux kernel. More details here.
  • Smug_Fu3k is an HTML smuggling generator.
  • Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
  • DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
  • boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
  • nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
  • Dump-Chrome-Cookies is a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
  • Rip Raw is a small tool to analyze the memory of compromised Linux systems.


Last Week in Security (LWiS) - 2022-03-28

29 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.

News

Techniques and Write-ups

Tools and Exploits

  • tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
  • DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  • OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
  • CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
  • YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
  • ctfd-parser is a python script to dump all the challenges locally of a CTFd-based Capture the Flag.
  • wireproxy is a WireGuard client that exposes itself as a SOCKS5 proxy.
  • TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cronos-Rootkit is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, and protect and elevate them with token manipulation.
  • reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
  • ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
  • OffensiveNotion uses Notion as a platform for offensive operations.


Last Week in Security (LWiS) - 2022-03-21

22 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-14 to 2022-03-21.

News

Techniques and Write-ups

Tools and Exploits

  • CustomKeyboardLayoutPersistence can achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2. Warning: there is no code related to the uninstallation process in the PoC.
  • Group3r can find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
  • Malfrat's OSINT Map is an update to the OSINT Framework <https://osintframework.com/>. OSINT-Map is the GitHub repo if you'd like to contribute.
  • oxide is a PoC packer written in Rust!
  • AtlasC2 is a C# C2 Framework centered around Stage 1 operations.
  • poro is a tool to scan publicly accessible assets on your AWS cloud environment.
  • snoop secretly records audio and video with Chromium-based browsers. Be sure to check out VOODOO, the macOS Man in the Browser Framework, as well.
  • Coeus is an ADSI-based situational awareness toolkit for domain environments with modularity in mind. Allows for the enumeration of users/groups/computers as well as some common misconfigurations including roasting (AS-REP, kerber) and delegation (Constrained, Unconstrained, RBCD) attacks.
  • xepor is a web routing framework for reverse engineers and security researchers that brings the best of mitmproxy and Flask.
  • LeakedHandlesFinder is a leaked Windows process handle identification tool. Useful for identifying new LPE vulnerabilities during a pentest or simply as a new research process. Currently supports exploiting (autopwn) leaked process handles by spawning a new arbitrary process (cmd.exe by default).
  • AutoSmuggle is a utility to craft HTML smuggled files for Red Team engagements.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • rust_bof. Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc.
  • S1EM. This project is a SIEM with SIRP and Threat Intel, all in one.


Last Week in Security (LWiS) - 2022-03-14

15 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-28 to 2022-03-14.

News

Techniques and Write-ups

Tools and Exploits

  • Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your PowerShell less detectable.
  • oxasploits. All of these exploits are originally coded by oxagast / Marshall Whittaker. Some of them were already known vulnerabilities that they took and re-evaluated, then wrote an exploit for them that they thought was more functional or logical in some way. Some of these vulnerabilities are partial PoC exploits that will make something crash, but not actually get root. Some will straight drop you at a root shell. None of this code should ever under any circumstances be run in a production environment, or on a system that you do not have express permission to run a penetration test on.
  • RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
  • graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
  • nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
  • donut is a donut fork that contains syscall support for AMSI/WDLP patching.
  • SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
  • SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • iocscraper is a python tool that enables you to extract IOCs and intelligence from different data sources.
  • litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
  • BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.


Last Week in Security (LWiS) - 2022-02-28

1 March 2022 at 04:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-21 to 2022-02-28.

News

Techniques and Write-ups

Tools and Exploits

  • Fennec is an artifact collection tool written in Rust to be used during incident response on *nix-based systems. Fennec allows you to write a configuration file that describes how to collect artifacts.
  • TeamsImplant is a stealthy Teams implant that proxies the urlmon.dll Teams uses. Compile it and drop it in the Teams directory as urlmon.dll and you have a persistence backdoor that runs whenever Teams is started by a user or at startup.
  • aws-cloudsaga is for AWS customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
  • Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. An improvement on the original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode.
  • Jbin-website-secret-scraper gathers all the URLs from a website and then tries to expose secret data from them such as API keys, API secrets, API tokens and other sensitive information.
  • LdapSignCheck is a Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
  • YaraDbg.dev is a free web-based Yara debugger to help security analysts write hunting or detection rules with less effort and more confidence. By using YaraDbg, you can perform a thorough root-cause analysis (RCA) on why some of your Yara rules did or did not match a specific file. It can also help you to better maintain a large set of Yara rules.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • PowerBruteLogon is a powershell port of win-brute-logon which can brute force local accounts on a Windows machine. The Administrator account, if enabled, is exempt from lockout.
  • opensquat is an open-source intelligence (OSINT) security tool to identify cyber squatting threats to specific companies or domains, such as phishing campaigns, domain squatting, typo squatting, bitsquatting, IDN homograph attacks, doppelganger domains, and other brand/domain related scams.


Last Week in Security (LWiS) - 2022-02-22

23 February 2022 at 04:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-14 to 2022-02-22.

News

Techniques and Write-ups

Tools and Exploits

  • Athena is a fully-featured cross-platform agent built on .NET 6. Athena is designed for Mythic 2.2 and newer. Crossplatform operations with Athena has all the details.
  • IgnoreAppLocker.dll is a DLL to launch a cmd.exe as NT AUTHORITY\SERVICE, which doesn't get blocked or logged by AppLocker, and neither do any processes launched by this cmd.exe process.
  • PELoader implements various shellcode injection techniques and uses the libpeconv library to load encrypted PE files instead of injecting shellcode into a remote thread.
  • kraken is a dockerized multi-platform distributed brute-force password cracking system with a web front end.
  • bflat is a concoction of Roslyn - the "official" C# compiler that produces .NET executables - and NativeAOT (née CoreRT) - the ahead-of-time compiler for .NET based on CoreCLR. Thanks to this, you get access to the latest C# features using the high performance CoreCLR GC and native code generator (RyuJIT). C# as you know it but with Go-inspired tooling (small, self-contained, and native executables).
  • BananaPhone is a go variant of Hells gate! (directly calling windows kernel functions, but from Go!) - not new, but now with Halo's gate!

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • lossless-cut aims to be the ultimate cross platform FFmpeg GUI for extremely fast and lossless operations on video, audio, subtitle and other related media files. The main feature is lossless trimming and cutting of video and audio files, which is great for saving space by rough-cutting your large video files taken from a video camera, GoPro, drone, etc. It lets you quickly extract the good parts from your videos and discard many gigabytes of data without doing a slow re-encode and thereby losing quality. Not offsec related, but useful!
  • fastfinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms.


Last Week in Security (LWiS) - 2022-02-14

15 February 2022 at 03:45
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-07 to 2022-02-14.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelay is a framework for Kerberos relaying. The relaying game just got a whole lot more interesting. The demo is very impressive.
  • CobaltBus is a Cobalt Strike External C2 integration with Azure Service Bus, routing C2 traffic via Azure Service Bus.
  • TymSpecial is a SysWhispers-integrated shellcode loader with ETW patching, anti-sandboxing, and spoofed code signing certificates.
  • PPL_Sandboxer is a small C POC to make Defender useless by removing token privileges and lowering token integrity.
  • SpoolFool is an exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) that should work by default on all Windows desktop versions up to the 2022-02-08 patch.
  • hygieia is a scanner for traces of vulnerable drivers, written in C++ as an x64 Windows kernel driver.
  • pdfrip is a fast PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
  • monorepo.tools. "Everything you need to know about monorepos, and the tools to build them." With a bit of nudging to use Nx because the team that wrote this is selling Nx (but honestly Nx looks pretty awesome).


Last Week in Security (LWiS) - 2022-02-07

8 February 2022 at 01:57
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-31 to 2022-02-07.

News

Techniques and Write-ups

Tools and Exploits

  • authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
  • SharpLdapWhoami is a "WhoAmI" that functions by asking the LDAP service on a domain controller. I'm not 100% sure what this would be useful for without testing it.
  • EvilSelenium is a new project that weaponizes Selenium to abuse Chrome - steal cookies, dump creds, take screenshots, add SSH keys to GitHub, etc.
  • shelloverreversessh is a simple implant which connects back to an OpenSSH server, requests a port be forwarded to it from the server, and serves up SOCKS4a or a shell to forwarded connections.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • reave is a post-exploitation framework tailored for hypervisor endpoints. Interesting concept, I'll be following it.
  • GoodHound uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.
  • ShadowCoerce is an MS-FSRVP coercion abuse PoC. Not sure how I missed this one.


Last Week in Security (LWiS) - 2022-01-31

1 February 2022 at 01:25
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-25 to 2022-01-31.

News

Techniques and Write-ups

Tools and Exploits

  • stratus-red-team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.
  • T.D.P. - Thread Description Poisoning uses the SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners.
  • CVE-2022-21882 is the win32k LPE that bypasses the patch for CVE-2021-1732.
  • NimGetSyscallStub gets fresh Syscalls from a fresh ntdll.dll copy. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500 or ParallelNimcalls.
  • DefenderStop is a C# project to stop the Defender service via token impersonation.
  • PurplePanda fetches resources from different cloud/SaaS applications, focusing on permissions in order to identify privilege escalation paths and dangerous permissions in the cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.
  • NimPackt-v1 is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to native C and as such is harder to detect and reverse engineer.
  • wholeaked is a file-sharing tool that allows you to find the responsible person in case of a leak. I could see this being useful for sending multiple copies of phishing documents and seeing which ones end up on VirusTotal or similar sites.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • hobbits is a multi-platform GUI for bit-based analysis, processing, and visualization. This reminds me of the 010 Editor and its templates.
  • spraycharles is a low and slow password spraying tool, designed to spray on an interval over a long period of time.
  • cent, or Community Edition nuclei templates, is a simple tool that allows you to organize all the Nuclei templates offered by the community in one place.
  • Frida HandBook is an amazing resource for all things binary instrumentation.


Last Week in Security (LWiS) - 2022-01-25

26 January 2022 at 02:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-18 to 2022-01-25.

News

Techniques

Tools and Exploits

  • chrome-bandit is a proof of concept to show how your saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by any malicious program on macOS.
  • TREVORproxy is a SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
  • chronorace is a tool to accurately perform timed race conditions to circumvent application business logic. Well timed race conditions can allow for uncovering all kinds of interesting edge cases. Here is a good example.
  • RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
  • Sliver v1.5.0. This release has a lot of cool changes. My favorite is BOF support!
  • FunctionStomping is a new shellcode injection technique. Given as C++ header or standalone Rust program. Currently undetected by hollows-hunter.
  • SharpGhosting is Process Ghosting (x64 only) in C#.
  • CVE-2021-45467: CWP CentOS Web Panel – preauth RCE. File inclusion + directory traversal = RCE.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!


Last Week in Security (LWiS) - 2022-01-18

19 January 2022 at 00:09
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-10 to 2022-01-18.

News

  • Illegal Activities of members of an organized criminal community stopped (REvil) [Russian, fsb.ru] The FSB claims that due to recent "joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized." You can even see video of the takedowns on YouTube. While 14 individuals were arrested, it's too soon to see if this will impact REvil's operations. If it does, what prompted Russia to finally take action? A Google translation of the FSB release says the "basis for the search activities was the appeal of the competent US authorities."
  • HTTP Protocol Stack Remote Code Execution Vulnerability. Patch Tuesday brought with it an unauthenticated RCE in the Windows http.sys driver for Windows 10 (1809+) and Server (2019+). What looks like a crash PoC is available here, complete with a pointless 17 second sleep.
  • Coming Soon: New Security Update Guide Notification System. Microsoft is making it easier to get notifications of changes to security update guides but the biggest news is that this system no longer requires a Live ID. A separate email/password combo can be used for the new system.
  • Exploiting IndexedDB API information leaks in Safari 15. "Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." WebKit is slowly becoming the Internet Explorer of the modern browsers. PoC code here.

Techniques

Tools and Exploits

  • azure-function-proxy is a basic proxy implemented as an Azure Function serverless app, so phishing pages can be served from a *[.]azurewebsites[.]net domain.
  • Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. This loader has a bunch of nice features and is far beyond the typical loader released on GitHub.
  • ParallelNimcalls is a Nim version of MDSec's Parallel Syscall PoC. Last week it was in C++ and C#, now it's in Nim!

New to Me

  • vapi (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Security Top 10 scenarios.
  • reFlutter is a Flutter reverse engineering framework for iOS and Android apps. It ships a patched, precompiled build of the Flutter library that is ready to be repacked into the target app, with the snapshot deserialization process modified so that dynamic analysis can be performed conveniently.

Last Week in Security (LWiS) - 2022-01-10

11 January 2022 at 04:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.

News

Techniques

Tools and Exploits

  • inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
  • rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
  • insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
  • SysmonSimulator is a Sysmon event simulation utility that simulates attacks to generate the corresponding Sysmon event logs, so blue teams can test EDR detections and correlation rules.
  • PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
  • Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
  • defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

  • driftwood is a tool that lets you look up whether a private key is used for things like TLS or as a GitHub SSH key for a user.
  • domains is (probably) the world’s single largest Internet domains dataset.

Last Week in Security (LWiS) - 2022-01-03

4 January 2022 at 04:25
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-20 to 2022-01-03.

News

Techniques

Tools and Exploits

  • KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
  • WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
  • hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
  • Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
  • Invoke-Bof loads any Beacon Object File using PowerShell!
  • Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

  • Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
  • Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
  • iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC (RFC 3514), the code could easily be modified to be more stealthy/useful.
  • Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating systems written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
  • whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
  • The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
  • TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
  • LACheck is a multithreaded C# .NET assembly for local administrative privilege enumeration. That's underselling it though; it has lots of cool enumeration capabilities such as remote EDR driver enumeration.
  • Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Last Week in Security (LWiS) - 2021-12-20

21 December 2021 at 03:25
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-14 to 2021-12-20.

News

Techniques

Tools and Exploits

New to Me

  • awspx is a graph-based tool for visualizing effective access and resource relationships in AWS environments.
  • mariana-trench is Facebook's security focused static analysis tool for Android and Java applications.
  • adPEAS. Note this is not part of the "official" PEAS toolset. It's a PowerShell tool to automate Active Directory enumeration.