πŸ”’
❌
There are new articles available, click to refresh the page.
Before yesterdayBad Sector Labs Blog

Last Week in Security (LWiS) - 2022-07-25

26 July 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-18 to 2022-07-25.

News

Techniques and Write-ups

Tools and Exploits

  • DiagTrackEoP - another way to abuse SeImpersonate privilege.
  • terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
  • IAM-Deescalate IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
  • RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
  • AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
  • Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
  • CVE-2022-34918-LPE-PoC - This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ropr - A blazing fastβ„’ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
  • RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-18

19 July 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-05 to 2022-07-18.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
  • cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-05

5 July 2022 at 21:45
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-27 to 2022-07-05.

News

Techniques and Write-ups

Tools and Exploits

  • PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
  • the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
  • CVE-2019-7040 + CVE-2021-21042. POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awsEnum - Enumerate AWS cloud resources based on provided credentials.
  • nali - An offline tool for querying IP geographic information and CDN provider.
  • maldev-for-dummies - A workshop about Malware Development.
  • ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-27

28 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-20 to 2022-06-27.

News

Techniques and Write-ups

Tools and Exploits

  • Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
  • FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
  • awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
  • kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
  • Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
  • Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
  • callback_injection-Csharp - this repo is to cover the other undocumented or published / in different languages to achieve shellcode injection via windows callback functions.
  • tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
  • dismember - πŸ”ͺ Scan memory for secrets and more (linux).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
  • HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-20

21 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-14 to 2022-06-20.

News

Techniques and Write-ups

Tools and Exploits

  • DFSCoerce - PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disable, and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
  • CVE-2022-26937 - Windows Network File System crash PoC.
  • hunter-1 (l)user hunter using WinAPI calls only.
  • cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
  • Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
  • NlsCodeInjectionThroughRegistry Dll injection through code page id modification in registry. Based on jonas lykk research.
  • Using macros and constexpr to make API hashing a bit more friendly.
  • antnium - A C2 framework and RAT written in Go. Slides about the development process here.
  • aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
  • SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
  • OfficeIMO Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word and later also Excel files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
  • Sealighter - Sysmon-Like research tool for ETW.
  • npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
  • snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
  • NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-14

15 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-06 to 2022-06-14.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
  • CVE-2022-30075 - Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075).
  • apk-instrumentation Some tools to rewrite code of release APK packages.
  • dot The Deepfake Offensive Toolkit.
  • VX-API Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
  • Dogwalk-rce-poc 🐾Dogwalk PoC (using diagcab file to obtain RCE on windows).
  • sourcegraph-scripts Scripts for Sourcegraph search results. Useful for static analysis.
  • kcthijacklib - A Small Library For a Cleaner Execution.
  • collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
  • FirmLoader is an IDA plugin that allows to automatically identify parts of the memory for the firmware images extracted from microcontrollers.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • np - A tool to parse, deduplicate, and query multiple port scans.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-06

7 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-30 to 2022-06-06.

News

Techniques and Write-ups

Tools and Exploits

  • COM-Hunter - COM Hijacking voodoo.
  • VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
  • Nidhogg Nidhogg is an all-in-one simple to use rootkit for red teams.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-31

1 June 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-31.

News

  • Rapid Response: Microsoft Office RCE - β€œFollina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
  • Welcome to the next generation of ngrok. The popular tunneling utility used to exposed local ports to the public internet released version 3 with some cool new features. Oauth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
  • Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition br Broadcom this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
  • How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
  • FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you loose 221 million USD a year you get desperate and every piece of data is up for sale.
  • Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

Tools and Exploits

  • DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
  • VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
  • mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
  • KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
  • freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
  • Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
  • MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
  • NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
  • CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BofRoast - Beacon Object Files for roasting Active Directory.
  • BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-30

31 May 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-30.

News

Techniques and Write-ups

Tools and Exploits

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-23

24 May 2022 at 02:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-16 to 2022-05-23.

News

Techniques and Write-ups

Tools and Exploits

  • ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
  • Mortar Loader v2. Lots of improvements to this loader in version 2.
  • SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
  • DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
  • bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BinAbsInspector - Vulnerability Scanner for Binaries.
  • Labtainers - Docker-based cyber lab framework.
  • privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
  • Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
  • Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-16

17 May 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous 2 weeks. This post covers 2022-05-02 to 2022-05-16.

News

Techniques and Write-ups

Tools and Exploits

  • ELFLoader. Be sure to read the blog post.
  • hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
  • SpoolTrigger - Weaponizing for privileged file writes bugs with windows problem reporting
  • XLL_Phishing - XLL Phishing Tradecraft
  • mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic
  • uru is a payload generation tool that enables you to create payload based on a configuration file.
  • pyldapsearch - Tool for issuing manual LDAP queries which offers bofhound compatible output

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-02

3 May 2022 at 03:30
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.

News

Techniques and Write-ups

Tools and Exploits

  • BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
  • minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
  • CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
  • Dylib_Runner is Swift code to run a dylib on disk.
  • okta-sprayer is a Python3 Script to perform a password spray against an okta instance.
  • nimc2 is a c2 fully written in nim.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • pyscript. Python directly in HTML (via a WASM shim).
  • O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
  • ecapture can capture SSL/TLS text content without CA cert using eBPF.
  • howdy is Windows Helloβ„’ style facial authentication for Linux.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-25

26 April 2022 at 16:00
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelayUp is a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
  • memray is a memory profiler for Python. Not specifically security related, but very cool.
  • Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
  • C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know its going to be good.
  • cdnstrip is a tool for striping CDN IPs from a list of IP Addresses.
  • elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
  • HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
  • KDStab is a BOF combination of KillDefender and Backstab.
  • ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-18

19 April 2022 at 03:59
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-11 to 2022-04-18.

News

Techniques and Write-ups

Tools and Exploits

  • frostbyte is a POC project that combines different defense evasion techniques to build better redteam payloads.
  • msprobe is a tool for finding all things on-prem Microsoft products for password spraying and enumeration.
  • spooler-splenumforms-iov is a memory corruption vulnerability in windows spooler service that was patched on most recent Microsoft Patch Tuesday, 2022-04-12.
  • SharpWnfScan dumps Windows Notification Facility subscription information from process.
  • stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
  • ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
  • maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
  • wpgarlic is a proof-of-concept WordPress plugin fuzzer.
  • ShadowClone - Unleash the power of cloud. Distribute your long running tasks dynamically across thousands of serverless functions and gives you the results within seconds where it would have taken hours to complete.
  • SSOh-No is a tool for user enumeration and password spraying tool for testing Azure AD.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-11

12 April 2022 at 03:54
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-04 to 2022-04-11.

News

Techniques and Write-ups

Tools and Exploits

  • ARCInject can overwrite a process's recovery callback and execute with WER.
  • Jeeves is made for looking to Time-Based Blind SQLInjection through recon.
  • bore is a simple CLI tool for making tunnels to localhost.
  • ransomware-simulator is a ransomware simulator written in Golang.
  • SwiftInMemoryLoading is a Swift implementation of in-memory Mach-O loading on macOS. Blog post soon?
  • inflate.py artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
  • com_inject performs process injection via Component Object Model (COM) IRundown::DoCallback(). Blog post here.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • WeakestLink is a browser extension that extracts users from LinkedIn company pages.
  • uncover quickly discovers exposed hosts on the internet using multiple search engines.
  • sub3suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping that supports both manual and automated analysis on variety of target types with many available features & tools.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-04

5 April 2022 at 03:08
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-28 to 2022-04-04.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing PoshC2 v8.0. BOF compatibility, and a very slick Linux loader make version 8 worth checking out.
  • CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the linux kernel. More details here.
  • Smug_Fu3k is a HTML smuggling generator.
  • Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
  • DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
  • boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
  • nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
  • Dump-Chrome-Cookies a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
  • Rip Raw is a small tool to analyze the memory of compromised Linux systems.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-03-28

29 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.

News

Techniques and Write-ups

Tools and Exploits

  • tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
  • DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  • OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
  • CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
  • YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
  • ctfd-parser is a python script to dump all the challenges locally of a CTFd-based Capture the Flag.
  • wireproxy is a Wireguard client that exposes itself as a socks5 proxy
  • TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
  • DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cronos-Rootkit is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
  • reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
  • ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
  • OffensiveNotion uses Notion as a platform for offensive operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-03-21

22 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-14 to 2022-03-21.

News

Techniques and Write-ups

Tools and Exploits

  • CustomKeyboardLayoutPersistence can achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2. Warning: there is no code related to the uninstallation process in the PoC.
  • Group3r can find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
  • Malfrat's OSINT Map is an update to the OSINT Framework <https://osintframework.com/>. OSINT-Map is the GitHub repo if you'd like to contribute.
  • oxide A PoC packer written in Rust!
  • AtlasC2 is a C# C2 Framework centered around Stage 1 operations.
  • poro is a tool to scan publicly accessible assets on your AWS cloud environment.
  • snoop Secretly record audio and video with chromium based browsers. Be sure to check out VOODOO, the macOS Man in the Browser Framework as well.
  • Coeus is an ADSI based Situational Awareness toolkit for domain environments with modularity in mind. Allows for the enumeration of users/groups/computers as well as some common misconfigurations including roasting (AS-REP, kerber) and delegation (Constrained, Unconstrained, RCBD) attacks.
  • xepor is a web routing framework for reverse engineers and security researchers, brings the best of mitmproxy & Flask.
  • LeakedHandlesFinder is a leaked Windows processes handles identification tool. Useful for identify new LPE vulnerabilities during a pentest or simply as a new research process. Currently supports exploiting (autopwn) procesess leaked handles spawning a new arbitrary process (cmd.exe default).
  • AutoSmuggle is a utility to craft HTML smuggled files for Red Team engagements.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • rust_bof. Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc.
  • S1EM. This project is a SIEM with SIRP and Threat Intel, all in one.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-03-14

15 March 2022 at 03:35
By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-28 to 2022-03-14.

News

Techniques and Write-ups

Tools and Exploits

  • Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your Powershell less detectible.
  • oxasploits. All of these exploits are originally coded by oxagast / Marshall Whittaker. Some of them were already known vulnerabilities that they took and re-evaluated then wrote an exploit for them that they thought was more functional or logical in some way. Some of these vulnerabiltiies are partial PoC exploits that will make something crash, but not actually get root. Some will straight drop you at a root shell. None of this code should ever under any circumstances be run in a production environment, or on a system that you do not have express permission to run a penetration test on.
  • RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
  • graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
  • nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
  • donut this is a donut fork that contains syscall support for AMSI/WDLP patching.
  • SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
  • SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • iocscraper is a python tool that enables you to extract IOCs and intelligence from different data sources.
  • litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
  • BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

❌