
Last Week in Security (LWiS) - 2024-03-25

By: Erik
26 March 2024 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-18 to 2024-03-25.

News

  • Unveiling malware behavior trends - Analyzing a Windows dataset of over 100,000 malicious files by Elastic Security Labs.
  • Introducing STAR-FS The Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations.
  • GoFetch - A new vulnerability baked into Apple's M-series of chips that allows attackers (and/or userspace applications) to extract secret keys from Macs. It looks like there are mitigation flags that can be set to mitigate this for sensitive cryptographic calls. Time will tell if they are effective/implemented.
  • The US Department of Justice is suing Apple - read the full lawsuit here - Will this lead to a more open iOS? Maybe, but it will be years before anything (if anything) changes.

Techniques and Write-ups

Tools and Exploits

  • WhoIsWho - Alternatives to the command whoami
  • dropper - Project that generates a malicious Office macro-enabled dropper for DLL sideloading and embeds it in an LNK file to bypass MOTW.
  • Perfect DLL Proxy - Perfect DLL Proxying using forwards with absolute paths. [I'm partial to Spartacus]
  • Jigsaw - Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
  • IoDllProxyLoad - DLL proxy load example using the Windows thread pool API, I/O completion callback with named pipes, and C++/assembly
  • OpenTIDE - Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections.
  • HttpRemotingObjRefLeak - Additional resources for leaking and exploiting ObjRefs via HTTP .NET Remoting CVE-2024-29059.
  • Pwned by the Mail Carrier - Compromising Exchange, with some defensive guidance on adjusting ACEs to limit Exchange's AD permissions and establishing security boundaries for Tier Zero assets. Jonas is on a tear lately.
  • Another Dll Proxying Tool - DLL proxying for lazy people
  • nimvoke - Indirect syscalls + DInvoke made simple.
  • ActionsCacheBlasting - Proof-of-concept code for research into GitHub Actions Cache poisoning.
  • CVE-2023-36424 - Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SO-CON 2024 - SO-CON 2024 presentations released. Videos coming soon!
  • The Top 100+ Developer Tools 2023 - Looking for a research target inspiration? "This year we analyzed well over 12 million data points shared by you - the StackShare community - to bring you these rankings."
  • Devika - Devika is an Agentic AI Software Engineer that can understand high-level human instructions, break them down into steps, research relevant information, and write code to achieve the given objective. Devika aims to be a competitive open-source alternative to Devin by Cognition AI.
  • VoiceCraft: Zero-Shot Speech Editing and Text-to-Speech in the Wild - VoiceCraft is a token-infilling neural codec language model that achieves state-of-the-art performance on both speech editing and zero-shot text-to-speech (TTS) on in-the-wild data including audiobooks, internet videos, and podcasts. The model weights aren't out yet but should be by the end of the month. This is going to make vishing deadly.
  • lumentis - AI powered one-click comprehensive docs from transcripts and text.
  • Cobalt Strike Resources - Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection.
  • bincapz - Enumerate binary capabilities, including malicious behaviors.
  • Mutual TLS (mTLS) Go client - How to build an mTLS Go client that uses the Windows certificate store.
  • Windows vs Linux Loader Architecture - Side-by-side comparison of the Windows and Linux (GNU) Loaders.
  • Twikit - Simple API wrapper to interact with twitter's unofficial API. You can log in to Twitter using your account username, email address and password and use most features on Twitter, such as posting and retrieving tweets, liking and following users. Curious on how long this will last.
  • tracecat - 😼 The AI-native, open source alternative to Tines / Splunk SOAR.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-03-18

By: Erik
19 March 2024 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-11 to 2024-03-18.

News

Techniques and Write-ups

Tools and Exploits

  • BlueSpy - Proof of concept to record and replay audio from a bluetooth device without the legitimate user's awareness.
  • Introducing AzurEnum - The latest Azure tool - Intended to give pentesters/red teamers a good idea of the main security issues of an Azure tenant and its permission structure. The code is here.
  • Gungnir - Gungnir is a command-line tool written in Go that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates.
  • SymProcAddress - Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids)
  • anfs - Asynchronous NFSv3 client in pure Python
  • Pixel_GPU_Exploit - Android 14 kernel exploit for Pixel7/8 Pro.
  • GamingServiceEoP - Exploit for an arbitrary folder move in the GamingService component of Xbox. GamingService is not a default service. If the service is installed on a system, it allows low-privilege users to escalate to SYSTEM.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Mythic Community Overview - Mythic agent capability matrix. Cool project for those that develop their own agents for Mythic.
  • localsend - An open-source cross-platform alternative to AirDrop
  • FindMeAccess - Finding gaps in Azure/M365 MFA requirements for different resources, client ids, and user agents. The tool is mostly based off Spray365's auditing logic.
  • PurpleLab - PurpleLab is an efficient and readily deployable lab solution, providing a swift setup for cybersecurity professionals to test detection rules, simulate logs, and undertake various security tasks, all accessible through a user-friendly web interface.
  • DetectDee - Hunt down social media accounts by username, email or phone across social networks.
  • Moriarty - Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
  • Miaow - Project Miaow is a proof of concept to escalate privileges in Microsoft Azure using an ARM template deployment.
  • Payload Wizard - AI assistant that utilizes GPT language models to interpret and generate cybersecurity payloads 🪄. GitHub repo is here.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-03-11

By: Erik
12 March 2024 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-04 to 2024-03-11.

News

Techniques and Write-ups

Tools and Exploits

  • Parasite-Invoke - Hide your P/Invoke signatures through other people's signed assemblies
  • ADeleginator - A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
  • Misconfiguration Manager - Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
  • yasha - Yet another security header analyzer.
  • nemesis - Nemesis agent for Mythic.
  • NimPlant v1.3 - "a lot of code refactoring and various enhancements."
  • brew-lpe-via-periodic - Brew Local Privilege Escalation exploit on Intel macOS.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Are We Helping? Interesting perspective. Thought provoking notes about the current state of infosec.
  • Freyja Purple Team Agent - Freyja is a Golang, Purple Team agent that compiles into Windows, Linux and macOS x64 executables.
  • Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments - Potential framework for those smaller teams that need a solution to look for known evil in their cloud environments. The question is, where do you get those indicators while they're still relevant?
  • gitlab-secrets - This tool analyzes a given Gitlab repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
  • dockerc - container image to single executable compiler.
  • PoolParty - A set of fully-undetectable process injection techniques abusing Windows Thread Pools.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-03-04

By: Erik
5 March 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-26 to 2024-03-04.

News

Techniques and Write-ups

Tools and Exploits

  • RKS - A script to automate keystrokes through a graphical desktop program (evilrdp may be a better choice).
  • SilverSamlForger - Silver SAML Forger is a C# tool that helps you create custom SAML responses. It can be used to implement the Silver SAML attack.
  • dnsx 1.2.0 - This release adds the -recon flag which could eliminate/augment other tools in your recon pipeline.
  • MultCheck - Identifies bad bytes from static analysis with any Anti-Virus scanner.
  • SharpLansweeperDecrypt - Automatically extract and decrypt all configured scanning credentials of a Lansweeper instance.
  • mail-in-the-middle - Typosquatting + mail = shells. See the Mail in the Middle post for more info.
  • Nemesis-Download-Watcher - Watches the Downloads folder for any new files and inserts them into Nemesis for analysis.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-02-26

By: Erik
27 February 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-19 to 2024-02-26.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SploitScan - A sophisticated cybersecurity utility designed to provide detailed information on vulnerabilities and associated proof-of-concept (PoC) exploits.
  • greenmask - PostgreSQL dump and obfuscation tool.
  • wddbfs - Mount a sqlite database as a filesystem.
  • ADeleg - Active Directory delegation management tool
  • Projected File System - Solid write up on the ProjFS provider which provides various types of data to access with I/O APIs.
  • 365Inspect - A PowerShell script that automates the security assessment of Microsoft Office 365 environments.
  • go-secdump - Tool to remotely dump secrets from the Windows registry
  • SmuggleFuzz - A customizable and rapid HTTP downgrade smuggling scanner written in Go.
  • AzureAssess - "...gain a comprehensive understanding of your Azure resources and their security configurations."
  • Subdominator - "The Internets #1 Subdomain Takeover Tool"

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-02-19

By: Erik
20 February 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-12 to 2024-02-19.

News

  • Free Nginx - It seems the maintainer of nginx is forking. Limited details at announcing freenginx.org - This seems to have stemmed from F5/Nginx issuing CVEs for experimental QUIC code and Maxim not liking that. Here is the advisory, you be the judge.
  • Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System - "We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages."
  • [UNVERIFIED] someone just leaked a bunch of internal Chinese government documents on GitHub - This could be spicy. No code, but lots of docs.
  • Backdoors that let cops decrypt messages violate human rights, EU court says - The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," and requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society."
  • CVE Crowd - Picks up where cvetrends left off (killed by twitter API limits). CVE trends uses the "fediverse" (mastodon) for its data.

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • NullSection - NullSection is an anti-reversing tool that applies a technique that overwrites the section header with null bytes.
  • sessionless - TokenSigner is a Burp Suite extension for editing, signing, and verifying various signed web tokens.
  • Forgejo forks its own path forward - Forgejo was a soft-fork of Gitea, but is now a fully independent hard-fork.
  • sicat - The useful exploit finder.
  • A final Kubernetes census - Cool data analysis of exposed Kubernetes nodes has come to an end.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-02-12

By: Erik
13 February 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-07 to 2024-02-12.

News

Techniques and Write-ups

Tools and Exploits

  • ParentProcessValidator.cpp - This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
  • EternelSuspention - a simple poc showcasing the ability of an admin to suspend EDR's protected processes.
  • NidhoggScript - NidhoggScript is a tool to generate a "script" file that allows execution of multiple commands for Nidhogg. Nidhogg is an all-in-one, simple-to-use rootkit.
  • TPM-Sniffing - Retrieving Bitlocker keys from the TPM using SPI, I2C or LPC communications requires an understanding of the specific protocol supported by the TPM chip, as well as the device's make and model.
  • conditional-love - An AWS metadata enumeration tool.
  • gocheck - GoCheck is a blazingly fast™ alternative to Matterpreter's DefenderCheck which identifies the exact bytes that Windows Defender AV flags by feeding byte slices to MpCmdRun.exe.
  • NTLM Relay Gat - NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.
  • Native Threadpool - Work, timer, and wait callback example using solely Native Windows APIs.
  • LoLCerts - A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
  • Living off the False Positive! - Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic. See the blog post Introducing LoFP for more info.
  • BadExclusionsNWBO - BadExclusionsNWBO is an evolution of BadExclusions to identify custom or undocumented folder exclusions on AV/EDR.
  • Remote-buffer-overflow-over-wifi_stack-in-wpa_supplicant-binary-in-android-11-platform-samsung-a20e - Remote buffer overflow over wifi_stack in the wpa_supplicant binary in Android 11, platform: Samsung A20e, stock options, so it works out of the box.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awesome-tunneling - List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
  • gftrace - A command line Windows API tracing tool for Golang binaries.
  • AutomatedBadLab - Scripts to provision vulnerable and testing environments using AutomatedLab.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-02-07

By: Erik
8 February 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-29 to 2024-02-07.

News

  • AnyDesk Incident Response 2-2-2024 - An RMM company, AnyDesk, was breached. "Customers Urged to Reset Passwords." Is breaching the upstream RMM company the ultimate traitorware?
  • Ivanti - We're up to four (4) CVEs. CISA is ordering everyone to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. Even Assetnote is getting in the action with a new authentication bypass. What a mess!
  • Thanksgiving 2023 security incident - Threat actor utilized stolen credentials from the October 2023 Okta compromise to access Cloudflare's network. TLDR - Threat actors were in Cloudflare's internal wiki, bug database, and established persistent access to the Atlassian server but 2FA prevented most lateral movement. Cloudflare even returned the hardware that was connected to a console server the actors attempted but failed to gain access to. Now that is serious remediation!
  • First look: Windows 11 is getting native macOS or Linux-like Sudo command - The Sudo, "superuser do," command is coming to Windows 11 as part of the developer settings. Embrace, extend, and extinguish.
  • Externalizing the Google Domain Tiers Concept - Google's Security Team has introduced the concept of Domain Tiers to categorize approximately 10,000 domains based on sensitivity, helping prioritize security efforts. The tiering system, with five levels (Tier 0 being the highest sensitivity), aids in identifying potential vulnerabilities and influences Google Vulnerability Reward payouts. This is really dope!
  • Hundreds of network operators' credentials found circulating in the Dark Web - An attacker named 'Snow' compromised RIPE NCC account credentials, leading to a three-hour service outage and over 1,572 compromised customer credentials across various regional internet registries. Fun times.
  • Vastaamo hacker traced via 'untraceable' Monero transactions, police says - "KRP did not disclose the exact mechanism for tracing the Monero transactions, citing the need to protect sensitive investigative techniques that can prove invaluable in future cases. Thus, the exact methods involved are unclear." However, the suspect used a centralized exchange to exchange between BTC and XMR, and an email address was eventually linked to a server managed by the suspect. Seems like a lot of opportunities to find the suspect other than breaking XMR privacy, and I highly doubt that has happened. Binance will delist XMR on 2024-02-20, which may be related. Reminder: the Universal Declaration of Human Rights Article 12 states privacy is a universal human right and not a crime. Using XMR for crimes is a crime, the same way using USD cash for crimes is a crime.
  • Arrests in $400M SIM-Swap Tied to Heist at FTX? - Three Americans charged with orchestrating SIM-swapping attacks resulting in over $400 million of stolen crypto, likely from FTX. The attacks took place between March 2021 and April 2023. There is no excuse to use SMS-based 2FA for anything important after all these SIM swaps. Phone companies are not the place to outsource your identity verification!
  • Qualys TRU Discovers Important Vulnerabilities in GNU C Library's syslog(). The two technical write ups are linked at the bottom of the post. Put CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780 on your PoC watch list as they will be nice Linux LPEs.
  • Finance worker pays out $25 million after video call with deepfake 'chief financial officer'. The best deepfake we know about. Put this on your "why you should care" slide for your next vishing assessment.

Techniques and Write-ups

Tools and Exploits

  • RoleCrawl - PowerShell tool designed to audit User and Group role assignments in Azure, covering both subscription and resource scopes.
  • hfinder - Helps recon hostnames from a specific ASN or CIDR, thanks to Robtex and BGP.HE.
  • ThievingFox - A collection of post-exploitation tools to gather credentials from various password managers and windows utilities. Came with a blog post.
  • IntelRAGU - An open-source initiative to document and share experiments to apply Retrieval Augmented Generation (RAG) techniques to Threat Intelligence searching capabilities.
  • arachne - A Mythic webshell payload for Windows (aspx) and Linux (php). When run alone, the arachne container reaches out to the specified URL to issue tasking. When an agent links via P2P to an arachne agent, then that agent will remotely reach out to the specified URL to issue tasking. Check out the blog: Spinning Webs - Unveiling Arachne for Web Shell C2.
  • ReverseSocks5 - Single executable reverse SOCKS5 proxy written in Golang. This is v2 which adds SOCKS5 support.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • certstream-server-go - This project aims to be a drop-in replacement for the certstream server by Calidog. This tool aggregates, parses, and streams certificate data from multiple certificate transparency logs via websocket connections to the clients.
  • SigFinder - Identify binaries with Authenticode digital signatures signed to an internal CA/domain. This could be useful when pillaging SCCM distribution point servers.
  • wirez - redirect all TCP/UDP traffic of any program to SOCKS5 proxy.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-01-30

By: Erik
31 January 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-22 to 2024-01-30.

News

Techniques and Write-ups

Tools and Exploits

  • SOAPHound - This made some noise this week. A custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
  • InjectKit - Modified versions of the Cobalt Strike Process Injection Kit
  • Stardust - A modern 64-bit position independent implant template. Came with a good blog if you want to take a look here.
  • Grroxy - Another competitor to Burpsuite Pro? Caido is another one that comes to mind.
  • Frameless BITB - A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx. Even came with a demo.
  • CsWhispers - Source generator to add D/Invoke and indirect syscall methods to a C# project.
  • EventLogCrasher - Proof of concept for a bug that allows any user to crash the Windows Event Log service of any other Windows 10/Windows Server 2022 machine on the same domain. The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.
  • ExecIT - Execute shellcode files with rundll32.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Understanding Windows x64 Assembly - Add this to your Windows programming reading list.
  • Trimarc Whitepaper: Owner or Pwnd? - This whitepaper touches on all aspects of AD ownership: Organizational Units (OUs), Computers, Groups, Users, AD Certificate Services (ADCS), Group Policy Objects (GPOs), and even Active Directory Integrated DNS (ADI DNS).
  • jsoncrack.com - ✨ Innovative and open-source visualization application that transforms various data formats, such as JSON, YAML, XML, CSV and more, into interactive graphs.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-01-23

By: Erik
24 January 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-15 to 2024-01-23.

News

Techniques and Write-ups

Tools and Exploits

  • Cobalt-Strike-Profiles-for-EDR-Evasion - Some ideas to modify CS profiles to bypass simple EDR checks. However, if you want to use SourcePoint I'm not sure I would trust the copy in this random repository...
  • GraphStrike - Cobalt Strike HTTPS beaconing over Microsoft Graph API implemented as a user defined reflective loader (URDL). Appreciate the Why? section on this one. Better hope those Blue team network sensors have really good anomaly detection, because this will use legitimate microsoft domains for C2. However, now you have Microsoft's threat team to deal with, and there has been some discussion that they will ban accounts that conduct C2 over their API if they detect it.
  • hi_my_name_is_keyboard. Zero click Bluetooth exploits for Android prior to the 2023-12-05 security patch (and Android <= 10 forever). Nice close access method to get payloads on an Android phone (assuming the target won't notice their screen acting up on its own). It also works against macOS and iOS (iOS < 17.2, Magic Keyboard Firmware < 2.0.6) if you can trigger it exactly when the computer/phone attempts to connect with an Apple Magic keyboard via Bluetooth.
  • slippy-book-exploit - CVE-2023-44451, CVE-2023-52076: RCE Vulnerability affected popular Linux Distros including Mint, Kali, Parrot, Manjaro etc. EPUB File Parsing Directory Traversal Remote Code Execution.
  • atril_cbt-inject-exploit - CVE-2023-44452, CVE-2023-51698: CBT File Parsing Argument Injection that affected Popular Linux Distros.
  • Awaiting the Awaitables - Building the AwaitFuscator. I doubt this is practical for programs of any complexity, but it's got to be one of the most bizarre obfuscators since the movfuscator. Code here.
  • proxy-helper-the-sequel - Port/rework of proxy-helper plugin for hak5 Pineapples.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • How to protect Evilginx using Cloudflare and HTML Obfuscation - Some solid OPSEC tips on protecting your RTA infrastructure.
  • Realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability. This was in the LWiS 2023-10-24, but the ShmooCon talk is what bubbled it back up for me and made me really look into it. The docs look great and I plan to play with this one very soon.
  • GHunt - Recently got an update (OAuth based instead of cookies). Check it out!
  • ADCSync - Use ESC1 to perform a makeshift DCSync and dump hashes.
  • RemoteRegSave - A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-01-15

By: Erik
16 January 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-08 to 2024-01-15.

News

Techniques and Write-ups

Tools and Exploits

  • Kiosk Tooling. Next time you only have a browser and need to break out, browse to this site for some potential quick wins.
  • CS-Aggressor-Scripts - Aggressor Scripts for Cobalt Strike (that post data to a Slack Channel).
  • OpenVoice - Instant voice cloning by MyShell. I have warned of this, and now it is here and easy to use. Vishing will never be the same.
  • BobTheSmuggler - "Bob the Smuggler": A tool that leverages the HTML Smuggling attack and allows you to create HTML files with embedded 7z/zip archives. The tool compresses your binary (EXE/DLL) into 7z/zip file format, XOR encrypts the archive, and then hides it inside a PNG/GIF image file (image polyglots).
  • SuperSharpShares - SuperSharpShares is a tool designed to automate enumerating domain shares, allowing for quick verification of accessible shares by your associated domain account.
  • pinvoke.dev - Code-generated P/Invoke signatures.
  • DFSCoerce-exe-2 - DFSCoerce exe revisited version with custom authentication.
  • raddebugger - A native, user-mode, multi-process, graphical debugger.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • FlowMate - A Burp Suite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Last Week in Security (LWiS) - 2024-01-10

By: Erik
10 January 2024 at 20:35

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-01 to 2024-01-10.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-MAKER - Tool to find CVEs and Exploits. It's a CLI.
  • SharpGhostTask - A C# port from Invoke-GhostTask.
  • Handly - Abuse leaked token handles. Token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
  • SSH-Snake - A self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • Swarm - Formerly known as axiom, swarm is the next generation of distributed cloud scanning and attack surface monitoring.
  • Moriarty - Moriarty is a comprehensive .NET tool that extends the functionality of Watson and Sherlock, originally developed by @_RastaMouse. It is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
  • pendulum - Linux Sleep Obfuscation.
  • CanaryTokenScanner - CanaryTokenScanner is a script designed to proactively identify Canary Tokens within office documents (docx, xlsx, pptx).

New to Me and Miscellaneous

  • One Supply Chain Attack to Rule Them All - How self-hosted runners + supply chain attack led to these bounty hunters pwning a ton of orgs. Dope write-up!
  • sessionprobe - A multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.
  • msoffcrypto-tool - Python tool and library for decrypting MS Office files with passwords or other keys.
  • ContinuousMage - ContinuousMage is an automated testing PoC for the Mythic framework.
  • jsluice - Extract URLs, paths, secrets, and other interesting bits from JavaScript.
  • COFF-Loader - A reimplementation of Cobalt Strike's Beacon Object File (BOF) Loader.
  • DirtyCLR - An App Domain Manager Injection DLL PoC on steroids and it came with a blog post.
  • deskhop - Fast Desktop Switching Device.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2024-01-01

By: Erik
2 January 2024 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-12-04 to 2024-01-01.

News

Techniques and Write-ups

Tools and Exploits

  • sleepy - A lexer and parser for Sleep. Read more here.
  • A (beta) Canarytoken for Active Directory Credentials. Perhaps one of the most effective canary tokens yet. Slightly more complicated than just dropping a file, but it will be extremely effective in catching red teams and adversaries.
  • frinet - Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
  • Christmas - By splitting up the injection actions across different spawned processes, none of the spawned processes generate enough signal to trip EDR (in theory).
  • sj - A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files. See this post for more info.
  • Ghidriff: Ghidra Binary Diffing Engine. Back in my day, BinDiff was paid software. This is a great addition to your reverse engineering/diffing toolbox, and fully open source!
  • bbs - bbs is a router for SOCKS and HTTP proxies. It exposes a SOCKS5 (or HTTP CONNECT) service and forwards incoming requests to proxies or chains of proxies based on the request's target. Routing can be configured with a PAC script (if built with PAC support), or through a JSON file.
  • SignToolEx - Patching "signtool.exe" to accept expired certificates for code-signing.
  • WMIProcessWatcher - A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
  • Marble - The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
  • Def1nit3lyN0tAJa1lbr3akTool - A jailbreak tool for all arm64 devices on iOS 16.0 to iOS 16.5.
  • Amnesiac - Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments.
  • SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC - Sharepoint RCE.
  • EDRSilencer - A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server. This is similar to shutter (shoutout to @naksyn).
  • Ghidra 11.0. 11.0 brings the "BSim" binary similarity tool, better Go binary support, and initial Rust binary support.

New to Me and Miscellaneous

  • Linpmem is a Linux memory acquisition tool.
  • tailspin - 🌀 A log file highlighter.
  • CLR_Heap_encryption. This is a POC for a CLR sleep obfuscation attempt. It uses the IHostMemoryManager interface to control the memory allocated by the CLR. Turns out you can use both ICorRuntimeHost and ICLRRuntimeHost at the same time, so we can still use ICorRuntimeHost to run an assembly from memory while having all the benefits of ICLRRuntimeHost.
  • sheye - Open-source assets and vulnerability scanning tool.

Last Week in Security (LWiS) - 2023-12-04

By: Erik
5 December 2023 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-27 to 2023-12-04.

News

  • About the security content of iOS 17.1.2 and iPadOS 17.1.2. Two WebKit vulnerabilities may have been exploited in the wild. Not to be outdone, Chrome patched their sixth 0day this year. Browsers are where the data is and the most frequent way users execute untrusted code, so it's where the high value exploitation is as well.

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

  • windiff - Web-based tool that allows comparing symbol, type and syscall information of Microsoft Windows binaries across different versions of the OS.
  • PySQLRecon - Offensive MSSQL toolkit written in Python, based off SQLRecon.
  • Kerberos.NET - A Kerberos implementation built entirely in managed code.
  • Scudo is a C++ class that encrypts and dynamically executes functions. This open-source repository offers a concise solution for securing and executing encrypted functions in your codebase.

Last Week in Security (LWiS) - 2023-11-29

By: Erik
30 November 2023 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-13 to 2023-11-29.

News

Techniques and Write-ups

Tools and Exploits

  • Kerbeus-BOF - BOF for Kerberos abuse (an implementation of some important features of Rubeus).
  • LocklessBof - A Beacon Object File (BOF) implementation of Lockless by HarmJ0y, designed to enumerate open file handles and facilitate the fileless download of locked files.
  • LyinEagle - BETA C2 server that uses the legitimate FIN7 Griffon JScript as its implant.
  • badgerDAPS - Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.
  • AI Exploits - A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities.
  • ProcessStomping - A variation of ProcessOverwriting to execute shellcode on an executable's section.
  • DumpS1.ps1 - Uses a CoSetProxyBlanket to call the dump function in SentinelAgent.exe to dump a PID to disk. Requires local admin. Love the traitorware aspect here.
  • Proof of concept exploit for CVE-2023-46214 - Authenticated RCE. Comes with a blog.
  • CoercedPotatoRDLL - Reflective DLL to privesc from NT Service to SYSTEM using SeImpersonateToken privilege
  • Pcapan: a PCAP analysis helper - Filter out known good and find suspicious connections in pcaps.
  • waveterm - An open-source, cross-platform terminal for seamless workflows. Reminds me of an open source warp.
  • genpatch - genpatch is an IDA plugin that generates a Python script for patching a binary.
  • faction - Pen Test Report Generation and Assessment Collaboration.

New to Me and Miscellaneous

Last Week in Security (LWiS) - 2023-11-13

By: Erik
14 November 2023 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-06 to 2023-11-13.

News

Techniques and Write-ups

Tools and Exploits

  • Nuclei AI - Browser Extension - Browser Extension for Rapid Nuclei Template Generation (requires a cloud account).
  • fastsync - Fast synchronization across networks using speedy compression, lots of parallelization and fast hashmaps for keeping track of things internally.
  • MAAS - Malware As A Service. This project describes a DevOps approach which leverages the CI/CD capabilities of gitlab to build a malware artifact generation pipeline.
  • SharpVeeamDecryptor - Decrypt Veeam database passwords.
  • proxyhub - An advanced [Finder | Checker | Server] tool for proxy servers, supporting both HTTP(S) and SOCKS protocols. 🎭
  • Bobber - Evilginx database monitoring with exfiltration automation.
  • SharpReflectivePEInjection - Reflectively load and execute PEs locally and remotely bypassing EDR hooks
  • CVE-2023-32629 & CVE-2023-2640: Privilege escalation - Ubuntu Privilege Escalation bash one-liner
  • .NetConfigLoader - List of .NET applications signed by Microsoft that can be used to load a DLL via a .config file (AppDomain Hijacking). Ideal for EDR/AV evasion and execution policy bypass.
  • Bloodhound_Community_Docker - Generator of docker-compose file to allow secure configurations and multi-deployment strategy.
  • CVE-Half-Day-Watcher - a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain.
  • GoSleepyCrypt - In-memory sleep encryption and heap encryption for Go applications through a shellcode function.

New to Me and Miscellaneous

  • the !CVE Program - The mission of the !CVE Program is to provide a common space for cybersecurity !vulnerabilities that are not acknowledged by vendors but still are serious security issues.
  • hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
  • RoastInTheMiddle - Roast in the Middle is a rough proof of concept (not attack-ready) that implements a man-in-the-middle ARP spoof to intercept AS-REQs to modify and replay to perform a Kerberoast or Sessionroast attack.
  • Implementing Tic Tac Toe with 170mb of HTML - no JS or CSS 🤯

Last Week in Security (LWiS) - 2023-11-06

By: Erik
7 November 2023 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-24 to 2023-11-06.

News

Techniques and Write-ups

Tools and Exploits

  • Defender-Exclusions-Creator-BOF - A BOF to add or remove Windows Defender exclusions.
  • cookie-monster - BOF to steal browser cookies.
  • GhostTask - Create/modify scheduled tasks directly in the registry to avoid event logs and alerts.
  • LdrLockLiberator - A collection of techniques for escaping or otherwise forgoing Loader Lock while executing your code from DllMain.
  • Kernel_VADInjector - Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver.
  • maliciousCodeMatchingMFA - A small executable to trick a user to authenticate using code matching MFA.
  • PsMapExec - The cme saga continues. This project is in PowerShell and inspired by CrackMapExec.
  • cuddlephish - Weaponized Browser-in-the-Middle (BitM) for Penetration Testers.
  • pandora - A red team tool that assists into extracting/dumping master credentials and/or entries from different password managers.
  • WIP Mockingjay BOF Conversion - Cobalt Strike Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique.
  • LdrLibraryEx - A small x64 library to load DLLs into memory.
  • ReleaseTheHounds - Tool to upload large datasets and interact with BloodHound CE API.
  • sshx - A secure web-based, collaborative terminal.
  • DayBird - Extension functionality for the NightHawk operator client.
  • porch-pirate - Porch Pirate is the most comprehensive recon / OSINT client and framework for Postman that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams. Porch Pirate can be used as a client or be incorporated into your own applications.
  • NerfDefender - BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.

New to Me and Miscellaneous

  • hashcathelper - Got some creds? Has a couple different modules. One allows operators to insert new relationships into an existing BloodHound database such as when users have the same password. Improve those screenshots!
  • postleaks - Search for sensitive data in Postman public library.
  • OffensiveGo - Looking to do some offensive dev in go? Start here. Notable golang tools at the bottom such as sliver and merlin.
  • Hijacking Someone Else's DCSync - Friendly reminder that your AADConnect servers are tier 0 assets. Pwn the AADConnect server -> wait for cloud takeoff -> catch hashes in flight.
  • Mido - The Secure Microsoft Windows Downloader.
  • Exploring SCCM by Unobfuscating Network Access Accounts - These Network Access Accounts (NAA) accounts have been very fruitful lately...
  • PyMeta - Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
  • LME - Logging Made Easy (LME) is a free and open logging and protective monitoring solution serving all organizations. Good resource for a detection lab (RIP), but very manual setup.
  • Get-LoggedOn.py - Lookup logged in users using itm4n's session enum via registry.

Last Week in Security (LWiS) - 2023-10-24

By: Erik
25 October 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-09 to 2023-10-23.

News

Techniques and Write-ups

Tools and Exploits

  • legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
  • pico_dma - Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board.
  • Kernel Driver Utility v1.4.0 - 4 new providers and a dump command!
  • Proxy-DLL-Loads - A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.
  • Jomungand - Shellcode Loader with memory evasion.
  • NovaLdr - Threadless Module Stomping In Rust with some features.
  • WolfPack - WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale.
  • FalconHound - FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool.
  • GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API.
  • EvilSln - A New Exploitation Technique for Visual Studio Projects.

New to Me and Miscellaneous

  • GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments.
  • CVE-2023-36723 - PoC for arbitrary directory creation bug in Windows Container Manager service.
  • tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems.
  • SMBLibrary - Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library.
  • Shaco - Shaco is a linux agent for havoc.
  • realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
  • CoercedPotato - From Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022.

Last Week in Security (LWiS) - 2023-10-09

By: Erik
10 October 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-02 to 2023-10-09.

News

Techniques and Write-ups

  • Exploring the STSAFE-A110: Analysing I2C communications between host and the secure element - Some physical device hacking with a logic analyzer to read I2C of a secure element.

Tools and Exploits

  • linWinPwn - Bash script that automates a number of Active Directory Enumeration and Vulnerability checks. Will be interesting if they keep up with this project. Interesting new project since it's using the new NetExec. Will other tools do the same?
  • LatLoader - PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
  • sccmhunter v.0.0.2 - Updated Admin Module - SCCM is the gift that keeps on giving. This is a new easy way to execute commands on managed machines (Administration Service API).
  • archive_pwn - A Python-based tool to create zip, tar and cpio archives to exploit common archive library issues and developer mistakes. Blog Post.
  • SmmBackdoorNg - Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks.

New to Me and Miscellaneous

  • Browser cache smuggling - Interesting payload delivery technique.
  • Registry Attack Vectors(RTC0018) - A big list of interesting reg keys.
  • Kerberos 102 - Overview. Three-part blog series on Kerberos, delegation, and cross-realm. You can never read enough about Kerberos.
  • ted_api - TED is a limited general purpose reverse engineering API, and hybrid debugger, that allows for inspection and modification of a program's inner workings. TED carries out its functionality by being injected into a target process and starting a gRPC server, which clients can then connect to.
  • agent - SSH Session Monitoring Daemon.

Last Week in Security (LWiS) - 2023-10-03

By: Erik
26 September 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-19 to 2023-10-03.

News

Techniques and Write-ups

Tools and Exploits

  • ExtractBitlockerKeys - Post-ex script to automatically extract the bitlocker recovery keys from a domain.
  • transitiveObjectControl.py - Given transitive object control: output info on last hop, chain length, and type.
  • MaldevAcademyLdr.1 - The team at Maldev Academy drop their first "openly released" loader.
  • LOLBins - The LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) is a project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion in a graphical and digestible format for the TIPs platform using the STIX format.
  • proxy_calls - Proof of Concept - Custom Call Stack for LoadLibrary with TrySubmitThreadpoolCallback/TpSimpleTryPost.
  • LDAPWordlistHarvester - A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
  • REC2 - New rust-based C2 (Yes another C2). Uses VirusTotal and Mastodon APIs.
  • HeaderLessPE - A memory PE loading technique using HVNC.
  • CVE-2023-29357 - Patched June 2023 but... Microsoft SharePoint Server priv esc.
  • JonMon - @jsecurity101 with a tool drop for defenders/attackers. "...collection of open-source telemetry sensors designed to provide users with visibility into the operations and activity of their Windows systems". Add this to your maldev boxes to see what defenders could be collecting on your actions.
  • AD_Miner - Use your existing neo4j DB to find some quick wins (may not work well against large environments based on our testing).
  • Sub7 - Source code for SubSeven 2.1.3 (if you're feeling nostalgic).
  • CVE-2023-32364-macos-app-sandbox-escape - Exploit for CVE-2023-32364.

New to Me and Miscellaneous

  • Windows Hook Events. Short read by Mr. Yosifovich. Discusses the SetWinEventHook API in Windows for intercepting and processing user interface-related events.
  • haylxon. Gowitness replacement? Blazing-fast tool to grab screenshots of your domain list right from terminal.
  • graftcp. A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
  • VcenterKit. vCenter Comprehensive Penetration and Exploitation Toolkit.
  • go-exploit. A Go-based Exploit Framework.

Last Week in Security (LWiS) - 2023-09-19

By: Erik
20 September 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-11 to 2023-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • EchoDrv - Exploitation of echo_driver.sys.
  • Caro-Kann - Encrypted shellcode Injection to avoid Kernel triggered memory scans
  • malrdp-deploy - Automated (kinda) deployment of MalRDP infrastructure with Terraform & Ansible
  • Periscope - Fully Integrated Adversarial Operations Toolkit (C2, stagers, agents, ephemeral infrastructure, phishing engine, and automation). Note: purposely broken by the author.
  • NetExec - Crack Map Exec fork with different maintainers. Cue the drama.
  • POSTDump is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding calls to the Windows API MiniDumpWriteDump function.

New to Me and Miscellaneous

  • donut-decryptor - Retrieve inner payloads from Donut samples
  • TierZeroTable - Table of AD and Azure assets and whether they belong to Tier Zero.
  • Evilginx3-Phishlets - This repository provides penetration testers and red teams with an extensive collection of dynamic phishing templates designed specifically for use with Evilginx3.
  • tracker-radar - Good for OSINT.
  • GPOZaurr - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
  • electroniz3r - Take over macOS Electron apps' TCC permissions.

Last Week in Security (LWiS) - 2023-09-11

By: Erik
12 September 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-08-28 to 2023-09-11.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

  • PurpleOps - An open-source self-hosted purple team management web application.
  • Sekiryu - Comprehensive toolkit for Ghidra headless.
  • Supernova - Real shellcode encryption tool.

Last Week in Security (LWiS) - 2023-08-29

By: Erik
30 August 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-08-07 to 2023-08-29.

News

Techniques and Write-ups

Tools and Exploits

  • Ensemble - A Bug Bounty Platform that allows hunters to issue commands over a geo-distributed cluster. Gives some botnet like feels 🤔.
  • ContainYourself - DEF CON 31 Tool. Abuses the Windows containers framework to bypass EDRs.
  • NoFilter - DEF CON 31 Tool. Abuses the Windows Filtering Platform for privilege escalation.
  • DllNotificationInjection - DEF CON 31 Tool. POC of a new "threadless" process injection technique.
  • CloudRecon - DEF CON 31 Tool. Suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts.
  • EasyEASM - DEF CON 31 Tool. Zero-dollar attack surface management tool. "The industry is dominated by $30k vendors selling "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth" 👀
  • gssapi-abuse - DEF CON 31 Tool. Impersonating AD users on *nix based hosts? Noice. Looks like rubeus was updated as well.
  • DoubleDrive - BH23 Tool. A fully-undetectable ransomware that utilizes OneDrive to encrypt target files.
  • apppoolcreddecrypt - A POC to show how IIS App Pool credentials are decrypted without appcmd.exe.
  • NtRemoteLoad - Remote Shellcode injector using indirect native syscalls to inject shellcode into another process (based on HWSyscalls by ShorSec)
  • konstellation - Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j. Think Bloodhound for k8s.
  • mellon - Open Supervised Device Protocol attack tool (and the Elvish word for friend).
  • CVE-2023-36874_BOF - Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE.
  • SharpShellPipe - This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol.

New to Me and Miscellaneous

Last Week in Security (LWiS) - 2023-08-07

By: Erik
8 August 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-31 to 2023-08-07.

News

Techniques and Write-ups

Tools and Exploits

  • daphne - Proof-of-Concept to evade auditd by tampering via ptrace.
  • apollon - Proof-of-Concept to evade auditd by writing /proc/PID/mem.
  • web-check - 🌐 All-in-one OSINT tool for analyzing any website.
  • grove - A Software as a Service (SaaS) log collection framework from Hashicorp.
  • EmailFlare - Send emails from your domain through Cloudflare for free. Self host on your account.
  • ACCD - Active C&C Detector. Includes a deck on how it works.
  • RogueSliver - A suite of tools to disrupt campaigns using the Sliver C2 framework.

New to Me and Miscellaneous

Last Week in Security (LWiS) - 2023-07-31

By: Erik
1 August 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-17 to 2023-07-31.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing BucketLoot - An Automated Cloud Bucket Inspector.
  • KRBUACBypass - UAC Bypass By Abusing Kerberos Tickets.
  • CVE-2023-35078-Exploit-POC - Remote Unauthenticated API Access vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions - Version 11.4 releases 11.10, 11.9 and 11.8.
  • dcomhijack - Lateral Movement Using DCOM and DLL Hijacking.
  • AADInternals OSINT. This web based tool will extract openly available information for the given tenant.
  • LdrFunctionEx - "should evade EAF and maybe (haven't tested it) EATGuard"
  • DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
  • StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability. [First published in 2023-07-10 LWiS - Now includes an exploit]
  • TGSThief - My implementation of the GIUDA project (Ask a TGS on behalf of another user without password) in C++.
  • msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at Escalating Privileges via Third-Party Windows Installers.
  • S4UTomato - Escalate Service Account To LocalSystem via Kerberos.
  • WSPCoerce - PoC to coerce authentication from Windows hosts using MS-WSP.

New to Me and Miscellaneous

  • canTot - quick and dirty canbus h4xing framework.
  • chrome-sbx-db - A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
  • GIUDA - Ask a TGS on behalf of another user without password.
  • Frack - Keep and Maintain your breach data.
  • exe_to_dll - Converts a EXE into DLL.
  • dploot - DPAPI looting remotely in Python.
  • sysplant - Your syscall factory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-07-17

By: Erik
18 July 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-10 to 2023-07-17.

News

Techniques and Write-ups

Tools and Exploits

  • BOF_Development_Docker - A VSCode devcontainer for development of COFF files with batteries included.
  • BlackLotus is an innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal.
  • WubbabooMark - Debugger Anti-Detection Benchmark.
  • HadesLdr - Shellcode Loader Implementing Indirect Dynamic Syscall, API Hashing, Fileless Shellcode retrieving using Winsock2.
  • curlshell - reverse shell using curl.
  • BadZure - BadZure orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.

New to Me and Miscellaneous

Last Week in Security (LWiS) - 2023-07-10

By: Erik
11 July 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-06-26 to 2023-07-10.

News

Techniques and Write-ups

Tools and Exploits

  • ShellGhost - A memory-based evasion technique which makes shellcode invisible from process start to end.
  • StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability.
  • CVE-2023-28252 - Common Log File System (CLFS) LPE for Windows patched in April 2023.
  • evilgophish - evilginx + gophish. Now with evilginx3 support!
  • shortscan - An IIS short filename enumeration tool.
  • BOFMask is a proof-of-concept for masking Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF).
  • BounceBack - Stealth redirector for your red team operation security.
  • TeamsPhisher - Send phishing messages and attachments to Microsoft Teams users.
  • clauneck - A tool for scraping emails, social media accounts, and much more information from websites using Google Search Results.
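
The shortscan entry above is an IIS short filename (8.3, "tilde") enumeration tool. The following is an added example, not shortscan's own code, showing the search such a tool performs: a vulnerable IIS answers a request like /PREFIX*~1*/.aspx with a different status code depending on whether some file's 8.3 name matches the wildcard, so an attacker can recover short names one character at a time. Here the server is replaced by a boolean oracle over a constructed web-root listing so the search runs offline; the 8.3 name generation is a simplification of what NTFS does, only the first collision slot (~1) is searched, and every file name and the helper names are assumptions made for this example.

```python
"""Simulated IIS short filename (8.3 / tilde) enumeration (added example)."""
from fnmatch import fnmatchcase
import string

SEARCH_CHARS = string.ascii_uppercase + string.digits + "_-"
MAX_BASE, MAX_EXT = 6, 3   # auto-generated 8.3 names: 6 chars + ~N, 3-char extension

# Constructed listing of a hypothetical IIS wwwroot (example data only).
SAMPLE_WEB_ROOT = [
    "web.config", "secretbackup.zip", "index.aspx", "README",
    "a.txt", "Upload_Handler.ashx",
]


def _keep(s):
    """Uppercase and drop characters that do not survive 8.3 generation."""
    return "".join(c for c in s.upper() if c.isalnum() or c in "_-")


def _is_valid_83(name):
    base, _, ext = name.partition(".")
    return (0 < len(base) <= 8 and len(ext) <= 3 and "." not in ext
            and _keep(base) == base.upper() and _keep(ext) == ext.upper())


def short_name_83(long_name, counters):
    """Simplified NTFS 8.3 generation (assumption: adequate for ordinary names;
    real NTFS strips more characters and switches to a hashed form after the
    fourth collision). Names that already fit 8.3 keep their own name.
    counters is a dict keyed by (base, ext) that tracks the ~N slot."""
    if _is_valid_83(long_name):
        return long_name.upper()
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    base, ext = _keep(base)[:MAX_BASE], _keep(ext)[:MAX_EXT]
    n = counters.get((base, ext), 0) + 1
    counters[(base, ext)] = n
    return f"{base}~{n}.{ext}" if ext else f"{base}~{n}"


def make_oracle(web_root):
    """Stand-in for the server: True when some 8.3 name matches the wildcard
    pattern, which is exactly the bit a vulnerable IIS leaks via status codes."""
    counters = {}
    shorts = [short_name_83(f, counters) for f in web_root]
    return lambda pattern: any(fnmatchcase(s, pattern) for s in shorts)


def enumerate_short_names(leaks):
    """Character-by-character search driven only by the oracle, the way a
    tilde scanner drives a live server: extend the prefix while PREFIX*~1*
    still matches, then do the same for the extension."""
    bases, stack = [], [""]
    while stack:
        prefix = stack.pop()
        for ch in SEARCH_CHARS:
            cand = prefix + ch
            if not leaks(f"{cand}*~1*"):
                continue                    # no short name starts with cand
            if leaks(f"{cand}~1*"):
                bases.append(cand)          # cand is a complete base name
            if len(cand) < MAX_BASE:
                stack.append(cand)          # longer bases may share the prefix
    found = []
    for base in bases:
        if leaks(f"{base}~1"):
            found.append(f"{base}~1")       # extension-less entry (e.g. a directory)
        ext_stack = [""]
        while ext_stack:
            ext = ext_stack.pop()
            if ext and leaks(f"{base}~1.{ext}"):
                found.append(f"{base}~1.{ext}")
            if len(ext) == MAX_EXT:
                continue
            for ch in SEARCH_CHARS:
                if leaks(f"{base}~1.{ext}{ch}*"):
                    ext_stack.append(ext + ch)
    return sorted(found)


if __name__ == "__main__":
    for name in enumerate_short_names(make_oracle(SAMPLE_WEB_ROOT)):
        print(name)
```

Note what the search does and does not reveal: files that already have valid 8.3 names (README, a.txt) never match a tilde pattern, while web.config, index.aspx and the backup archive all collapse to enumerable six-character stems. Against a real server the oracle becomes an HTTP request per probe, so the character set and the verb/response-code pair are the parts a scanner has to tune per IIS version.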

New to Me and Miscellaneous

  • Artemis - A modular web reconnaissance tool and vulnerability scanner.
  • golddigger is a simple tool used to help quickly discover sensitive information in files recursively. Originally written to assist in rapidly searching files obtained during a penetration test.
  • mailpit - An email and SMTP testing tool with API for developers.
  • multitail - Tail on steroids.
  • kbtls - Establishes mutually trusted TLS connections based on a pre-shared connection key.
  • skyhook - A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections.
  • webhook is a lightweight incoming webhook server to run shell commands.

Last Week in Security (LWiS) - 2023-06-26

By: Erik
27 June 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-06-12 to 2023-06-26.

News

Techniques and Write-ups

Tools and Exploits

  • SSH-Harvester - Harvest passwords automatically from OpenSSH server. More details here.
  • CVE-2023-29343 - LPE in Sysmon version 14.14.
  • CVE-2023-20178 - PoC for Arbitrary File Delete vulnerability in Cisco Secure Client (tested on 5.0.01242) and Cisco AnyConnect (tested on 4.10.06079).
  • Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
  • NimExec - Fileless Command Execution for Lateral Movement in Nim.
  • CS_COFFLoader - a COFF loader written in C#.
  • Spartacus-v2.0.0. Not a new tool but a big release for the DLL/COM Hijacking Toolkit (2.0 added COM hijacking).
  • bof-launcher - Beacon Object File (BOF) launcher - library for executing BOF files in C/C++/Zig applications.
  • GhostFart - Unhook NTDLL without triggering "PspCreateProcessNotifyRoutine".

New to Me and Miscellaneous

  • msLDAPDump - LDAP enumeration tool implemented in Python3.
  • SharpToken - Windows Token Stealing Expert.
  • docker-swarm-proxy - What if you wanted a docker exec, but for Docker swarm? - Control any node in the swarm from your CLI.
  • PageSplit - Splitting and executing shellcode across multiple pages.
  • ropci - So, you think you have MFA? AAD/ROPC/MFA bypass testing tool.

Last Week in Security (LWiS) - 2023-06-15

By: Erik
16 June 2023 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-05-22 to 2023-06-15.

News

MOVEit

Techniques and Write-ups

Tools and Exploits

  • CVExploits Search - Your comprehensive database for CVE exploits from across the internet.
  • cloudfoxable - Create your own vulnerable by design AWS penetration testing playground.
  • CVE-2023-2825 - GitLab CVE-2023-2825 PoC. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
  • CVE-2023-20887 - VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887).
  • elevationstation - elevate to SYSTEM any way we can!
  • SharpFtpC2 - A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems.
  • limba - compile-time control flow obfuscation using mba.
  • Banshee - Experimental Windows x64 Kernel Driver/Rootkit.
  • RDPCredentialStealer - steals credentials provided by users in RDP using API Hooking with Detours in C++.
  • HiddenDesktop - HVNC for Cobalt Strike.
  • DropSpawn_BOF - CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking.
  • Terminator - Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes.
  • superman - Kill processes protected by antivirus during offensive activities.
  • Blackout - kill anti-malware protected processes (BYOVD).
  • EPI - Process injection through entry points hijacking.
  • Ruy-Lopez - This repository contains the Proof-of-Concept (PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process.

New to Me and Miscellaneous

  • mcfridafee
  • plane - Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
  • PythonMemoryModule - pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory.
  • deepsecrets - Secrets scanner that understands code.
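
Both golddigger (the 2023-07-10 post above) and deepsecrets search files for sensitive material; deepsecrets is described as a scanner that "understands code". The block below is an added example, not the code of either tool, showing what that distinction buys: a line-oriented scan scores every line, so a commit hash in a comment and a long identifier trip the entropy heuristic, while a scan that tokenizes the source and scores only string literals reports just the two credential-looking values. The sample source, the pattern set, the threshold and all helper names are assumptions made for this example; the AWS-looking values are the well-known documentation placeholders, not live credentials.

```python
"""Code-aware secret scanning: score string literals, not raw lines (added example)."""
import io
import math
import re
import tokenize
from collections import Counter

# Assumed pattern set; a real scanner ships hundreds of provider-specific rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # opaque-looking runs worth scoring
ENTROPY_THRESHOLD = 3.5   # bits per char; hex caps at 4.0, base64 at 6.0 (tuning knob)

# Constructed Python source used as scanner input (example data only).
SAMPLE_SOURCE = """\
# see commit 0123456789abcdef0123456789abcdef before rotating the test key
import os

DEFAULT_REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
signing_key = os.environ.get("SIGNING_KEY")

def test_rotate_0123456789abcdef0123456789abcdef():
    return AWS_ACCESS_KEY_ID
"""


def shannon_entropy(s):
    """Bits per character over the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _classify(text):
    """(kind, matched_text) for the first pattern hit, else the first
    high-entropy run, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            return kind, m.group(0)
    for run in TOKEN_RE.findall(text):
        if shannon_entropy(run) >= ENTROPY_THRESHOLD:
            return "high_entropy", run
    return None


def _unquote(tok_str):
    """Strip string-prefix letters (r, b, f, u ...) and the quotes themselves."""
    i = 0
    while i < len(tok_str) and tok_str[i] not in "'\"":
        i += 1
    body = tok_str[i:]
    q = body[:3] if body[:3] in ('"""', "'''") else body[:1]
    return body[len(q):-len(q)]


def string_literals(source):
    """Yield (line_no, text) for every string literal in Python source;
    comments, identifiers and keywords are never yielded."""
    fstring_middle = getattr(tokenize, "FSTRING_MIDDLE", None)   # 3.12+ f-string pieces
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.STRING:
            yield tok.start[0], _unquote(tok.string)
        elif fstring_middle is not None and tok.type == fstring_middle:
            yield tok.start[0], tok.string


def scan_naive(source):
    """Line-oriented scan: every line is scored, comments and identifiers included."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        hit = _classify(line)
        if hit:
            hits.append((line_no, hit[0], hit[1]))
    return hits


def scan_code_aware(source):
    """Token-oriented scan: only string literals are scored."""
    hits = []
    for line_no, text in string_literals(source):
        hit = _classify(text)
        if hit:
            hits.append((line_no, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    print("naive:     ", scan_naive(SAMPLE_SOURCE))
    print("code-aware:", scan_code_aware(SAMPLE_SOURCE))
```

The naive pass flags lines 1 and 9 (a commit hash in a comment and a long test-function name) alongside the real findings on lines 5 and 6; the code-aware pass reports only lines 5 and 6. The entropy heuristic is still only a heuristic: it is the tokenizer, not the threshold, that removes the two false positives here.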
