โŒ

Normal view

There are new articles available, click to refresh the page.
Before yesterdayBad Sector Labs Blog

Last Week in Security (LWiS) - 2022-11-28

By: Erik
29 November 2022 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-14 to 2022-11-28.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
  • ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-11-14

By: Erik
15 November 2022 at 04:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-07 to 2022-11-14.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
  • Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resonated with me.
  • GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-11-08

By: Erik
9 November 2022 at 04:58

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-31 to 2022-11-08.

News

Techniques and Write-ups

Tools and Exploits

  • Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
  • katana - A next-generation crawling and spidering framework from projectdiscovery.
  • KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
  • CVE-2022-33679 one-day. Based on RC4, which is still considered harmful.
  • stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
  • CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
  • awsrecon - Tool for reconnaissance of AWS cloud environments.
  • exe_who - Executables on Disk? Bleh 🤮.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
  • PowerHuntShares is an audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains.
  • Kernelhub 🌴 Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, and executable file (Windows only).
  • grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-31

By: Erik
1 November 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-31.

This week I reviewed 368 blog posts and 2213 tweets to find only the best and most relevant items to include here.

News

  • Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
  • Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
  • Check out our new Microcorruption challenges!. Excellent embedded security CTF!
  • Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
  • Apple clarifies security update policy: Only the latest OSes are fully patched. Apple is going the full opposite of Microsoft's "still supports 16 bit DOS applications from 1993" stance and only fully patching the latest OS it releases. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware that can't be upgraded is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
  • It's here: Dark Mode Process Explorer!

Techniques and Write-ups

Tools and Exploits

  • guac aggregates software security metadata into a high fidelity graph database.
  • Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best looking docs I've seen in a long time.
  • Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
  • TerraLdr - Payload Loader Designed With Advanced Evasion Features.
  • BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
  • Spartacus - DLL Hijacking Discovery Tool.
  • siphon ⚗️ Intercept stdin/stdout/stderr for any process.
  • SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • caOptics - Azure AD Conditional Access gap analyzer
  • Sandman is a NTP based backdoor for red team engagements in hardened networks.
  • potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
  • vhs Your CLI home video recorder 📼

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-24

By: Erik
24 October 2022 at 21:13

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-24.

This week I reviewed 372 blog posts and 2144 tweets to find only the best and most relevant items to include here.

News

Techniques and Write-ups

Tools and Exploits

  • Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
  • cypherhound - Python3 terminal application that contains 200+ Neo4j Cypher queries for BloodHound data sets.
  • ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
  • SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  • PatchThatAMSI - This repo contains 6 AMSI patches. The first two force the triggering of a conditional jump inside AmsiOpenSession() that closes the AMSI scanning session: the 1st patch by corrupting the AMSI context header, and the 2nd by changing the string "AMSI" that is compared against the AMSI context header to "D1RK". The others just set ZF to 1.
  • ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
  • Bitmancer - Nim Library for Offensive Security Development.
  • GetFGPP - Get Fine Grained Password Policy.
  • syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
  • webpty - A secure webshell. Built for legitimate access, I could see it adopted for red team uses.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • linen.dev - Google-searchable Slack alternative for Communities.
  • usbsas - Tool and framework for securely reading untrusted USB mass storage devices.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-17

By: Erik
18 October 2022 at 02:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-10 to 2022-10-17.

This week I reviewed 336 blog posts and 2350 tweets to find only the best and most relevant items to include here.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-40684 - A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
  • XorStringsNET - Easy XOR string encryption for NET based binaries.
  • akamai-security-research - This repository includes code and IoCs that are the product of research done in Akamai's various security research teams. Includes a fresh Windows Workstation Service Elevation of Privilege Vulnerability.
  • RedEye - is a visual analytic tool supporting Red & Blue Team operations from CISA.
  • CVE-2022-41852 - Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept.
  • WAMBam - Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post.
  • RustHound - Active Directory data collector for BloodHound written in Rust. 🦀
  • PsyloDbg is a very simple Windows debugger that currently only monitors for debug events.
  • Add SCCM NTLM Relay Attack #1425. This is a little known but very cool attack I expect to work for decades to come.
  • AtomPePacker - A Highly capable Pe Packer.
  • Janus is a pre-build event that performs string obfuscation during compile time. This project is based off the CIA's Marble Framework.
  • ProvisionAppx. Some fun lateral movement?!
  • ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Oh my Git! An open source game about learning Git!. A resource for new (or even old) team members to help learn git.
  • ElectricEye - Continuously monitor your AWS attack surface and evaluate services for configurations that can lead to degradation of confidentiality, integrity or availability. All results can be exported to Security Hub, JSON, CSV, Databases, and more for further aggregation and analysis.
  • wiresocks A sock, with a wire, so you can tunnel all you desire. This is a great solution that may be even better than proxycap et al.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-10

By: Erik
11 October 2022 at 03:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-03 to 2022-10-10.

News

Techniques and Write-ups

Tools and Exploits

  • VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
  • ObfLoader - MAC, IPv4, and UUID shellcode loaders and obfuscators that obfuscate the shellcode and use some native APIs to convert it back to its binary format and load it.
  • aftermath is a free macOS IR framework from Jamf.
  • GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
  • GitFive - 🐙 Track down GitHub users.
  • eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
  • Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
  • Added simple command to test CVE_2022_33679. Now you can run 'askrc4' and exploit CVE-2022-33679 (the KDC allows an interposing attacker to downgrade to RC4-MD4 encryption, compromising the user's TGT session key and resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this Project Zero post.
  • vba2clr - Running .NET from VBA.
  • LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
  • palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks).
  • ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
  • RITM - Roast in the Middle.
  • dissect - This project is a meta package, it will install all other Dissect modules with the right combination of versions.
  • SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
  • NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
  • MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
  • HavocNotion - A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AoratosWin - A tool that removes traces of executed applications on Windows OS.
  • wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-03

By: Erik
4 October 2022 at 03:52

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-26 to 2022-10-03.

News

Techniques and Write-ups

Tools and Exploits

  • Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
  • Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
  • ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
  • constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
  • VirusTotalC2 Abusing VirusTotal API to host our C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
  • AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
  • Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
  • ChTimeStamp - Changes the creation time and the last-written time of a dropped file to the timestamp of another file, such as the "kernel32.dll" timestamp.
  • ADSrunner - Writes a collected UUID byte array "*" to the Alternate Data Stream of the current binary; the ADS Runner then reads the data, transfers it into a char table of UUID shellcode, and runs it.
  • FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
  • DumpThatLSASS - Dumps LSASS by unhooking MiniDumpWriteDump using a fresh copy of DbgHelp.dll from disk, plus function and string obfuscation. It contains an anti-sandbox check; if you run it under an underperforming virtual machine you need to uncomment the code related to it and recompile.
  • airstrike is a basic stage 0 implant.
  • KnownDllUnhook - Replaces the .text section of the currently loaded modules with copies from KnownDlls to bypass EDRs.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
  • lemmeknow. The fastest way to identify anything!
  • jot - Rapid note management for the terminal.
  • SnaffPoint - A tool for pointesters to find candies in SharePoint.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-26

By: Erik
27 September 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-19 to 2022-09-26.

News

Techniques and Write-ups

Tools and Exploits

  • AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
  • SandboxSpy. Code for profiling sandboxes - initially an idea to profile sandboxes, the code is written to take environmental variables and send them back in a Base32 string over HTTP to an endpoint.
  • githubC2 - Abusing the GitHub API to host our C2 traffic, useful for bypassing blocking firewall rules if GitHub is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
  • monomorph- MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
  • FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
  • mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
  • GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
  • BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.
  • CVE-2022-2588 This Linux LPE affects 3.17 to 5.19 (Ubuntu 17-22).
  • Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
  • spycast A crossplatform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • bbot - OSINT automation for hackers.
  • NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support for TCP, SSL, UDP, HTTP, HTTPS, and WebSocket protocols and a solution to the 10K connections problem.
  • A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-19

By: Erik
20 September 2022 at 03:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-05 to 2022-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current user context! If anyone has this as a BOF, DM me!
  • ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
  • CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for the Enlightenment window manager (Tizen based TVs and... that's it?).
  • MasqueradingPEB - Masquerade any legitimate Windows binary by changing some fields in the PEB structure.
  • CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
  • ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
  • Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
  • DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
  • Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-12

By: Erik
12 September 2022 at 23:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-06 to 2022-09-12.

News

Techniques and Write-ups

Tools and Exploits

  • Athena v0.2. A big update to an up and coming Mythic C2 agent.
  • pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfBlockerNG pages from WAN. Patched in 2022-06, it's still a bad vulnerability. PoC here.
  • QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
  • Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
  • Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
  • Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement, and threat hunting.
  • cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
  • CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
  • TangledWinExec - This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
  • chameleon provides better content discovery by using Wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technology.
  • autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
  • evilgophish - evilginx2 + gophish.
  • rust_syscalls Single stub direct and indirect syscalling with runtime SSN resolving for windows.
  • HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
  • TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
  • buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
  • wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
  • Ekko_CFG_Bypass A PoC for adding NtContinue to the CFG allowed list in order to make Ekko work in a CFG protected process.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-06

By: Erik
7 September 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-08-29 to 2022-09-06.

News

Techniques and Write-ups

Tools and Exploits

  • SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
  • EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
  • PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
  • MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
  • NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
  • CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
  • Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
  • reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
  • Headway Self-hostable maps stack, powered by OpenStreetMap.
  • Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
  • The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-08-30

By: Erik
31 August 2022 at 02:21

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-25 to 2022-08-30.

News

Techniques and Write-ups

Tools and Exploits

  • TamperingSyscalls is a 2 part novel project consisting of argument spoofing and syscall retrieval which both abuse EH in order to subvert EDRs. This project consists of both of these projects in order to provide an alternative solution to direct syscalls.
  • EntropyFix is a tool with no ascii art that reduces the entropy of your payload.
  • BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
  • AceLdr Cobalt Strike UDRL for memory scanner evasion. [This is the best UDRL yet.]
  • Hijack Libs - The database contains 341 Sideloading, 88 Environment Variable, 8 Phantom and 5 Search Order entries.
  • Burp2Malleable Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles.
  • ExportDumper A small tool to dump the export table of PE files. The primary use case was intended for use within DLL proxying.
  • WFH - Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
  • jscythe - Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
  • DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.
  • SilentHound - Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
  • jwt-reauth is a Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-25

By: Erik
26 July 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-18 to 2022-07-25.

News

Techniques and Write-ups

Tools and Exploits

  • DiagTrackEoP - another way to abuse SeImpersonate privilege.
  • terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
  • IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
  • RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
  • AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
  • Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
  • CVE-2022-34918-LPE-PoC - This exploit was written for the Ubuntu Linux kernel 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ropr - A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
  • RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-18

By: Erik
19 July 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-05 to 2022-07-18.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
  • cervantes is an open-source collaborative platform for pentesters or red teams who want to save time managing their projects, clients, vulnerabilities and reports in one place.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-07-05

By: Erik
5 July 2022 at 21:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-27 to 2022-07-05.

News

Techniques and Write-ups

Tools and Exploits

  • PINKPANTHER Windows x64 handcrafted token stealing kernel-mode shellcode. Be sure to check out the caveats.
  • the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
  • CVE-2019-7040 + CVE-2021-21042. PoCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awsEnum - Enumerate AWS cloud resources based on provided credentials.
  • nali - An offline tool for querying IP geographic information and CDN provider.
  • maldev-for-dummies - A workshop about Malware Development.
  • ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-27

By: Erik
28 June 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-20 to 2022-06-27.

News

Techniques and Write-ups

Tools and Exploits

  • Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
  • FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
  • awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
  • kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
  • Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
  • Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
  • callback_injection-Csharp - C# implementations of undocumented (or only published in other languages) ways to achieve shellcode injection via Windows callback functions.
  • tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
  • dismember - 🔪 Scan memory for secrets and more (Linux).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
  • HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-20

By: Erik
21 June 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-14 to 2022-06-20.

News

Techniques and Write-ups

Tools and Exploits

  • DFSCoerce - PoC for MS-DFSNM coerced authentication using the NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disabled and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
  • CVE-2022-26937 - Windows Network File System crash PoC.
  • hunter-1 is a (l)user hunter using WinAPI calls only.
  • cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
  • Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
  • NlsCodeInjectionThroughRegistry - DLL injection through code page ID modification in the registry. Based on Jonas Lykkegaard's research.
  • Using macros and constexpr to make API hashing a bit more friendly.
  • antnium - A C2 framework and RAT written in Go. Slides about the development process here.
  • aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
  • SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
  • OfficeIMO Fast and easy to use cross-platform .NET library that creates or modifies Microsoft Word and later also Excel files without installing any software. This could be useful to automate phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
  • Sealighter - Sysmon-Like research tool for ETW.
  • npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
  • snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
  • NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-14

By: Erik
15 June 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-06 to 2022-06-14.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
  • CVE-2022-30075 - TP-Link Archer AX50 authenticated RCE.
  • apk-instrumentation Some tools to rewrite code of release APK packages.
  • dot The Deepfake Offensive Toolkit.
  • VX-API Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
  • Dogwalk-rce-poc 🐾 Dogwalk PoC (using a diagcab file to obtain RCE on Windows).
  • sourcegraph-scripts Scripts for Sourcegraph search results. Useful for static analysis.
  • kcthijacklib - A Small Library For a Cleaner Execution.
  • collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
  • FirmLoader is an IDA plugin that automatically identifies memory regions in firmware images extracted from microcontrollers.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • np - A tool to parse, deduplicate, and query multiple port scans.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-06-06

By: Erik
7 June 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-30 to 2022-06-06.

News

Techniques and Write-ups

Tools and Exploits

  • COM-Hunter - COM Hijacking voodoo.
  • VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
  • Nidhogg is an all-in-one, simple to use rootkit for red teams.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-31

By: Erik
1 June 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-31.

News

  • Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina aka CVE-2022-30190 is an RCE vector that uses the Microsoft Support Diagnostic Tool via a URL handler in a Word document (no macro) to execute code. There is more analysis here as well as official guidance. follina.py is the PoC.
  • Welcome to the next generation of ngrok. The popular tunneling utility used to expose local ports to the public internet released version 3 with some cool new features. OAuth and OpenID support with a few command line switches make authentication easy. Ngrok has been used to host short lived phishing pages by threat actors in the past.
  • Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If anyone witnessed the Symantec acquisition by Broadcom, this is scary if you use any VMware products (vCenter, Carbon Black, etc). For what it's worth I've been using Proxmox at home and in production for a while and it's pretty great.
  • How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." By deploying malicious packages that actively harvested sensitive environment variables, this crosses the line and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
  • FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used its 2FA phone numbers for advertising and got caught. I suppose when you lose 221 million USD a year you get desperate and every piece of data is up for sale.
  • Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1 will be released 2022-05-31.

Techniques and Write-ups

Tools and Exploits

  • DeepSleep is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC.
  • VLANPWN is a VLAN attack toolkit (double tagging and DTP hijacking).
  • mempeek is a command line tool that resembles a debugger as well as Cheat Engine, to search for values in memory.
  • KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after entry point was executed.
  • freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
  • Shelltropy - A technique of hiding malicious shellcode via Shannon encoding.
  • MachoBins is designed to provide information on Mac lolbins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
  • NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
  • CdpSvcLPE - Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking).
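Shelltropy above and EntropyFix (listed in an earlier post on this page) both target the same detection signal: memory and file scanners flag regions whose Shannon entropy approaches 8 bits/byte, which is what encrypted or packed payloads look like. The following is an added example written for this page, not code from either project. It computes that metric and applies the simplest entropy-reducing transform, spreading every byte over two symbols drawn from a 16-letter alphabet so the encoded payload cannot exceed 4 bits/byte; the 4 KiB PRNG blob is constructed stand-in data for an encrypted payload.

```python
import math
import random
from collections import Counter

# Constructed stand-in for an encrypted/packed payload: 4 KiB of PRNG bytes
# from a fixed seed, so the numbers are reproducible from run to run.
_rng = random.Random(1337)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the metric scanners threshold on."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encode_low_entropy(data: bytes) -> bytes:
    """Spread each byte over two ASCII letters ('a'..'p'), one per nibble.

    Only 16 distinct symbols can appear in the output, so its entropy is capped
    at log2(16) = 4 bits/byte no matter how random the input is. The cost is a
    2x size increase, and the loader must decode before the payload is usable:
    the plaintext still exists in memory once it is decoded.
    """
    out = bytearray()
    for b in data:
        out.append(ord("a") + (b >> 4))
        out.append(ord("a") + (b & 0x0F))
    return bytes(out)


def decode_low_entropy(encoded: bytes) -> bytes:
    """Inverse of encode_low_entropy()."""
    if len(encoded) % 2:
        raise ValueError("encoded data must have even length")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        out.append(((hi - ord("a")) << 4) | (lo - ord("a")))
    return bytes(out)


def entropy_report(data: bytes) -> dict:
    """Before/after numbers for one payload, rounded for display."""
    enc = encode_low_entropy(data)
    return {
        "raw_bits_per_byte": round(shannon_entropy(data), 3),
        "encoded_bits_per_byte": round(shannon_entropy(enc), 3),
        "size_ratio": len(enc) / len(data) if data else 0.0,
    }


if __name__ == "__main__":
    print(entropy_report(SAMPLE_PAYLOAD))
```

The raw blob scores just under 8 bits/byte; the encoded form scores 4.0 (the theoretical cap for 16 symbols) at twice the size. Any fixed symbol set works the same way, which is why entropy alone is a weak signal and scanners pair it with other heuristics.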

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BofRoast - Beacon Object Files for roasting Active Directory.
  • BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-23

By: Erik
24 May 2022 at 02:35

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-16 to 2022-05-23.

News

Techniques and Write-ups

Tools and Exploits

  • ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
  • Mortar Loader v2. Lots of improvements to this loader in version 2.
  • SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
  • DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
  • bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BinAbsInspector - Vulnerability Scanner for Binaries.
  • Labtainers - Docker-based cyber lab framework.
  • privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(s) traffic.
  • Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
  • Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-16

By: Erik
17 May 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous 2 weeks. This post covers 2022-05-02 to 2022-05-16.

News

Techniques and Write-ups

Tools and Exploits

  • ELFLoader. Be sure to read the blog post.
  • hakoriginfinder is a tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
  • SpoolTrigger - Weaponizing privileged file write bugs with Windows Problem Reporting.
  • XLL_Phishing - XLL phishing tradecraft.
  • mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic.
  • uru is a payload generation tool that enables you to create payloads based on a configuration file.
  • pyldapsearch - Tool for issuing manual LDAP queries which offers bofhound compatible output.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-05-02

By: Erik
3 May 2022 at 03:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.

News

Techniques and Write-ups

Tools and Exploits

  • BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
  • minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
  • CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
  • Dylib_Runner is Swift code to run a dylib on disk.
  • okta-sprayer is a Python3 Script to perform a password spray against an okta instance.
  • nimc2 is a c2 fully written in nim.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • pyscript. Python directly in HTML (via a WASM shim).
  • O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
  • ecapture can capture SSL/TLS text content without CA cert using eBPF.
  • howdy is Windows Hello™ style facial authentication for Linux.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-25

By: Erik
26 April 2022 at 16:00

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelayUp is a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
  • memray is a memory profiler for Python. Not specifically security related, but very cool.
  • Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
  • C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know it's going to be good.
  • cdnstrip is a tool for striping CDN IPs from a list of IP Addresses.
  • elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
  • HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
  • KDStab is a BOF combination of KillDefender and Backstab.
  • ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-18

By: Erik
19 April 2022 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-11 to 2022-04-18.

News

Techniques and Write-ups

Tools and Exploits

  • frostbyte is a POC project that combines different defense evasion techniques to build better redteam payloads.
  • msprobe is a tool for finding all things on-prem Microsoft products for password spraying and enumeration.
  • spooler-splenumforms-iov is a PoC for a memory corruption vulnerability in the Windows spooler service that was patched on the most recent Microsoft Patch Tuesday, 2022-04-12.
  • SharpWnfScan dumps Windows Notification Facility subscription information from process.
  • stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • cdn-proxy is a tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
  • ADInspect is a PowerShell script that automates the security assessment of Microsoft Active Directory environments.
  • maat is an open-source symbolic execution framework. Bonus, the project's site uses m.css like this blog!
  • wpgarlic is a proof-of-concept WordPress plugin fuzzer.
  • ShadowClone - Unleash the power of cloud. Distribute your long running tasks dynamically across thousands of serverless functions and gives you the results within seconds where it would have taken hours to complete.
  • SSOh-No is a tool for user enumeration and password spraying tool for testing Azure AD.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-11

By: Erik
12 April 2022 at 03:54

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-04 to 2022-04-11.

News

Techniques and Write-ups

Tools and Exploits

  • ARCInject can overwrite a process's recovery callback and execute with WER.
  • Jeeves looks for time-based blind SQL injection during recon.
  • bore is a simple CLI tool for making tunnels to localhost.
  • ransomware-simulator is a ransomware simulator written in Golang.
  • SwiftInMemoryLoading is a Swift implementation of in-memory Mach-O loading on macOS. Blog post soon?
  • inflate.py artificially inflates a given binary to exceed common EDR file size limits. Can be used to bypass common EDRs.
  • com_inject performs process injection via Component Object Model (COM) IRundown::DoCallback(). Blog post here.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • WeakestLink is a browser extension that extracts users from LinkedIn company pages.
  • uncover quickly discovers exposed hosts on the internet using multiple search engines.
  • sub3suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping that supports both manual and automated analysis on variety of target types with many available features & tools.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-04-04

By: Erik
5 April 2022 at 03:08

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-28 to 2022-04-04.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing PoshC2 v8.0. BOF compatibility, and a very slick Linux loader make version 8 worth checking out.
  • CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the linux kernel. More details here.
  • Smug_Fu3k is a HTML smuggling generator.
  • Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
  • DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
  • boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
  • nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
  • Dump-Chrome-Cookies a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
  • Rip Raw is a small tool to analyze the memory of compromised Linux systems.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-03-28

By: Erik
29 March 2022 at 03:35

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.

News

Techniques and Write-ups

Tools and Exploits

  • tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
  • DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  • OffensivePascal is a Pascal offsec repo for malware dev and red teaming 🚩.
  • CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
  • YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
  • ctfd-parser is a python script to dump all the challenges locally of a CTFd-based Capture the Flag.
  • wireproxy is a Wireguard client that exposes itself as a socks5 proxy.
  • TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
  • DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
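DelegationBOF above checks four delegation configurations over LDAP. As an added example (not the BOF's code), here is the same classification in Python over constructed LDAP entries, together with the LDAP filters a BOF or pyldapsearch query would send for each check; the account names, SPNs and the truncated security descriptor bytes are made up. The userAccountControl bit values and the bitwise-AND matching rule OID are the documented ones.

```python
"""Classify Kerberos delegation settings from LDAP attributes (constructed sample data)."""

# userAccountControl flag bits (MS-ADTS / Microsoft documentation)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of DC computer accounts

# LDAP_MATCHING_RULE_BIT_AND lets a filter test individual UAC bits server-side.
BIT_AND = "1.2.840.113556.1.4.803"

# Filters equivalent to classify_delegation(); DCs are excluded from the
# unconstrained check because they are trusted for delegation by design.
LDAP_FILTERS = {
    "unconstrained": (
        f"(&(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION})"
        f"(!(primaryGroupID={DOMAIN_CONTROLLERS_RID})))"
    ),
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "protocol_transition": f"(userAccountControl:{BIT_AND}:={TRUSTED_TO_AUTH_FOR_DELEGATION})",
    "rbcd_target": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}

# Constructed entries shaped like the attributes an LDAP search would return.
# 0x2000 = SERVER_TRUST_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT,
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated SD, constructed
    {"sAMAccountName": "WS-1234$", "userAccountControl": 0x1000, "primaryGroupID": 515},
]


def classify_delegation(entry: dict) -> list[str]:
    """Return the delegation findings for one entry, in a fixed order."""
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    if uac & TRUSTED_FOR_DELEGATION and int(entry.get("primaryGroupID", 0)) != DOMAIN_CONTROLLERS_RID:
        findings.append("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol_transition")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # Someone is allowed to delegate *to* this account (inbound RBCD); the SD
        # must be parsed to learn who, which is out of scope here.
        findings.append("rbcd_target")
    return findings


def report(entries: list[dict]) -> dict[str, list[str]]:
    """Map sAMAccountName -> findings, omitting accounts with nothing abusable."""
    out = {}
    for e in entries:
        found = classify_delegation(e)
        if found:
            out[e["sAMAccountName"]] = found
    return out


if __name__ == "__main__":
    for name, found in report(SAMPLE_ENTRIES).items():
        print(f"{name:10} {', '.join(found)}")
```

The order of checks matters for triage: an unconstrained host is a domain-wide problem on its own, constrained delegation is only as dangerous as the SPNs it lists, and protocol transition on top of it removes the need for a victim to authenticate at all.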

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cronos-Rootkit is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
  • reverse_ssh is a cross platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc).
  • ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
  • OffensiveNotion uses Notion as a platform for offensive operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

โŒ
โŒ