โŒ

Reading view

There are new articles available, click to refresh the page.

Last Week in Security (LWiS) - 2023-05-22

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-05-09 to 2023-05-22.

News

Techniques and Write-ups

Tools and Exploits

  • CypherDog - PoSh BloodHound Dog Whisperer.
  • buzzer is a fuzzer toolchain that allows to write eBPF fuzzing strategies.
  • keepass-password-dumper - Original PoC for CVE-2023-32784 (keepass master password disclosure).
  • PPLFaultDumpBOF - Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting cobalt strike.
  • PPEnum - Simple BOF to read the protection level of a process.
  • ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer.
  • Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities.
  • chromecookiestealer - Steal/Inject Chrome cookies over the DevTools (--remote-debugging-port) protocol.
  • GoBelt - Golang programmatically invoking the SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • avred - Analyse your malware to chirurgicaly obfuscate it.
  • smbcrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares.
  • Goshawk is a static analyze tool to detect memory corruption bugs in C source codes. It utilizes NLP to infer custom memory management functions and uses data flow analysis to abstract their behaviors and then adopts these summaries to enhance bug detection.
  • dumpulator - An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
  • EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances. It works by sending commands to EC2 instances using ssm:SendCommand and then retrieves the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-05-09

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-05-01 to 2023-05-09.

News

Techniques and Write-ups

Tools and Exploits

  • sccmhunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM related assets.
  • exec2shell - Extracts TEXT section of a PE, ELF, or Mach-O executable to shellcode.
  • chophound - Some scripts to support with importing large datasets into BloodHound.
  • HASH - HASH (HTTP Agnostic Software Honeypot).
  • cloudtoolkit - Cloud Penetration Testing Toolkit.
  • CVE-2023-0386 - Privilege escalation exploit for Ubuntu 22.04.
  • PECheck - A tool to verify and create PE Checksums for Portable Executable (PE) files.
  • CustomEntryPoint - Select any exported function in a dll as the new dll's entry point.
  • resocks - mTLS-Encrypted Back-Connect SOCKS5 Proxy.
  • stealthscraper - A social media scraper that attempts to be stealthy by simulating a user using gui automation.
  • Freeze.rs - Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-05-01

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-04-17 to 2023-05-01.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing BloodHound 4.3 โ€” Get Global Admin More Often. More Azure and MS Graph features!
  • ScareCrow. Not a new tool but a big update to the payload creation framework for v5.0.
  • nanodump - Not new, but the recent updates allows for PPL dumping!
  • DCVC2 - A Golang Discord C2 unlike any other. DCVC2 uses RTP packets over a voice channel to transmit all data leaving no operational traces in text chats.
  • maskcat - Utility tool for Hashcat Masks and Password Cracking.
  • mac-monitor - Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • highlight - highlight.io: The open source, full-stack monitoring platform. Error monitoring, session replay, logging and more. I haven't seen a self-hostable web session recording system before highlight.
  • KeePwn - A python tool to automate KeePass discovery and secret extraction.
  • Maintaining this site fucking sucks. This guy needs my blog CI/CD pipeline. When I finish a blog post it's one command to publish it and set up the env for next week. Maybe, just maybe, you don't need all that javascript (hint: there isn't a single line of functional javascript on this site).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-04-17

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-04-10 to 2023-04-17.

News

Techniques and Write-ups

Tools and Exploits

  • PatchlessCLRLoader - .NET assembly loader with patchless AMSI and ETW bypass. Also comes in BOF form: PatchlessInlineExecute-Assembly.
  • KillerVuln2 - Files for PoC of vulnerability in Intel Killer Performance Suite
  • PowerShell-Obfuscation-Bible - A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
  • 2D-Injector - Hiding unsigned DLL inside a signed DLL.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • scriptkiddi3 - Streamline your recon and vulnerability detection process with SCRIPTKIDDI3, A recon and initial vulnerability detection tool built using shell script and open source tools.
  • BackupOperatorToolkit - contains different techniques allowing you to escalate from Backup Operator to Domain Admin
  • homebox - Homebox is the inventory and organization system built for the Home User.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-04-10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-03-20 to 2023-04-10.

News

Techniques and Write-ups

Tools and Exploits

  • Tool Release - shouganaiyo-loader: A Tool to Force JVM Attaches. Inject your own Java code into processes that have disabled the agent attach API.
  • PoC for CVE-2023-28206 - exploit for an out-of-bounds write in the IOSurfaceAccelerator, allowing a malicious actor to execute arbitrary code with kernel privileges on macOS/iOS by utilizing a specially crafted application. Note this is just a kernel panic PoC.
  • EPScalate - Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.
  • OffensiveCpp - This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
  • Implant execution via PrintBrm.exe - use PrintBrm to extract & execute an implant from an ISO.
  • EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists.
  • PhoenixC2 - Command & Control-Framework created for collaboration in python3. This looks very alpha.
  • HardHatC2 - A C# Command & Control framework. Another alpha C2, but this one has a lot of features in the agent already.
  • dir2json - Tool for efficient directory enumeration. Read the blog post.
  • DPAPISnoop - A C# tool to output crackable DPAPI hashes from user MasterKeys.
  • GodPotato - ImpersonatePrivilege == SYSTEM. At this point I think its just a feature of Windows.
  • Chaos-Rootkit - x64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities.
  • rogue - A barebones template of 'rogue' aka a simple recon and agent deployment I built to communicate over ICMP. Well, without the ICMP code.
  • wmiexec-Pro - Lateral movement with WMI using only port 135.
  • inline-syscall - Inline syscalls made for MSVC supporting x64 and x86.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • serge - A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy to use API.
  • Game Hacks: Among Us - IL2CPP Walkthrough. The same techniques can be used to locate sensitive data and craft exploits in more serious applications.
  • espanso - Cross-platform Text Expander written in Rust.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-03-20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-03-07 to 2023-03-20.

News

Techniques and Write-ups

Tools and Exploits

  • MacOSThreatTrack - Bash tool used for proactive detection of malicious activity on macOS systems.
  • Updates to C2-Tool-Collection - Psm: BOF to show detailed information on a specific process ID; ReconAD: BOF that uses ADSI to query Active Directory (AD and GC) objects and attributes.
  • Azure-App-Tools - Collection of tools to use with Azure Applications. Just updated with an IPFS dropper.
  • ekko-rs - Rusty Ekko - Sleep Obfuscation in Rust.
  • PSBits - Windows 10 offline admin creation? ๐Ÿ˜ˆ Why not?! Everything happens through built-in offlinelsa and offlinesam DLLs. Official, but not very documented.
  • Elevate-System-Trusted-BOF - This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API.
  • Black-Angel-Rootkit - Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
  • bootdoor - An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ScrapPY is a Python utility for scraping manuals, documents, and other sensitive PDFs to generate wordlists that can be utilized by offensive security tools to perform brute force, forced browsing, and dictionary attacks against targets. The tool dives deep to discover keywords and phrases leading to potential passwords or hidden directories.
  • Demystifying Security Research - Part 1. This resonated with me, with a heavy emphasis on blog posts and tweets.
  • UPnProxyChain - A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-03-07

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past 2 weeks. This post covers 2023-02-20 to 2023-03-07.

News

Techniques and Write-ups

Tools and Exploits

  • MemFiles - A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk.
  • Amsi-Killer - a "lifetime AMSI bypass."
  • Thunderstorm - Modular framework to exploit UPS devices. Only 2 exploits for now.
  • msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
  • lolbin-poc - Small PoC of using a Microsoft signed executable as a lolbin.
  • Kraken - a modular multi-language webshell coded by @secu_x11.
  • DroppedConnection - Emulates a Cisco ASA Anyconnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user.
  • Timeroast - Scripts that execute timeroasting and trustroasting attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
  • AtomLdr - A DLL loader with advanced evasive features.
  • bootlicker - A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Locksmith. A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services. Quick wins for Sysadmins!
  • APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
  • Coercer. A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods. #onetorullethemall
  • curl-impersonate - A special build of curl that can impersonate Chrome & Firefox.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-02-21

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-13 to 2023-02-21.

News

  • New legal framework for reporting IT vulnerabilities. Belgium's CSIRT can give researchers legal protection granted they meet some conditions when reporting (ethics stuff like acting without intent to harm, no public disclosure without consent, etc). To see this codified in law is awesome. Hack the planet!
  • ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published. HFS+ file parsing could lead to remote code execution. As ClamAV is used in many mail gateways, the potential to get code execution by emailing an HFS+ file is exiting/terrifying.
  • telnet-client. The Google Chrome team put a telnet client into Chrome. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
  • [Twitter] Activision was breached December 4th, 2022.. How'd they do it? SMS phishing, and you can see the screenshots in the tweet. All it takes is one, however, the attackers appear to have their access from a different location (i.e. no code running on the user's system). Would your systems catch this (impossible travel, etc)?
  • GoDaddy says a multi-year breach hijacked customer websites and accounts. Ever since GoDaddy bought and then tried to resell me a domain I searched for on their site in 2012 I have sworn to never touch them. Intuition was right on.

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-44666 - Write-up for another forgotten Windows vulnerability (0day): Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape, which was not fully fixed as CVE-2022-44666 in the patches released on December, 2022.
  • ntqueueapcthreadex-ntdll-gadget-injection - This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
  • Split - Apply a divide and conquer approach to bypass EDRs.
  • COFF_With_Exception_handler.c. Make your BOFs safer.
  • LsaParser - A shitty (and old) lsass parser. [authors original description]
  • NimPlant - A light-weight first-stage C2 implant written in Nim.
  • ThreadlessInject-BOF - BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
  • graphcat - Generate graphs and charts based on password cracking result.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-02-13

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-06 to 2023-02-13.

News

Techniques and Write-ups

Tools and Exploits

  • TeamFiltration V3.5.0 - Improve All the Things!. Lots of new features and improvements to this cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts.
  • ThreadlessInject - Threadless Process Injection using remote function hooking.
  • LPE via StorSvc - Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL Hijacking).
  • FilelessPELoader - Loading Remote AES Encrypted PE in memory, decrypt and run it.
  • D1rkSleep - Improved version of EKKO by @5pider that Encrypts only Image Sections.
  • HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
  • firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.
  • UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
  • OperatorsKit - Collection of Beacon Object Files (BOF) for Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • wildebeest is an ActivityPub and Mastodon-compatible server.
  • grepmarx - A source code static analysis platform for AppSec enthusiasts.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-02-06

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-30 to 2023-02-06.

News

  • Taking the next step: OSS-Fuzz in 2023. Increased bounties for integrating projects into OSS-Fuzz. Nice!
  • Dutch Police Read Messages of Encrypted Messenger 'Exclu'. If you messenger is not open source and the server is not self-hosted, someone could be reading your messages. Yes, this includes Signal (what is actually running on the servers?).
  • CVE-2023-0045. Speculative execution bugs are going to be with us for a while. "The current implementation of the prctl syscall for speculative control fails to protect the user against attackers executing before the mitigation. The seccomp mitigation also fails in this scenario."
  • An important next step on our AI journey. Google's response to ChatGPT is... a blog post and no working product? Meanwhile, I'm out here having GPT-3 write my commit messages.
  • Checksum mismatches on .tar.gz files. GitHub temporarily broke a lot of deployments after changing the default compression algorithm for releases. The change has been reverted, but showed how fragile the some software release ecosystems are and how reliant they are on a single third party.

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • FirmAE - Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis.
  • wa-tunnel -Tunneling Internet traffic over Whatsapp.
  • RToolZ - A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-01-30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-23 to 2023-01-30.

News

Techniques and Write-ups

Tools and Exploits

  • gato GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
  • starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
  • azbelt - AAD related enumeration in Nim.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-01-23

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-16 to 2023-01-23.

News

  • how to completely own an airline in 3 easy steps. The US "No fly list" was found on an exposed jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
  • Introducing LogSlash and The End of Traditional Logging. An interesting idea so save the "meaning" of a series of logs without all the raw data. I think large firms will still be saving all the raw data as all their detections are built on it, but I like the idea.
  • HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
  • Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
  • Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
  • Credmaster2. Your favorite credential spraying tool is back with more plugins.
  • pdtm - ProjectDiscovery's Open Source Tool Manager.
  • Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
  • Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
  • git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
  • a.socks.proxy.shellcode is SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
  • SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
  • golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
  • APCLdr - Payload Loader With Evasion Features.
  • CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications โ›ฐ๏ธ
  • sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
  • ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
  • SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here, its section 3: Recommendations that are gold.
  • infisical โ™พ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-01-16

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-09 to 2023-01-16.

News

Techniques and Write-ups

Tools and Exploits

  • secret_handshake - A prototype malware C2 channel using x509 certificates over mTLS.
  • phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.
  • CoffLoader - an implementation of in-house CoffLoader supporting CobaltStrike standard BOF and BSS initialized variables.
  • latma - Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns.
  • gophish - GoPhish automation.
  • CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup. PoC has been pulled for the time being, but as this effects Linux from ~2019 and later, it could be a pretty widespread LPE and potentially some LAN crashes or RCE.
  • LocalPotato is coming soon! - Watch this space.
  • Issue 2361: XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings. Ian Beer drops his "MacDirtyCow" which is already being used in the jailbreaking scene to do non-persistent tweaks.
  • OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. Version 2 just dropped.
  • Open Sourcing Incident Management system. The HARP incident management system, designed to help teams quickly and effectively respond to and resolve any incidents that may occur, specifically in the tech industry, is now open source!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Crassus - Windows privilege escalation discovery tool
  • ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-01-09

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-02 to 2023-01-09.

News

Techniques and Write-ups

Tools and Exploits

  • iCDump. A Modern Objective-C Class Dump. Blog here.
  • UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
  • HellHall is a combination of HellsGate and indirect syscalls.
  • WalkerGate is a method to take syscall with memory parsing of ntdll.
  • zsyscall is an implementation of the Hell's Gate VX technique. The main difference with the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for using syscalls.
  • SOC-Multitool - A free and open source tool to aid in SOC investigations!
  • Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe formats.
  • sub-scout is a simple bash script to automate your inital recon and extend your attack surface using popular tools made by infosec community.
  • MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
  • nuclearpond is a utility leveraging Nuclei to perform internet wide scans for the cost of a cup of coffee.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • A New PyRDP Release: The Rudolph Desktop Protocol!. The gosecure RSS feed was slow on this one?
  • KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
  • NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
  • smudge - Passive OS detection based on SYN packets without Transmitting any Data

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2023-01-02

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-12 to 2023-01-02.

News

Techniques and Write-ups

Tools and Exploits

  • Avoiding Detection with Shellcode Mutator. By randomly adding nops or nop equivalent instructions, ShellcodeMutator can break yara rules that look for specific assembly sequences in shellcode.
  • Dirty-Vanity - A POC for the new injection technique, abusing windows fork API to evade EDRs. See the slides from BlackHat EU here.
  • DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting.
  • CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for Linux kernel upstream stable 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
  • Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
  • CaFeBiBa - COFF parser - a COFF parser for binaries compiled with MSVC.
  • Offensive-Rust - Various offensive techniques in Rust.
  • ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
  • CVE-2022-42046 - CVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation via DKOM.
  • linux_injector - A simple ptrace-less shared library injector for x64 Linux.
  • Venom is a library that meant to perform evasive communication using stolen browser socket.
  • wanderer - An open-source process injection enumeration tool written in C#.
  • Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
  • WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
  • PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-12-12

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-05 to 2022-12-12.

News

  • Apple advances user security with powerful new data protections. This is a great step forward for a company who has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which contain all your iMessages conveniently have not been. Thus, with a simple court order, all your iPhone contents are available to any legally valid request. With this change, everything except Email, Contacts, and Calendar are encrypted on iCloud, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
  • ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
  • Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
  • Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.

Techniques and Write-ups

Tools and Exploits

  • RedditC2 - Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
  • emailGPT - a quick and easy interface to generate emails with ChatGPT.
  • noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
  • CVE-2022-44721 Crowdstrike Falcon Uninstaller.
  • DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
  • WindowSpy is a Cobalt Strike Beacon Object File meant for targetted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, vpn logins etc.
  • Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in interactive mode that saves complex opsec and overhead that usually exists in Azure penetration testing engagements.
  • TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-12-05

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-28 to 2022-12-05.

News

Techniques and Write-ups

Tools and Exploits

  • SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
  • Visual Studio Code: Remote Code Execution. Jypiter notebook links could have led to RCE in vscode when clicked.
  • SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in rust? Try Unwinder.
  • PrintNotifyPotato - Another potato, using PrintNotify COM service for lifting rights.
  • BumbleCrypt - A Bumblebee-inspired Crypter.
  • google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
  • NimDllSideload allows you to easily generate Nim DLLs you can use sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
  • Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Neton is a tool for getting information from Internet connected sandboxes.
  • kubeshark , the API Traffic Viewer for kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-11-28

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-14 to 2022-11-28.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
  • ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-11-14

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-07 to 2022-11-14.

News

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
  • Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resinated with me.
  • GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-11-08

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-31 to 2022-11-08.

News

Techniques and Write-ups

Tools and Exploits

  • Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
  • katana - A next-generation crawling and spidering framework from projectdiscovery.
  • KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
  • CVE-2022-33679 One day based on RC4 is still considered harmfrul.
  • stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
  • CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
  • awsrecon - Tool for reconnaissance of AWS cloud environments.
  • exe_who - Executables on Disk? Bleh ๐Ÿคฎ.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
  • PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
  • Kernelhub ๐ŸŒดKernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
  • grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-31

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-31.

This week I reviewed 368 blog posts and 2213 tweets to find only the best and most relevant items to include here.

News

  • Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
  • Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
  • Check out our new Microcorruption challenges!. Excellent embedded security CTF!
  • Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
  • Apple clarifies security update policy: Only the latest OSes are fully patched. Apple going full opposite of the "still supports 16 bit DOS applications from 1993" stance of Microsoft and only fully patching the latest OS they release. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware than can't be upgrade is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
  • It's here: Dark Mode Process Explorer!

Techniques and Write-ups

Tools and Exploits

  • guac aggregates software security metadata into a high fidelity graph database.
  • Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best looking docs I've seen in a long time.
  • Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
  • TerraLdr - Payload Loader Designed With Advanced Evasion Features.
  • BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
  • Spartacus - DLL Hijacking Discovery Tool.
  • siphon โš—๏ธ Intercept stdin/stdout/stderr for any process.
  • SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • caOptics - Azure AD Conditional Access gap analyzer
  • Sandman is a NTP based backdoor for red team engagements in hardened networks.
  • potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
  • vhs Your CLI home video recorder ๐Ÿ“ผ

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-24

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-24.

This week I reviewed 372 blog posts and 2144 tweets to find only the best and most relevant items to include here.

News

Techniques and Write-ups

Tools and Exploits

  • Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
  • cypherhound - Python3 terminal application that contains 200+ Neo4j cyphers for BloodHound data sets
  • ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
  • SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  • PatchThatAMSI - This repo contains 6 AMSI patches, both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just set ZF to 1.
  • ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
  • Bitmancer - Nim Library for Offensive Security Development.
  • GetFGPP - Get Fine Grained Password Policy.
  • syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
  • webpty - A secure webshell. Built for legitimate access, I could see it adopted for red team uses.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • linen.dev - Google-searchable Slack alternative for Communities.
  • usbsas - Tool and framework for securely reading untrusted USB mass storage devices.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-17

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-10 to 2022-10-17.

This week I reviewed 336 blog posts and 2350 tweets to find only the best and most relevant items to include here.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-40684 - A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
  • XorStringsNET - Easy XOR string encryption for NET based binaries.
  • akamai-security-research - This repository includes code and IoCs that are the product of research done in Akamai's various security research teams. Includes a fresh Windows Workstation Service Elevation of Privilege Vulnerability.
  • RedEye - is a visual analytic tool supporting Red & Blue Team operations from CISA.
  • CVE-2022-41852 - Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept.
  • WAMBam - Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post.
  • RustHound - Active Directory data collector for BloodHound written in rust. ๐Ÿฆ€
  • PsyloDbg is a very simple Windows Debugger that currently only monitor for debug events.
  • Add SCCM NTLM Relay Attack #1425. This is a little known but very cool attack I expect to work for decades to come.
  • AtomPePacker - A Highly capable Pe Packer.
  • Janus is a pre-build event that performs string obfuscation during compile time. This project is based off the CIA's Marble Framework.
  • ProvisionAppx. Some fun lateral movement?!
  • ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Oh my Git! An open source game about learning Git!. A resource for new (or even old) team members to help learn git.
  • ElectricEye - Continuously monitor your AWS attack surface and evaluate services for configurations that can lead to degradation of confidentiality, integrity or availability. All results can be exported to Security Hub, JSON, CSV, Databases, and more for further aggregation and analysis.
  • wiresocks A sock, with a wire, so you can tunnel all you desire. This is a great solution that may be even better than proxycap et al.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-03 to 2022-10-10.

News

Techniques and Write-ups

Tools and Exploits

  • VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
  • ObfLoader - MAC, IPv4, UUID shellcode Loaders and Obfuscators to obfuscate the shellcode and using some native API to converts it to it binary format and loads it.
  • aftermath is a free macOS IR framework from Jamf.
  • GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
  • GitFive - ๐Ÿ™ Track down GitHub users.
  • eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
  • Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
  • Added simple command to test CVE_2022_33679.. Now you can run 'askrc4' and exploit CVE-2022-33679 (KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this project zero post.
  • vba2clr - Running .NET from VBA.
  • LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
  • palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks),
  • ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
  • RITM - Roast in the Middle.
  • dissect - This project is a meta package, it will install all other Dissect modules with the right combination of versions.
  • SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
  • NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
  • MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
  • HavocNotion - A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AoratosWin - A tool that removes traces of executed applications on Windows OS.
  • wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-10-03

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-26 to 2022-10-03.

News

Techniques and Write-ups

Tools and Exploits

  • Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
  • Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
  • ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
  • constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
  • VirusTotalC2 Abusing VirusTotal API to host our C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
  • AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
  • Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
  • ChTimeStamp - Changing the Creation time and the Last Written time of a dropped file by the timestamp of other one , like the "kernel32.dll" timestamp.
  • ADSrunner - Write a UUIDs bytes array "*" collected to the Alternate Data Stream of the current binary , then the ADS Runner will get the DATA tranfert it into a char table nice UUIDS shellcode and Run it.
  • FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
  • DumpThatLSASS - Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk, plus functions and strings obfuscation, it contains Anti-sandbox, if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile.
  • airstrike is a basic stage 0 implant.
  • KnownDllUnhook - Replace the .txt section of the current loaded modules from KnownDllsto bypass edrs.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
  • lemmeknow. The fastest way to identify anything!
  • jot - Rapid note management for the terminal.
  • SnaffPoint - A tool for pointesters to find candies in SharePoint.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-26

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-19 to 2022-09-26.

News

Techniques and Write-ups

Tools and Exploits

  • AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
  • SandboxSpy. Code for profiling sandboxes - Initially an idea to profile sandboxes, the code is written to take enviromental variables and send them back in a Base32 string over HTTP to an endpoint.
  • githubC2 - Abusing Github API to host our C2 traffic, useful for bypassing blocking firewall rules if github is in the target white list , and in case you don't have C2 infrastructure, now you have a free one.
  • monomorph- MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
  • FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
  • mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
  • GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
  • BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
  • DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
  • CVE-2022-2588 This linux LPE effects 3.17 to 5.19 (Ubuntu 17-22).
  • Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
  • spycast A crossplatform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • bbot - OSINT automation for hackers.
  • NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution.
  • A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-19

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-05 to 2022-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current use context! If anyone has this as a BOF, DM me!
  • ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
  • CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for enlightenment window manager (Tizen based TVs and... thats it?).
  • MasqueradingPEB - Maquerade any legitimate Windows binary by changing some fields in the PEB structure.
  • CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
  • ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
  • Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
  • DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
  • Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-12

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-06 to 2022-09-12.

News

Techniques and Write-ups

Tools and Exploits

  • Athena v0.2. A big update to an up and coming Mythic C2 agent.
  • pfBlockerNG Unauth RCE Vulnerability. This is only vulnerable on the LAN side of the firewall, unless you have some strange WAN rules that allow access to the pfblockerNG pages from WAN. Patched in 2022-06, its still a bad vulnerability. Poc here.
  • QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031). Pre-Auth RCE is the flavor of the week it seems.
  • Tool Release - Monkey365. Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start.
  • Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers. Authenticated and LAN side only it looks like.
  • Sandbox_Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, understanding attack movement and in threat hunting.
  • cobaltstrike-headless - Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client.
  • CVE-2022-27925 - Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
  • TangledWinExec - This repository is for investigation of Windows process execution techniques. Most of PoCs are given a name corresponding to the technique. WmiSpawn is brand new and looks very interesting.
  • chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies.
  • autobloody - Tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. "Automatic" and "Exploit" are two words that when used together cause me great concern.
  • evilgophish - evilginx2 + gophish.
  • rust_syscalls Single stub direct and indirect syscalling with runtime SSN resolving for windows.
  • HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ContainerSSH: Launch containers on demand. ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman, or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.
  • TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.
  • buildg - Interactive debugger for Dockerfile, with support for IDEs (VS Code, Emacs, Neovim, etc.).
  • wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
  • Ekko_CFG_Bypass A PoC for adding NtContinue to CFG allowed list in order to make Ekko work in a CFG protected process

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2022-09-06

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-08-29 to 2022-09-06.

News

Techniques and Write-ups

Tools and Exploits

  • SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
  • EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
  • PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
  • MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
  • NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
  • CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
  • Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
  • reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
  • Headway Self-hostable maps stack, powered by OpenStreetMap.
  • Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
  • The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

โŒ