Last Week in Security (LWiS) - 2025-08-25
WebClient deep dive (@0xthirteen), 2x RCE chains in Commvault (@chudyPB), how to rob a hotel (@dmcxblue), MSI patch/protocol handler RCE (@johnnyspandex), self-relaying (@_logangoins), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-08-18 to 2025-08-25.
News
- DOM-based Extension Clickjacking: Your Password Manager Data at Risk - As password manager adoption grows, so does the value in finding ways to trick them into giving up credentials. Hardware tokens are the best defense, followed by a password manager and a separate 2nd factor app on your mobile device. Much less convenient, much more secure.
- Meta signs over $10 billion cloud deal with Google, source says - Are Google's in-house AI chips (Tensor Processing Units - TPUs) the shovels of the AI era?
- Intel and Trump Administration Reach Historic Agreement to Accelerate American Technology and Manufacturing Leadership - The $10 billion USD deal is roughly equivalent to the cost to the US government of the General Motors bailout (2009-2013), except there is no (current) global economic crisis and this deal is not to save 100,000+ jobs. Is the only US company with a hope of creating advanced semiconductor manufacturing domestically "too big to fail?"
- Russia orders state-backed MAX messenger app, a WhatsApp rival, pre-installed on phones and tablets - WhatsApp calls are experiencing extreme packet loss in Russia, likely in an effort to push users to MAX.
- Kryptos K4: The Solution Auction - If you are unfamiliar with Kryptos, this documentary is a must watch and the channel for the past 8 years has been exceptional. Now you can be the 2nd person ever to know the solution of Kryptos K4, for the right price that is.
Techniques and Write-ups
- Will WebClient Start - Everyone's favorite service to use in an NTLM relay, but can you start it as a low-privileged user? No is the answer, but the investigation into the WebClient service was very well done. The signature red background of a Ludus lab can be seen in the EFS properties screenshot. 😊
- Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - Speaking of relaying, this is a neat trick to "self-relay" in order to get an authenticated LDAP session with a domain controller. Again, love to see Ludus empowering researchers. 😊
- Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer - Attackers always take a risk when enumerating the permissions of AWS tokens if those actions are logged to CloudTrail, as the simple act of enumeration may trigger a detection. Thus, if there is a way to enumerate permissions without generating any CloudTrail logs, attackers can gain information without notifying defenders. As of July 2025, resource-explorer-2:ListResources now logs to CloudTrail by default.
- Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault - Four CVEs across two pre-auth RCE chains for a Data Protection or Cyber Resilience solution. Ouch.
- How to Rob a Hotel - These end-to-end walkthroughs are rare, and make me yearn for the write-ups of Phineas Fisher.
- Delinea Protocol Handler - MSI Strikes Back - These protocol handler attacks could be an amazing initial access vector if you were confident your target organization uses the software. The patch trick for msiexec is evergreen, stash that away.
- DLL ForwardSideloading - You've gotta love when built-in Windows binaries are susceptible to a form of DLL sideloading. I could see this being used in both droppers and persistence mechanisms to obfuscate the execution trace of a tool.
Tools and Exploits
- ludus_k3s - Role for creating a k3s cluster in Ludus.
- ludus_litterbox_role - A role for deploying LitterBox - a comprehensive malware analysis sandbox - on Windows systems within Ludus lab environments.
- PhrackCTF - Binary Exploitation Phrack CTF Challenge.
- pyghidra-mcp - Python Command-Line Ghidra MCP.
- legba 1.1.0 - A multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷. The 1.1.0 release brings a ton of improvements!
- vCenterHound - Collect infrastructure and permissions data from vCenter and export it as a BloodHound-compatible graph using Custom Nodes/Edges.
- DllShimmer - Weaponize DLL hijacking easily. Backdoor any function in any DLL.
- CreateProcessAsPPL - This is the loader that supports running a program with Protected Process Light (PPL) protection functionality.
- RtlHijack - Alternative Read and Write primitives using Rtl* functions the unintended way.
- DeviceToken - Request device ticket/token using the device's MSA.
- bhopengraph - A python library to create BloodHound OpenGraphs.
- BlockEDRTraffic - Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows Filtering Platform (WFP).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- BruteForceAI - Advanced LLM-powered brute-force tool combining AI intelligence with automated login attacks.
- ATEAM - A Python reconnaissance tool designed to discover Azure services and attribute tenant ownership information based on their responses.
- Hey… quick question, why are anime catgirls blocking my access to the Linux kernel? - In the cat and mouse game of bot defense, Anubis is but a minor annoyance for bot operators.
- facade is an enterprise-security anomaly detection system developed by Google. It is a high-precision deep-learning-based machine learning system used in a number of applications across Google. It is used as a last line of defense against insider threats, as an ACL recommendation system, and as a way to detect account compromise.
- defcon33_silence_kill_edr - A workshop from DEF CON 33 on how to silence and kill EDRs.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.