
Last Week in Security (LWiS) - 2025-08-04

AEM RCE (@infosec_au), Intune cert abuse (@_dirkjan), Entra tradecraft (@hotnops), LLMs for R&D (@kyleavery_), File System API research (@Print3M_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-07-28 to 2025-08-04.

News

Techniques and Write-ups

Tools and Exploits

  • ntp-fingerprinter - Script to fingerprint NTP servers.
  • scepreq - SCEP request tool for AD CS and Intune.
  • CobaltStrikeBeaconCppSource - Out-of-the-box CobaltStrike Beacon source code in C++.
  • crush - The glamorous AI coding agent for your favorite terminal 💘.
  • SCCM_SQL_Collector - PoC script to demonstrate collection of SCCM attack paths that can be viewed in BH with OpenGraph.
  • OpenImporter - Middleware utility for enriching and uploading data gathered with arbitrary collectors.
  • MSSQLHound - PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph.
  • TinyRequest - Lightweight HTTP client with modern GUI for Linux.
  • EXEfromCER - PoC that downloads an executable from a public SSL certificate.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • EncroCam - Privacy security camera based on commodity hardware.
  • mkcertWeb - Web-based user interface for mkcert CLI internal CA.
  • labshock - OT Security Lab for ICS networks.
  • AutoRMM - AutoRMM is a collection of scripts and instructions we are organizing, to test delivery mechanisms for RMM and screen sharing tools, along with post exploitation strategies for blue and red teams wanting to more realistically simulate adversary capabilities using these strategies.
  • Universal Paperclips - A shockingly fun text-based "game" based on the Paperclip maximizer thought experiment.
  • Every Reason Why I Hate AI and You Should Too - The praise for Apple is interesting, given that Siri has been an embarrassment for years. "I, too, could score 100% on a multiple-choice exam if you let me Google all the answers." Yes, but could you achieve gold-medal standard at the International Mathematical Olympiad? I don't think so, even with a year to do it and not 8 hours. Like most things, the "truth" (whatever that is) is probably somewhere in the middle of the hype-train conductors and the doomers.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
