Last Week in Security (LWiS) - 2020-07-06

A new DLL hijacking finder from @CTXIS, the dangers of window.opener.postMessage by @zoczus, Windows Telemetry LPE by @vm_call, certutil.exe LOLBin replacement from @gal_kristal, a digital sticky note reader from @two06, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-29 to 2020-07-06. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app. If you have a Mac or manage Macs, this is another level of protection for SSH keys, and Macs without a Secure Enclave can use other sources such as a YubiKey.
  • velociraptor is a tool for collecting host-based state information using Velocidex Query Language (VQL) queries. It is a simple-to-deploy, single-binary agent and server for incident response.

This post is cross-posted on SIXGEN's blog.