Last Week in Security (LWiS) - 2020-10-05

Sysmon exploit by @0x00dtm, physical smartcard/kerberos attack tools by @_EthicalChaos_, UACMe update (and Defender bypasses) by @hFireF0X, dynamic instrumentation by @rh0main, a new checksec from @mtarral, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-28 to 2020-10-05.


  • UHS hospitals hit by reported country-wide Ryuk ransomware attack. Two weeks ago was the first possible death related to ransomware. There are at least three being reported due to this. Of note, while many ransomware crews stated they would not target hospitals when the pandemic started, Ryuk remained silent.
  • Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Cybersecurity firms now need to register as money services to legally make ransomware payments, and "payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial."
  • OST Map from Intezer connects threat actors with the tools they use. This is an interesting resource for adversary emulation purposes. If you enjoy this you may also like the CyberWar Map.
  • Sectigo to Be Acquired by GI Partners. The Root CA shell game continues (Sectigo used to be Comodo). This will trigger another round of compliance checks.
  • Escaping strings in Bash using !:q. A quick tip for bash users.
  • Code scanning is now available!. GitHub code scanning attempts to find vulnerabilities in your code via static analysis before it gets deployed. They are using the acquisition of Semmle to push CodeQL even further. This proactive approach is a good thing for security.


Tools and Exploits

  • SIEGMA aims to automate the creation of SIEM rule consumables by leveraging a pre-defined set of configurations/mappings and by utilizing the sigma rule format and engine.
  • DecryptRDCManager is a .NET port of Decrypt-RDCMan.ps1 which was written by Ben Turner and Rich Hicks. This tool will decrypt credentials from Remote Desktop Manager by using the functionality from the RDCMan.DLL.
  • Fork-n-Run. This is great raw C# material for building into your own tools (PPID spoofing, BlockDLLs, argument spoofing, comms via pipes).
  • MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. Be warned, this will attempt 7 authentications, so be sure to use a correct password or possibly get locked out! Blog post here.
  • AggressiveGadgetToJScript is a Cobalt Strike Aggressor script to generate GadgetToJScript payloads. It uses the QueueUserAPC injection method and injects into notepad.exe (you should change this).
  • bitleaker is a complete physical attack tool (bootable USB) that leverages CVE-2018-6622 (BIOS sleep TPM bug) and the new CVE-2020-0526 to enable the mounting of Bitlocker encrypted drives without the user's password which is normally required. If devices are out of your physical control (work from home, travel) this bug/exploit applies to you. Update your systems to the latest BIOS firmware, disable sleep in the BIOS, or use BitLocker with a PIN to mitigate this.
  • GLORP is a command line HTTP intercept proxy. The idea is to provide a CLI based tool for when you wanna-look-at-this-thing-real-quick and not fire up yet another full-fat container/vm/whatever with Burp and so forth. Looking for more GUI? Read on...
  • hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community. Currently in the early stages, this is an interesting project to watch.
  • Raccine is a simple ransomware vaccine that kills the process tree that invokes vssadmin or wmic calls to delete volume shadow copies by registering as a debugger for vssadmin and wmic. This is a neat trick that will likely work against many ransomware variants.
  • elsa is a minimal, fast and secure runtime for Javascript and Typescript written in Go. This could be used to create an embedded scripting environment in your Go malware a la gscript.
  • sploit is a Go package that aids in binary analysis and exploitation. Think of it as the start of a Go version of pwntools.
  • feroxbuster is a fast, simple, recursive content discovery tool written in Rust.
  • CSharp-CmdLineHelper-Parser is a "no frills" 1 class-only, C# .NET command line parser with support for - and / args, switches only, and Name : Values. This will be useful for small C# projects.
  • is a complete checksec tool in python with rich terminal output. It supports PE and ELF files and there is an exe in the Github release.
  • Docker-eyeOS runs iOS (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! It's like having your own local Corellium.
  • A New Tool for Password Spraying Emulation. Spray at scale using GCP/AWS with this new tool from Praetorian. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Vulmap is an online local vulnerability scanner. It's aimed at organizations to do vulnerability scanning across their fleets, but it can also be used for one off checks to see what is available to privesc.
  • grinder is a python framework to automatically discover and enumerate hosts from different back-end systems (Shodan, Censys). Add this to your enumeration pipeline.
  • GHunt is a tool to investigate Google Accounts given only an email.

This post is cross-posted on SIXGEN's blog.