Last Week in Security (LWiS) - 2021-05-03

Policy change (@github), Marauder's map (@Jean_Maes_1994), Null byte injection in GoAhead (@luker983), in-mem DLL loader (@scythe_io), Firebase fronting (@shantanukhande), Source Engine client RCE (@4lpine), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-04-26 to 2021-05-03.

News

  • A call for feedback on our policies around exploits and malware. The Microsoft-owned GitHub has taken down a few exploits in the past (all against Microsoft products, I believe). While there are lots of hot takes on infosec Twitter about how this is the end of hosting exploits on GitHub, from my reading GitHub is being about as reasonable as a Microsoft-owned company can be at this stage. If we see projects being removed at a higher rate after this, perhaps those hot takes will be warranted. I find it somewhat ironic that git was built as a way to share code peer-to-peer (decentralized) and we as a community have turned to one centralized git host for nearly all our code.
  • The IRS Wants Help Hacking Cryptocurrency Hardware Wallets. I find it interesting that the IRS is looking for a "repeatable, consistent" process to break hardware devices designed to store secrets and launches Operation Hidden Treasure, while there are maybe other issues to focus on.
  • Why Google Should Stop Logging Contact-Tracing Data. After all the cryptographic work to ensure contact-tracing apps would preserve privacy, Google goes and dumps all the temporary identifiers into logs readable by phone manufacturers and other "privileged" apps. Who would have thought that a massive surveillance system on every smartphone would be potentially abused (surprised-pikachu.jpg).

Techniques

Tools and Exploits

  • DripLoader is an evasive shellcode loader for bypassing event-based injection detection; it does not necessarily suppress event collection, but it does use direct syscalls. By using "standard" looking allocations and APIs, along with delays, DripLoader makes it difficult for EDRs to detect malicious activity during loading. It may be worth borrowing some of these techniques for your own custom loader.
  • vaf is a "very advanced fuzzer" written in Nim. While not as full-featured as ffuf, I enjoy seeing more Nim projects.
  • SharpNamedPipePTH is a C# version of the tool that uses Pass-the-Hash for authentication on a local named pipe for user impersonation. There is a blog post explaining the technique (from LWiS 2020-04-19).
  • memory-module-loader is an implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory. The loader exposed by the Windows operating system can only load modules from disk via LoadLibrary or LoadLibraryEx. However, it is entirely possible to load libraries from memory instead. This is one such implementation. This loader supports loading resources as well.
  • MicroBackdoor is a C2 tool for Windows targets with an easily customizable codebase and small footprint. Micro Backdoor consists of a server, client, and dropper. It wasn't designed as a replacement for your favorite post-exploitation tools, but rather as a really minimalistic tool with all of the basic features in less than 5000 lines of code.
  • DoUCMe leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. The primary goal is to avoid the normal detection of new-user-created events (4720). This will hide the user in the Control Panel and the lusrmgr.msc snap-in. It will show up in the group listing, but not as a user.
  • interactsh is an open-source solution for out-of-band data extraction, a tool designed to detect bugs that cause external interactions (blind SQLi, blind CMDi, SSRF, etc.). Interactsh is an alternative to Burp Collaborator with the potential to tie into other tools (e.g. nuclei).
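Since DoUCMe-style accounts are hidden from the usual user views (Control Panel, lusrmgr.msc), a host audit should enumerate workstation-trust accounts in the local SAM explicitly. The following PowerShell is an added example for that check and is not part of DoUCMe or this newsletter; it assumes a Windows host and uses the documented NetUserEnum filter FILTER_WORKSTATION_TRUST_ACCOUNT (0x0010).

```powershell
# Added example (not from DoUCMe): list local accounts flagged as workstation
# trust (computer) accounts, which do not appear in Control Panel or lusrmgr.msc.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserEnum(string server, int level, int filter,
        out IntPtr buf, int prefmaxlen, out int entriesread, out int totalentries,
        ref int resume);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
'@
Add-Type -TypeDefinition $sig

function Get-LocalWorkstationTrustAccount {
    $FILTER_WORKSTATION_TRUST_ACCOUNT = 0x0010   # NetUserEnum filter constant
    $MAX_PREFERRED_LENGTH = -1                   # let the API size the buffer
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # servername $null = the local SAM; level 0 returns USER_INFO_0 (name only)
    $rc = [NetApi]::NetUserEnum($null, 0, $FILTER_WORKSTATION_TRUST_ACCOUNT,
        [ref]$buf, $MAX_PREFERRED_LENGTH, [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { throw "NetUserEnum failed with status $rc" }
    try {
        # USER_INFO_0 is a single LPWSTR, so each entry is one pointer wide
        for ($i = 0; $i -lt $read; $i++) {
            $entry   = [IntPtr]::Add($buf, $i * [IntPtr]::Size)
            $namePtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($entry)
            [Runtime.InteropServices.Marshal]::PtrToStringUni($namePtr)
        }
    } finally {
        [NetApi]::NetApiBufferFree($buf) | Out-Null
    }
}

# On a normal workstation this list is expected to be empty; any entry here
# deserves a look at who created it and when.
Get-LocalWorkstationTrustAccount
```

Running the same enumeration with FILTER_NORMAL_ACCOUNT (0x0002) and comparing the two lists gives a quick view of which principals lusrmgr.msc is not showing you.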

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • paragon is a red team engagement platform with the goal of unifying offensive tools behind a simple UI. This project looks really cool, and does a ton of the heavy lifting that everyone who has thought, "I'll write my own implant/C2" has run into. I'm surprised this hasn't gotten more press (or maybe I've just missed it?).
  • SniperPhish is a phishing platform that has a few more features than the usual favorite, Gophish, like an advanced web page builder to customize credential harvesting. I have yet to find a phishing platform that allows for "inbox management" (i.e. replying to emails via the web interface).

This post is cross-posted on SIXGEN's blog.