Last Week in Security (LWiS) - 2022-01-03

New RE training (@ZeroPeril), macOS Gatekeeper bypass (@ethicalhax + @patrickwardle), remote PS (@dazzyddos), LastPass breach? (@WPalant), Log4j to pwn Unifi (@sprocket_ed), O365 file spoof for phishing (@mrd0x), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-12-20 to 2022-01-03.



Tools and Exploits

  • KaynLdr is a Reflective Loader written in C / ASM. It uses direct syscalls to allocate virtual memory as RW and changes it to RX. It erases the DOS and NT Headers to make it look less suspicious in memory.
  • WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement.
  • hayabusa is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Reminds me of chainsaw.
  • Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches. This loader forces Java agents to be loaded and can inject Java or JVMTI agents into Java processes (Sun/Oracle HotSpot or OpenJ9).
  • Invoke-Bof loads any Beacon Object File using Powershell!
  • Inject_Dylib is Swift code to programmatically perform dylib injection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Pentest Collaboration Framework is an open source, cross-platform, and portable toolkit for automating routine processes when carrying out vulnerability testing.
  • Registry-Spy is a cross-platform registry browser for raw Windows registry files written in Python.
  • iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules. While this specific implementation is modeled on a joke RFC, the code could easily be modified to be more stealthy/useful.
  • Narthex is a modular & minimal dictionary generator for Unix and Unix-like operating system written in C and Shell. It contains autonomous Unix-style programs for the creation of personalized dictionaries that can be used for password recovery & security assessments.
  • whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
  • The HatSploit Framework is a modular penetration testing platform that enables you to write, test, and execute exploit code.
  • TokenUniverse is an advanced tool for working with access tokens and Windows security policy.
  • LACheck is a multithreaded C# .NET assembly local administrative privilege enumeration. That's underselling it though, this has lots of cool enumeration capabilities such as remote EDR driver enumeration.
  • Desktop environment in the browser. This is just... wow. Code here: daedalOS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.