Last Week in Security (LWiS) - 2022-01-10

More JDNI to RCE (@jfrog), parallel loader (@peterwintrsmith and @cube0x0), MS signed phishing docs (@ptrpieter and @_DaWouw), IP-takeover vulns (@sebsalla), driver loading BOF dev (@cerbersec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-03 to 2022-01-10.

News

Techniques

Tools and Exploits

  • inject-assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
  • rathole is a lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
  • insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. More details here.
  • SysmonSimulator is a Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
  • PowerRemoteDesktop is a Remote Desktop client entirely coded in PowerShell. This could be useful for restricted environments like virtual desktops.
  • Hunt-Sleeping-Beacons is a project to identify beacons which are unpacked at runtime or running in the context of another process.
  • defender-detectionhistory-parser is a parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables. First one to write this as a BOF wins.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
  • domains is (probably) the world’s single largest Internet domains dataset.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.