Last Week in Security (LWiS) - 2022-02-07

EXE in LNK embeds (@x86matthew), LinkedIn Slink phishers (@briankrebs), Apollo 2.0 (@djhohnstein), modern relaying (@Jean_Maes_1994), exfil with Power Automate (@varonis), sandboxing defender (@GabrielLandau), SysWhispers rundown (@KlezVirus), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-31 to 2022-02-07.

News

Techniques and Write-ups

Tools and Exploits

  • authz0 is an automated authorization test tool. You give it a list of URLs plus a set of roles and their credentials, and it identifies which URLs each role can reach when it should not.
  • SharpLdapWhoami is a "WhoAmI" that works by asking the LDAP service on a domain controller who the current connection is authenticated as. I'm not 100% sure what this would be useful for without testing it.
  • EvilSelenium is a new project that weaponizes Selenium to abuse Chrome: steal cookies, dump creds, take screenshots, add SSH keys to GitHub, etc.
  • shelloverreversessh is a simple implant which connects back to an OpenSSH server, requests that the server forward a port back to it (remote port forwarding), and serves either SOCKS4a or a shell to the connections that arrive through that port.
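
An LDAP-side "whoami" is the "Who am I?" extended operation of RFC 4532 (OID 1.3.6.1.4.1.4203.1.11.3): a client sends it on an already-bound connection and the server answers with the authorization identity it has tied to that connection, which on Active Directory is a string of the form u:DOMAIN\sAMAccountName. The following is an added example, not SharpLdapWhoami's code, and it only assumes that the tool relies on this operation. It encodes the request by hand so the bytes on the wire are visible, and parses a server reply that is constructed here rather than captured from a real domain controller.

```python
# Added example (not SharpLdapWhoami's code): the LDAP "Who am I?" extended
# operation of RFC 4532, encoded by hand so the bytes on the wire are visible.
# A client sends it on an already-bound connection (simple bind, NTLM or
# Kerberos via SASL) and gets back the authorization identity the server has
# tied to that connection; Active Directory answers "u:DOMAIN\sAMAccountName".
# The response bytes below are constructed for the example, not captured.

WHOAMI_OID = b"1.3.6.1.4.1.4203.1.11.3"   # whoami requestName (RFC 4532)

# --- minimal BER helpers -----------------------------------------------------

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER with an extra leading byte when needed so the sign bit stays clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- the operation -----------------------------------------------------------

def build_whoami_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName } }; no requestValue."""
    ext_req = tlv(0x77, tlv(0x80, WHOAMI_OID))       # [APPLICATION 23] { [0] LDAPOID }
    return tlv(0x30, ber_int(message_id) + ext_req)  # SEQUENCE { INTEGER, protocolOp }


def parse_whoami_response(buf: bytes) -> dict:
    """Pull resultCode, diagnosticMessage and the authzId out of an ExtendedResponse."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:                                  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(body, 0)                   # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(body, pos)        # matchedDN
    _, diag, pos = read_tlv(body, pos)               # diagnosticMessage
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "result_code": int.from_bytes(rc, "big"),
           "diagnostic": diag.decode("utf-8", "replace"),
           "authz_id": None}
    # Optional trailers: referral [3], responseName [10], responseValue [11].
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x8B:                              # responseValue carries the authzId;
            out["authz_id"] = val.decode("utf-8", "replace")  # "" means anonymous
    return out


def constructed_response(message_id: int, authz_id: bytes, result_code: int = 0) -> bytes:
    """Constructed server reply for the example; a real DC sends the same shape."""
    ldap_result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    value = tlv(0x8B, authz_id) if result_code == 0 else b""
    return tlv(0x30, ber_int(message_id) + tlv(0x78, ldap_result + value))


if __name__ == "__main__":
    print(build_whoami_request(2).hex())
    print(parse_whoami_response(constructed_response(2, b"u:CONTOSO\\alice")))
```

The value of the operation is that it reports the identity the directory itself associates with the session, so it answers "who does the DC think I am?" for any bind, including one that did not originate from the calling process's own logon session. An empty responseValue means the connection is anonymous, and a non-zero resultCode means the server refused the operation, which is why the parser distinguishes "" from None.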

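To make concrete what "serves up SOCKS4a to forwarded connections" involves, here is an added example that is not shelloverreversessh's code. Once the remote forward is in place (the SSH "tcpip-forward" global request of RFC 4254, which the SSH library handles and which is not shown here), every connection the server accepts on the forwarded port is handed to the implant, which reads one SOCKS4/4a request, dials the target, replies granted or rejected, and then relays bytes. The `connect` callback is a hypothetical stand-in for socket.create_connection so the handler runs offline; the sample request bytes are constructed for the example.

```python
# Added example (not shelloverreversessh's code): the SOCKS4a half of what such
# an implant serves. Once the remote forward is in place, every connection the
# SSH server accepts on the forwarded port is handed to the implant, which must
# read one SOCKS4/4a request, open the target, reply 0x5A (granted) or 0x5B
# (rejected), and then relay bytes. The `connect` callback is a hypothetical
# stand-in for socket.create_connection so the logic runs without a network.
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Callable

GRANTED, REJECTED = 0x5A, 0x5B        # SOCKS4 reply codes


@dataclass
class Socks4Request:
    command: int        # 1 = CONNECT, 2 = BIND
    port: int
    host: str           # dotted quad, or the hostname for a SOCKS4a request
    user_id: str
    is_4a: bool


def parse_socks4_request(data: bytes) -> tuple[Socks4Request, bytes]:
    """Parse one SOCKS4/4a request; return it and any bytes that followed it."""
    if len(data) < 9:                                    # 8-byte header + at least the USERID NUL
        raise ValueError("short SOCKS4 request")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4:
        raise ValueError(f"unsupported SOCKS version {vn}")
    if cd not in (1, 2):
        raise ValueError(f"unsupported command {cd}")
    pos = 8
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated USERID")
    user_id = data[pos:end].decode("latin-1")
    pos = end + 1
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means the client could not resolve the
    # name and a NUL-terminated hostname follows USERID; the proxy resolves it,
    # which keeps DNS lookups on the implant side instead of the operator's host.
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    if is_4a:
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated SOCKS4a hostname")
        host, pos = data[pos:end].decode("latin-1"), end + 1
    else:
        host = ".".join(str(b) for b in ip)
    return Socks4Request(cd, port, host, user_id, is_4a), data[pos:]


def socks4_reply(code: int, port: int = 0, ip: bytes = b"\x00\x00\x00\x00") -> bytes:
    """VN is always 0 in a SOCKS4 reply; DSTPORT/DSTIP are echoed or left zero."""
    return struct.pack("!BBH4s", 0, code, port, ip)


def handle_request(data: bytes, connect: Callable[[str, int], object]) -> tuple[bytes, object | None]:
    """Serve one CONNECT: parse, dial the target through `connect`, build the reply.
    Returns (reply bytes for the client, the target connection or None on rejection)."""
    try:
        req, _trailing = parse_socks4_request(data)
    except ValueError:
        return socks4_reply(REJECTED), None
    if req.command != 1:                                 # BIND is not offered by a reverse implant
        return socks4_reply(REJECTED), None
    try:
        target = connect(req.host, req.port)
    except OSError:
        return socks4_reply(REJECTED), None
    return socks4_reply(GRANTED, req.port), target


# Constructed request, as proxychains-style clients send it: CONNECT to
# example.internal:443 with the 0.0.0.1 marker and the hostname after USERID.
SAMPLE_4A = (b"\x04\x01" + struct.pack("!H", 443) + b"\x00\x00\x00\x01"
             + b"proxychains\x00" + b"example.internal\x00")

if __name__ == "__main__":
    reply, target = handle_request(SAMPLE_4A, lambda host, port: (host, port))
    print(reply.hex(), target)
```

OpenSSH's own client offers the same primitive without a custom implant: `ssh -R 1080 user@server` with no destination after the port makes ssh act as a SOCKS 4/5 proxy on the server's port 1080, which is the behaviour an implant like this reproduces in a process the operator controls.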
New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • reave is a post-exploitation framework tailored for hypervisor endpoints. Interesting concept, I'll be following it.
  • GoodHound uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.
  • ShadowCoerce is an MS-FSRVP coercion abuse PoC. Not sure how I missed this one.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.