Last Week in Security (LWiS) - 2022-02-14

Prevent IP takeover (@infosec_au), Windows LPE via handles (@last0x00), Exception Oriented Programming (@BillDemirkapi and @x86matthew), Bloodhound 4.1 (@_wald0), object overloading (@_xpn_), arb file write on DCs (@Junior_Baines), KrbRelay (@cube0x0), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-07 to 2022-02-14.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelay is a framework for Kerberos relaying. The relaying game just got a whole lot more interesting. The demo is very impressive.
  • CobaltBus is a Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus.
  • TymSpecial is a SysWhispers integrated shellcode loader w/ ETW patching, anti-sandboxing, & spoofed code signing certificates
  • PPL_Sandboxer is a A small C POC to make Defender Useless by removing Token privileges and lowering Token Integrity.
  • SpoolFool is an exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE) that should work by default on all Windows desktop versions up to the 2022-02-08 patch.
  • hygieia is a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.
  • pdfrip is a fast PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
  • monorepo.tools. "Everything you need to know about monorepos, and the tools to build them." With a bit of nudging to use Nx because the team the wrote this is selling Nx (but honestly Nx looks pretty awesome).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.