Last Week in Security (LWiS) - 2022-03-14

Embedded reversing (@zi0Black), SQL injection despite prepared statements (@Dooflin5), AutoWarp Azure token leak (@Yanir_), Viscosity DPAPI defeat (@checkymander), password tricks without mimikatz (@n00py1), Chakra exploitation (@33y0re), rethinking phishing assessments (@matterpreter), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-02-28 to 2022-03-14.

News

Techniques and Write-ups

Tools and Exploits

  • Removing PowerShell Comments, Whitespace, and Handles. A simple script to help make your PowerShell less detectable.
  • oxasploits. All of these exploits are originally coded by oxagast / Marshall Whittaker. Some of them were already known vulnerabilities that they took and re-evaluated, then wrote an exploit for them that they thought was more functional or logical in some way. Some of these vulnerabilities are partial PoC exploits that will make something crash, but not actually get root. Some will straight drop you at a root shell. None of this code should ever, under any circumstances, be run in a production environment, or on a system that you do not have express permission to run a penetration test on.
  • RunOF is a .NET application that is able to load arbitrary BOFs, pass arguments to them, execute them and collect and return any output. For more details check out Introducing RunOF – Arbitrary BOF tool.
  • graphql-cop is a small Python utility to run common security tests against GraphQL APIs.
  • nrich is a command-line tool to quickly analyze all IPs in a file and see which ones have open ports/vulnerabilities. It can also be fed data from stdin to be used in a data pipeline.
  • donut is a donut fork that contains syscall support for AMSI/WLDP patching.
  • SyscallPack is a BOF and some shellcode for full DLL unhooking using dynamic syscalls.
  • SysWhispers3 is SysWhispers on Steroids - AV/EDR evasion via direct system calls.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • iocscraper is a Python tool that enables you to extract IOCs and intelligence from different data sources.
  • litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
  • BlueTeam.Lab is a Blue Team detection lab created with Terraform and Ansible in Azure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.