Last Week in Security (LWiS) - 2022-05-02

GitHub OAuth token hack, security.txt RFC (@EdOverflow), channel binding bypass for LDAP (@lowercase_drm), #ExtraReplica (@sagitz_, @shirtamari, @nirohfeld, @ronenshh), Windows kernel driver fun (@_xpn_), prefetch on Apple Silicon (@jose_vicarte and team), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.

News

Techniques and Write-ups

Tools and Exploits

  • BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
  • minbeacon is a work-in-progress minimal HTTP(S) beacon for Cobalt Strike.
  • CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs with BOFs that modify systems (injection, persistence, etc.).
  • Dylib_Runner is Swift code to run a dylib from disk.
  • okta-sprayer is a Python 3 script to perform a password spray against an Okta instance.
  • nimc2 is a C2 written entirely in Nim.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • pyscript. Python directly in HTML (via a WASM shim).
  • O365-Doppelganger is a quick, handy script to harvest credentials from a user during a red team engagement and get the user to execute a file.
  • ecapture can capture SSL/TLS plaintext without a CA certificate, using eBPF.
  • howdy is Windows Hello™ style facial authentication for Linux.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.