Last Week in Security (LWiS) - 2022-05-23

Nighthawk 0.2 (@MDSecLabs), Parallels VM escape write-up (@ret2systems), Rust supply chain attack (@juanandres_gs), DPAPI entropy capture (@merrillmatt011), HVCI "work-around" (@33y0re), S4U2* attacks (@theluemmel), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-16 to 2022-05-23.

News

Techniques and Write-ups

Tools and Exploits

  • ghostrings - Ghidra scripts for recovering string definitions in Go binaries. More info in this blog post.
  • Mortar Loader v2. Lots of improvements to this loader in version 2.
  • SharpEventPersist. Persistence by writing/reading shellcode from Event Log.
  • DynamicWrapperDotNet. Dynamically Loads Assembly and Calls Methods from JScript.
  • bin2memfd. Encodes a program (which can be a script, despite the name) to a Perl or Python script which sticks it in a Linux memfd and runs it. The goal is to enable staged implants to be run with curl | perl, or something similar.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BinAbsInspector - Vulnerability Scanner for Binaries.
  • Labtainers - Docker-based cyber lab framework.
  • privaxy - (work in progress) Privaxy is the next generation tracker and advertisement blocker. It blocks ads and trackers by MITMing HTTP(S) traffic.
  • Argus is a lightweight monitor to notify of new software releases via Gotify/Slack messages and/or WebHooks.
  • Red-Lambda - Leveraging AWS Lambda Function URLs for C2 Redirection.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.