Last Week in Security (LWiS) - 2022-06-20

ASP .NET audit (@frycos), iOS ROP ⛓️ (@inversecos), EnumDisplayMonitors to run 🐚code (@Marco_Ramilli), pcap for problem solving (@DebugPrivilege), RPC vuln (@s1ckb017), 🎣 for persistence (@matterpreter), Azure attack paths (@ZephrFish), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-14 to 2022-06-20.

News

Techniques and Write-ups

Tools and Exploits

  • DFSCoerce - PoC for MS-DFSNM coerce authentication using the NetrDfsRemoveStdRoot method. This can be used when the Spooler service is disabled and RPC filters prevent PetitPotam/File Server VSS authentication elicitation.
  • CVE-2022-26937 - Windows Network File System crash PoC.
  • hunter - (l)user hunter using WinAPI calls only.
  • cloud-middleware-dataset. This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).
  • Ekko. A small sleep obfuscation technique that uses CreateTimerQueueTimer to queue up the ROP chain that performs Sleep obfuscation. Detection: patriot.
  • NlsCodeInjectionThroughRegistry - DLL injection through code page ID modification in the registry. Based on Jonas Lykk's research.
  • Using macros and constexpr to make API hashing a bit more friendly.
  • antnium - A C2 framework and RAT written in Go. Slides about the development process here.
  • aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator.
  • SliverKeylogger is a Sliver C2 extension to log keystrokes on Windows.
  • OfficeIMO - Fast and easy-to-use cross-platform .NET library that creates or modifies Microsoft Word (and, more recently, Excel) files without installing any software. This could be useful for automating phishing lures.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AlternativeShellcodeExec - Alternative Shellcode Execution Via Callbacks.
  • Sealighter - Sysmon-Like research tool for ETW.
  • npmdomainchecker - Checks all maintainers of all NPM packages for hijackable domains.
  • snallybuckster - Locate interesting files in grayhatwarfare.com open S3 buckets and Azure blobs automatically!
  • NoteThief - Grab unsaved Notepad contents with a Beacon Object File.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.