Last Week in Security (LWiS) - 2022-07-05

In the wild 0days (@maddiestone), new Win11 primitive (@yarden_shafir), Cloudflare ZeroTrust for C2 (@zux0x3a), macOS LPEs (@LinusHenze + @zhuowei + Jack Dates of @ret2systems), SCCM abuse (@subat0mik + @_Mayyhem), Diamond Tickets (@4ndr3w6S), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-27 to 2022-07-05.


Techniques and Write-ups

Tools and Exploits

  • PINKPANTHER - Windows x64 handcrafted token-stealing kernel-mode shellcode. Be sure to check out the caveats.
  • the-poor-mans-obfuscator - Binary & scripts associated with "The Poor Man's Obfuscator" presentation.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
  • CVE-2019-7040 + CVE-2021-21042 - POCs and exploit code for Microsoft Internet Explorer & Microsoft Word (in DOCX & RTF formats).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awsEnum - Enumerate AWS cloud resources based on provided credentials.
  • nali - An offline tool for querying IP geographic information and CDN provider.
  • maldev-for-dummies - A workshop about Malware Development.
  • ExtractedDefender - An attempt to group extracted data from Defender for research purposes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.