Last Week in Security (LWiS) - 2022-07-25

The end of PPLdump (@itm4n), beacon detection (@domchell), 30k WordPress XSS+SQLi (@MrTuxracer), string encryption in C++ (@mcbroom_evan), creating a DLL hijack (@x86matthew), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-18 to 2022-07-25.

News

Techniques and Write-ups

Tools and Exploits

  • DiagTrackEoP - another way to abuse the SeImpersonate privilege.
  • terry-the-terraformer - A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
  • IAM-Deescalate - helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
  • RIPPL - a tool that abuses a usermode-only exploit to manipulate PPL processes on Windows (patched in the July 2022 Windows update).
  • AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
  • Lastenzug - Socks4a proxy leveraging PIC, WebSockets and static obfuscation at the assembly level.
  • CVE-2022-34918-LPE-PoC - This exploit was written for the Ubuntu Linux kernel 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ropr - A blazing fast™ multithreaded ROP gadget finder. ropper / ropgadget alternative.
  • RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.