Last Week in Security (LWiS) - 2022-08-30

AceLdr (@kyleavery_), DLL fun (@Wietze + @ConsciousHacker), CI/CD pwnage (@smarticu5), Kerberos LPE (@monoxgas + @tiraniddo), Burp ➡️ C2 profile (@codex_tf2), AD CS + PIV (@_EthicalChaos_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-25 to 2022-08-30.

News

Techniques and Write-ups

Tools and Exploits

  • TamperingSyscalls is a two-part project consisting of argument spoofing and syscall retrieval, both of which abuse exception handling (EH) in order to subvert EDRs. The project combines the two in order to provide an alternative to direct syscalls.
  • EntropyFix is a tool with no ASCII art that reduces the entropy of your payload.
  • BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
  • AceLdr - Cobalt Strike UDRL for memory scanner evasion. [This is the best UDRL yet.]
  • Hijack Libs - The database contains 341 Sideloading, 88 Environment Variable, 8 Phantom and 5 Search Order entries.
  • Burp2Malleable - Quick Python utility I wrote to turn HTTP requests from Burp Suite into Cobalt Strike Malleable C2 profiles.
  • ExportDumper - A small tool to dump the export table of PE files. The primary use case was intended for use within DLL proxying.
  • WFH - Windows Feature Hunter (WFH) is a proof-of-concept Python script that uses Frida, a dynamic instrumentation toolkit, to assist in identifying common "vulnerabilities" or "features" within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Link Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
  • jscythe - Abuse the Node.js inspector mechanism in order to force any Node.js/Electron/V8-based process to execute arbitrary JavaScript code.
  • DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on the kernel heap, DirtyCred abuses the heap memory reuse mechanism to gain privileges.
  • SilentHound - Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
  • jwt-reauth is a Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.