Last Week in Security (LWiS) - 2022-10-24

Untangling Azure Permissions (@0xcsandker), V8 and JS internals of Chrome (@jack_halon), MS Office Online Server RCE chain (@IndiShell1046), ManageEngine Decryptor (@W9HAX), SharedMemUtils (@x86matthew), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-24.

This week I reviewed 372 blog posts and 2144 tweets to find only the best and most relevant items to include here.

News

Techniques and Write-ups

Tools and Exploits

  • Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
  • cypherhound - Python3 terminal application that contains 200+ Neo4j cyphers for BloodHound data sets
  • ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses the WinAPI directly and does not perform a fork & run. The screenshot is saved to disk as a file.
  • SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  • PatchThatAMSI - This repo contains 6 AMSI patches. The first two force the conditional jump inside AmsiOpenSession() that closes the AMSI scanning session: the 1st corrupts the AMSI context header, and the 2nd changes the string "AMSI" that is compared against the context header to "D1RK". The other four simply set ZF to 1.
  • ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
  • Bitmancer - Nim Library for Offensive Security Development.
  • GetFGPP - Get Fine Grained Password Policy.
  • syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
  • webpty - A secure webshell. Built for legitimate access, but I could see it adopted for red team use.
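For the GetFGPP item above, the thing to understand is what the tool is reading: Fine-Grained Password Policies are msDS-PasswordSettings objects under CN=Password Settings Container,CN=System in the domain, and you can pull them over plain LDAP without RSAT. The script below is an added example written for this post, not GetFGPP's own code. It assumes a domain-joined PowerShell session and an account that can read the Password Settings Container (by default only Domain Admins can, which is exactly why a low-privileged assessment often comes back empty); the attribute names are the real schema attributes, the output property names are my own.

```powershell
# Added example, not GetFGPP's own code: enumerate Fine-Grained Password
# Policies (PSOs) over LDAP with the built-in [adsisearcher]. Assumes a
# domain-joined session and read access to the Password Settings Container.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext
$pscDN    = "CN=Password Settings Container,CN=System,$domainDN"

$searcher = [adsisearcher]"(objectClass=msDS-PasswordSettings)"
$searcher.SearchRoot = [ADSI]"LDAP://$pscDN"
$searcher.PageSize   = 200
$attrs = 'name','msDS-PasswordSettingsPrecedence','msDS-MinimumPasswordLength',
         'msDS-PasswordHistoryLength','msDS-PasswordComplexityEnabled',
         'msDS-PasswordReversibleEncryptionEnabled','msDS-MaximumPasswordAge',
         'msDS-MinimumPasswordAge','msDS-LockoutThreshold','msDS-LockoutDuration',
         'msDS-LockoutObservationWindow','msDS-PSOAppliesTo'
$attrs | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

# AD stores PSO durations as negative Int64 counts of 100-nanosecond ticks;
# 0 and Int64.MinValue both mean "never", and MinValue cannot be negated.
function ConvertFrom-AdInterval([long]$ticks) {
    if ($ticks -eq 0 -or $ticks -eq [long]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$ticks).ToString()
}

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties   # keys are lower-cased by DirectorySearcher
    [PSCustomObject]@{
        Name          = $p['name'][0]
        Precedence    = $p['msds-passwordsettingsprecedence'][0]   # lower wins
        MinLength     = $p['msds-minimumpasswordlength'][0]
        History       = $p['msds-passwordhistorylength'][0]
        Complexity    = $p['msds-passwordcomplexityenabled'][0]
        ReversibleEnc = $p['msds-passwordreversibleencryptionenabled'][0]
        MaxAge        = ConvertFrom-AdInterval $p['msds-maximumpasswordage'][0]
        MinAge        = ConvertFrom-AdInterval $p['msds-minimumpasswordage'][0]
        LockoutThresh = $p['msds-lockoutthreshold'][0]
        LockoutDur    = ConvertFrom-AdInterval $p['msds-lockoutduration'][0]
        LockoutWindow = ConvertFrom-AdInterval $p['msds-lockoutobservationwindow'][0]
        AppliesTo     = ($p['msds-psoappliesto'] -join '; ')
    }
}
```

Two things to check when the result set is empty. First, an empty result usually means the container was not readable rather than that no PSOs exist; the constructed attribute msDS-ResultantPSO on your own user object is readable regardless and tells you which PSO, if any, wins for that account. Second, a PSO with ReversibleEnc set to TRUE or a very low LockoutThresh on a group that includes service accounts is the finding to chase, since the domain's Default Domain Policy is silently overridden for every member listed in AppliesTo.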

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • linen.dev - Google-searchable Slack alternative for Communities.
  • usbsas - Tool and framework for securely reading untrusted USB mass storage devices.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.