Last Week in Security (LWiS) - 2023-01-02

x64dbg scripts and plugins (@_n1ghtw0lf), ShellcodeMutator (@m0rv4i), Dirty-Vanity (@eliran_nissan), Windows Kernel dev 101 (@V3ded), detailed Chrome exploitation (@jack_halon), PassTheChallenge (@ly4k_) and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-12 to 2023-01-02.


Techniques and Write-ups

Tools and Exploits

  • Avoiding Detection with Shellcode Mutator. By randomly inserting NOPs or NOP-equivalent instructions, ShellcodeMutator can break YARA rules that look for specific assembly sequences in shellcode.
  • Dirty-Vanity - A POC for a new injection technique that abuses the Windows fork API to evade EDRs. See the slides from BlackHat EU here.
  • DirCreate2System - Weaponizing privileged directory creation bugs to get NT SYSTEM via Windows Error Reporting.
  • CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for Linux kernel upstream stable 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
  • Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
  • CaFeBiBa - COFF parser - a COFF parser for binaries compiled with MSVC.
  • Offensive-Rust - Various offensive techniques in Rust.
  • ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
  • CVE-2022-42046 - Proof of concept for local privilege escalation via DKOM in wfshbr64.sys.
  • linux_injector - A simple ptrace-less shared library injector for x64 Linux.
  • Venom is a library meant to perform evasive communication using a stolen browser socket.
  • wanderer - An open-source process injection enumeration tool written in C#.
  • Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
  • WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
  • PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.

