Last Week in Security (LWiS) - 2023-01-09

Korea's browser-ex problem (@WPalant), Prox-Ez (@b1two_ + @YofBalibump), car hacks (@samwcyo), Azure privesc (@_wald0), tons of direct syscall techniques, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-02 to 2023-01-09.


Techniques and Write-ups

Tools and Exploits

  • iCDump. A Modern Objective-C Class Dump. Blog here.
  • UnhookingPatch - Bypasses EDR hooks by patching the NT API stubs, resolving SSNs and syscall instructions at runtime.
  • HellHall is a combination of Hell's Gate and indirect syscalls.
  • WalkerGate is a method for making syscalls by parsing ntdll in memory.
  • zsyscall is an implementation of the Hell's Gate VX technique. The main difference from the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for invoking syscalls.
  • SOC-Multitool - A free and open source tool to aid in SOC investigations!
  • Alcatraz is an x64 binary obfuscator that can obfuscate various PE formats.
  • sub-scout is a simple bash script that automates your initial recon and extends your attack surface using popular tools made by the infosec community.
  • MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
  • nuclearpond is a utility that leverages Nuclei to perform internet-wide scans for the cost of a cup of coffee.
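The four syscall entries above (UnhookingPatch, HellHall, WalkerGate, zsyscall) all rest on the same primitive: read the Nt stubs out of ntdll, check whether the prologue is still the expected `mov r10, rcx ; mov eax, SSN`, and recover the system service number either directly or, when an EDR has overwritten the prologue with a jmp, from the unhooked neighbours (stubs are 32 bytes apart and numbered in address order, the Halo's Gate observation). The program below is an added illustration of that logic and is not code from any of those projects: it runs against a constructed in-memory copy of a four-entry stub table, so it compiles anywhere. The 32-byte stub layout is the real Windows 10 x64 one, but the SSN values 0x18-0x1B, the choice to hook entry 1, and the jmp bytes are made up for the example; on a live system the bytes would come from the loaded ntdll via its export table instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of every Nt and Zw stub in 64-bit ntdll on Windows 10+: 32 bytes each,
 * laid out in ascending SSN order:
 *   4C 8B D1        mov r10, rcx
 *   B8 xx xx 00 00  mov eax, <SSN>
 *   ...             wow64 test/jne, syscall, ret, int 2Eh, ret, padding
 * A user-mode EDR hook usually overwrites the first bytes with jmp rel32 (E9). */
#define STUB_SIZE 32

/* Return the SSN encoded in a clean stub, or -1 when the prologue has been
 * tampered with (the Hell's Gate check; -1 is what a hooked stub looks like). */
static int ssn_from_stub(const uint8_t *stub)
{
    if (stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && /* mov r10, rcx   */
        stub[3] == 0xB8 &&                                       /* mov eax, imm32 */
        stub[6] == 0x00 && stub[7] == 0x00)                      /* SSN < 0x10000  */
        return stub[4] | (stub[5] << 8);
    return -1;
}

/* Halo's Gate-style neighbour walk: stubs sit STUB_SIZE apart in SSN order, so
 * SSN(idx) = SSN(idx + k) - k = SSN(idx - k) + k for any unhooked neighbour.
 * Returns -1 only if every stub in the table is hooked. */
static int resolve_ssn(const uint8_t *table, size_t nstubs, size_t idx)
{
    int ssn = ssn_from_stub(table + idx * STUB_SIZE);
    if (ssn >= 0) return ssn;
    for (size_t k = 1; k < nstubs; k++) {
        if (idx + k < nstubs) {
            ssn = ssn_from_stub(table + (idx + k) * STUB_SIZE);
            if (ssn >= 0) return ssn - (int)k;
        }
        if (idx >= k) {
            ssn = ssn_from_stub(table + (idx - k) * STUB_SIZE);
            if (ssn >= 0) return ssn + (int)k;
        }
    }
    return -1;
}

/* Defensive view of the same check: how many stubs no longer have a clean prologue. */
static size_t count_hooked(const uint8_t *table, size_t nstubs)
{
    size_t hooked = 0;
    for (size_t i = 0; i < nstubs; i++)
        if (ssn_from_stub(table + i * STUB_SIZE) < 0) hooked++;
    return hooked;
}

/* Write one constructed stub; if hooked, clobber the prologue with jmp rel32. */
static void build_stub(uint8_t *out, int ssn, int hooked)
{
    static const uint8_t clean[STUB_SIZE] = {
        0x4C, 0x8B, 0xD1,                               /* mov r10, rcx            */
        0xB8, 0x00, 0x00, 0x00, 0x00,                   /* mov eax, SSN (patched)  */
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte [7FFE0308h],1 */
        0x75, 0x03,                                     /* jne +3                  */
        0x0F, 0x05,                                     /* syscall                 */
        0xC3,                                           /* ret                     */
        0xCD, 0x2E,                                     /* int 2Eh                 */
        0xC3,                                           /* ret                     */
        0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00  /* nop padding             */
    };
    memcpy(out, clean, STUB_SIZE);
    out[4] = (uint8_t)(ssn & 0xFF);
    out[5] = (uint8_t)((ssn >> 8) & 0xFF);
    if (hooked) {                                       /* jmp <made-up rel32>     */
        out[0] = 0xE9; out[1] = 0x11; out[2] = 0x22; out[3] = 0x33; out[4] = 0x44;
    }
}

/* Constructed sample: four consecutive stubs, SSNs 0x18..0x1B (assumed values),
 * with entry 1 hooked the way an inline user-mode hook would leave it. */
#define NSTUBS 4
static uint8_t g_table[NSTUBS * STUB_SIZE];

static void build_sample_table(void)
{
    for (size_t i = 0; i < NSTUBS; i++)
        build_stub(g_table + i * STUB_SIZE, 0x18 + (int)i, i == 1);
}

int main(void)
{
    build_sample_table();
    printf("%zu of %d stubs hooked\n", count_hooked(g_table, NSTUBS), NSTUBS);
    for (size_t i = 0; i < NSTUBS; i++)
        printf("stub %zu: direct=%d resolved=0x%02X\n", i,
               ssn_from_stub(g_table + i * STUB_SIZE),
               resolve_ssn(g_table, NSTUBS, i));
    return 0;
}
```

The prologue check is deliberately strict (it also insists the upper SSN bytes are zero), so a hook placed a few bytes further into the stub, after `mov r10, rcx`, would still be caught as "not clean". What the example does not model is an EDR that hooks every stub, or a non-standard ntdll layout; in both cases `resolve_ssn` returns -1 and a real tool would need another source of truth, such as a clean copy of ntdll from disk.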

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • A New PyRDP Release: The Rudolph Desktop Protocol! The GoSecure RSS feed was slow on this one?
  • KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
  • NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
  • smudge - Passive OS detection based on SYN packets, without transmitting any data.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.