Last Week in Security (LWiS) - 2023-02-13

Phishing in 2023 (@0xcsandker), SaltStack A-Salt (Alex Hill - @SkylightCyber), LocalPotato (@decoder_it + @elad_shamir), install4j XXE (@frycos), LPE in Avast (@Denis_Skvortcov), learning Semgrep (@jrozner), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-06 to 2023-02-13.


Techniques and Write-ups

Tools and Exploits

  • TeamFiltration V3.5.0 - Improve All the Things! Lots of new features and improvements to this cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts.
  • ThreadlessInject - Threadless Process Injection using remote function hooking.
  • LPE via StorSvc - Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL Hijacking).
  • FilelessPELoader - Loads a remote AES-encrypted PE into memory, decrypts it, and runs it.
  • D1rkSleep - Improved version of EKKO by @5pider that encrypts only image sections.
  • HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
  • firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.
  • UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
  • OperatorsKit - Collection of Beacon Object Files (BOF) for Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • wildebeest is an ActivityPub and Mastodon-compatible server.
  • grepmarx - A source code static analysis platform for AppSec enthusiasts.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.