Last Week in Security (LWiS) - 2023-03-07

Cobalt Strike 4.8 (@gregdarwin), Timeroasting, Mythic 3.0 (@its_a_feature_), LastPass breach saga continues, CosmosDB XSS to account takeover (@Creastery), 😈 chrome extension (@mattfriz), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past 2 weeks. This post covers 2023-02-20 to 2023-03-07.

News

Techniques and Write-ups

Tools and Exploits

  • MemFiles - A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk.
  • Amsi-Killer - a "lifetime AMSI bypass."
  • Thunderstorm - Modular framework to exploit UPS devices. Only 2 exploits for now.
  • msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
  • lolbin-poc - Small PoC of using a Microsoft signed executable as a lolbin.
  • Kraken - a modular multi-language webshell coded by @secu_x11.
  • DroppedConnection - Emulates a Cisco ASA AnyConnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user.
  • Timeroast - Scripts that execute timeroasting and trustroasting attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
  • AtomLdr - A DLL loader with advanced evasive features.
  • bootlicker - A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Locksmith - A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services. Quick wins for Sysadmins!
  • APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
  • Coercer - A Python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods. #onetorullethemall
  • curl-impersonate - A special build of curl that can impersonate Chrome & Firefox.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.