Last Week in Security (LWiS) - 2023-05-22

From DA to EA (@_wald0), CS OPSEC (@joehowwolf), CS BOFs in BRC4 (@NVISOsecurity), Avast LPE (@Denis_Skvortcov), LOLBINs in AV (@nas_bench), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-05-09 to 2023-05-22.

News

Techniques and Write-ups

Tools and Exploits

  • CypherDog - PoSh BloodHound Dog Whisperer.
  • buzzer is a fuzzer toolchain that allows writing eBPF fuzzing strategies.
  • keepass-password-dumper - Original PoC for CVE-2023-32784 (keepass master password disclosure).
  • PPLFaultDumpBOF - Takes the original PPLFault and the original included DumpShellcode and combines them into a BOF targeting Cobalt Strike.
  • PPEnum - Simple BOF to read the protection level of a process.
  • ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer.
  • Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities.
  • chromecookiestealer - Steal/Inject Chrome cookies over the DevTools (--remote-debugging-port) protocol.
  • GoBelt - Golang programmatically invoking the SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • avred - Analyse your malware to surgically obfuscate it.
  • smbcrawler is a no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares.
  • Goshawk is a static analysis tool to detect memory corruption bugs in C source code. It uses NLP to infer custom memory management functions, uses data flow analysis to abstract their behaviors, and then adopts these summaries to enhance bug detection.
  • dumpulator - An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
  • EC2StepShell is an AWS post-exploitation tool for getting high-privilege reverse shells in public or private EC2 instances. It works by sending commands to EC2 instances using ssm:SendCommand and then retrieving the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.