Last Week in Security (LWiS) - 2023-07-17

Microsoft O365 was compromised for a few months for 25 customers, block EDR DLL loading (@ShitSecure), stashing shellcode in 3D models (@TrustedSec), AMSI bypasses (@pfiatde), Atlassian Companion macOS RCE (@_r3ggi), the smallest C# binary (@washi_dev), >350 blogs monitored, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-10 to 2023-07-17.

News

Techniques and Write-ups

Tools and Exploits

  • BOF_Development_Docker - A VSCode devcontainer for development of COFF files with batteries included.
  • BlackLotus - An innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal.
  • WubbabooMark - Debugger Anti-Detection Benchmark.
  • HadesLdr - Shellcode Loader Implementing Indirect Dynamic Syscall, API Hashing, Fileless Shellcode retrieving using Winsock2.
  • curlshell - reverse shell using curl.
  • BadZure - BadZure orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.