Last Week in Security (LWiS) - 2023-09-19

Cobalt Strike 4.9, 38TB of internal MS data, a crazy phish, an Okta toolkit, macOS LPE, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-11 to 2023-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • EchoDrv - Exploitation of echo_driver.sys.
  • Caro-Kann - Encrypted shellcode injection to avoid kernel-triggered memory scans.
  • malrdp-deploy - Automated (kinda) deployment of MalRDP infrastructure with Terraform & Ansible.
  • Periscope - Fully Integrated Adversarial Operations Toolkit (C2, stagers, agents, ephemeral infrastructure, phishing engine, and automation). Note: purposely broken by the author.
  • NetExec - CrackMapExec fork with different maintainers. Cue the drama.
  • POSTDump - C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding a call to the Windows API MiniDumpWriteDump function.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • donut-decryptor - Retrieve inner payloads from Donut samples.
  • TierZeroTable - Table of AD and Azure assets and whether they belong to Tier Zero.
  • Evilginx3-Phishlets - This repository provides penetration testers and red teams with an extensive collection of dynamic phishing templates designed specifically for use with Evilginx3.
  • tracker-radar - Good for OSINT.
  • GPOZaurr - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
  • electroniz3r - Take over macOS Electron apps' TCC permissions.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.