Last Week in Security (LWiS) - 2023-10-03

Nighthawk update (@MDSecLabs), Teams external splash bypass, MSI LPEs, and Zip+LNKs (@pfiatde), SCCM takeover (@_Mayyhem), .NET obfuscation (@eversinc33), JonMon (@jsecurity101), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-09-19 to 2023-10-03.


Techniques and Write-ups

Tools and Exploits

  • ExtractBitlockerKeys - Post-ex script to automatically extract the BitLocker recovery keys from a domain.
  • - Given transitive object control: output info on last hop, chain length, and type.
  • MaldevAcademyLdr.1 - The team at Maldev Academy drop their first "openly released" loader.
  • LOLBins - The LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) project aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion, in a graphical and digestible format for TIP platforms using the STIX format.
  • proxy_calls - Proof of Concept - Custom Call Stack for LoadLibrary with TrySubmitThreadpoolCallback/TpSimpleTryPost.
  • LDAPWordlistHarvester - A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
  • REC2 - New rust-based C2 (Yes another C2). Uses VirusTotal and Mastodon APIs.
  • HeaderLessPE - A memory PE loading technique using HVNC.
  • CVE-2023-29357 - Patched June 2023 but... Microsoft SharePoint Server priv esc.
  • JonMon - @jsecurity101 with a tool drop for defenders/attackers. "...collection of open-source telemetry sensors designed to provide users with visibility into the operations and activity of their Windows systems". Add this to your maldev boxes to see what defenders could be collecting on your actions.
  • AD_Miner - Use your existing neo4j DB to find some quick wins (may not work well against large environments based on our testing).
  • Sub7 - Source code for SubSeven 2.1.3 (if you're feeling nostalgic).
  • CVE-2023-32364-macos-app-sandbox-escape - Exploit for CVE-2023-32364.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Windows Hook Events. Short read by Mr. Yosifovich. Discusses the SetWinEventHook API in Windows for intercepting and processing user interface-related events.
  • haylxon. Gowitness replacement? Blazing-fast tool to grab screenshots of your domain list right from the terminal.
  • graftcp. A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
  • VcenterKit. vCenter Comprehensive Penetration and Exploitation Toolkit.
  • go-exploit. A Go-based Exploit Framework.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.