Last Week in Security (LWiS) - 2023-10-24

Windows LPE (@chompie1337), TPM Bitlocker deepdive (@itm4n@infosec.exchange), unhooking effects (@dazzyddos), CastGuard (@gsuberland@chaos.social), Apple OTA -> kernel hack (@patch1t), FalconHound (@olafhartong), GraphRunner (@dafthack), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-09 to 2023-10-23.

News

Techniques and Write-ups

Tools and Exploits

  • legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
  • pico_dma - Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board.
  • Kernel Driver Utility v1.4.0 - 4 new providers and a dump command!
  • Proxy-DLL-Loads - A proof of concept demonstrating DLL-load proxying using undocumented syscalls.
  • Jomungand - Shellcode Loader with memory evasion.
  • NovaLdr - Threadless Module Stomping In Rust with some features.
  • WolfPack - WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale.
  • FalconHound - FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool.
  • GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API.
  • EvilSln - A New Exploitation Technique for Visual Studio Projects.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments.
  • CVE-2023-36723 - PoC for arbitrary directory creation bug in Windows Container Manager service.
  • tinyproxy - A lightweight HTTP/HTTPS proxy daemon for POSIX operating systems.
  • SMBLibrary - Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library.
  • Shaco - Shaco is a Linux agent for Havoc.
  • realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
  • CoercedPotato - From Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.