Last Week in Security (LWiS) - 2023-11-06

In-line PE runner (@s4ntiago_p), Citrix Bleed (@assetnote), Cisco IOS XE PoC (@JamesHorseman2), LDAP auth (@lowercase_drm), fuzzer fundamentals (@h0mbre_), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-24 to 2023-11-06.

News

Techniques and Write-ups

Tools and Exploits

  • Defender-Exclusions-Creator-BOF - A BOF to add or remove Windows Defender exclusions.
  • cookie-monster - BOF to steal browser cookies.
  • GhostTask - Create/modify scheduled tasks directly in the registry to avoid event logs and alerts.
  • LdrLockLiberator - A collection of techniques for escaping or otherwise forgoing Loader Lock while executing your code from DllMain.
  • Kernel_VADInjector - Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver.
  • maliciousCodeMatchingMFA - A small executable to trick a user to authenticate using code matching MFA.
  • PsMapExec - The cme saga continues. This project is written in PowerShell and inspired by CrackMapExec.
  • cuddlephish - Weaponized Browser-in-the-Middle (BitM) for Penetration Testers.
  • pandora - A red team tool that assists in extracting/dumping master credentials and/or entries from different password managers.
  • WIP Mockingjay BOF Conversion - Cobalt Strike Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique.
  • LdrLibraryEx - A small x64 library to load DLLs into memory.
  • ReleaseTheHounds - Tool to upload large datasets and interact with BloodHound CE API.
  • sshx - A secure web-based, collaborative terminal.
  • DayBird - Extension functionality for the NightHawk operator client.
  • porch-pirate - Porch Pirate is the most comprehensive recon / OSINT client and framework for Postman that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams. Porch Pirate can be used as a client or be incorporated into your own applications.
  • NerfDefender - BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • hashcathelper - Got some creds? Has a couple different modules. One allows operators to insert new relationships into an existing BloodHound database such as when users have the same password. Improve those screenshots!
  • postleaks - Search for sensitive data in Postman public library.
  • OffensiveGo - Looking to do some offensive dev in Go? Start here. Notable golang tools at the bottom such as sliver and merlin.
  • Hijacking Someone Else's DCSync - Friendly reminder that your AADConnect servers are tier 0 assets. Pwn the AADConnect server -> wait for cloud takeoff -> catch hashes in flight.
  • Mido - The Secure Microsoft Windows Downloader.
  • Exploring SCCM by Unobfuscating Network Access Accounts - These Network Access Accounts (NAAs) have been very fruitful lately...
  • PyMeta - Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
  • LME - Logging Made Easy (LME) is a free and open logging and protective monitoring solution serving all organizations. Good resource for a detection lab (RIP), but very manual setup.
  • Get-LoggedOn.py - Look up logged-in users using itm4n's session enumeration via the registry.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.