Last Week in Security (LWiS) - 2023-11-29

2x macOS TCC bypasses (@gergely_kalman), Okta 🥷 (@nickvangilder), pcap analysis helper (@bartavelle), Mythic and Merlin C2 updates (@its_a_feature_ + @Ne0nd0g) and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-13 to 2023-11-29.

News

Techniques and Write-ups

Tools and Exploits

  • Kerbeus-BOF - BOF for Kerberos abuse (a Beacon Object File implementation of some of the key features of Rubeus).
  • LocklessBof - A Beacon Object File (BOF) implementation of Lockless by HarmJ0y, designed to enumerate open file handles and facilitate the fileless download of locked files.
  • LyinEagle - BETA C2 server that uses the legitimate FIN7 Griffon JScript as its implant.
  • badgerDAPS - Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.
  • AI Exploits - A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities.
  • ProcessStomping - A variation of Process Overwriting that executes shellcode from within a section of a target executable.
  • DumpS1.ps1 - Uses CoSetProxyBlanket to call the dump function in SentinelAgent.exe and dump a PID to disk. Requires local admin. Love the traitorware aspect here.
  • Proof of concept exploit for CVE-2023-46214 - Authenticated RCE. Comes with a blog.
  • CoercedPotatoRDLL - Reflective DLL to privesc from NT Service to SYSTEM by abusing the SeImpersonatePrivilege privilege.
  • Pcapan: a PCAP analysis helper - Filter out known good and find suspicious connections in pcaps.
  • waveterm - An open-source, cross-platform terminal for seamless workflows. Reminds me of an open-source Warp.
  • genpatch - An IDA plugin that generates a Python script for patching a binary.
  • faction - Pen Test Report Generation and Assessment Collaboration.
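The badgerDAPS entry above describes a small but useful workflow: take a dump of computer objects, keep only the hosts under a chosen OU, and drop the ones whose account is disabled so you are not scanning dead machines. The following is an added example of that filtering, not badgerDAPS's own code. It does not reproduce Brute Ratel's log format; the input is a constructed, LDIF-style listing of the standard AD attributes (dn, dNSHostName, userAccountControl), and the disabled check is the real ACCOUNTDISABLE bit (0x2) of userAccountControl.

```python
import re

# Constructed sample in LDIF style. This is NOT Brute Ratel's log output; only the
# attribute names are real Active Directory attributes. 4096 is a plain
# workstation trust account, 4098 the same with ACCOUNTDISABLE set, 532480 a
# domain controller (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION).
SAMPLE_LDAP_OUTPUT = """\
dn: CN=WS01,OU=Workstations,OU=Corp,DC=example,DC=local
dNSHostName: ws01.example.local
userAccountControl: 4096

dn: CN=WS02,OU=Workstations,OU=Corp,DC=example,DC=local
dNSHostName: ws02.example.local
userAccountControl: 4098

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=local
dNSHostName: dc01.example.local
userAccountControl: 532480

dn: CN=SRV01,OU=Servers,OU=Corp,DC=example,DC=local
dNSHostName: srv01.example.local
userAccountControl: 4096
"""

ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled accounts


def parse_entries(text):
    """Split blank-line-separated entries into dicts of lower-cased attribute -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def ou_path(dn):
    """Return the OU components of a DN (innermost first, lower-cased).
    Commas escaped with a backslash inside an RDN are not treated as separators."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip()[3:].lower() for p in parts if p.strip().lower().startswith("ou=")]


def live_hostnames(text, ou=None):
    """Hostnames of enabled computer objects, optionally restricted to those whose DN
    contains the given OU at any depth. Output is sorted and de-duplicated so it can be
    fed straight into other tooling."""
    hosts = set()
    for entry in parse_entries(text):
        uac = int(entry.get("useraccountcontrol", "0"))
        if uac & ACCOUNTDISABLE:
            continue  # disabled computer account: skip it
        if ou and ou.lower() not in ou_path(entry.get("dn", "")):
            continue
        host = entry.get("dnshostname")
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    print("\n".join(live_hostnames(SAMPLE_LDAP_OUTPUT, ou="Workstations")))
```

A host can also be effectively dead while enabled (stale lastLogonTimestamp, or a pwdLastSet far in the past); if the dump carries those attributes, add a staleness cutoff alongside the disabled check before handing the list to scanners.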
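The Pcapan entry above boils down to two steps: pull the connections out of a capture, then remove everything that matches a known-good allowlist so the odd destinations are what is left. Here is an added example of that approach in plain Python; it is not Pcapan's code and makes no claim about how Pcapan is implemented. It reads the classic pcap container directly (no scapy or dpkt), handles IPv4 over Ethernet only, and builds its own tiny capture in memory from constructed TCP SYNs so it runs offline; the allowlist contents (RFC 1918 ranges and an internal DNS server at 10.0.0.53) are assumptions for the demo, and the external addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct
from collections import Counter

# --- Constructed sample capture (not real traffic) ---------------------------
# A classic pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET) built in memory so the
# example runs offline. Checksums are left zeroed; parsing does not need them.

def _pcap_global_header(snaplen=65535, linktype=1):
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def _tcp_syn(src_ip, dst_ip, sport, dport):
    """Ethernet + IPv4 + TCP SYN with zeroed MACs and checksums."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp

def _record(ts_sec, pkt):
    return struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt

def build_sample_pcap():
    pkts = [
        _tcp_syn("10.0.0.5", "10.0.0.53", 40001, 53),      # internal DNS: known-good service
        _tcp_syn("10.0.0.5", "10.0.0.7", 40002, 445),      # internal SMB: allow-listed network
        _tcp_syn("10.0.0.5", "203.0.113.9", 40003, 4444),  # external host on an odd port
        _tcp_syn("10.0.0.5", "203.0.113.9", 40004, 4444),  # ... contacted again
        _tcp_syn("10.0.0.8", "198.51.100.2", 40005, 443),  # external HTTPS
    ]
    body = b"".join(_record(1700000000 + i, p) for i, p in enumerate(pkts))
    return _pcap_global_header() + body

# --- Minimal classic-pcap reader ---------------------------------------------

def _dissect(pkt):
    """Return (src, dst, proto, dport) for IPv4 over Ethernet, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None                       # ARP, IPv6, VLAN-tagged frames are skipped
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = str(ipaddress.ip_address(ip[12:16]))
    dst = str(ipaddress.ip_address(ip[16:20]))
    l4 = ip[ihl:]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    return (src, dst, proto, dport)

def parse_pcap(data):
    """One (src, dst, proto, dport) tuple per IPv4 packet in a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec timestamps, little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # same, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled in this example")
    flows, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) != incl_len:
            break                         # truncated final record
        flow = _dissect(pkt)
        if flow:
            flows.append(flow)
    return flows

# --- Known-good filtering ----------------------------------------------------

KNOWN_GOOD_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # assumed internal ranges
KNOWN_GOOD_SERVICES = {("10.0.0.53", 6, 53), ("10.0.0.53", 17, 53)}    # assumed internal DNS

def suspicious_connections(flows, known_nets=KNOWN_GOOD_NETS,
                           known_services=KNOWN_GOOD_SERVICES):
    """Drop flows to allow-listed services or networks and count what remains per
    (dst, proto, dport), so repeat contacts to one host float to the top."""
    counts = Counter()
    for _src, dst, proto, dport in flows:
        if (dst, proto, dport) in known_services:
            continue
        if any(ipaddress.ip_address(dst) in net for net in known_nets):
            continue
        counts[(dst, proto, dport)] += 1
    return counts

if __name__ == "__main__":
    report = suspicious_connections(parse_pcap(build_sample_pcap()))
    for (dst, proto, dport), n in report.most_common():
        print(f"{n:3d}  {dst}:{dport}  proto={proto}")
```

The network-wide allowlist is the blunt part of this: it also hides lateral movement between internal hosts, which is exactly what you want to see in an incident. Prefer the per-service allowlist (destination, protocol, port) built from a known-clean baseline capture, and keep the broad network exclusion for noise reduction on egress-only triage.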

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.