Last Week in Security (LWiS) - 2024-01-01

Ghidriff (@clearbluejar), Linux exploitation (@kevin_backhouse), win32 keylogger (@_ixty_), BLUFFS bluetooth exploit (@francozappa), sleep lexer and parser (@mcbroom_evan), ring0 from VBA (@0xDISREL), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-12-04 to 2024-01-01.

News

Techniques and Write-ups

Tools and Exploits

  • sleepy - A lexer and parser for Sleep. Read more here.
  • A (beta) Canarytoken for Active Directory Credentials. Perhaps one of the most effective canary tokens yet. Slightly more complicated than just dropping a file, but it will be extremely effective in catching red teams and adversaries.
  • frinet - Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
  • Christmas - By splitting up the injection actions across different spawned processes, none of the spawned processes generate enough signal to trip EDR (in theory).
  • sj - A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files. See this post for more info.
  • Ghidriff: Ghidra Binary Diffing Engine. Back in my day, BinDiff was paid software. This is a great addition to your reverse engineering/diffing toolbox, and fully open source!
  • bbs - bbs is a router for SOCKS and HTTP proxies. It exposes a SOCKS5 (or HTTP CONNECT) service and forwards incoming requests to proxies or chains of proxies based on the request's target. Routing can be configured with a PAC script (if built with PAC support), or through a JSON file.
  • SignToolEx - Patching "signtool.exe" to accept expired certificates for code-signing.
  • WMIProcessWatcher - A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
  • Marble - The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
  • Def1nit3lyN0tAJa1lbr3akTool - A jailbreak tool for all arm64 devices on iOS 16.0 to iOS 16.5.
  • Amnesiac - Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments.
  • SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC - SharePoint RCE.
  • EDRSilencer - A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to their server. This is similar to shutter (shoutout to @naksyn).
  • Ghidra 11.0. Version 11.0 brings the "BSim" binary similarity tool, better Go binary support, and initial Rust binary support.
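As an added illustration of the kind of check a Swagger/OpenAPI auditor like sj performs (this is example code written for this post, not sj's own implementation): the script below walks a constructed OpenAPI 3 document, resolves the effective `security` requirement of every operation (operation-level lists override the document-level one, an explicit `[]` removes authentication, and an empty `{}` requirement object makes it optional), and reports operations reachable without credentials, unauthenticated mutating methods, and references to security schemes that were never declared. The sample spec, its paths and the scheme names are all made up for the example.

```python
"""Flag weakly protected operations in an OpenAPI 3 document.

Added example for this post; not code from sj or any other project.
The spec below is constructed for illustration only.
"""
import json

# Constructed sample document (not from a real service).
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.3",
  "info": {"title": "demo", "version": "1"},
  "security": [{"bearerAuth": []}],
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
  },
  "paths": {
    "/users": {
      "get":  {"summary": "list users"},
      "post": {"summary": "create user", "security": []}
    },
    "/health": {
      "get": {"summary": "liveness probe", "security": []}
    },
    "/admin/export": {
      "parameters": [{"name": "format", "in": "query"}],
      "delete": {"summary": "purge export",
                 "security": [{"bearerAuth": []}, {"apiKeyAuth": []}]}
    },
    "/docs": {
      "get": {"summary": "api docs", "security": [{}, {"bearerAuth": []}]}
    }
  }
}
''')

# Only these keys under a path item are operations; "parameters",
# "summary", "servers" etc. are metadata and must be skipped.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
MUTATING = {"PUT", "POST", "DELETE", "PATCH"}


def enumerate_operations(spec):
    """Yield (METHOD, path, effective_security) for every operation.

    An operation-level "security" list replaces the document-level one;
    an absent key inherits it; an explicit [] means no auth at all.
    """
    global_sec = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = op["security"] if "security" in op else global_sec
            yield method.upper(), path, sec


def allows_anonymous(sec):
    """True if the requirement list is empty or contains the empty object {},
    which OpenAPI defines as "authentication optional"."""
    return not sec or any(req == {} for req in sec)


def find_unauthenticated(spec):
    """Operations reachable without presenting any credential."""
    return [(m, p) for m, p, sec in enumerate_operations(spec) if allows_anonymous(sec)]


def find_unauthenticated_mutations(spec):
    """Subset of the above that changes server state: the first thing to triage."""
    return [(m, p) for m, p in find_unauthenticated(spec) if m in MUTATING]


def undefined_schemes(spec):
    """Scheme names referenced by a requirement but never declared in components.
    Such a requirement is a documentation bug, and usually unenforced."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    missing = set()
    for _, _, sec in enumerate_operations(spec):
        for req in sec:
            missing.update(name for name in req if name not in declared)
    return sorted(missing)


if __name__ == "__main__":
    for m, p in find_unauthenticated(SAMPLE_SPEC):
        tag = "MUTATING" if m in MUTATING else "read"
        print(f"no-auth {tag:8} {m:6} {p}")
    for name in undefined_schemes(SAMPLE_SPEC):
        print(f"undeclared security scheme referenced: {name}")
```

In practice you would load the JSON (or YAML) that a target exposes at paths such as `/swagger.json` or `/openapi.json` and feed it to the same functions; anything returned by `find_unauthenticated_mutations` is where a manual request to confirm the server actually enforces what the document claims pays off first.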

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Linpmem is a Linux memory acquisition tool.
  • tailspin - 🌀 A log file highlighter.
  • CLR_Heap_encryption. This is a PoC for a CLR sleep obfuscation attempt. It uses the IHostMemoryManager interface to control the memory allocated by the CLR. It turns out you can use both ICorRuntimeHost and ICLRRuntimeHost at the same time, so we can still use ICorRuntimeHost to run an assembly from memory while having all the benefits of ICLRRuntimeHost.
  • sheye - Open-source asset and vulnerability scanning tool.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.