Last Week in Security (LWiS) - 2024-01-30

Fastly to block domain fronting 🔜, EDR bypass via VEH (@VirtualAllocEx), BOFHound enhancements (@Tw1sm), Frameless BITB (@waelmas01), Asus ndays (@suidpit + @Th3Zer0), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-22 to 2024-01-30.


Techniques and Write-ups

Tools and Exploits

  • SOAPHound - This made some noise this week. A custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
  • InjectKit - Modified versions of the Cobalt Strike Process Injection Kit
  • Stardust - A modern 64-bit position independent implant template. Came with a good blog if you want to take a look here.
  • Grroxy - Another competitor to Burpsuite Pro? Caido is another one that comes to mind.
  • Frameless BITB - A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx. Even came with a demo.
  • CsWhispers - Source generator to add D/Invoke and indirect syscall methods to a C# project.
  • EventLogCrasher - Proof of concept for a bug, that allows any user to crash the Windows Event Log service of any other Windows 10/Windows Server 2022 machine on the same domain. The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.
  • ExecIT - Execute shellcode files with rundll32.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Understanding Windows x64 Assembly - Add this to your Windows programming reading list.
  • Trimarc Whitepaper: Owner or Pwnd? - This whitepaper touches on all aspects of AD ownership: Organizational Units (OUs), Computers, Groups, Users, AD Certificate Services (ADCS), Group Policy Objects (GPOs), and even Active Directory Integrated DNS (ADI DNS).
  • - ✨ Innovative and open-source visualization application that transforms various data formats, such as JSON, YAML, XML, CSV and more, into interactive graphs.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.