Last Week in Security (LWiS) - 2024-02-12

LDAP tradecraft (@domchell), CreateRemoteThread safety (@m417z), Lab automation (@W9HAX), LoFP (@br0k3ns0und), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-07 to 2024-02-12.

News

Techniques and Write-ups

Tools and Exploits

  • ParentProcessValidator.cpp - This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
  • EternelSuspention - A simple PoC showing that a local administrator can suspend EDR-protected processes.
  • NidhoggScript - NidhoggScript is a tool to generate a "script" file that allows execution of multiple commands for Nidhogg. Nidhogg is an all-in-one, simple-to-use rootkit.
  • TPM-Sniffing - Retrieving BitLocker keys from the TPM over SPI, I2C or LPC requires an understanding of the specific bus protocol supported by the TPM chip, as well as the device's make and model.
  • conditional-love - An AWS metadata enumeration tool.
  • gocheck - GoCheck is a blazingly fast™ alternative to Matterpreter's DefenderCheck. It identifies the exact bytes that Windows Defender AV flags by feeding progressively sized byte slices of the file to MpCmdRun.exe.
  • NTLM Relay Gat - NTLM Relay Gat automates the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. Once relayed sessions are established it drives them for you, offering functionality ranging from listing SMB shares to executing commands on MSSQL databases.
  • Native Threadpool - Work, timer, and wait callback example using solely Native Windows APIs.
  • LoLCerts - A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
  • Living off the False Positive! - Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic. See the blog post Introducing LoFP for more info.
  • BadExclusionsNWBO - BadExclusionsNWBO is an evolution of BadExclusions that identifies custom or undocumented folder exclusions on AV/EDR.
  • Remote-buffer-overflow-over-wifi_stack-in-wpa_supplicant-binary-in-android-11-platform-samsung-a20e - Remote buffer overflow in the wifi_stack of the wpa_supplicant binary on Android 11 (Samsung A20e, stock firmware), so it works out of the box.
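
The gocheck entry above is a good excuse to show how the DefenderCheck family actually locates "the exact bytes": the tool does not reverse the signature database, it scans ever-shorter prefixes of the file and bisects on the verdict. The Go below is an added example written for this post, not gocheck's or DefenderCheck's own code. MpCmdRun.exe is replaced by a mock scanner (MockScan) that flags any buffer containing a constructed marker, so the whole thing runs offline; the marker bytes, the 4 KiB sample "binary" and the function names are all assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Scanner returns true when the engine flags the given bytes.
// gocheck/DefenderCheck realise this by writing the slice to a temp file and
// running MpCmdRun.exe against it; here the verdict comes from MockScan.
type Scanner func(data []byte) bool

// MockScan stands in for MpCmdRun.exe (assumption for this example): it
// "detects" any buffer that contains the constructed signature sig.
func MockScan(sig []byte) Scanner {
	return func(data []byte) bool {
		return bytes.Contains(data, sig)
	}
}

// FindThreshold bisects over prefix lengths of data to find the shortest
// prefix the scanner flags. That length is the offset just past the last byte
// of whatever signature fired; -1 means the whole file is clean. The second
// result is the number of scans performed, roughly log2(len(data))+1, which
// is why this beats scanning byte by byte.
//
// Caveat: the search assumes verdicts are monotonic in prefix length (once a
// prefix is flagged, every longer prefix is too). Real engines can break that
// assumption, e.g. with several signatures or checks that fail on a truncated
// PE header, so the result is "where detection starts", not a full signature.
func FindThreshold(data []byte, scan Scanner) (threshold, scans int) {
	scans = 1
	if !scan(data) {
		return -1, scans
	}
	lo, hi := 0, len(data) // invariant: data[:lo] is clean, data[:hi] is flagged
	for hi-lo > 1 {
		mid := lo + (hi-lo)/2
		scans++
		if scan(data[:mid]) {
			hi = mid
		} else {
			lo = mid
		}
	}
	return hi, scans
}

// ContextBytes returns up to n bytes ending at offset end: the window an
// operator hex-dumps to see what the engine keyed on.
func ContextBytes(data []byte, end, n int) []byte {
	if end > len(data) {
		end = len(data)
	}
	start := end - n
	if start < 0 {
		start = 0
	}
	return data[start:end]
}

// BuildSample constructs a fake "binary": total bytes of filler with sig
// planted at offset at. Constructed test input, not a real payload.
func BuildSample(sig []byte, at, total int) []byte {
	data := make([]byte, total)
	for i := range data {
		data[i] = byte(0x90 + i%7) // filler bytes that never form sig
	}
	copy(data[at:], sig)
	return data
}

func main() {
	sig := []byte("MALWARE") // constructed marker, not a real Defender signature
	sample := BuildSample(sig, 1000, 4096)
	off, n := FindThreshold(sample, MockScan(sig))
	fmt.Printf("detection threshold at offset %d after %d scans\n", off, n)
	fmt.Printf("bytes before threshold: % x\n", ContextBytes(sample, off, 16))
}
```

Swapping MockScan for a function that writes the slice to disk and shells out to MpCmdRun.exe -Scan -ScanType 3 -File gives you the real tool's behaviour; keep the monotonicity caveat in mind when the reported offset lands somewhere that makes no sense, and remember that Defender will happily quarantine the temp file it just flagged.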

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • awesome-tunneling - List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
  • gftrace - A command line Windows API tracing tool for Golang binaries.
  • AutomatedBadLab - Scripts to provision vulnerable and testing environments using AutomatedLab.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.