Last Week in Security (LWiS) - 2024-03-11

Midnight Blizzard vs Microsoft, Fuzzer dev (@h0mbre_), Browserless Entra flow (@_wald0), SCCM one-stop-shop (@subat0mik + @_Mayyhem + @garrfoster), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-04 to 2024-03-11.

News

Techniques and Write-ups

Tools and Exploits

  • Parasite-Invoke - Hide your P/Invoke signatures through other people's signed assemblies
  • ADeleginator - A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
  • Misconfiguration Manager - A central knowledge base for all known Microsoft Configuration Manager tradecraft and the associated defensive and hardening guidance.
  • yasha - Yet another security header analyzer.
  • nemesis - Nemesis agent for Mythic.
  • NimPlant v1.3 - "a lot of code refactoring and various enhancements."
  • brew-lpe-via-periodic - Brew Local Privilege Escalation exploit on Intel macOS.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Are We Helping? - Interesting perspective. Thought-provoking notes about the current state of infosec.
  • Freyja Purple Team Agent - Freyja is a Golang purple team agent that compiles into Windows, Linux, and macOS x64 executables.
  • Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments - Potential framework for those smaller teams that need a solution to look for known evil in their cloud environments. The question is, where do you get those indicators while they're still relevant?
  • gitlab-secrets - This tool analyzes a given Gitlab repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
  • dockerc - Container image to single-executable compiler.
  • PoolParty - A set of fully-undetectable process injection techniques abusing Windows Thread Pools.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.