Last Week in Security (LWiS) - 2024-03-25

CI/CD attacks (@bishopfox), IdP pwnage (@_xpn_), on-prem exchange attacks (@Jonas_B_K), Windows privesc (@p1k4l4), SCCM in GOAD (@M4yFly), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-18 to 2024-03-25.


  • Unveiling malware behavior trends - Analyzing a Windows dataset of over 100,000 malicious files by Elastic Security Labs.
  • Introducing STAR-FS The Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations.
  • GoFetch - A new vulnerability baked into Apple's M-series of chips that allows attackers (and/or userspace applications) to extract secret keys from Macs. It looks like there are mitigation flags that can be set to mitigate this for sensitive cryptographic calls. Time will tell if they are effective/implemented.
  • The US Department of Justice is suing Apple — read the full lawsuit here - Will this lead to a more open iOS? Maybe, but it will be years before anything (if anything) changes.

Techniques and Write-ups

Tools and Exploits

  • WhoIsWho - Alternatives to the command whoami
  • dropper- Project that generates Malicious Office Macro Enabled Dropper for DLL SideLoading and Embed it in Lnk file to bypass MOTW
  • Perfect DLL Proxy - Perfect DLL Proxying using forwards with absolute paths. [I'm partial to Spartacus]
  • Jigsaw - Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
  • IoDllProxyLoad - DLL proxy load example using the Windows thread pool API, I/O completion callback with named pipes, and C++/assembly
  • OpenTIDE - Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections.
  • HttpRemotingObjRefLeak - Additional resources for leaking and exploiting ObjRefs via HTTP .NET Remoting CVE-2024-29059.
  • Pwned by the Mail Carrier - Compromising exchange with some defensive guidance on adjusting ACEs to limit Exchange's AD permissions and establishing security boundaries for Tier Zero assets. Jonas is on a tear lately.
  • Another Dll Proxying Tool - DLL proxying for lazy people
  • nimvoke - Indirect syscalls + DInvoke made simple.
  • ActionsCacheBlasting - Proof-of-concept code for research into GitHub Actions Cache poisoning.
  • CVE-2023-36424 - Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • SO-CON 2024 - SO-CON 2024 presentations released. Videos coming soon!
  • The Top 100+ Developer Tools 2023 - Looking for a research target inspiration? "This year we analyzed well over 12 million data points shared by you - the StackShare community - to bring you these rankings."
  • Devika - Devika is an Agentic AI Software Engineer that can understand high-level human instructions, break them down into steps, research relevant information, and write code to achieve the given objective. Devika aims to be a competitive open-source alternative to Devin by Cognition AI.
  • VoiceCraft: Zero-Shot Speech Editing and Text-to-Speech in the Wild - VoiceCraft is a token infilling neural codec language model, that achieves state-of-the-art performance on both speech editing and zero-shot text-to-speech (TTS) on in-the-wild data including audiobooks, internet videos, and podcasts. The model weights aren't out yet but should be by the end of the month. This is going to make vishing deadly.
  • lumentis - AI powered one-click comprehensive docs from transcripts and text.
  • Cobalt Strike Resources - Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection.
  • bincapz - Enumerate binary capabilities, including malicious behaviors.
  • Mutual TLS (mTLS) Go client - How to build an mTLS Go client that uses the Windows certificate store.
  • Windows vs Linux Loader Architecture - Side-by-side comparison of the Windows and Linux (GNU) Loaders.
  • Twikit - Simple API wrapper to interact with twitter's unofficial API. You can log in to Twitter using your account username, email address and password and use most features on Twitter, such as posting and retrieving tweets, liking and following users. Curious on how long this will last.
  • tracecat - 😼 The AI-native, open source alternative to Tines / Splunk SOAR.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.