Last Week in Security (LWiS) - 2024-04-08

Evilginx + GoPhish (@mrgretzky), Ghostwriter updates (@cmaddalena), Intune EPM privesc (@synzack21 + team) 🎣 page bot defense (@fin3ss3g0d), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-01 to 2024-04-08.

News

Techniques and Write-ups

Tools and Exploits

  • Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation - "any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks."
  • Burp2API - Converting your Burp Suite projects into JSON APIs.
  • nimfilt - A collection of modules and scripts to help with analyzing Nim binaries.
  • Evilginx 3.3 - Go & Phish - Evilginx has an official integration with GoPhish!
  • APK Downloader - APK downloader from a few sources.
  • No-Consolation - A BOF that runs unmanaged PEs inline. Updated this week to automatically encrypt and store binaries in memory which allows multiple runs of the same binary without having to send it to target each time.
  • interceptor - Sample Rust Hooking Engine.
  • Aplos - An extremely simple fuzzer for Windows binaries.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • CVE-2024-28085 - WallEscape vulnerability in util-linux.
  • VolWeb - A centralized and enhanced memory analysis platform.
  • secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers.
  • kasld - Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).
  • SignSaboteur - Burp Suite extension for editing, signing, and verifying various signed web tokens.
  • Blauhaunt - A tool collection for filtering and visualizing logon events. Designed to help answer the "Cotton Eye Joe" question (where did you come from, where did you go) in security incidents and threat hunts.
  • Physsec Methodology - A public, open-source physical security methodology.
  • Microsoft-Extractor-Suite - A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
  • Microsoft-Analyzer-Suite - A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.
  • ARL - Injecting a DLL into a process directly from memory rather than from disk.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.