Last Week in Security (LWiS) - 2024-04-29

AD Group abuse (@decoder_it), NetNTLM leak attacks (@pfiatde), 'adversary flywheels' (@WHITEHACKSEC), Nemesis 1.0 (@harmj0y + team) and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.

News

Techniques and Write-ups

Tools and Exploits

  • GoogleRecaptchaBypass - Solve Google reCAPTCHA in less than 5 seconds! 🚀
  • ASPJinjaObfuscator - Heavily obfuscated ASP web shell generation tool.
  • ja4tscan - JA4TScan is an active TCP server fingerprinting tool.
  • tiny-gpu - A minimal GPU design in Verilog to learn how GPUs work from the ground up.
  • AutoAppDomainHijack - Automated .NET AppDomain hijack payload generation.
  • ReadWriteDriverSample - Sample driver + user component to demonstrate writing into arbitrary process memory from Kernel via CR3 manipulation (opposed to the usual KeStackAttachProcess API).
  • PartyLoader - Threadless shellcode injection tool.
  • 24h2-nt-exploit - Exploit targeting NT kernel in 24H2 Windows Insider Preview.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • ics-forensics-tools - Microsoft ICSpector (ICS Forensics Tools framework) is an open-source forensics framework that enables the analysis of Industrial PLC metadata and project files.
  • Evidence Collection Environment - This environment is intended to be useful for when you have multiple investigators or external parties adding data for evaluation. Some key features (hopefully) implemented in this setup leverage the Azure Storage legal hold, Azure Storage analytics logging for validation of access by which parties, Azure Key Vault logging with the logs going to a Log Analytics workspace in the resource group.
  • DLHell - Local & remote Windows DLL Proxying.
  • MS-DOS - The original sources of MS-DOS 1.25, 2.0, and 4.0 for reference purposes.
  • cdncheck - A utility to detect various technology for a given IP address.
  • CloudInject - This is a simple tool which can be used to inject a DLL into third-party AD connectors to harvest credentials.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.