Last Week in Security (LWiS) - 2024-06-17

Nighthawk 0.3 (@MDSecLabs), Musl heap exploit (@NCCsecurityUS), Copilot chat 💉 (@wunderwuzzi23), allowPrivilegeEscalation in K8s (@christophetd), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-10 to 2024-06-17.

News

Techniques and Write-ups

Tools and Exploits

  • Voidgate - A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
  • Hunt-Sleeping-Beacons - Aims to identify sleeping beacons.
  • Invoke-ADEnum - Automate Active Directory Enumeration.
  • QRucible - Python utility that generates "imageless" QR codes in various formats.
  • RdpStrike - Positional Independent Code to extract clear text password from mstsc.exe using API Hooking via HWBP.
  • Deobfuscar - A simple commandline application to automatically decrypt strings from Obfuscator protected binaries.
  • gcpwn - Enumeration/exploit/analysis/download/etc pentesting framework for GCP; modeled like Pacu for AWS; a product of numerous hours via @WebbinRoot.
  • honeyzure - HoneyZure is a honeypot tool specifically designed for Azure environments, fully provisioned through Terraform. It leverages a Log Analytics Workspace to ingest logs from various Azure resources, generating alerts whenever the deceptive Azure resources are accessed.
  • SteppingStones - A Red Team Activity Hub.
  • CVE-2024-26229 - CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code.
  • CVE-2024-26229-BOF - BOF implementations of CVE-2024-26229 for Cobalt Strike and BruteRatel.
  • profiler-lateral-movement - Lateral Movement via the .NET Profiler.
  • SlackEnum - A user enumeration tool for Slack.
  • ScriptBlock-Smuggling - Example code samples from our ScriptBlock Smuggling Blog post.
  • NativeDump - Dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • nowafpls - Burp Plugin to Bypass WAFs through the insertion of Junk Data.
  • lazyegg - LazyEgg is a powerful tool for extracting various types of data from a target URL. It can extract links, images, cookies, forms, JavaScript URLs, localStorage, Host, IP, and leaked credentials.
  • KeyCluCask - Simple and handy overview of applications shortcuts.
  • security-hub-compliance-analyzer - A compliance analysis tool which enables organizations to more quickly articulate their compliance posture and also generate supporting evidence artifacts.
  • Nemesis-Ansible - Automatically deploy Nemesis.
  • Packer_Development - Slides & Code snippets for a workshop held @ x33fcon 2024.
  • InsightEngineering - Hardcore Debugging.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.