Last Week in Security (LWiS) - 2024-10-14

FortiGate exploit (@watchtowrcyber), Azure admin approval bypass (@PedroGabaldon), dylib 💉 in Teams (@Coiffeur0x90), Ivanti Connect Secure vuln (@buffaloverflow), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-07 to 2024-10-14.

News

Techniques and Write-ups

Tools and Exploits

  • Voidmaw - A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by antimalware programs (such as mimikatz).
  • Proxll - Tool designed to simplify the generation of proxy DLLs while addressing common conflicts related to windows.h.
  • Sharelord - .NET Assembly that creates network shares, sets ACE entries for directories, sets share perms, and deletes shares. Learning project for C#.
  • TrailDiscover - An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references and security implications.
  • orc2timeline - orc2timeline extracts and analyzes artifacts contained in archives generated with DFIR-ORC.exe to create a timeline from them.
  • CVE-2024-9465 - Proof of Concept Exploit for CVE-2024-9465 (Palo Alto Expedition unauthenticated SQL injection).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • pssrecon - Small tool to perform SCCM recon and enumerate a Primary Site Server (PSS) or Distribution Point (DP) over winreg. This can enumerate useful information such as the Site Database, whether a DP allows anonymous access, if a DP is PXE enabled and the location of Management Points (MP) in the site.
  • misconfig-mapper - Misconfig Mapper is a fast tool to help you uncover security misconfigurations on popular third-party services used by your company and/or bug bounty targets!
  • MiniKvm_public - This repo contains all the code and documentation for the MiniKvm project and the CH9329 controller.
  • Aggressor-Aggregator - A helper script for consolidating Aggressor and BOF repositories into a single CNA for Cobalt Strike.
  • ADcheck - Assess the security of your Active Directory with few or all privileges.
  • gocrack - GoCrack is a management frontend for password cracking tools written in Go.
  • Living Off Security Tools - It was only a matter of time. Let's not forget Iscariot Suite. Not sure if this project will take off or not but we will track it.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.