Last Week in Security (LWiS) - 2024-10-28

Delta Sues Crowdstrike (@CrowdStrike), Jenkins Post-Exploitation (@TrustedSec), PE embedded within a PNG (@MalDevAcademy), Prompt Injection to C2 (@wunderwuzzi23), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-21 to 2024-10-28.

News

Techniques and Write-ups

Tools and Exploits

  • ExecutePeFromPngViaLNK - Extract and execute a PE embedded within a PNG file using an LNK file.
  • Chrome-App-Bound-Encryption-Decryption - Tool to decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface with path validation and encryption protections.
  • udpz - Speedy probe-based UDP service scanner.
  • OctoC2t - Simple C2 using a GitHub repository as the comms channel.
  • KernelCallbackTable-Injection-PoC - Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow.
  • SkyScalpel - SkyScalpel is an open-source framework for JSON policy parsing, obfuscation, deobfuscation, and detection in cloud environments. It provides flexible and highly configurable mechanisms to handle JSON-level obfuscation, IAM policy transformations, and the detection of evasive obfuscation techniques in cloud security contexts.
  • AuthStager - AuthStager is a proof-of-concept tool that generates a custom stager shellcode that authenticates to the stager server using an authentication token.
  • ShareFouine - This Python script allows you to easily navigate SharePoint using UNIX-like commands.
  • TypeLibWalker - A new persistence technique for Windows machines that abuses TypeLib registration.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • openbas - Open Breach and Attack Simulation Platform.
  • pyLootApacheServerStatus - A script to automatically dump all URLs present in /server-status to a file locally.
  • LOLSearches - Living off the land searches for explorer and sharepoint.
  • goopts - goopts, a Go library to parse the arguments given to a program on the command line.
  • DGPOEdit - Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines.
  • UniGetUI - UniGetUI: The Graphical Interface for your package managers. Could be terribly described as a package manager manager to manage your package managers.
  • skyvern - Automate browser-based workflows with LLMs and Computer Vision.
  • Bindable Microservices with Cloudflare Workers - three files, one command, boom - you have a backend. Cloudflare is magic!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.