Last Week in Security (LWiS) - 2024-12-02

Windows LPE (@SecuriTeam_SSD), Nighthawk 0.3.3 (@MDSecLabs), Advanced Cobalt Strike Usage (@_RastaMouse), Webcam LED control (@andreyknvl), AI/ML attacks (@olivier_boschko), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-25 to 2024-12-02.

News

Techniques and Write-ups

Tools and Exploits

  • lights-out - Tools for controlling webcam LED on ThinkPad X230. See the [PDF] slides for more fuel to tape over your webcams.
  • ShadowHound - PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).
  • SilentLoad - Loads a driver through NtLoadDriver by setting up the service registry key directly. To be used in engagements for Bring Your Own Vulnerable Driver (BYOVD), where service creation would raise an alert. Could also be useful with WinDivert/PortBender.
  • Enumprotections_BOF - A BOF to enumerate system processes, their protection levels, and more.
  • Eclipse - Activation Context Hijack.
  • censeye - This tool is designed to help researchers identify hosts with characteristics similar to a given target. The tool can discover useful pivots in Censys host data and (optionally) crawl related hosts using data from those discoveries.
  • KrbRelayEx - KrbRelayEx is a tool designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets. It listens for incoming SMB connections and forwards the AP-REQ to the target host, enabling access to SMB shares or HTTP ADCS (Active Directory Certificate Services) endpoints on behalf of the targeted identity.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • badmalloc (CVE-2023-32428) - a macOS LPE - A file race condition in macOS leads to a local privilege escalation. Apple does not handle the bug bounty well, sadly.
  • Hooka - Shellcode loader generator with multiple features.
  • urlfinder - A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.
  • Hannibal - A Mythic Agent written in PIC C.
  • bananas - Bananas🍌, Cross-Platform screen 🖥️ sharing 📡 made simple ⚡.
  • reg_snake - Python tool to interact with WMI StdRegProv.
  • floki - Agentic Workflows Made Simple.
  • GPOHunter - A security assessment tool for analyzing Active Directory Group Policy Objects (GPOs) to identify misconfigurations and vulnerabilities.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.