Last Week in Security (LWiS) - 2024-12-02
Windows LPE (@SecuriTeam_SSD), Nighthawk 0.3.3 (@MDSecLabs), Advanced Cobalt Strike Usage (@_RastaMouse), Webcam LED control (@andreyknvl), AI/ML attacks (@olivier_boschko), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-25 to 2024-12-02.
News
- Intel, Biden-Harris Administration Finalize $7.86 Billion Funding Award Under US CHIPS Act - Apparently not enough to save Intel CEO Pat Gelsinger's job.
- Nighthawk 0.3.3 - Evanesco - The team at MDSec has stepped up their in-memory evasion techniques with this new release. With the new Python API and ability to register custom commands, Nighthawk is becoming a contender to dethrone Cobalt Strike.
- RomCom exploits Firefox and Windows zero days in the wild - Two 0days led to Firefox/Windows compromise without user interaction - browse to page, get exploited. These kinds of 0-click exploits are becoming rarer as browsers and operating systems become increasingly sandboxed/hardened.
- It's Baaack… Credit Card Canarytokens are now on your Consoles - Probably not a concern for redteamers (are you trying credit card numbers?), but defenders may want to consider dropping some canarytoken cards in their databases. Hopefully other canarytokens have fired long before the cards, but defense in depth is always a good idea.
- Raspberry Pi Pico 2 - The chip that powered the DEF CON badges this year is now available in a $5 microcontroller ($7 if you want WiFi and Bluetooth).
Techniques and Write-ups
- SSD Disclosure Advisory - ksthunk.sys Integer Overflow (Windows LPE) Sponsored - A vulnerability in the ksthunk.sys driver allows a local attacker to exploit an Integer Overflow vulnerability and gain elevated privileges on Windows (PoC provided). Microsoft states it has been patched, but it still works on the latest Windows 11. Have an exploit you want to disclose? Check out SSD Secure Disclosure to know more.
- DeepSeek AI: From Prompt Injection To Account Takeover - With web frontends and code generation, LLMs can be used to generate cross site scripting (XSS) payloads that get executed in the browser.
- Gaming Engines: An Undetected Playground for Malware Loaders - Using a game engine to load malware is a clever technique to evade detection. The use of the 3D renderer to check for sandboxed environments is a nice touch.
- Exploring Anti-Phishing Measures in Microsoft 365 - Pt. 2 - The arms race of phishing warnings implemented in HTML/CSS continues. Since senders can determine the style of their emails, they can modify the styles of the warnings that Microsoft 365 displays to hide them - mostly.
- The New PKCE Authentication in AWS SSO Brings Hope (Mostly) - Device Code phishing should be a thing of the past, but Amazon still has it enabled and there is no way to disable it. The post includes details about PKCE (Proof Key for Code Exchange) and helpful hints on how to hunt for device code authentications.
- Group Policy Security Nightmares pt2 - Loving this series on Group Policy. Each post is a short explanation of a vulnerable Group Policy and how it can be abused.
- Windows Sockets: From Registered I/O to SYSTEM Privileges - A Windows local privilege escalation via a vulnerability patched in August 2024 that uses a heap spray is detailed here. This PoC is not affiliated with the post, be careful.
- Wake up and Smell the BitLocker Keys - Another post on BitLocker key extraction. Without a second factor, consider BitLocker an annoyance to moderately sophisticated attackers, not a security feature.
- UDRL, SleepMask, and BeaconGate - Cobalt Strike has evolved quite a bit over the last few years. This post breaks down the User-Defined Reflective Loader (UDRL), SleepMask, and BeaconGate.
- Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges - Learn how to craft and understand adversarial attacks on AI/ML models through hands-on challenges.
Tools and Exploits
- lights-out - Tools for controlling webcam LED on ThinkPad X230. See the [PDF] slides for more fuel to tape over your webcams.
- ShadowHound - PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).
- SilentLoad - Loads a drivers through NtLoadDriver by setting up the service registry key directly. To be used in engagement for Bring Your Own Vulnerable Driver (BYOVD), where service creation creates an alert. Could also be useful with WinDivert/PortBender.
- Enumprotections_BOF - A BOF to enumerate system process, their protection levels, and more.
- Eclipse - Activation Context Hijack.
- censeye - This tool is designed to help researchers identify hosts with characteristics similar to a given target. The tool can discover useful pivots in Censys host data and (optionally) crawl related hosts using data from those discoveries.
- KrbRelayEx - KrbRelayEx is a tool designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets. It listens for incoming SMB connections and forwards the AP-REQ to the target host, enabling access to SMB shares or HTTP ADCS (Active Directory Certificate Services) endpoints on behalf of the targeted identity.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- badmalloc (CVE-2023-32428) - a macOS LPE - A file race condition in macOS leads to a local privilege escalation. Apple does not handle the bug bounty well, sadly.
- Hooka - Shellcode loader generator with multiples features.
- urlfinder - A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.
- Hannibal - A Mythic Agent written in PIC C.
- bananas - Bananas🍌, Cross-Platform screen 🖥️ sharing 📡 made simple ⚡.
- reg_snake - Python tool to interact with WMI StdRegProv.
- floki - Agentic Workflows Made Simple.
- GPOHunter - A security assessment tool for analyzing Active Directory Group Policy Objects (GPOs) to identify misconfigurations and vulnerabilities.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.