Last Week in Security (LWiS) - 2025-01-20
Windows LPE (@MrAle_98), CLR OPSEC (@passthehashbrwn), WinRM BOFs (@falconforceteam), Bitlocker bypass (@Neodyme), BloodHound CLI (@cmaddalena), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-01-13 to 2025-01-20.
News
- Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity - The White House drops one last cybersecurity executive order before the transition. Nothing really novel here: follow best practices, FedRAMP all the things, do security better.
- Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers - I suppose the FBI accessing US computers is now standard operating procedure. This is the second widely published case after 2021's FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks. A creative use of warrants.
Techniques and Write-ups
- Intune Attack Paths — Part 1 - SpecterOps has been leading the charge on Intune attacks, and this post is a great overview of all the red team things you can do with it.
- Accessing resources cross tenant using managed service identities - This could be used to allow an "attacker tenant" to access resources in a "victim tenant."
- Being a good CLR host - Modernizing offensive .NET tradecraft - Custom common language runtime (CLR) loading is key to good OPSEC. "If you are still trying to reflectively load an assembly named Seatbelt in whatever year you are reading this then I would suggest you close this blog post and pursue a more fulfilling activity." 🤣 Code here: Being-A-Good-CLR-Host.
- raink: Use LLMs for Document Ranking - Seems off topic, but Bishop Fox uses it for problems like, "Which of these code diffs most likely fixes the issue described in the following security advisory?" Code here: raink.
- Exploring WinRM plugins for lateral movement - We had no idea WinRM could use plugins, and this post introduces a custom plugin for lateral movement as well as ways to move over files without Defender detection.
- Windows BitLocker -- Screwed without a Screwdriver - Very in-depth post on BitLocker and how to pull off a downgrade + PXE boot attack to get unencrypted data. However, it requires access to the unlocked machine to get the Boot Configuration Data (BCD) to create the modified BCD which puts the BitLocker key in memory but then boots via PXE. I suspect there is a way to make a generalized BCD and then put this whole attack on a Pi Zero or similar. The 38c3 talk on the topic was well done and includes a demo.
- The Key to COMpromise - Pwning AVs and EDRs by Hijacking COM Interfaces, Part 1 - Exploit the EDR on a Windows machine to get SYSTEM! Slides: 38c3_com_talk.
- Practical Methods for Decapping Chips - A niche topic not often discussed. Neat to see a post on the prerequisite physical attack required on many chips before glitching or other attacks can take place.
Tools and Exploits
- CVE-2024-49138-POC - Windows LPE Proof of Concept that exploits CVE-2024-49138 in CLFS.sys.
- CVE-2024-43468 - Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit. This one will be big for years to come I predict. Unpatched SCCM results in total network pwnage from any unauthenticated endpoint that can reach a management point. Full write up here.
- RSYNC: 6 vulnerabilities - A heap buffer overflow leads to RCE. A tale as old as time.
- Patronusx - This tool captures command line inputs during security assessments, meticulously redacts any sensitive information, and organizes the data by command type.
- IPFilter - IP address filter by City.
- dyana - A sandbox environment designed for loading, running and profiling a wide range of files, including machine learning models, ELFs, Pickle, JavaScript and more.
- SSD Advisory – Palo Alto Expedition RCE (RegionsDiscovery) - "A vulnerability in the /API/regionsDiscovery.php endpoint allows unauthenticated attackers to trigger a call to an Apache Spark server (attacker controlled) which can then be used to cause the execution of arbitrary code." This feels like an echo of Log4Shell.
- Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE (CVE-2025-0282) - "This is purposefully broken in non-trivial ways and will require effort to work as outlined previously in our exploitation technique blogpost." Not to worry, PoCs for CVE-2025-0282 appear to be fully functional (for 22.7r2.4 anyway).
- rust_template - A template for Rust projects to be able to compile as an exe or a dll with sRDI compatibility for windows.
- CVE-2024-27397 - A local privilege escalation in Linux 4.1 to 6.8 exists if you can create user/net namespaces. The exploit itself is 100% effective, but the KASLR bypass is 90% effective (and may differ based on CPU).
- Introducing BloodHound CLI - A new Go command line tool to install and manage a Bloodhound server.
- gemini-web-navigator - Experiments with Google Gemini's Vision capabilities for LLM driven/aided web navigation and desktop manipulation.
- BetterNetLoader - A version of NetLoader, Execute Assemblies and Bypass ETW and AMSI using Hardware Breakpoints.
- DataExplorer - The DataExplorer plugin integrates the pattern language from ImHex into x64dbg.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- injectly - I think this is meant for web design agencies, but it feels like a red team tool to manage and update phishing sites.
- Etw-SyscallMonitor - Monitors ETW for security-relevant syscalls, maintaining the set called by each unique process.
- AIGoat - AIGoat: a deliberately vulnerable AI infrastructure. Learn AI security through solving our challenges.
- windows_x64_shellcode_template - An easily modifiable shellcode template for Windows x64 written in C.
- mini-rack - Miniature rack builds, for portable or compact Homelabs.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.