Last Week in Security (LWiS) - 2025-03-10

Detection Studio (@sifex), SCCM discovery account decryption (@unsigned_sh0rt), FindProcessesWithNamedPipes (@podalirius_), Windows LPE (@MrAle_98), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-03-03 to 2025-03-10.

News

Techniques and Write-ups

  • !exploitable Episode Two - Enter the Matrix - Love this blast from the past - SSHNuke, a real exploit used in The Matrix Reloaded.
  • New Method to Leverage Unsafe Reflection and Deserialisation to Rce on Rails - Deserialization bugs aren't new, but this post explores a new technique to leverage them for remote code execution on a default Rails install by using the sqlite3 gem.
  • Exploiting Neverwinter Nights - The 2002 RPG game gets exploited to allow remote code execution on a client that connects to a malicious server. While the specific exploit is unlikely to be useful to you, the process of finding and creating the exploit is well documented.
  • Node is a loader - The suggestion of using Logitech Hub as an initial access hijacked app is interesting.
  • Kerberoasting w/o the TGS-REQ - If your compromised user has an appropriate service ticket cached in their logon session, you can just describe it out and try to crack it.
  • Decrypting the Forest From the Trees - "SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API." There was an update to sccmhunter to add the get_forestkey command as well.

Tools and Exploits

  • Detection Studio - A new tool to help detection engineers get the most out of Sigma. Learn more here.
  • ZeroProbe - ZeroProbe is an advanced enumeration and analysis framework designed for exploit developers, security researchers, and red teamers. It provides a set of enumeration tools to identify security vulnerabilities, analyze system protections, and facilitate exploit development.
  • Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying - rayhunter turns an Orbic mobile hotspot into a Stingray detector.
  • CVE-2025-21333-POC - POC exploit for CVE-2025-21333 heap-based buffer overflow privilege escalation exploit for Windows 11 23H2. It leverages WNF state data and I/O ring IOP_MC_BUFFER_ENTRY. Read more here.
  • FindProcessesWithNamedPipes - A simple C++ Windows tool to get information about processes exposing named pipes.
  • ACLViewer - ACL Viewer for Windows.
  • ocd-mindmaps - Orange Cyberdefense mindmaps. mindmap_ad_dark_classic_2025.03.excalidraw.svg is new/updated.
  • RunAs-Stealer - RunAs Utility Credential Stealer implementing 3 techniques: hooking CreateProcessWithLogonW, smart keylogging, and remote debugging.
  • RepoMan - Repoman is a command-line tool designed to automate the creation, modification, and management of Git repositories.
  • SharpRBCD - An executable that simplifies adding the msds-AllowedToActOnBehalfOfOtherIdentity attribute for RBCD.
  • phisherman - A real fake social engineering app.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.