Last Week in Security (LWiS) - 2025-05-19
Certipy 5 (@ly4k_), MobileIron pwnage (@chudyPB), new CRTO pricing (@_ZeroPointSec), Volatility 3 parity (@volatility), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-05-12 to 2025-05-19.
News
- New Site Launch - Zero Point Security (from @_RastaMouse), the company behind the increasingly popular Certified Red Team Operator (CRTO) course, has a new site and a new lab provider backend. Best of all, exams are now on-demand (previously they had to be scheduled) and retakes are free. Awesome!
- Rogue communication devices found in Chinese solar power inverters - This article makes bold claims, with little fact or evidence, from "two people." I don't doubt it's happening, but find a device and show it if you're going to write an article. It reminds me of the 2018 classic: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies which led to... nothing (except tanking $SMCI).
- Advanced Protection: Google’s Strongest Security for Mobile Devices - Apple has "Lockdown mode," Google now has "Advanced Protection." End-to-end encrypted security logs stored in the cloud are a really cool feature that is sure to have advanced attackers thinking twice about using that 0day on a phone with Advanced Protection enabled.
- Ground control to Major Trial - Oh boy, if you host nearly 4,000 VMs on a platform, it's time to pay for a license. One wonders if the cost (person-hours) of creating the trial-refresh system and then updating the trial license every month was more than a license. I suspect it was.
Techniques and Write-ups
- Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428) - Your weekly watchTowr blog, this time it's MobileIron, aka Ivanti mobile device management (MDM). Always a great detailed read.
- Analyzing the Attack Surface of Ivanti's DSM - Ivanti's Desktop & Server Management (DSM) product allows for centralized distribution of software packages, so similar to MDM, but for desktops and servers. This detailed article focuses on software management on Windows hosts, and all the pitfalls you may run into before the software is End-Of-Life'd in December 2026. Because no one will be running it after that, right?
- GOst in the Protocol: Hunting Ligolo with JARM Fingerprinting in the wild - "We identified three distinct JARM signatures that reliably identify Ligolo proxy servers in the wild: one for Ligolo 0.7.x, one for Ligolo 0.8.x, and one for Ligolo-MP (which is shared with Sliver C2)." Beyond a simple JARM signature, the post explores how to verify that what looks like Ligolo actually is Ligolo. They dropped a tool to do so: Hunting-Ligolo.
- Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code - Even if you open a file in Restricted Mode by clicking "No, I don't trust the authors," a cross-site scripting (XSS) issue in iPython could launch another instance of Visual Studio Code without Restricted Mode, which allows for full command execution. You should probably be opening these repos in throwaway virtual machines (perhaps set up automatically with Ludus).
- Oracle VM VirtualBox - VM escape via VGA device - The timeline from report to fix to disclosure is impressively fast on this one.
- Commit Stomping - Manipulating Git Histories to Obscure the Truth - "Git’s distributed and trust-based design can be turned into a technique for deception." This post gives some more detail to git commit "stomping" following the release of RepoMan.
- Harnessing the Power of Cobalt Strike Profiles for EDR Evasion – Part 2 - "The last three updates have introduced a lot of flexibility for the operator. From post-exploitation DLL string removal, ability to hook high-level API via BeaconGate, the introduction of PrependLoader and its evasive features and much more, makes Cobalt Strike a more ready-to-use tool and a more customizable one."
- Evading Defender With Python And Meterpreter Shellcode: Part 1 - Sometimes, the simple things work.
- New Process Injection Class: The CONTEXT-Only Attack Surface - The opposite of the last entry, a very deep dive into process injection, and a new method: RedirectThread - Playing around with Thread Context Hijacking. Building more evasive primitives to use as alternative for existing process injection techniques.
Tools and Exploits
- ludus_adaptix_c2 - An Ansible role that installs the Adaptix C2 server and/or client on Debian-based hosts. [This one is ours 😊]
- The Future of Certipy and the Release of v5 & ESC16 - A massive release for Certipy which includes a new ADCS attack: ESC16.
- Neo4LDAP - Neo4LDAP is a query and visualization tool focused on Active Directory environments. It combines LDAP syntax with graph-based data analysis in Neo4j, offering an alternative approach to tools like BloodHound.
- Claude-C2 - Utilizing an MCP Server to communicate with your C2.
- EntraFalcon - A lightweight PowerShell tool for assessing the security posture of Microsoft Entra ID environments. It helps identify privileged objects, risky assignments, and potential misconfigurations. More at: Introducing EntraFalcon.
- NetImpostor - Gain another host's network access permissions by establishing a stateful connection with a spoofed source IP. More at: Stateful Connection With Spoofed Source IP — NetImpostor.
- Announcing the Official Parity Release of Volatility 3! - The best memory analysis tool can now "fully replace Volatility 2."
- dirtyZero - Basic customization app using CVE-2025-24203. Patched in iOS 18.4.
- CVE-2025-31258-PoC - 1day practice - Escape macOS sandbox (partial) using RemoteViewServices. Video PoC.
- Living-off-the-COM-Type-Coercion-Abuse - This technique leverages PowerShell's .NET interop layer and COM automation to achieve stealthy command execution by abusing implicit type coercion.
- PowerDodder - Persist like a Dodder.
- zip_smuggling - Python3 utility for creating zip files that smuggle additional data for later extraction.
- TrollDisappearKey - A loader that loads .exe assemblies (provide a URL to the assembly) without AMSI scanning taking place during Assembly.Load().
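The zip_smuggling entry above names the technique but does not describe it, so here is a defender-side check, added for this post and not part of the zip_smuggling tool or any other project linked here. It assumes one common form of zip smuggling: the extra data is appended after the archive's end-of-central-directory (EOCD) record, where most extractors silently ignore it (whether this particular tool works that way is an assumption). The function locates the EOCD record, validates it against the central directory it points at so a fake `PK\x05\x06` marker inside the appended data cannot fool it, and reports how many bytes lie past the archive's logical end. The sample archives are constructed inline so the script runs offline; ZIP64 and multi-disk archives are out of scope.

```python
"""Flag bytes appended after the logical end of a ZIP archive.

Added example for this post (not the zip_smuggling tool's code). Assumes the
smuggled payload is appended after the EOCD record; sample archives are
constructed inline. ZIP64 (0xFFFFFFFF fields) and multi-disk archives are
not handled.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_FIXED_LEN = 22        # fixed-size part of the EOCD record


def find_eocd(data: bytes) -> tuple:
    """Return (offset, comment_len) of the real EOCD record.

    Scans backwards for the signature, as extractors do, but only accepts a
    candidate whose central-directory size and offset actually end at the
    candidate (cd_offset + cd_size == offset). A signature embedded in
    appended junk fails that check and is skipped.
    """
    idx = data.rfind(EOCD_SIG)
    while idx >= 0:
        if idx + EOCD_FIXED_LEN <= len(data):
            # Fields at +12: cd_size (4), cd_offset (4), comment_len (2)
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, idx + 12)
            if cd_offset + cd_size == idx:
                return idx, comment_len
        idx = data.rfind(EOCD_SIG, 0, idx)
    raise ValueError("no consistent end-of-central-directory record found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes following the archive's logical end (EOCD + comment)."""
    eocd, comment_len = find_eocd(data)
    logical_end = eocd + EOCD_FIXED_LEN + comment_len
    return len(data) - logical_end


def inspect(data: bytes) -> dict:
    """Summarise whether the blob parses as a ZIP and carries appended data."""
    extra = trailing_bytes(data)
    return {
        "valid_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "trailing_bytes": extra,
        "suspicious": extra > 0,
    }


def build_sample(extra: bytes = b"", comment: bytes = b"") -> bytes:
    """Constructed sample: a one-file archive, optional comment, optional appended data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample archive\n")
        zf.comment = comment  # written into the EOCD record on close
    return buf.getvalue() + extra


if __name__ == "__main__":
    for label, blob in [
        ("clean", build_sample()),
        ("with comment", build_sample(comment=b"release notes")),
        ("appended data", build_sample(extra=b"hidden data")),
        ("appended data with fake EOCD marker", build_sample(extra=EOCD_SIG + b"X" * 30)),
    ]:
        print(f"{label:38s} {inspect(blob)}")
```

A legitimate archive comment ends exactly at end-of-file and is not flagged; anything beyond the comment is. Because the check validates the EOCD against the central directory rather than trusting the last signature it sees, a payload that happens to contain the four signature bytes is still counted as trailing data.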
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- LockBitPanelDB - Repo of the SQL database from the LockBit panel being hacked. More info: LockBit ransomware gang hacked, victim negotiations exposed.
- tablecruncher - A lightweight, powerful CSV editor for macOS, Windows and Linux — with built-in JavaScript macros.
- LNKSmuggler - A Python script for creating .lnk (shortcut) files with embedded encoded data and packaging them into ZIP archives.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.