Last Week in Security (LWiS) - 2025-06-09
Windows self-delete on 24H2 (@TKYNSEC), DNS rebinding (@yarlob), VSCode backdoor (@d1rkmtr), leak Google users' 📞# (@brutecat), Entra sync dumping (@hotnops), Delegations (@podalirius_), Chrome abuse for screenshots, mic, and camera access (@mrd0x), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-06-02 to 2025-06-09.
News
- Cellebrite to Acquire Corellium - How much is the world's best "virtual hardware" platform worth? $200 million USD apparently. Congrats to Corellium founders Amanda Gorton, Chris Wade, and Stan Skowronek. Chris Wade (current Corellium CTO) will join Cellebrite as their new CTO. Hopefully the innovation continues!
- Disclosure: Covert Web-to-App Tracking via Localhost on Android - A novel combination of techniques to link web browsing to user identities on Android. Looks like Yandex was the first to use it back in 2017, and Meta picked it up in late 2024. Creative, but creepy.
- HMAS Canberra accidentally blocks wireless internet and radio services in New Zealand - Next time you have an outage, maybe you can blame radar interference from a warship.
Techniques and Write-ups
- The Ultimate Guide to Windows Coercion Techniques in 2025 - Computer accounts in an Active Directory network can be extremely valuable, and there are a lot of ways to convince them to authenticate to your compromised host.
- No Agent, No Problem: Discovering Remote EDR - Use Event Tracing for Windows (ETW) remotely to gather data on hosts without having to compromise them.
- The Not So Self Deleting Executable on 24h2 - Windows changed some low-level kernel handling of delete disposition flags, and thus broke an old faithful technique to self-delete files on Windows (normally not allowed). @TKYNSEC dug in with Ghidra and found a method that works with 24H2.
- Solo: A Pixel 6 Pro Story (When one bug is all you need) - Some hardcore Android exploitation. Lin rewrites a Mali GPU exploit that previously relied on a kernel address leak so that it only requires the GPU bug on the Pixel 6.
- DNS rebinding attacks explained: The lookup is coming from inside the house! - DNS rebinding isn't new, but it does have the power to expose "private" services to attacks. This article is a good overview with a real-life example (Deluge torrent server).
- Parallels Desktop prl_vmarchiver Unarchive Hard Link Privilege Escalation - macOS privilege escalations aren't all that common, and they usually come in the form of third-party software being exploited (like this one). Perhaps all the cool OS bugs are being sold/kept by researchers? Two other Parallels privilege escalation bugs were released as well.
- Planting a Tradecraft Garden - "Tradecraft Garden is a collection of projects centered around the development of position-independent DLL loaders." The mastermind behind Beacon Object Files (BOFs) drops "PICOs" - a BOF-like convention to run one-time or persistent COFFs from position-independent code. Visit the Tradecraft Garden to see the current collection of position-independent DLL loaders. I like Raphael's statement: "Develop technologies that give individual operators and researchers LEVERAGE acting on hypothesis and make it fast to try things, adapt, and modify." It echoes what we are doing with the free and open source Ludus, making it fast and easy to try complex networks.
- Harvesting the Tradecraft Garden - Rasta Mouse incorporates the tools from the Tradecraft Garden into Cobalt Strike.
- Bruteforcing the phone number of any Google user - A display-name leak from "Google Looker Studio", combined with the strange condition that a no-JavaScript endpoint was not rate limited when paired with a JavaScript-generated BotGuard token, made it possible to brute force the phone number of any Google user.
- Update: Dumping Entra Connect Sync Credentials - The command Get-AADIntSyncCredentials no longer works, but fear not, you can still dump the Entra Connect Sync credentials with GetEntraConnectCreds.exe.
- Teaching a New Dog Old Tricks - Phishing With MCP - This is just the beginning of tailored phishing with AI. It only gets "worse" from here.
- Full Disclosure, GraphGhost: Are You Afraid of Failed Logins? - The ability to check for a valid password without creating a log event is a valuable primitive. Microsoft fixed this specific flaw on 2025-04-11.
- So you want to rapidly run a BOF? Let's look at this 'cli4bofs' thing then - Yet another standard for Beacon Object File (BOF) metadata, in YAML this time. The one thing missing from the original BOF spec was a standard format for metadata instead of relying on .cna scripts. Pretty soon someone will write a .cna parser that can translate to both Sliver JSON and cli4bofs YAML.
- Spying On Screen Activity Using Chromium Browsers - Since browsers have to see your entire screen to be able to share it, they can also be used to take screenshots of your screen. A similar technique can be used for Camera and Microphone Spying Using Chromium Browsers.
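The DNS rebinding item above is about "private" services on the local network answering requests that a rebound attacker domain steers at them. The two standard defences, a strict Host header allowlist on the service and a resolver that refuses to hand public names an internal address, are shown below as an added example; this is not code from the linked article or from Deluge, and the allowlist and zone names are constructed.

```python
import ipaddress

# Constructed allowlist for a service that should only answer to these names
# (example values, not taken from the article).
ALLOWED_HOSTS = {"localhost", "deluge.lan", "127.0.0.1", "::1"}
# Zones whose names may legitimately resolve to internal addresses (constructed).
INTERNAL_ZONES = (".lan", ".internal")


def _host_from_header(host_header):
    """Strip an optional :port, handling bracketed IPv6 literals."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end > 0 else None
    return h.split(":", 1)[0] if h.count(":") == 1 else h


def host_header_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Service-side check: a rebound request still carries the attacker's
    domain in Host, so an explicit allowlist rejects it even though the
    connection comes from the victim's own browser on the LAN."""
    if not host_header:
        return False
    host = _host_from_header(host_header)
    return host is not None and host in allowed_hosts


def filter_rebinding_answers(qname, answers, internal_zones=INTERNAL_ZONES):
    """Resolver-side check (the idea behind dnsmasq's --stop-dns-rebind):
    drop A/AAAA answers in private, loopback or link-local space unless the
    name belongs to a zone that is expected to resolve internally."""
    name = qname.lower().rstrip(".")
    if name.endswith(internal_zones):
        return list(answers)
    kept = []
    for answer in answers:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # unparseable answers are dropped rather than trusted
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue  # public name resolving into the LAN: classic rebinding
        kept.append(answer)
    return kept
```

Both checks are cheap and complementary: the resolver filter stops the rebind before the browser ever connects, and the Host check catches it when the resolver is not under your control.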
Tools and Exploits
- VSCode-Backdoor - Backdooring VSCode Projects.
- srum-dump - A forensics tool to convert the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet.
- SelfDeletion-Updated - Updated version of a long known self deletion technique to work with 24H2.
- ECUtilities - PowerShell and Python utilities for Entra Connect.
- JonMon-Lite - A research proof-of-concept "Remote Agentless EDR" that creates an ETW trace session through a Data Collector Set. The session can be created locally or remotely.
- TrollRPC - A library to blind RPC calls based on UUID and OPNUM. A more surgical version of Ghosting-AMSI.
- newtowner - Abuse trust-boundaries to bypass firewalls and network controls.
- Delegations - A tool to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active Directory.
- VRDP-Training-Material - This repository contains the pre-joining training materials given to aspiring researchers on the Vulnerability Researcher Development Program.
- kerbtool - A tool to interact with Kerberos to request, forge and convert various types of tickets in an Active Directory environment.
- funcshenanigans - A bunch of shenanigans using functions, VEH and more.
- SafeHarbor-BOF - Safe Harbor is a BOF that streamlines process reconnaissance for red team operations by identifying trusted, low-noise targets to maintain stealth and robust OPSEC.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Boflink: A Linker For Beacon Object Files - Boflink was presented in last week's blog, but without explanation. Here are all the details!
- Beating the kCTF PoW with AVX512IFMA for $51k - Serious CTF players are on a different level. Timothy implemented a proof-of-work solver in AVX512 to beat other teams to a flag submission by solving the proof of work over 4x faster. That says nothing of the fact that, to win, you also needed a stable Linux kernel 0day! 🤯
- My AI Skeptic Friends Are All Nuts - If you find yourself getting sick of AI hype, this is for you.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.