Last Week in Security (LWiS) - 2025-11-03
ShareHound (@podalirius_), Conquest C2 (@virtualloc), Docker Compose path traversal (@RonMasas), dead domain discovery (@_lauritz_), Narrator persistence/lat movement (@Oddvarmoe), Windows 11 LPE (@d4m0n_8), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-10-27 to 2025-11-03.
News
- A Brief History of Domains - .com is 40 years old!
- Introducing Tailscale Peer Relays - Tailscale brings self-hostable relay servers, and they're built into the tailscale client. All customers can use two peer relays, for free, forever.
- Code of Conduct for Online Presenters - China is requiring real names, identity verification, and adherence "to the correct political orientation," for "online presenters" (streamers). "For livestream content that requires a higher professional level (such as medical care, finance, law, education) presenters should obtain the corresponding practice qualifications and report them to the livestream platform."
- ICE and CBP Agents Are Scanning Peoples’ Faces on the Street To Verify Citizenship - Are you ready to bet your freedom on a "lowest price technically acceptable" facial recognition system? "An apparent biometric match by Mobile Fortify is a ‘definitive’ determination of a person’s status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien."
- Update to our Terms and data use - LinkedIn has opted you in to using your data to train AI models. To opt out, go to Settings -> Data Privacy -> Data for Generative AI Improvement and turn it off.
- TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition - The DDR5 DRAM bus can be used to break the security guarantees of modern "Trusted Execution Environments" (TEEs). The portable version of the attack fits in a briefcase and "even has a cup holder for your coffee." If your favorite blockchain depends on TEEs for security, you may want to consider something [PDF] based on math.
- HTTPS by default - In a year Chrome will first try to use HTTPS for all requests by default and warn the user before trying HTTP. You can enable this now in Settings -> Privacy and security -> Always use secure connections. I'm old enough to remember Firesheep.
Techniques and Write-ups
- CVE-2025-62725: From “docker compose ps” to System Compromise - Even "read only" commands like docker compose ps could lead to path traversal and therefore system compromise if the attacker targets a binary or SSH keys for overwriting.
- Defeating KASLR by Doing Nothing at All - It's interesting to see one Google team (Project Zero) publicly beefing with another Google team (Pixel/Linux Kernel team) about a security feature.
- Dead Domain Discovery: Discover Expired or Unregistered Domains - Two tools to help discover expired or unregistered domains as you browse target domains: dead-domain-discovery-dns and dead-domain-discovery.
- Creating a "Two-Face" Rust Binary on Linux - This could also be considered advanced "environmental keying" for malware.
- A Retrospective Analysis of CVE-2025-59287 in Microsoft WSUS - The patch for the WSUS vulnerability last month actually contained a new vulnerability?!
- Epic Pentest Fail - Almost no one shares their failures, and that's a shame. Good on Forrest (and Specter Ops) for publishing this post.
- ShareHound: An OpenGraph Collector for Network Shares - Network shares, especially on larger and older networks, are often full of useful data for red teamers. ShareHound, along with shareql, allows for precise targeting and enumeration of network shares and, via OpenGraph, their exploration in BloodHound.
- Arranging the PIC Parterre - A look at the recent updates to Crystal Palace from a third party perspective.
- AdminSDHolder: Misconceptions, Misconfigurations, and Myths - Be sure to check out the [PDF] 150-page white paper on AdminSDHolder.
- Hack-cessibility: When DLL Hijacks Meet Windows Helpers - Always fun when a technique can be both persistence and lateral movement. Also a good reminder that there are lots of techniques that are "published" but not "publicized."
Tools and Exploits
- Ebyte-Syscalls - Obfuscating function calls using Vectored Exception Handlers by redirecting execution through exception-based control flow. Uses byte swapping without memory or assembly allocation.
- UnderlayCopy - PowerShell toolkit that extracts locked Windows files (SAM, SYSTEM, NTDS, ...) using MFT parsing and raw disk reads.
- LibGate - A Crystal Palace shared library to resolve & perform syscalls.
- COM-Fuzzer - Gain insights into COM/DCOM implementations that may be vulnerable using an automated approach, and make it easy to visualize the data. By following this approach, a security researcher will hopefully identify interesting (D)COM classes/implementations in far less time than a manual approach would take.
- twoface - "Two-Face" Rust binary on Linux.
- teams-cookies-bof - BOF to steal Teams cookies.
- LibIPC - LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
- Community Pavilion - A collection of projects that build on the Tradecraft Garden (position-independent development framework from Mudge).
- SilentButDeadly - A network communication blocker specifically designed to neutralize EDR/AV software by preventing their cloud connectivity using Windows Filtering Platform (WFP). This version focuses solely on network isolation without process termination.
- CVE-2025-50168-pwn2own-berlin-2025 - Pwn2Own Berlin 2025 - LPE (Windows 11) winning bug.
- BOF_Spawn - Cobalt Strike BOF for beacon/shellcode injection using fork & run technique with Draugr synthetic stack frames.
- conquest - Conquest is a feature-rich and malleable command & control/post-exploitation framework developed in Nim.
- ADCSDevilCOM - A C# tool for requesting certificates from ADCS using DCOM over SMB. This tool allows you to remotely request X.509 certificates from a CA server using the MS-WCCE protocol over DCOM, and it bypasses the traditional endpoint mapper requirement by using SMB directly.
- Hermes - Fast covert timing channel communication for inter-process and inter-processor communication on Windows systems.
- COMHijackBOF - Automates COM hijacking of msedgewebview2.exe for persistence and code execution.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- guilty-as-yara - A Rust-based tool that generates Windows PE executables containing data patterns designed to trigger YARA rule matches. This is invaluable for validating YARA rules and ensuring your malware detection signatures work as expected.
- Easy Cyber Ranges with Ludus - If you've struggled with building complex cyber ranges to practice your red team or pentest skills, Ludus will make scaffolding your lab much easier on a variety of platforms, including Microsoft Azure, Google GCP, Proxmox, and mini-PCs. Create ranges such as Game of Active Directory (GOAD) easily.
- LinuxPlay - An open-source, ultra-low-latency remote desktop for Linux hosts and Windows clients.
- AxHound - Grab yer ldapsearch logs from AdaptixC2 a little easier.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.