Last Week in Security (LWiS) - 2025-11-10
Apple's sourcemaps takedown (@moeruri), Call stack sig bypass (@saerxcit), AD Site pwnage (@croco_byte), sneaky remap (@MagisterQuis), Deceptiq launch (@deceptiq_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-11-03 to 2025-11-10.
News
- Apple's DMCA takedown request for apps.apple.com sourcemaps - When the web version of the Apple App Store launched recently, it shipped JavaScript "sourcemaps" that made it easy to recreate the original, unminified JavaScript source of the frontend. Sourcemaps are useful during development but are normally stripped from a production build once the source is minified. While not a vulnerability in itself, the sourcemaps included references to internal issues, TODO comments, and the like. The internet never forgets.
- Introducing Aardvark: OpenAI’s agentic security researcher - Begun, the big AI labs' security researcher wars have. Google's entrant: Introducing CodeMender: an AI agent for code security.
- Announcing IncusOS - I've been keeping a close eye on Incus (the community fork of the LXD container manager), and a dedicated OS is a cool addition to the ecosystem.
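As an added illustration of what a published sourcemap gives away (example code written for this summary, not from Apple or any tool linked above): the audit below parses a v3 sourcemap, lists the original file names, and scans the embedded `sourcesContent` for the kind of TODO and ticket references described in the App Store item. It also checks a bundle for the `sourceMappingURL` comment that points crawlers at the map in the first place. The sample map, the sample bundle, the leak patterns, and the function names are all constructed for this example.

```python
import json
import re

# Strings worth flagging in recovered source. This set is an assumption for
# the example; tune it to what your own code base would leak.
LEAK_PATTERNS = {
    "todo": re.compile(r"\b(TODO|FIXME|HACK|XXX)\b"),
    "ticket": re.compile(r"\b[A-Z]{2,}-\d+\b"),                     # JIRA-style issue keys
    "internal_host": re.compile(r"\b[\w.-]+\.(internal|corp|local)\b"),
}

# The trailing comment a bundler emits to link a bundle to its map.
SOURCEMAP_COMMENT = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)


def sourcemap_reference(bundle_text):
    """Return the sourceMappingURL a production bundle still points at, or None."""
    match = SOURCEMAP_COMMENT.search(bundle_text)
    return match.group(1) if match else None


def audit_sourcemap(map_text):
    """Parse a v3 sourcemap and report what an outsider can recover from it."""
    smap = json.loads(map_text)
    sources = smap.get("sources", [])
    contents = smap.get("sourcesContent") or []
    findings = []
    # sourcesContent, when present, embeds the complete original file for each
    # entry in sources, so the scan runs over the real pre-minification code.
    for source, content in zip(sources, contents):
        if content is None:
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"source": source, "line": lineno,
                                     "kind": kind, "text": line.strip()})
    return {
        "version": smap.get("version"),
        "sources": sources,                      # original path layout of the project
        "has_sources_content": bool(contents),   # full original source recoverable?
        "findings": findings,
    }


# Constructed sample: a minimal v3 map as a bundler emits it with
# sourcesContent enabled. Not a real App Store artifact.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["src/cart.js", "src/util.js"],
    "sourcesContent": [
        "// TODO: remove once CART-1234 ships\n"
        "export function total(items) {\n"
        "  return items.reduce((sum, item) => sum + item.price, 0);\n"
        "}\n",
        "export const api = 'https://api.example.com';\n",
    ],
    "names": ["total", "items"],
    "mappings": "AAAA",
})

# Constructed sample: a minified bundle that still advertises its map.
SAMPLE_BUNDLE = "var t=function(t){return t.reduce(function(s,i){return s+i.price},0)};\n" \
                "//# sourceMappingURL=app.min.js.map\n"

if __name__ == "__main__":
    print("bundle references map:", sourcemap_reference(SAMPLE_BUNDLE))
    report = audit_sourcemap(SAMPLE_MAP)
    print("original files:", report["sources"])
    for f in report["findings"]:
        print(f"{f['source']}:{f['line']} [{f['kind']}] {f['text']}")
```

Pointing `audit_sourcemap` at a real `.map` file is the quickest way to see whether a build leaks full source (`has_sources_content`) or only file names, and `sourcemap_reference` over the served bundles tells you whether the maps are being advertised at all.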
Techniques and Write-ups
- Evading Elastic EDR's call stack signatures with call gadgets - Route the suspect API call through a call gadget in a benign, legitimately loaded DLL so that a return address inside that DLL lands on the stack, breaking up the call stack pattern Elastic EDR's signatures match on. Easy to test this in Ludus with the Elastic Security Lab. Code at LibTPLoadLib.
- Tradecraft Engineering with Aspect-Oriented Programming - Mudge introduces a new feature in Crystal Palace: hooking. You can now chain hooks that modify how an API call is executed.
- Site Unseen: Enumerating and Attacking Active Directory Sites - Quentin Roland shows the power of Sites in Active Directory and contributed pull requests to SharpHound/BloodHound. Sites, like other Active Directory objects,
- What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) - "Managed File Transfer" applications are notoriously vulnerable pieces of "enterprise" tech.
- How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked - I can't help but think how much human time was wasted on both ends of this, the obfuscation and the reverse engineering. Simson Garfinkel (creator of bulk_extractor) once told me he doesn't do "file cabinet forensics," that is, forensic analysis/reverse engineering where the solution is in a file cabinet somewhere, just unavailable to the public (i.e. proprietary). The lengths Amazon has gone to obfuscate ebooks are just lots more files in the file cabinet.
Tools and Exploits
- DonPwner - Advanced Domain Controller attack and credential analysis tool leveraging DonPAPI database.
- magnet - Purple-team telemetry & simulation toolkit.
- srsocwamof - Sneaky Remap - Shared Object Cloaking with a Minimum of Fuss ~ BSides Berlin 2025.
- ExitPatcher - Prevent in-process process termination by patching exit APIs.
- MaleficentVM - A practice VM for malware development.
- DiaSymbolView - PDB file inspection tool.
- PhantomTask - A tool to play with scheduled tasks on Windows, in Rust.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Today I learned: binfmt_misc - Register a custom executable format in binfmt_misc whose interpreter is a SUID binary for a nice Linux backdoor.
- LLMGoat - This project is a deliberately vulnerable environment to learn about LLM-specific risks based on the OWASP Top 10 for LLM Applications.
- Operationalize Adversary Behaviors Into Actionable Alerts - Deceptiq launched its canary token service. No affiliation, just a fan of canary tokens and Rad (see: Writing Tiny, Efficient, And Reliable Malware by Rad Kawar).
- kvc - KVC enables unsigned driver loading via DSE bypass (g_CiOptions patch/skci.dll hijack) and PP/PPL manipulation for LSASS memory dumping on modern Windows with HVCI/VBS.
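An added defender-side check for the binfmt_misc trick, written for this summary and not taken from the linked TIL: it walks /proc/sys/fs/binfmt_misc, parses each registered format, and flags interpreters that are setuid, setgid, world-writable, or registered with the C (credentials) flag, which makes the interpreter run with the credentials of the matched file rather than its own, so a setuid-root target hands root to whatever interpreter was registered. Function and class names are this example's own, and the directory argument exists so the audit can be pointed at a copy of the proc entries for testing.

```python
import os
import stat
from dataclasses import dataclass, field
from pathlib import Path

BINFMT_DIR = Path("/proc/sys/fs/binfmt_misc")


@dataclass
class BinfmtEntry:
    name: str
    enabled: bool
    interpreter: str
    flags: str
    findings: list = field(default_factory=list)


def parse_entry(name, text):
    """Parse one /proc/sys/fs/binfmt_misc/<name> file.

    Format (kernel binfmt_misc docs): first line 'enabled' or 'disabled', then
    'interpreter <path>', 'flags: <letters>', and the match rule as either
    'extension <ext>' or 'offset'/'magic'/'mask' lines.
    """
    lines = text.splitlines()
    enabled = bool(lines) and lines[0].strip() == "enabled"
    interpreter, flags = "", ""
    for line in lines:
        if line.startswith("interpreter "):
            interpreter = line.split(" ", 1)[1].strip()
        elif line.startswith("flags:"):
            flags = line[len("flags:"):].strip()
    return BinfmtEntry(name, enabled, interpreter, flags)


def audit_entry(entry):
    """Return the reasons a registered format deserves a second look."""
    findings = []
    if "C" in entry.flags:
        # C = credentials: the new process takes the uid/gid of the matched
        # binary instead of the interpreter, so a setuid target elevates the interpreter.
        findings.append("C flag: interpreter runs with the credentials of the matched binary")
    try:
        mode = os.stat(entry.interpreter).st_mode
    except OSError:
        findings.append("interpreter path does not exist")
        return findings
    if mode & stat.S_ISUID:
        findings.append("interpreter is setuid")
    if mode & stat.S_ISGID:
        findings.append("interpreter is setgid")
    if mode & stat.S_IWOTH:
        findings.append("interpreter is world-writable")
    return findings


def audit_binfmt(directory=BINFMT_DIR):
    """Parse and audit every registered format under `directory`."""
    directory = Path(directory)
    entries = []
    if not directory.is_dir():
        return entries
    for path in sorted(directory.iterdir()):
        # 'register' is the write-only registration file and 'status' the
        # global on/off switch; neither is a format entry.
        if path.name in ("register", "status") or not path.is_file():
            continue
        entry = parse_entry(path.name, path.read_text())
        entry.findings = audit_entry(entry)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in audit_binfmt():
        state = "enabled" if e.enabled else "disabled"
        print(f"{e.name}: {state} interpreter={e.interpreter} flags={e.flags or '-'}")
        for f in e.findings:
            print(f"  ! {f}")
```

Run it as part of a host baseline: legitimate entries (qemu-user-static, Wine, Java launchers) are well known, so anything pointing at an unexpected interpreter, or carrying the C flag without a reason, is worth pulling the interpreter for analysis.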
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.