Dec 02 2025 Last Week in Security (LWiS) - 2025-12-02

Two weeks of news, techniques, tools, exploits, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-11-18 to 2025-12-02.

News

US Military Hackers Go on Offense With Help From Cyber Startup - The US has always had a private/public partnership for all things military, and now it's looking like it will have it for offensive cyber operations as well. I hope the CISO at Twenty is ready for the nation state attacks that will inevitably follow this publication.
Hacking CMMC CTF with CyberTalents - A CTF focused on a cybersecurity standard that is currently being implemented by the US government is novel.
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing - Cross-platform file sharing for the mobile OSs. What's next, world peace?!
Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ - Quite a journey of OSINT breadcrumbs to uncover the identity of an admin of the Scattered Lapsus$ Hunters Telegram group.
Lawmakers Want to Ban VPNs—And They Have No Idea What They're Doing - Wisconsin joins Michigan in attempting to ban VPNs, except Wisconsin's bill has passed the State Assembly is is moving through the State Senate. "This battle is being fought by people who clearly have no idea how any of this technology actually works."
Huawei and Chinese Surveillance - Interesting anecdote from the Stone Group founder about how the Ministry of State Security told him they would were going to "send agents to work undercover at his company in positions dealing with international relations." Nothing that ties this to Huawei, but interesting nonetheless.
GrapheneOS migrates server infrastructure from France amid police intimidation claims - Speaking of government intimidation...
Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets - The JavaScript Node Package Manager (npm) ecosystem was under attack yet again. This worm-like campaign is impressive in its scope and the fact it was registering infected developer machines as GitHub Actions runners and then using GitHub Actions for command and control is pretty clever.

Techniques and Write-ups

Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem) - It's so easy to self-host these kinds of formatters there is no excuse for using random websites, and then to "save" them is just something else.
Tradecraft Orchestration in the Garden - The addition of variables and callable labels makes Tradecraft Garden projects truly modular. For more see PIC Symphony by Rasta Mouse. I have a feeling there is a Tradecraft Garden/Crystal Palace training course in the works 😉.
Reflecting Your Authentication: When Windows Ends Up Talking to Itself - Kerberos, NTLM, SMB, HTTP and DCE/RPC, Ghost SPNs, the CredMarshalTargetInfo (CMTI) trick, and more covered in this post. Authentication coercion and reflection is an issue in basically every Windows environment. The fact that until June 2025 any domain user could reflect authentication back to a domain controller and compromise a domain is crazy. "There are a couple of other reflection attacks I've already submitted to MSRC" 🤯
Creating a framework in Wyrm C2 to easily configure custom exports of an implant - This rust based C2 framework is expanding quickly.
Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS - A great low level investigation into what Enhanced Protection for Authentication (EPA) actually does in practice, and some nice tooling to enumerate it. While I can't prove it, the IPs used in the screenshots look like this was developed in a GOAD lab on Ludus.
An Evening with Claude (Code) - Using regex and an LLM to determine if a command is safe seems like an impossible task. There are simply too many edge cases and strange utilities that can execute commands or write to files. Always a good idea to use containers, sandboxes, VMs for AI work. You know, in case Google Antigravity deletes the contents of your whole drive.
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication - Three posts from Specter Ops in one LWiS? Yep. That what happens when you publish good content. At this point Garrett Foster may be the world's leading expert on SCCM attacks. While this is a somewhat niche attack (you have to be able to manipulate UPNs), getting SCCM administrator is usually game over for the domain. Another CVE powered by Ludus 😊.
Discreet Driver Loading in Windows - You can modify a driver's checksum, and therefore it's hash, which keeps the digital signature valid while breaking any hash based detections. Note that Microsoft’s list of blocked drivers cannot be bypassed using this technique, since that list includes the authentihash of the drivers.

Tools and Exploits

push_matrix_tool - A self-hosted web push notification demo server for testing and training purposes. Built with FastAPI and vanilla JavaScript.
RelayInformer - Python and BOF utilities to the determine EPA enforcement levels of popular NTLM relay targets from the offensive perspective.
moxpack - A Qemu Proxmox Template builder project using Packer.
sleepmask-vs - A simple Sleepmask BOF example.
icmp-udc2 - UDC2 implementation that provides an ICMP C2 channel.
RSA-Backdoor - This repo contains code to reproduce the Secretly Embedded Trapdoor with Universal Protection (SETUP) attack on RSA key generation proposed by Young & Yung, 1996. Considering the potential of this attack, never trust black box key generation systems. I am also planning on providing a small utility to hook ssh-keygen on compromised host to automatically backdoor further keys... TBC
Kharon-Agent - Agent for AdaptixC2 containing lateral movement capabilities ( WMI, SCM, WinRM, DCOM), bof/dotnet/shellocde in memory executions, postex modules with shellcode and bof with possibilities of fork executions (spawn/explicit).
BOF_RunPe - BOF to run PE in Cobalt Strike Beacon without console creation.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

bichon - A lightweight, high-performance Rust email archiver with WebUI.
CS7038-Malware-Analysis - Course Repository for University of Cincinnati Malware Analysis Class (CS[567]038).
heretic - Fully automatic censorship removal for language models.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.