Last Week in Security (LWiS)

A months worth of news, techniques, tools and exploits!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-05-22 to 2023-06-15.

News

MOVEIt

Patch Diffing Progress MOVEIt Transfer RCE (CVE-2023-34362)

MOVEIt Transfer RCE Part Two (CVE-2023-34362)

MOVEit! An Overview of CVE-2023-34362

CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief (Updated)

MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise

Techniques and Write-ups

Messing Around With AWS Batch For Privilege Escalations
Abusing undocumented features to spoof PE section headers
CodeQL zero to hero part 2: getting started with CodeQL
[PDF] UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests. Finally a paper that actually released the source code.
How I choose a security research topic
A More Complete Exploit for Fortinet CVE-2022-42475
Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM). Don't skip this one.
Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
Ligolo: Quality of Life on Red Team Engagements
Red Team Story Time!. You don't even need code execution to get impactful data compromise.
CVE-2022-32902: Patch One Issue and Introduce Two
Pre-authenticated RCE in VMware vRealize Network Insight CVE-2023-20887
Understanding Telemetry: Kernel Callbacks
Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Great "new" initial access method.
Bypassing An Industry-Leading WAF and Exploiting SQLi
OneDrive to Enum Them All
Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver
can I speak to your manager? hacking root EPP servers to take control of zones

Tools and Exploits

CVExploits Search - Your comprehensive database for CVE exploits from across the internet.
cloudfoxable - Create your own vulnerable by design AWS penetration testing playground.
CVE-2023-2825 - GitLab CVE-2023-2825 PoC. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
CVE-2023-20887 - VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887).
elevationstation - elevate to SYSTEM any way we can!
SharpFtpC2 - A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems.
limba - compile-time control flow obfuscation using mba.
Banshee - Experimental Windows x64 Kernel Driver/Rootkit.
RDPCredentialStealer - steals credentials provided by users in RDP using API Hooking with Detours in C++.
HiddenDesktop - HVNC for Cobalt Strike.
DropSpawn_BOF - CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking.
Terminator - Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes.
superman - Kill processes protected by antivirus during offensive activities.
Blackout - kill anti-malware protected processes (BYOVD).
EPI - Process injection through entry points hijacking.
Ruy-Lopez This repository contains the Proof-of-Concept(PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

mcfridafee
plane - Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
PythonMemoryModule - pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory.
deepsecrets - Secrets scanner that understands code.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.