Getting Global Admin in every Entra tenant (@_dirkjan), WebSocket Turbo Intruder (@zakfedotkin), PureRAT analysis (@Tera0017), direct syscalls in Zig (@zux0x3a), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-09-15 to 2025-09-22.
News
- Live Updates: Shai-Hulud, The Most Dangerous NPM Breach In History Affecting CrowdStrike and Hundreds of Popular Packages - Another NPM breach. If you're using NPM, it's time to take steps to protect yourself. Consider using pnpm with a minimumReleaseAge in the configuration to delay package updates, and using bubblewrap in a script to invoke package managers. Credit to Florian Roth @cyb3rops for the suggestions.
- [PDF] I write to request that the Federal Trade Commission (FTC) investigate and hold Microsoft responsible for its gross cybersecurity negligence - US Senator Ron Wyden drops terms like Kerberoasting and RC4 in a letter to the FTC. Ron Wyden is the one who called for the Cyber Safety Review Board Report on the Summer 2023 Microsoft Online Exchange Incident, so it's possible this request could result in action. However, the Cyber Safety Review Board was disbanded 6 days into the second Trump administration.
- [PDF] House Bill No. 4938 - "An internet service provider providing internet service in this state shall implement mandatory filtering technology to prevent residents of this state from accessing prohibited material. An internet service provider providing internet service in this state shall actively monitor and block known circumvention tools." The US state of Michigan could join China, Russia, Pakistan, and Myanmar in banning VPNs. No US state has attempted to ban VPNs before, even as part of age verification requirements. The fact the bill's sponsor asked the Michigan State Police if banning pornography/VPNs was “something you guys are equipped to enforce?” makes me think this bill is engagement bait and not a serious attempt to change laws. I suppose it worked.
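As an added example (not from the newsletter, and not Florian Roth's script), here is a POSIX sh wrapper that implements the two npm-hardening suggestions from the Shai-Hulud item above: a pnpm-workspace.yaml policy with minimumReleaseAge, and a bubblewrap (bwrap) script that runs the package manager with a read-only system, a throwaway HOME and only the project directory writable. It assumes bwrap, node and pnpm are installed under /usr and that the script is installed as safe-pnpm; the paths, the SAFE_PNPM_DRY_RUN variable and the function names are my own.

```shell
#!/bin/sh
# safe-pnpm: run pnpm inside a bubblewrap (bwrap) sandbox so that install
# scripts see only the project directory, a scratch HOME and the network,
# not ~/.ssh, ~/.npmrc, cloud credentials or the rest of the home directory.
# Added example; assumes bwrap, node and pnpm live under /usr.
set -e

# Policy for pnpm-workspace.yaml: refuse package versions published less than
# 24 hours ago (minimumReleaseAge is in minutes), giving a hijacked release
# time to be noticed and unpublished before it can reach this machine.
pnpm_policy() {
  cat <<'EOF'
minimumReleaseAge: 1440
EOF
}

# sandboxed PROJECT_DIR COMMAND [ARGS...]
# Runs COMMAND under bwrap: read-only /usr and TLS trust store, a fresh tmpfs
# HOME (pnpm's store and caches are discarded each run: slower, but nothing an
# install script writes survives), and only PROJECT_DIR bind-mounted writable.
# With SAFE_PNPM_DRY_RUN set, the bwrap argument list is printed instead of run.
sandboxed() {
  proj=$1; shift
  set -- \
    --ro-bind /usr /usr \
    --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
    --ro-bind /etc/ssl /etc/ssl \
    --ro-bind /etc/resolv.conf /etc/resolv.conf \
    --proc /proc --dev /dev --tmpfs /tmp \
    --tmpfs /home/sandbox \
    --bind "$proj" "$proj" --chdir "$proj" \
    --clearenv --setenv HOME /home/sandbox --setenv PATH /usr/bin:/bin \
    --unshare-all --share-net \
    --die-with-parent --new-session \
    "$@"
  if [ -n "${SAFE_PNPM_DRY_RUN:-}" ]; then
    printf '%s\n' "$@"
  else
    exec bwrap "$@"
  fi
}

# When installed as `safe-pnpm`, wrap pnpm for the current project, e.g.:
#   safe-pnpm install
case "${0##*/}" in
  safe-pnpm) sandboxed "$PWD" pnpm ${1+"$@"} ;;
esac
```

Write the pnpm_policy output into the project's pnpm-workspace.yaml; the sandbox does not replace the release-age delay, it only limits what a malicious install script can reach if one does get through.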
Techniques and Write-ups
- One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens - This is the most impactful vulnerability since EternalBlue. Since this was a vulnerability in the Azure/Entra cloud, it affected all Microsoft cloud users, but it could also be patched by Microsoft for all customers at once. The potential damage had this vulnerability been found by a malicious actor cannot be overstated. I hope Microsoft compensated Dirk-jan appropriately.
- WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine - Web applications with real-time features often use WebSockets to communicate between client and server over a single reused connection. This can be opaque to testers and often goes unexplored; however, vulnerabilities lurk anywhere data is processed, and WebSocket Turbo Intruder lets you fuzz WebSockets with custom Python code.
- Under the Pure Curtain: From Rat to Builder to Coder - Check Point Research does a great job documenting the full, multi-step infection chain, from a "click fix" lure, to an open source intermediate remote access tool, and finally a full-fledged "commercial" remote access tool.
- Implementing Hell’s Gate in Zig – Part 1 - Zig is an up-and-coming language (e.g. it is used in ghostty), and this post ports a Rust implementation of the Windows direct syscall technique called Hell's Gate to Zig. The code is available in zig_offsec.
- CVE-2025-21692 nday writeup - A buffer underflow/out-of-bounds read in the ETS (Enhanced Transmission Selection) packet scheduling qdisc can be turned into a write primitive and eventually remote code execution in the Linux kernel. Code available here: CVE-2025-21692-poc.
- Huntress Threat Advisory: The Dangers of Storing Unencrypted Passwords - A threat actor found plaintext Huntress recovery codes on a Huntress customer's desktop, and used them to close Huntress security alerts, disable the Huntress agent, and deploy ransomware. In this case, Huntress was used as traitorware.
- Mythical Beasts: Diving into the depths of the global spyware market - "The authors found that the number of US-based investors in spyware has notably increased in the past year," and, "the authors elaborated on the central role that resellers and brokers play in the spyware market, while being a notably under-researched set of actors."
- More Fun With WMI - MSFT_MTProcess is a class on Server operating systems that can perform similar functions to Win32_Process. There are also ways to install it remotely on workstations.
- Automating Operations with Nighthawk - The ability to extend and automate your command and control servers and agents is critical for high level red teams.
Tools and Exploits
- EDR-Freeze - EDR-Freeze is a tool that puts EDR and anti-malware processes into a coma state.
- WMI_Proc_Dump - Dump processes over WMI with MSFT_MTProcess.
- mtprocess - Python script to leverage MSFT_MTProcess WMI class.
- Linux Kernel Runtime Guard (LKRG) 1.0 - A Linux kernel module that performs runtime integrity checking of the kernel, detection of security vulnerability exploits against the kernel, prevention of and response to successful attacks, and encrypted remote logging.
- google-redirector - A lightweight redirector for Google Cloud Run, enabling domain fronting via Google-owned infrastructure. See: Domain Fronting is Dead. Long Live Domain Fronting! (not to be confused with my DEF CON 28 talk [PDF] Domain Fronting is Dead, Long Live Domain Fronting)
- TTPx - Red Team reporting and analytics platform.
- Ouroboros - Decompiler written in Rust.
- Introducing KSON - "Anywhere a human is reading or editing YAML/JSON/TOML, KSON may be used as a more effective interface on that data." KSON is a superset of JSON but written like YAML.
- TaskHound - Tool to enumerate privileged Scheduled Tasks on Remote Systems.
- auditkit - Open source SOC2 compliance scanner - Alternative to $20k/year tools.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ZigStrike - A payload delivery pipeline developed in Zig, offering a variety of injection techniques and anti-sandbox features.
- like-dbg - Fully dockerized Linux kernel debugging environment.
- Ghost in the Script: Impersonating Google App Script projects for stealthy persistence - "Apps Script projects can serve as stealthy persistence mechanisms if left unmonitored. Attackers can impersonate them to hide cryptomining, privileged service accounts, or other malicious resources inside your environment."
- Get-NetNTLM - Internal Monologue BOF.
- arcane - Modern Docker Management, Designed for Everyone.
- withoutbg - Open source image background removal model.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.