#CQLabs – Implementing Proof-of-Concept C2 with Microsoft OCR
During security assessments, one of the things we always check is whether information can be extracted outside the client network. This includes the ability to copy data to external drives, send it via e-mail to external addresses, use various TCP/UDP ports, non-typical protocols, or even side channels. In mature environments, special […]
#CQLabs 4 – from Unquoted Service Path to Privilege Escalation
In this article, I will write about a service misconfiguration that I’ve found within the Rockstar Games Launcher (https://socialclub.rockstargames.com/rockstar-games-launcher). The issue has already been fixed by the vendor, and I was granted a bounty for its discovery and coordinated disclosure. An interesting piece of trivia is that the component was not initially included in the scope […]
#CQLabs – CVE-2019-15511: Broken Access Control in GOG Galaxy
This article covers a vulnerability discovered in GOG Galaxy, which may result in Local Privilege Escalation due to a lack of authorization of commands sent via a local TCP connection. An attacker may exploit this vulnerability to gain SYSTEM privileges on a Windows system where the GOG Galaxy software is installed. Background: I’ve recently started looking at […]
#CQLabs – DSInternals PowerShell Module by Michael Grafnetter
CQLabs – Offline Attacks on Active Directory. Introduction: This lab will guide you through some of the most interesting features of the DSInternals PowerShell Module, which was featured at Black Hat Europe 2019 and is also included in FireEye’s Commando VM. This open-source toolset exposes many internal and undocumented security-related features of Active Directory (AD), […]
#CQLabs – Windows Defender Exploit Guard under the hood by Artur Wojtkowski
Antivirus software usually relies on malware signatures, behavioral detection or heuristic detection to block malware. All of these methods may be insufficient in the case of APT (Advanced Persistent Threat) attacks prepared specifically for the victim, or attacks exploiting 0-day vulnerabilities in software that have never been seen before. Exploit Guard: Exploit Protection and Exploit Guard: Attack Surface Reduction […]
#CQLabs – Extracting Roamed Private Keys from Active Directory by Michael Grafnetter
Previously on CQLabs: This article is a continuation of a previous one, called #CQLabs 5 – DSInternals PowerShell Module. Introduction: One of the lesser-known features of Active Directory (AD) is called Credential Roaming. When enabled, it synchronizes DPAPI Master Keys, user certificates (including the corresponding private keys) and even saved passwords between computers. We […]
#CQLabs – How UAC bypass methods really work by Adrian Denkiewicz
In this article, we will analyze a couple of known, still-working UAC bypasses: how they work, what their requirements are, and potential mitigation techniques. Before we dive into this, we need to briefly explain what UAC is. What is UAC: The acronym UAC stands for User Account Control, a part of the […]