When Computer Says Yes (automatically): Understanding UAC Auto-Elevation – Part 2/2

September 03, 2025

#blue-team #uac

How Attackers Abuse Auto-Elevation

As we’ve previously mentioned, auto-elevation doesn’t grant magical powers to every user; a standard (non-admin) user cannot force elevation via these binaries. But if the logged-in user is a local admin (running most apps in medium-integrity mode), auto-elevated binaries can be hijacked. Note that abusing auto-elevation allows for a stealthier privilege escalation: by using trusted Windows binaries instead of dropping custom malware, attackers minimize their detection footprint. Defenders may see only “normal system activity” in their logs… unless they dig deeper.


When Computer Says Yes (automatically): Understanding UAC Auto-Elevation – Part 1/2

September 02, 2025

#blue-team #uac

Windows systems have long wrestled with the balance between usability and security; we joke about how every other version of Windows is “the bad version”, when security takes precedence over user-experience (I’m talking to you, Windows Vista!). One of Microsoft’s key mechanisms for keeping users safe – while still allowing administrators to perform their job – is User Account Control (UAC); but like many security features, the implementation leaves certain “cracks” that attackers can exploit. One of those cracks lies in the concept of auto-elevated executables.


Hunting for Service Executable Hijacking

December 13, 2023

#threat-hunting #velociraptor

Prologue

In a recent Red Team engagement my organization had, the penetration testers managed to laterally move to a Windows endpoint; since they didn’t have admin privileges on it, they were looking for ways to escalate their privileges. Luckily (for them), they found a service with insecure permissions that ran under the context of NT Authority\SYSTEM – and exploited it, gaining that level of privilege on that host.
When I read the PT report, I was annoyed; was it pure luck they got to a host that was vulnerable to this misconfiguration, or was it a game of probabilities (well, that’s true in many cases, I guess)? And if so – what is the percentage of hosts which are also vulnerable to this type of hijacking? 5%? 50%?

In this blog post, we will explore Windows Service Executable Hijacking from both a Red Team (adversarial) and a Blue Team (defender) perspective. We’ll discuss how Red Team operators exploit this attack and provide practical advice for Blue Teams on how to detect and mitigate this threat.


Do You Trust GPO Trustees?

August 20, 2023

#active-directory #blue-team #red-team

Introduction

Group Policy Objects (or GPOs) are a valuable and necessary pillar of any Windows-based organization. They enforce various rules and definitions on hosts, and allow sysadmins to govern the Active Directory domain, on all its users, endpoints and servers.
In the ever-evolving landscape of cybersecurity, GPOs have not gone unnoticed. One notable technique in penetration testing involves the abuse of GPOs by exploiting overly permissive permissions pertaining to them.
This blog post discusses the issue, and introduces a tool designed to assist both Red and Blue Teams in identifying such misconfigurations within GPOs.


BASk in The Glory of Breach & Attack Simulations?

May 09, 2023

#blue-team #red-team

Introduction

One of the most popular (and “sexy”) fields in cyber-security is the field of penetration testing (or “pen-testing” / “PT” for short); it is also a crucial component of any organization’s cybersecurity strategy. In simple terms, pen-testing involves simulating an attack on a system or network in order to identify potential vulnerabilities, misconfigurations and other weaknesses. By doing so, organizations can identify (in a safe manner) areas of their security infrastructure that need improvement – before an actual attacker exploits them.
As new technologies emerge, new terms come into existence. The notion that much of the work a human pen-tester does could be automated by a machine has created a new line of products, for which Gartner has coined the term B.A.S., or “Breach & Attack Simulation” systems.


Communication Obstacles On the Path to Problem Solving

March 17, 2023

In our day-to-day job in IT (but actually, in all aspects of life), we encounter problems which need solutions, or have needs that must be addressed and fulfilled. In an ideal situation, people will have a clear understanding of their needs, or a comprehensive view of the problem; this in turn enables them to “break them down” into modular pieces, analyze them and come up with the optimal solution (given all necessary parameters and conditions), either alone or after brainstorming with others.
However, far more often than not, I have seen a lack of this type of analytical thinking; it starts with a lack of definitions for the terms used, as well as laconic explanations of the needs or the problems that emerged, continues with mixing up the problem with the solution, and ends up with explaining why the solution is in fact the real problem – and why the only real solution is to do X and not Y, or why a solution to the problem is not feasible in the first place!
The following paragraphs address 4 such common obstacles in communication skills regarding problems and the ways to solve them:


Hunting For Saved Credentials in WinSCP and MobaXterm

February 02, 2023

Introduction

When attackers get a foothold on a compromised machine, one of their first courses of action is seeking a means of privilege escalation; that hopefully grants them access to other resources in the target organization, a way to move laterally and reach their goals.
One way to escalate privileges is by extracting passwords from the places they reside in. This could be as easy a task as opening a “passwords.txt” file located on the user’s Desktop, or as “hard” as dumping credentials from the machine’s volatile memory.