Adventures in the Underland: The CQForensic Toolkit as a Unique Weapon Against Hackers

Presented at Black Hat USA 2019, Aug. 8, 2019, 3:50 p.m. (50 minutes)

Best practices come out when true experts' experience meets the power of science! Let's face it: hackers' creativity has no end. What is more, people, the most valuable resource, are not always aware of the level of security in their companies, the possible points of entry, how operating systems are attacked, and how to protect the infrastructure from successful attacks, which are in some cases triggered by configuration mistakes. A secure infrastructure configuration should be the most important line of defense in every organization. Although hackers often win the race, your OS is not defenseless!

This session is based on CQTools; several of them are the result of discoveries made by the CQURE Team! Some took years to complete, and all of them work in a straightforward manner. CQTools is the ultimate toolkit to have when delivering penetration tests: the tools work simply, and we use them in practice during our cybersecurity projects. Furthermore, Paula and the CQURE Team made a DPAPI discovery: they reverse-engineered the mechanism to be able to tell you how it works today and whether it is safe. During the session, participants also hear about two great discoveries CQURE made. The first is how to decrypt DPAPI-protected data by leveraging the private key stored as an LSA Secret on a domain controller. The second is a way to decrypt SID-protected PFX files without access to the user's password, just by generating the SID and the user's token.

Attendees become familiar with the completely unique CQForensic toolkit, which can build an attack timeline, extract information from the USN journal, recover files (also from the MFT), decrypt the user's and the system's stored secrets such as encrypted data, extract information from Prefetch and from the Remote Desktop session cache, and extract information from the configuration of the tools used for administration.

Beware: extremely technical and detailed session!

Presenters:

  • Paula Januszkiewicz - CEO, Cybersecurity Expert, CQURE Inc.
    Paula Januszkiewicz is the founder and CEO of CQURE, an IT and cybersecurity consultancy which predominantly conducts IT security audits and penetration testing. Founded in Poland in 2007, the company now has a presence in the UAE, the US and Switzerland. Paula has 15 years of consulting experience, mainly in cybersecurity, holding contracts with large companies such as Microsoft, Orange and Hewlett Packard as well as with government departments. What is more, Paula holds numerous titles such as Microsoft Regional Director, Enterprise Security Microsoft Most Valuable Professional, Microsoft Certified Trainer, and Microsoft Security Trusted Advisor. She is also an in-demand speaker on cybersecurity, speaking at global events such as Microsoft Ignite, RSA, Black Hat, TechEd North America, TechEd Europe, TechEd Middle East, and CyberCrime. She was granted access to the Windows source code.
