ITSEC Newsletter 2025-07-10

Another season of Collegiate Cyber Defense Competition (CCDC) has officially ended. I had the good fortune this year to be on the red team for National CCDC this year, and I can only describe it as "some of the most fun you can have on a computer." There's nothing quite like the feeling of playing Doom on someone's hypervisor and watching as they frantically try to figure out how to eject you from the system, or spawning 100 copies of an unkillable goose that runs around wreaking havoc on the desktop of a domain controller.

Cross-Session Activation has mainly been used for privilege escalation purposes so far. However, with administrative privileges, it is also possible to execute code on a remote system in the context of an actively logged-in user. From an attacker's perspective, this also has the advantage that we can leave out IoCs for injection, impersonation or credential dumping, as we can directly execute code in the context of our target user. COM Hijacking makes this new Lateral Movement vector easy to find and abuse, but can also get detected accurately with targeted rule sets.

In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users.