When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence

Presented at Black Hat Europe 2018, Dec. 5, 2018, 4:30 p.m. (25 minutes)

In Windows domain environments most attacks involve obtaining domain admin privileges. But that's not enough - once an attacker gets them, he has to make sure he doesn't lose his grip on the domain. That's why, in recent years, a new level of innovation has been focused on ways of establishing domain persistence. New ideas are emerging, such as DCShadow and DACL-based methods. In this session we will present an effective approach for creating such persistence, exploiting new opportunities offered by the Win 10 security questions feature.

The new feature, introduced this April, is a good example of how a well-intended idea can become a security nightmare. It allows a user to provide security questions and answers which he can later use to regain access to a local account. Yep, questions like "What was the name of your first pet?" are now safeguarding your domain.

We dug into the implementation of this feature and discovered that it can be abused to create a very durable, low profile backdoor. Once an attacker compromises a network, this backdoor can be remotely distributed to any Win 10 machine in the network - without even executing code on the targeted machine. We'll present this method and the challenges we faced while implementing it, including:

  • How to remotely set the security questions feature
  • How to get remote access to the "Password Reset" screen
  • How to revert to the user's original password after the password reset, to avoid leaving traces (using existing Mimikatz features)

We'll also share methods of mitigating this attack, including an open source tool we've developed that can control or disable the security questions feature, thus preventing security questions from being used as a backdoor.
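The mitigation the abstract describes, controlling or disabling the feature, can also be audited and enforced with a few lines of PowerShell. The script below is an added example written for this page; it is not the presenters' open source tool. It assumes that the Group Policy setting "Prevent the use of security questions for local accounts" (Computer Configuration > Administrative Templates > Windows Components > Credential User Interface) is backed by the DWORD value NoLocalPasswordResetQuestions under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and it must run from an elevated prompt.

```powershell
# Added example (not the presenters' tool): audit and enforce the policy that blocks
# the Windows 10 security questions feature for local accounts on this machine.
# Assumption: the policy is backed by this registry value.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'NoLocalPasswordResetQuestions'

function Get-SecurityQuestionPolicy {
    # Returns 'Disabled' when the policy blocks security questions, 'Allowed' otherwise
    # (a missing key or value means the feature is available to local users).
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($value -eq 1) { return 'Disabled' } else { return 'Allowed' }
}

function Disable-SecurityQuestions {
    # Creates the policy key if it does not exist and sets the blocking value,
    # then re-reads the registry so the caller sees the effective state.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-SecurityQuestionPolicy
}

# Example run: report the current state, enforce the policy, report again.
"Before: $(Get-SecurityQuestionPolicy)"
"After:  $(Disable-SecurityQuestions)"
```

Domain-wide, the same setting belongs in a GPO linked to the OUs that contain Windows 10 workstations; the local functions are then useful as a compliance check that the GPO actually landed on each host (for example, run Get-SecurityQuestionPolicy through Invoke-Command or a scheduled inventory job and alert on any machine that still reports 'Allowed'). Note that the policy governs local accounts only, which is exactly the account type the abstract's backdoor relies on.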


Presenters:

  • Tom Sela - Head of Security Research, Illusive Networks
    Tom Sela is Head of Security Research at Illusive Networks. He specializes in reverse engineering, malware research, deception development and OS internals. Prior to joining Illusive, Tom headed the Malware Research team at Trusteer (acquired by IBM), where he was responsible for Trusteer’s anti-fraud endpoint product. At Trusteer he also led a team of reverse-engineers, researching the internals of advanced malware. As an active contributor to the security research community, Tom has spoken at DefCon and IEEE events. He attended the Israeli Naval Academy at the University of Haifa and holds a B.Sc. from Ben-Gurion University.
  • Magal Baz - Security Researcher, Illusive Networks
    Magal Baz is a security researcher and history enthusiast. In 2015 he joined IBM Trusteer as a malware researcher and reverse engineer, focusing on financial malware families. He recently joined Illusive Networks, mostly researching network security issues and developing network deceptions.