With Windows 10 and Windows Server 2016, Microsoft introduced Windows Hello for Business (WHfB), a feature that enables passwordless authentication in Active Directory environments and thereby aims to reduce the risk of password theft. It is built on well-known industry standards, including Kerberos PKINIT, JWT, WS-Trust and FIDO2, and relies heavily on advanced cryptographic mechanisms such as TPM key attestation and token binding. Unfortunately, WHfB is overly complicated, lacks proper management tools, and its documentation omits many important technical details. It is therefore a black box for most administrators, security auditors and pentesters.
While analyzing the current WHfB implementation in Windows, we identified several new attack vectors that may lead to privilege escalation and persistence. Our most important discovery is a new type of persistent Active Directory backdoor which, to our knowledge, is not detected by current security solutions or audit procedures. Moreover, even companies that do not actively use WHfB may be affected by this threat.
We have also discovered that following Microsoft's mitigation guide for a previously known vulnerability not only leaves Active Directory vulnerable, but can also introduce yet another security issue into the system. These practically exploitable vulnerabilities may result in Active Directory user impersonation without requiring any special Active Directory permissions.
During this talk, we will also demonstrate our new toolset, which can be used to scan corporate environments for the aforementioned vulnerabilities and to remediate any issues found. It also provides much-needed visibility into Windows Hello for Business usage in Active Directory.
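The kind of visibility the toolset is described as providing can be approximated with a few lines of PowerShell. The following is an added example, not the authors' toolset and not code from this talk: it enumerates every Active Directory object that carries a registered key in the msDS-KeyCredentialLink attribute (where WHfB registers its public keys) and decodes each value according to the KEYCREDENTIALLINK_BLOB layout documented in MS-ADTS section 2.2.20. It assumes the RSAT ActiveDirectory module is available and that the caller can read the attribute; the function names and the report columns are this example's own choices, and the KeyUsage name mapping (0x01 NGC, 0x07 FIDO, 0x08 FEK) follows MS-ADTS, with any other value shown raw.

```powershell
# Added example (not the authors' toolset): list and decode msDS-KeyCredentialLink
# values in Active Directory. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory

function ConvertFrom-KeyCredentialLink {
    # Decodes one attribute value. Values are DN-Binary strings of the form
    # B:<hex-char-count>:<hex>:<DN of the object the value belongs to>
    param([Parameter(Mandatory)][string]$DnWithBinary)

    if ($DnWithBinary -match '^B:(\d+):([0-9A-Fa-f]+):(.+)$') {
        $hex = $Matches[2]
    } else {
        throw "Not a DN-Binary value: $DnWithBinary"
    }
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }

    # KEYCREDENTIALLINK_BLOB: 4-byte version, then entries of
    # <2-byte length><1-byte identifier><value> (MS-ADTS 2.2.20).
    $key = [ordered]@{
        Version         = [BitConverter]::ToUInt32($bytes, 0)   # 0x200 for current blobs
        KeyId           = $null
        KeyUsage        = $null
        KeySource       = $null
        DeviceId        = $null
        KeyCreationTime = $null
        LastLogonTime   = $null
        PublicKeyBytes  = 0
    }
    $usageNames = @{ 1 = 'NGC (Windows Hello)'; 7 = 'FIDO'; 8 = 'FEK' }  # MS-ADTS 2.2.20.6

    $pos = 4
    while ($pos + 3 -le $bytes.Length) {
        $len = [BitConverter]::ToUInt16($bytes, $pos)
        $id  = $bytes[$pos + 2]
        [byte[]]$val = [byte[]]::new($len)
        [Array]::Copy($bytes, $pos + 3, $val, 0, $len)
        switch ($id) {
            0x01 { $key.KeyId = -join ($val | ForEach-Object { $_.ToString('x2') }) }  # SHA-256 of key material
            0x03 { $key.PublicKeyBytes = $len }                                         # raw public key
            0x04 { $u = [int]$val[0]
                   $key.KeyUsage = if ($usageNames.ContainsKey($u)) { $usageNames[$u] } else { '0x{0:x2}' -f $u } }
            0x05 { $key.KeySource = if ($val[0] -eq 0) { 'AD' } else { 'AzureAD' } }
            0x06 { $key.DeviceId = [guid]::new($val) }                                  # 16-byte GUID
            0x08 { $key.LastLogonTime   = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($val, 0)) }
            0x09 { $key.KeyCreationTime = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($val, 0)) }
        }
        $pos += 3 + $len
    }
    [pscustomobject]$key
}

function Get-KeyCredentialLinkReport {
    # One row per registered key, for every user or computer that has at least one.
    # The LDAP filter makes the DC return only objects where the attribute is present.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(msDS-KeyCredentialLink=*)' `
                            -Properties msDS-KeyCredentialLink, objectClass
    foreach ($obj in $objects) {
        foreach ($value in $obj.'msDS-KeyCredentialLink') {
            $key = ConvertFrom-KeyCredentialLink $value
            [pscustomobject]@{
                Object          = $obj.DistinguishedName
                ObjectClass     = $obj.ObjectClass
                KeyUsage        = $key.KeyUsage
                KeySource       = $key.KeySource
                DeviceId        = $key.DeviceId
                KeyCreationTime = $key.KeyCreationTime
                LastLogonTime   = $key.LastLogonTime
                KeyId           = $key.KeyId
            }
        }
    }
}

# Example run: newest registrations first.
Get-KeyCredentialLinkReport | Sort-Object KeyCreationTime -Descending | Format-Table -AutoSize
```

The report answers the basic inventory questions (which accounts have keys, of what usage and source, registered when, and last used for logon when) that the attribute alone does not make visible. Which rows deserve a closer look is the auditor's call; recently created keys that have never been used for logon, or keys on accounts that were not expected to enroll in WHfB at all, are natural starting points. Note that a single malformed value makes `ConvertFrom-KeyCredentialLink` throw, so wrap the call in `try`/`catch` if you want the scan to keep going across a large directory.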