Presented at
May Contain Hackers (MCH2022),
July 23, 2022, 10:40 p.m.
(50 minutes).
It’s interesting to see how recent technologies such as Microsoft Intune might be used to nullify endpoint security solutions such as Microsoft Defender for Endpoint, the big brother of Microsoft Defender.
In this talk, we start from the perspective of a malicious insider in a company. He obviously has low-privileged access to his own laptop/workstation, which has been carefully hardened using modern endpoint protections such as Microsoft Defender for Endpoint, BitLocker and Secure Boot. Nowadays, central management of these tools is a must to ease the management of all the company’s workstations. This is the ideal target for a malicious insider to gain local administrative access over his laptop.
We want to show you a proof of concept where a malicious insider can gain administrative access within 10 minutes while only having access to his BitLocker recovery key, managed by Microsoft Intune & Azure Active Directory, defeating all the workstation’s hardening measures in place. We will start with a real attack scenario that was part of one of our red team engagements and explain the steps we took to obtain local administrative privileges on the end user’s workstation.
We start by showing how a malicious insider can retrieve the BitLocker recovery key. Then, we bypass the default Secure Boot configuration to boot into an alternative operating system. This allows us to decrypt the BitLocker encrypted hard drive and use tools to gain control over the built-in local Administrator account.
A thorough explanation, including defensive measures, is part of this talk as well.
This presentation is divided into three sections.
First, we are going to explain our attack scenario. Here, as a malicious insider, we have access to our own user account and our own company-managed laptop. Since we are a new employee, we get the laptop configuration that the company’s IT team uses for every new laptop deployed in the company’s IT landscape. They know their business; they make use of an Endpoint Detection & Response (EDR) solution by Microsoft: Defender for Endpoint. Next to that, they configured BitLocker on their endpoints so that an attacker who gains physical access to the laptop’s hard drive cannot extract unencrypted data from it. To be sure that no malicious USB sticks with Kali Linux can be used to bypass the security measures on the laptop, they enable Secure Boot in the UEFI settings. Of course, they put an administrator password on the UEFI settings to prevent someone from altering the UEFI settings & simply disabling Secure Boot.
Second, we will talk about how centrally managed cloud-native services such as Microsoft Azure Active Directory and Microsoft Intune work together to ease the management of endpoints in a company’s IT landscape. While a low-privileged user is blocked from accessing most of the management portals for these services, he can still access a portal where he is able to retrieve his BitLocker recovery key. This is called the BitLocker self-service portal. In a default configuration, a user can use this portal to retrieve his BitLocker recovery key without needing IT approval. We now have access to the BitLocker recovery key and a well-secured company-managed endpoint device. What could go wrong?
In the third section, we show how a default Secure Boot configuration still allows a malicious insider, or attacker, to boot into an alternative Linux operating system, because the bootloader is signed by Microsoft itself! This allows the operating system to pass the Secure Boot check. Then, we can install malicious tools on this alternative Linux operating system to interact with the BitLocker-encrypted built-in hard drive. Since we have the recovery key, we can easily decrypt and mount the Windows partition on this hard drive. Since we have full access to the operating system (remember, we’re root), we can use tools to modify the SAM database on the hard drive – this is where the local users of the Windows installation are managed. This way, we can enable the local built-in Administrator account and set its password to an empty one! We write it to the hard drive, reboot into Windows et voilà, we have administrative access over the laptop. We could even take it as far as adding exclusions to Microsoft Defender for Endpoint – essentially disabling it for that endpoint.
During the talk, we will give a live demo, cover defensive measures that can be taken to hinder a malicious insider, and further cover the impact this attack might have in a corporate environment.
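The attack described above leaves a recognisable end state on the endpoint: the built-in Administrator account enabled, possibly Defender exclusions, and a machine whose boot chain has been tampered with. Because the SAM was edited offline, Windows records no account-management event for the change, so a defender has to look for the resulting state rather than for the event. The following PowerShell posture audit is an added example, not part of the talk or of NVISO’s tooling. It assumes an elevated session on the audited Windows endpoint, the BitLocker, SecureBoot, Defender and LocalAccounts modules that ship with Windows, and a baseline of expected BitLocker protector types that is passed in as a parameter (the default of TPM plus recovery password is an assumption, not the talk’s recommendation).

```powershell
# Added example (not from the MCH2022 talk or its authors). Audits a Windows
# endpoint for the end state the abstract describes. Run in an elevated session.
#Requires -RunAsAdministrator

function Test-EndpointPosture {
    [CmdletBinding()]
    param(
        # Assumed baseline: the protector types IT expects on the OS volume.
        [string[]]$ExpectedProtectors = @('Tpm', 'RecoveryPassword')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Built-in Administrator. Match on RID 500 rather than on the name,
    #    since the account may have been renamed by policy. An offline SAM
    #    edit leaves no Security event, so the enabled flag is the signal;
    #    PasswordRequired and PasswordLastSet are reported for context only.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
    if ($admin.Enabled) {
        $findings.Add("Built-in Administrator '$($admin.Name)' is enabled " +
                      "(PasswordRequired=$($admin.PasswordRequired), " +
                      "PasswordLastSet=$($admin.PasswordLastSet))")
    }

    # 2. Defender exclusions. On a centrally managed endpoint any local
    #    exclusion is worth a look, since the abstract ends with adding them.
    $mp = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        if ($mp.$kind) {
            $findings.Add("Defender $kind set: $($mp.$kind -join ', ')")
        }
    }

    # 3. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines,
    #    which is itself a finding on a fleet that is supposed to be UEFI-only.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') }
    } catch {
        $findings.Add("Secure Boot state unknown: $($_.Exception.Message)")
    }

    # 4. BitLocker on the OS volume: protection must be on and the expected
    #    protector types must be present.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection on $env:SystemDrive is $($os.ProtectionStatus)")
    }
    $present = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    foreach ($p in $ExpectedProtectors) {
        if ($present -notcontains $p) {
            $findings.Add("Expected BitLocker protector '$p' missing (present: $($present -join ', '))")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: print the result; a non-zero exit code lets a scheduler flag the host.
$result = Test-EndpointPosture
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

This is a detective control that runs inside the Windows installation it inspects, so an attacker who already holds local administrator rights could tamper with it; it is most useful when run centrally on a schedule and compared against the fleet baseline. The recovery-key retrieval that starts the attack is separately visible in the Azure AD audit log, so correlating a key retrieval with a subsequent change in this posture check gives a stronger signal than either alone.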
Presenters:
- Wiebe Willems
Wiebe picked up broad IT knowledge during his studies at Odisee Ghent, where he obtained a degree in Electronics-ICT, specializing in Network Infrastructure & Security in his last year. At that time, he did not yet know where he would end up, but he knew it would have something to do with cyber security.
After his studies, Wiebe began his career as a consultant in the Belgian Cyber Security team at EY. He was asked to perform penetration tests, but was mainly part of the defensive blue team. This enabled him to gain offensive & defensive security experience in a broad range of areas, such as:
• Infrastructure penetration tests
• Purple team assessments
• Web application penetration tests
• Phishing assessments
• SIEM rules engineering & configuration
• Security Automation & Orchestration (SOAR)
Using the experience gained during his time at EY, he evolved to a pure penetration testing, red team & adversary emulation role at NVISO, a European Cyber Security Services company. There, he applies most of the tactics, techniques & procedures used in the MITRE ATT&CK framework to assess and improve the general security posture of NVISO’s clients.
Next to Cyber Security, Wiebe also has a particular interest in music, cars & sports. He is nowhere near a rockstar guitar player, but he fancies a good jam when there is one – even though he only recently started playing guitar. He mainly loves watching cars, but the technology behind modern cars is of course related to his general interest in IT. He registers his occasional kilometres on his racing bike on Strava as well.
Wiebe is always open for a talk – if you see him, come say hi!