When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence

Conference:  BlackHat EU 2018



In Windows domain environments most attacks involve obtaining domain admin privileges. But that's not enough - once an attacker gets them, he has to make sure he doesn't lose his grip in the domain. That's why, in recent years, new levels of innovation are being focused on means of establishing domain persistence. New ideas are emerging, such as DCShadow and DACL-based methods. In this session we will present an effective approach for creating such persistence, exploiting new opportunities offered by the Win 10 security questions feature.The new feature, introduced this April, is a good example of how a well-intended idea can become a security nightmare. It allows a user to provide security questions and answers which he can later use to regain access to a local account. Yep, questions like "What was the name of your first pet?" are now safe-guarding your domain.We dug into the implementation of this feature and discovered that it can be abused to create a very durable, low profile backdoor. Once an attacker compromises a network, this backdoor can be remotely distributed to any Win 10 machine in the network - without even executing code on the targeted machine. We'll present this method and the challenges we faced while implementing it, including:How to remotely set the security questions featureHow to get remote access to the "Password Reset" screenHow to revert back to the user's original password after password reset, to avoid leaving traces (using Mimikatz existing features)We'll also share methods of mitigating this attack, including an open source tool we've developed that can control or disable the security questions feature, thus preventing security questions being used as a backdoor.