An Evil Maid attack is a security exploit that targets a computing device that has been left unattended. An evil maid attack is characterized by the attacker's ability to physically access the target multiple times without the owner's knowledge. On BlackHat Europe 2015, Ian Haken in his talk "Bypassing Local Windows Authentication to Defeat Full Disk Encryption" had demonstrated a smart Evil Maid attack which allows the attacker to bypass Bitlocker disk encryption in an enterprise's domain environment. The attacker can do so by connecting the unattended computer into a rogue Domain Controller and abusing a client side authentication vulnerability. As a result, Microsoft had released a patch to fix this vulnerability and mitigate the attack. While being a clever attack, the physical access requirement for the attack seems to be prohibitive and would prevent it from being used on most APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it.
In our talk, we reveal the "Remote Malicious Butler" attack, which shows how attackers can perform such an attack, remotely, to take a complete control over the remote computer. We will dive into the technical details of the attack including the rogue Domain Controller, the client-side vulnerability and the Kerberos authentication protocol network traffic that ties them. We would explore some other attack avenues, all leveraging on the rogue Domain Controller concept. We would conclude with the analysis of some practical generic detection and prevention methods against rogue Domain Controllers.
Tal Be'ery is a Senior Security Research Manager in Microsoft, formerly the VPof Research at Aorato (acquired by Microsoft), protecting organizationsthrough entity behavior. Previously, Tal managed various security projectteams in several companies. Tal holds a B.Sc and an M.Sc degree in ElectricalEngineering and Computer Science and is a Certified Information SystemsSecurity Professional (CISSP). Tal is the lead author of the TIME attackagainst HTTPS, has been a speaker at security industry events including RSA,Blackhat and AusCERT and was included by Facebook in their whitehat securityresearchers list. Mr. Be'ery is a columnist for the securityweek.com magazine.
Chaim Hoch is a security researcher at Microsoft. Prior to Microsoft, Chaimserved six years in the IDF in various roles, leading teams of signal analystsand security researchers. He is starting his M.Sc in Computer Science at theHebrew University (HUJI) this fall.