Windows Authentication Bypass via Accessibility Binaries
We've probably all encountered the frustrating moment of trying to log in to a computer after a brief hiatus from work or school, only to discover that we can't recall our password. To folks in a situation like that, the techniques I'm about to detail may come in handy, unless your organization has a robust endpoint detection and response agent that detects, or even blocks, the action. That is because these same techniques are also leveraged by ill-intended users attempting to circumvent authentication requirements at logon.
What is Authentication Bypass?
Authentication bypass is when a user tries to circumvent the login requirements on an endpoint. This means the user can access the resources an authenticated user can access without having to go through the authentication process. This poses a risk in the form of potential follow-on actions the person can take on the host once gaining access.
Replacing legitimate accessibility binaries with cmd.exe
This bypass method replaces one of the Windows accessibility executables with the Windows command prompt. The accessibility executables are the ones that allow users with sensory impairments to operate the computer, such as the magnifier and the on-screen keyboard, and they can be launched from the logon screen before any user has authenticated. Because the replaced executable is still launched in that context, the user gets an unrestricted shell on the host without ever entering a password. To do this, the user needs a Windows operating system install disk that matches the operating system of the host. Note that such media can be created rather than purchased.
The user would then execute the following steps:
- Boot from the Windows operating system install disk
- Click Next on the screen that solicits input regarding language
- On the next screen, click on the Repair your computer option
- Click the radio button next to "Use tools that can help fix...", highlight the operating system to repair, and click Next
- When prompted for a security tool, select Command Prompt
- At the command prompt, rename the accessibility executable being replaced so that the original is preserved:
  ren [Executable being replaced].exe [Executable being replaced].exe.bak
Why this is a risk worth worrying about
You may be thinking, "why would I worry about this? The 'hacker' would need to have physical access to the host." If you're a network administrator at an organization, this is definitely worth worrying about. The threats to your network do not solely reside outside of the walls of the institution. The day-to-day legitimate users on the network pose a plethora of security risks due to gaps in security education and human error.
Even more importantly, an embittered employee may have been recently fired or laid-off. At this point, that individual has motive to commit damaging actions to the institution, whether it's deleting files imperative to the company's success or leaking information that is detrimental to the organization's competitive edge. If that individual somehow manages to regain physical access to their old system, they can cause damage even if their original user account has been deactivated.
Furthermore, if the user performs this executable swap and it goes unnoticed, it poses additional risk in an environment where RDP is enabled. Malicious actors who have gained a foothold on the network through other means can then move laterally to the host and bypass authentication on it, potentially gaining access to sensitive information.
How to mitigate risks associated with this technique
- Full disk encryption: Enabling full-disk encryption on the hosts within the environment adds an extra layer of protection, because the system volume cannot be read or modified from an install disk without the encryption key, so the offline rename never succeeds. There are commercial solutions available for managing full-disk encryption across many devices. BitLocker is the full-disk encryption feature built into Windows. Additionally, ensuring that the recovery keys are changed immediately after an individual leaves the organization reduces the risk of that person being able to access their old device and therefore protects against this technique.
- Endpoint detection and response software: Having a robust endpoint detection and response agent deployed in the environment can, at minimum, alert on this tactic being used. It's important that the EDR software is behavior-based and not solely signature-based, because the technique uses only legitimate Windows binaries, which a signature-based solution would not flag as malicious.
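Beyond EDR alerting, a defender can also verify the accessibility binaries on disk directly. The following added example (not code from the original post) flags an accessibility executable that is byte-identical to cmd.exe, or that has a leftover .bak copy beside it from the rename step above. The list of accessibility executable names is assumed from the standard System32 contents; the demo() function runs the check against a constructed fake directory so it can be tried on any platform.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Standard Windows accessibility executables that can be launched from the
# logon screen; the post names the magnifier and on-screen keyboard, the rest
# are the other well-known entries in System32 (assumed, not from the post).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe",
                          "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_swapped_binaries(system32: Path) -> dict[str, list[str]]:
    """Map each suspicious accessibility binary to the reasons it was flagged.

    Signals: the file is byte-identical to cmd.exe (the swap described above),
    and/or a leftover <name>.bak sits beside it (the 'ren' step of the swap).
    """
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    findings: dict[str, list[str]] = {}
    for name in ACCESSIBILITY_BINARIES:
        reasons = []
        target = system32 / name
        if cmd_hash and target.is_file() and sha256_of(target) == cmd_hash:
            reasons.append("identical to cmd.exe")
        if (system32 / f"{name}.bak").exists():
            reasons.append(f"{name}.bak backup present")
        if reasons:
            findings[name] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Run the check on a constructed fake System32 (not a real Windows dir)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cmd.exe").write_bytes(b"fake cmd.exe image")
        shutil.copy(root / "cmd.exe", root / "sethc.exe")      # swapped in
        (root / "sethc.exe.bak").write_bytes(b"real sethc")    # left by 'ren'
        (root / "osk.exe").write_bytes(b"real osk.exe image")  # untouched
        (root / "utilman.exe.bak").write_bytes(b"real utilman")  # rename only
        return find_swapped_binaries(root)

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Windows\System32")
    for name, why in find_swapped_binaries(root).items():
        print(f"SUSPICIOUS {name}: {', '.join(why)}")
```

On a real host, run it against C:\Windows\System32 (or pass another path); a hash match against cmd.exe or a stray .bak file is worth investigating as a possible sign of this swap.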