
Remote Safe Mode attack defeats Windows 10 pass-the-hash defenses

Lucian Constantin | Sept. 19, 2016
To keep their password extraction tools from being detected or blocked, attackers can remotely reboot computers into Safe Mode

If attackers want to capture a user's credentials, they need to let the user log in, but if their goal is only to execute a pass-the-hash attack, they can simply force a back-to-back restart, which would be indistinguishable to the user, Naim said.

CyberArk reported the issue, but claims that Microsoft doesn't view it as a security vulnerability because attackers need to compromise the computer and gain administrative privileges in the first place.

While a patch might not be forthcoming, there are some mitigation steps that companies could take to protect themselves against such attacks, Naim said. These include removing local administrator privileges from standard users, frequently rotating privileged account credentials to invalidate existing password hashes, using security tools that function properly even in Safe Mode, and adding mechanisms to be alerted when a machine boots in Safe Mode.
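One way to implement the Safe Mode alerting mentioned above, as an added example that is not part of the original article: the detector flags every Safe Mode boot and marks the quick double restart described earlier. It assumes each boot reaches a central collector as a `timestamp|host|BootupState` line (a constructed format, with the state taken from WMI's `Win32_ComputerSystem.BootupState`); the host names and the 10-minute window are also assumptions.

```python
from datetime import datetime, timedelta

# BootupState values reported by the Win32_ComputerSystem WMI class.
SAFE_MODE_STATES = {"Fail-safe boot", "Fail-safe with network boot"}

# Constructed sample records: "<ISO timestamp>|<host>|<BootupState>", one per boot.
SAMPLE_BOOT_LOG = """\
2016-09-19T08:01:12|WS-014|Normal boot
2016-09-19T10:42:30|WS-022|Fail-safe with network boot
2016-09-19T10:47:05|WS-022|Normal boot
2016-09-19T13:15:00|WS-031|Fail-safe boot
2016-09-19T17:30:44|WS-031|Normal boot
"""

def parse_boot_log(text):
    """Return (timestamp, host, state) tuples sorted by time; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return sorted(records)

def safe_mode_alerts(records, window=timedelta(minutes=10)):
    """Alert on every Safe Mode boot; mark it back-to-back when the same host
    boots again within `window` (assumed threshold for a forced double restart)."""
    alerts = []
    for i, (ts, host, state) in enumerate(records):
        if state not in SAFE_MODE_STATES:
            continue
        # First later boot of the same host, if any.
        next_boot = next((t for t, h, _ in records[i + 1:] if h == host), None)
        back_to_back = next_boot is not None and next_boot - ts <= window
        alerts.append({"host": host, "time": ts.isoformat(), "state": state,
                       "back_to_back": back_to_back})
    return alerts

if __name__ == "__main__":
    for alert in safe_mode_alerts(parse_boot_log(SAMPLE_BOOT_LOG)):
        print(alert)
```

Because endpoint agents may not run in Safe Mode, the boot record may have to come from a component that does start there or be reconstructed after the next normal boot.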

 
