Bypassing Windows Defender to gain local system access

Up until recently there has always been an easy way to demo why you need some form of disk encryption, to protect the integrity not only of your data but also of the operating system against tampering. For ages now, Microsoft Windows has contained executable files that can be launched before a user logs on to the box. The result was that a person with physical access to that machine could gain system privileges and do all kinds of nasty stuff, like create a new admin account, manipulate the system or steal your data. For literally ages (well, decades, more or less) the advice any security person would give was to enable BitLocker on a Windows machine to protect the integrity of the operating system. So, much to my surprise, a while ago my demo broke, as Microsoft seems to have built in detection for this specific bypass. That’s really a good thing, but I would still like to have a visible and easy to understand way of getting the message across why you need disk encryption, like BitLocker.

It turned out to be easier than I initially imagined. In a nutshell: once you have physical access to a Windows 10 machine, reboot to an alternative OS, like Windows PE or simply the Windows installation media, open a command prompt, rename the executables that provide the “ease of access” functionality (sethc.exe or utilman.exe), create a symbolic link to cmd.exe using the original name of one of the aforementioned executables, and you’re good to go.

You can think of a symbolic link as a form of shortcut that simply points to another file or folder. There’s no magic involved, just standard Windows functionality that is, for example, also used for application compatibility.

Default Symbolic Links for Application Compatibility
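As an added example, not part of the original post, here is a PowerShell check a defender can run on a booted machine to spot the substitution described above: it reports whether sethc.exe and utilman.exe are reparse points (symbolic links), whether their contents hash identical to cmd.exe (which also catches a plain copy), whether the Authenticode signature is still Microsoft’s, and whether the OS volume is BitLocker-protected. The paths and cmdlets are standard Windows ones; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit the two "ease of access"
# binaries for symlink/reparse-point or copy substitution with cmd.exe and
# report BitLocker state for the system drive. Run from an elevated PowerShell.
$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = @('sethc.exe', 'utilman.exe') | ForEach-Object { Join-Path $system32 $_ }
$cmdHash  = (Get-FileHash -LiteralPath (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing (possibly renamed)"
        continue
    }
    $item = Get-Item -LiteralPath $path -Force

    # A symbolic link shows up as a reparse point; a genuine binary does not.
    $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    # Get-FileHash follows the link, so a link to cmd.exe and a copied cmd.exe
    # both hash identical to the real cmd.exe.
    $matchesCmd = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $cmdHash

    # Note: a signature check alone is not enough. cmd.exe is itself signed by
    # Microsoft, so a link or copy still shows a valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Path       = $path
        IsLink     = $isLink
        LinkType   = $item.LinkType
        Target     = ($item.Target -join ';')
        MatchesCmd = $matchesCmd
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Verdict    = if ($isLink -or $matchesCmd) { 'SUSPICIOUS' } else { 'ok' }
    }
}

# BitLocker state of the OS volume. The BitLocker module ships with Pro and
# Enterprise editions; Home editions will hit the catch block.
try {
    Get-BitLockerVolume -MountPoint $env:SystemDrive |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
} catch {
    Write-Warning "BitLocker cmdlets unavailable on this edition: $($_.Exception.Message)"
}
```

A clean machine reports Verdict ok for both binaries and ProtectionStatus On for the system drive; a link to cmd.exe shows IsLink True with LinkType SymbolicLink, and a copied cmd.exe shows MatchesCmd True.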

In the demo video below I’ll be demonstrating the earlier approach that was used to bypass the Windows logon screen and how Windows Defender catches these malicious attempts to gain access. In the latter half of the video I’ll show you how to bypass it again.

Moral of the story: whatever way an attacker finds to gain physical access to your machines, make sure you have some form of disk encryption enabled on the box to safeguard the integrity of the operating system and, in the end, your and your company’s data. Really, there’s no excuse for having a Windows device without BitLocker enabled: it’s included, it doesn’t cost anything extra, it’s fast, easy to use and safe.

Until next time.
