Detecting non-privileged Windows Hello abuse

Detecting non-privileged Windows Hello abuse

I recently followed a live session of Dirk-Jan Mollema and Ceri Coburn on how Windows Hello for Business can be abused as a non-privileged user. I was very intrigued by the concept of the attack they demonstrated, which is why a spend a couple of days thinking of ways how we can counter this attack with detective controls as blue teamers.
20 min read
Windows Hello Detection Engineering WDAC MDE
Using WDAC to ingest missing MDE events and detect token stealing

Using WDAC to ingest missing MDE events and detect token stealing

In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll.
7 min read
Entra ID WDAC Tokens PRT Stealing