
The article discusses detecting abuse of Windows Hello for Business (WHfB) by non-privileged users, leveraging research by Dirk-Jan Mollema and Ceri Coburn. The attack involves abusing WHfB credentials to gain unauthorized access via Remote Desktop Protocol (RDP) on non-TPM-protected devices.
🔗 Reference: Detecting Non-Privileged Windows Hello Abuse
You Should Know:
1. WDAC Audit Policy for Missing DeviceImageLoad Events
To detect suspicious activity, enable Windows Defender Application Control (WDAC) in audit mode so that `DeviceImageLoad` events that Microsoft Defender for Endpoint (MDE) otherwise does not record appear in the `DeviceImageLoadEvents` table.
PowerShell Command:
Set-RuleOption -FilePath "C:\WDAC\Policy.xml" -Option 3   # option 3 = Enabled:Audit Mode
2. Hunting Queries (KQL – Microsoft Sentinel / Defender XDR)
Hunt for First RDP Session
DeviceEvents
| where ActionType == "RdpConnectionSuccess"
| summarize FirstConnection = min(Timestamp) by DeviceName
| where FirstConnection > ago(7d)
Hunt for RDP to Non-TPM Devices
DeviceEvents
| where ActionType == "RdpConnectionSuccess"
| join kind=leftouter (DeviceInfo | where TpmVersion == "0.0.0.0") on DeviceName
| where isnotempty(TpmVersion)   // keeps only devices that matched the non-TPM inventory
3. Detection Queries
Suspicious `ncrypt.dll` Usage by CLI Tool
DeviceImageLoadEvents
| where FileName == "ncrypt.dll"
| where InitiatingProcessFileName endswith ".exe"
| where InitiatingProcessCommandLine contains "cmd" or InitiatingProcessCommandLine contains "powershell"
Suspicious `ncrypt.dll` Usage with Entra ID Nonce Request
DeviceImageLoadEvents   // image loads are recorded in this table rather than DeviceEvents
| where FileName == "ncrypt.dll"
| where InitiatingProcessFileName contains "Microsoft.AAD.BrokerPlugin"
Suspicious `ncrypt.dll` Usage on Admin Device with RDP to Non-TPM Device
DeviceImageLoadEvents
| where FileName == "ncrypt.dll"
| where InitiatingProcessParentFileName contains "rdpinit.exe"
| join kind=inner (DeviceInfo | where TpmVersion == "0.0.0.0") on DeviceName
Multiple WHfB PRT Tokens Used Simultaneously
SigninLogs
| where AppDisplayName == "Windows Hello for Business"
// the device id lives in the DeviceDetail dynamic column; bucket by hour so "simultaneous" means within the same window
| summarize Count = count() by UserPrincipalName, DeviceId = tostring(DeviceDetail.deviceId), bin(TimeGenerated, 1h)
| where Count > 1
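The hunting and detection logic of sections 2 and 3, modelled offline in Python over constructed sample records. This is an added example, not code from the original article or from the referenced research; the device names, TPM versions, timestamps and process names are made up, and the record fields simply mirror the MDE column names used in the queries above.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); field names mirror the
# DeviceInfo / DeviceImageLoadEvents / DeviceEvents columns used in the KQL above.
DEVICE_INFO = [
    {"DeviceName": "admin-ws01", "TpmVersion": "2.0.0.0"},
    {"DeviceName": "lab-vm07", "TpmVersion": "0.0.0.0"},  # no TPM: WHfB key is software-backed
]
IMAGE_LOADS = [  # (DeviceName, FileName, InitiatingProcessFileName, InitiatingProcessParentFileName)
    ("admin-ws01", "ncrypt.dll", "powershell.exe", "explorer.exe"),
    ("admin-ws01", "ncrypt.dll", "lsass.exe", "wininit.exe"),  # expected, benign loader
    ("lab-vm07", "ncrypt.dll", "rundll32.exe", "rdpinit.exe"),
    ("lab-vm07", "bcrypt.dll", "powershell.exe", "explorer.exe"),  # different DLL, ignored
]
RDP_EVENTS = [  # (Timestamp, DeviceName, ActionType)
    ("2024-05-01T09:00:00", "admin-ws01", "RdpConnectionSuccess"),
    ("2024-05-20T08:30:00", "admin-ws01", "RdpConnectionSuccess"),
    ("2024-05-19T22:15:00", "lab-vm07", "RdpConnectionSuccess"),
]
NOW = datetime(2024, 5, 21, 12, 0, 0)  # constructed "current time" standing in for ago(7d)
CLI_TOOLS = {"cmd.exe", "powershell.exe"}

def non_tpm_devices(device_info):
    """DeviceInfo | where TpmVersion == "0.0.0.0" -> set of device names."""
    return {d["DeviceName"] for d in device_info if d["TpmVersion"] == "0.0.0.0"}

def suspicious_ncrypt_loads(image_loads, device_info):
    """ncrypt.dll loaded by a CLI tool, or under an RDP session (rdpinit.exe parent)
    on a device without a TPM. Returns (device, process, reason) tuples."""
    no_tpm = non_tpm_devices(device_info)
    hits = []
    for device, dll, proc, parent in image_loads:
        if dll.lower() != "ncrypt.dll":
            continue
        if proc.lower() in CLI_TOOLS:
            hits.append((device, proc, "cli-tool"))
        elif parent.lower() == "rdpinit.exe" and device in no_tpm:
            hits.append((device, proc, "rdp-session-on-non-tpm-device"))
    return hits

def first_rdp_within(rdp_events, days, now=NOW):
    """Devices whose earliest RdpConnectionSuccess falls inside the last `days` days:
    summarize FirstConnection = min(Timestamp) by DeviceName | where FirstConnection > ago(days)."""
    first = {}
    for ts_text, device, action in rdp_events:
        if action != "RdpConnectionSuccess":
            continue
        ts = datetime.fromisoformat(ts_text)
        first[device] = min(first.get(device, ts), ts)
    return sorted(d for d, ts in first.items() if ts > now - timedelta(days=days))
```

Note that the benign lsass.exe load and the unrelated DLL are skipped, while the non-TPM device whose first RDP session is recent is the one that surfaces in both checks.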
4. Mitigation Steps
- Enforce TPM Requirement for RDP:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "RequireTPM" -Value 1
- Monitor `ncrypt.dll` Loading Events:
Add-MpPreference -AttackSurfaceReductionRules_Ids "56a863a9-875e-4185-98a7-b882c64b5ce5" -AttackSurfaceReductionRules_Actions "AuditMode"
What Undercode Says
Windows Hello for Business is a powerful authentication mechanism, but attackers can abuse it if not properly monitored. By implementing WDAC audit policies, KQL hunting queries, and strict TPM enforcement, organizations can detect and prevent unauthorized RDP access.
Additional Linux & Windows Commands for Security Monitoring
– Check TPM Status (Linux):
sudo tpm2_getcap properties-fixed
– List Loaded Kernel Modules (Linux – spot unexpected modules):
lsmod
– Check RDP Sessions (Windows):
qwinsta /server:<IP>
– Audit Failed Logins (Linux):
sudo grep "authentication failure" /var/log/auth.log
– Disable RDP if Not Needed (Windows):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
Expected Output:
A structured detection and mitigation strategy for Windows Hello abuse, including KQL queries, PowerShell commands, and Linux security checks to enhance enterprise security posture.
References:
Reported By: Robbe Van – Hackers Feeds