Search

Shift+F10 PXE Attack....nearly 4 years on

During MDT or ConfiMgr deployment of Windows 10, press Shift+F10 whilst Windows detects devices. A command prompt with System Privileges will pop up allowing all sorts of shenanigans and without being logged by SIEM, those agents wont be running yet.


Also during Windows 10 upgrades, that Bitlocker drive encryption is disabled allowing the same attack.


This is an old issues raised some 3 to 4 years ago.... Well today on my test rig during a 1909 deployment, I was just curious, it cant still be vulnerable.... oops.


The fix is pretty straight forward, although I cant take credit, that belongs to Johan Arwidmark and this post here


#Declare Mount Folders for DISM Offline Update

$mountFolder1 = 'D:\Mount1'

$mountFolder2 = 'D:\Mount2'

$WinImage = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'


#Mount install.wim to first mount folder

Mount-WindowsImage -ImagePath $WinImage\install.wim -Index 1 -Path $mountFolder1


#Mount winre.wim to second mount folder

Mount-WindowsImage -ImagePath $mountFolder1\Windows\System32\Recovery\winre.wim -Index 1 -Path $mountFolder2


#Create folder for DisableCMDRequest.TAG file in Winre.wim

New-Item $mountFolder2\Windows\setup\scripts -ItemType Directory


#Create DisableCMDRequest.TAG file for Winre.wim

New-Item $mountFolder2\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File


#Commit changes to Winre.wim

Dismount-WindowsImage -Path $mountFolder2 -Save


#Create folder for DisableCMDRequest.TAG in install.wim

New-Item $mountFolder1\Windows\setup\scripts -ItemType Directory


#Create DisableCMDRequest.TAG file for install.wim

New-Item $mountFolder1\Windows\setup\scripts\DisableCMDRequest.TAG -ItemType File


#Commit changes to Winre.wim

Dismount-WindowsImage -Path $mountFolder1 -Save





18 views0 comments