Hey everyone! I'm looking for some insight into a security incident involving one of our laptops. We had a Dell Latitude that was "borrowed" by someone, and during that time, they somehow created a local admin account, set up a hypervisor, disabled some security rules, and ran suspicious tools. Here's the situation:
- The person had physical access to the laptop when it was away from our site.
- We've regained possession of the device.
- We found no admin credentials indicating they modified anything.
- BitLocker isn't currently enabled, but we're unsure if it was turned off or if it was never on.
- The BIOS still has its admin password set.
- There's evidence of a Kali Live USB in the Defender timeline.
- They deleted all the security event logs.
- Some other laptops in the area reported BitLocker being off, but our reporting has been inconsistent.
I'm trying to understand:
1. Could they bypass BitLocker if it was on without local admin access?
2. If BitLocker was off, what methods exist for creating a local admin account offline?
3. Given that the BIOS has an admin password, how did they manage to boot from a Kali Live USB?
Thanks for your help!
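Before anyone can answer the three questions with more than guesswork, the recovered laptop needs a read-only triage that pulls the state the thread keeps speculating about: whether the OS volume is decrypted and still has key protectors (turned off) or none at all (probably never on), whether Secure Boot and the TPM were in a state that makes a USB boot trivial, the surviving traces of the log wipe, and the local-admin, Hyper-V and Defender changes mentioned in the post. This is an added example, not something from the original post or from Dell/Microsoft; it assumes Windows 10/11 with the built-in BitLocker, Defender, DISM and LocalAccounts modules, an elevated shell on the device itself, and the `Get-RecoveredLaptopTriage` function name is mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): read-only triage of a recovered laptop.
# Assumes Windows 10/11 and the built-in BitLocker, Defender, DISM and LocalAccounts modules.

function Get-RecoveredLaptopTriage {
    $r = [ordered]@{}

    # Q1/Q2: is the OS volume encrypted now, and is protection actually on?
    # FullyDecrypted with no key protectors usually means BitLocker was never enabled;
    # a decrypted volume that still lists protectors points to it having been turned off.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.BitLockerVolumeStatus = $os.VolumeStatus
    $r.BitLockerProtection   = $os.ProtectionStatus
    $r.BitLockerProtectors   = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ','

    # The BitLocker management log is separate from the Security log, so it survives a
    # Security-log wipe. Event IDs differ between builds, so list the recent timeline
    # rather than filtering on a specific ID.
    $r.BitLockerEvents = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }}

    # Q3: boot integrity. With Secure Boot off, a Kali USB boots unsigned; a TPM that is
    # not ready means no TPM-bound protector could have been in place anyway.
    try   { $r.SecureBoot = Confirm-SecureBootUEFI }
    catch { $r.SecureBoot = 'legacy BIOS or unsupported' }
    try   { $r.TpmReady = (Get-Tpm).TpmReady }
    catch { $r.TpmReady = 'no TPM module' }

    # Evidence of the wipe itself: Security 1102 ("the audit log was cleared") is written as
    # the first event of the fresh log; System 104 records clears of the other logs.
    $r.SecurityLogCleared = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='Detail'; e={ $_.Message.Split("`n")[0] }}
    $r.OtherLogsCleared = Get-WinEvent -FilterHashtable @{LogName='System'; Id=104} `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='Detail'; e={ $_.Message.Split("`n")[0] }}

    # Local admins, plus profile folders: an account created offline still gets a profile
    # directory with a CreationTime the first time it logs on, which the log wipe cannot remove.
    $r.LocalAdmins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    $r.LocalUsers  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
    $r.Profiles    = Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory |
        Select-Object Name, CreationTime | Sort-Object CreationTime -Descending

    # "Set up a hypervisor": Hyper-V feature state.
    $r.HyperV = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V `
        -ErrorAction SilentlyContinue).State

    # "Disabled some security rules": Defender real-time protection, ASR rule actions
    # (0 = disabled, 1 = block, 2 = audit) and any exclusions added to hide tooling.
    $mp = Get-MpPreference
    $r.RealTimeProtection = (Get-MpComputerStatus).RealTimeProtectionEnabled
    $r.AsrRules = for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        '{0}={1}' -f $mp.AttackSurfaceReductionRules_Ids[$i], $mp.AttackSurfaceReductionRules_Actions[$i]
    }
    $r.DefenderExclusions = @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)

    [pscustomobject]$r
}

Get-RecoveredLaptopTriage | Format-List
```

Run it from an elevated PowerShell on the laptop and keep the output with the case notes; it changes nothing on the host. If `BitLockerVolumeStatus` is `FullyDecrypted` and `BitLockerProtectors` is empty, the "never on" theory gets much stronger, and the Intune compliance reports for the other laptops should be cross-checked against the same two fields rather than against the single "BitLocker on/off" flag.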
6 Answers
If BitLocker was off, then just physically removing the drive allows full access to the data. A BIOS password wouldn't hold them back there either. Once a user has access, even an enabled BitLocker might have vulnerabilities during updates where it could be maneuvered around.
There are numerous third-party tools that can change local admin passwords, which likely played a part here. As for your concerns about the BIOS, if they accessed it, the password isn't a hard stop against booting from external media.
Not sure how much info you have, but if they had a known exploit or if the BitLocker firmware was outdated, they might've had an easy way around it. Also, check if BitLocker recovery keys could have been accessed remotely, as that’s another weak spot.
I’m not completely aware of their exploits, but I do know we're using Defender and Intune. Chances are low that they had the BIOS password, though.
For your last question, they might have connected the USB drive in such a way that it's prioritized in the boot order, skipping the need to access BIOS. That’s pretty common with many setups.
Thanks for that! I did check and confirmed that USB was indeed lower in the boot priority.
Or they could've used advanced restart options to boot from another device without the usual password barrier.
It sounds like BitLocker was probably off. If the drive isn't encrypted, someone could easily take it out and modify its contents. Once that's done, there are ways to reset the admin password or create a new local account.
Right! And they could even boot from USB and reconfigure files to run commands on the login screen, which is another trick to create new accounts without needing admin access.
But with that Kali Live USB detected, they might've circumvented BIOS settings too. Could be worth looking into if they managed to run it from a VM!
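The "run commands on the login screen" trick mentioned above is the accessibility-binary swap: from a live USB the attacker either overwrites `utilman.exe` or `sethc.exe` in `System32` with a copy of `cmd.exe`, or sets an Image File Execution Options `Debugger` value for it, so that clicking Ease of Access (or pressing Shift five times) at the logon screen opens a SYSTEM shell where `net user /add` and `net localgroup administrators /add` create the account. The check below is an added example, not code from the original thread; it assumes Windows 10/11, an elevated shell, and the `Test-LoginScreenHijack` function name is mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): detect the logon-screen accessibility
# binary hijack in both of its common forms. Assumes Windows 10/11 and an elevated shell.

$accessibilityBinaries = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-LoginScreenHijack {
    $system32 = Join-Path $env:SystemRoot 'System32'
    # The classic offline swap is literally "copy cmd.exe utilman.exe", so a hash match
    # with cmd.exe is the strongest single indicator.
    $cmdHash = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        # Variant 1: an IFEO "Debugger" value makes Windows launch that program instead
        # of the accessibility tool. No file on disk changes, so hashes look clean.
        $debugger = (Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger `
            -ErrorAction SilentlyContinue).Debugger

        # Variant 2: the binary itself was overwritten from the live environment.
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature $path

        [pscustomobject]@{
            Binary       = $name
            IfeoDebugger = $debugger
            IsCmdCopy    = ($hash -eq $cmdHash)
            SignerStatus = $sig.Status
            LastWrite    = (Get-Item $path).LastWriteTime
            Suspicious   = [bool]$debugger -or ($hash -eq $cmdHash) -or ($sig.Status -ne 'Valid')
        }
    }
}

Test-LoginScreenHijack | Format-Table -AutoSize
```

Two caveats when reading the output. A `utilman.exe` that is really `cmd.exe` still reports `SignerStatus` of `Valid`, because `cmd.exe` is a signed Microsoft binary; that is why the hash comparison is there, and it only catches the `cmd.exe` variant. If the attacker copied `powershell.exe` or their own tool instead, the `LastWriteTime` column and a run of `sfc /verifyonly` (which compares `System32` against the protected component store) are the fallback. Either variant, once found, tells you the account was created from a live boot against an unencrypted drive, which answers question 2 without needing the deleted Security log.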
Just to clarify, if BitLocker wasn’t enabled or they managed to turn it off, they could just boot using a live environment and do whatever they wanted, like modifying accounts in Windows offline. It sounds pretty straightforward if security measures weren't correctly in place.
Exactly! That’s a big factor here—understanding whether they could’ve turned BitLocker off or if it was just never active. We’re currently checking into that anomaly with other devices. Thanks for the insights!

That update vulnerability is interesting. Good to know we're using LAPS for local admin creds! I'll keep that in mind.