T1110 Brute Force Mappings

BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.

BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.

Credential Guard uses Intel VT-x for providing Virtualization-based security (VBS), to isolate secrets so that only privileged system software can access them. It isolates LSA-related processes and provides real-time protection against in-memory credential-stealing attempts. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot (Intel PTT and Intel Boot Guard) and virtualization, to protect credentials. Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications such as domain credentials. However, it does not protect against all forms of credential dumping, such as registry dumping. Credential Guard benefits from enabling Secure Boot (BootGuard) and UEFI Lock. When Secure Boot is enabled, a secure and verified environment is established from the start of the boot process. With UEFI Lock, Credential Guard settings are stored in UEFI firmware, significantly increasing the difficulty of disabling Credential Guard through registry changes. This is marked as partial since it uses VBS to isolate LSA related processes and provides some protection against in-memory credential stealing attempts.

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of brute force attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Brute force attacks involve adversaries attempting to gain unauthorized access to systems by systematically guessing passwords or encryption keys. These attacks often involve high volumes of login attempts or other forms of credential stuffing, exploiting weak or reused passwords. Intel TDT plays a key role in identifying these attacks by providing real-time telemetry on program execution, memory access, and control flow, enabling security teams to detect abnormal behaviors such as unusually high login attempts, suspicious API calls, or rapid access attempts that may indicate brute force activity. Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster, more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors, such as repeated login failures, dictionary attacks, or other signs of brute force methods used to bypass security defenses. By leveraging Intel TDT and CAMS's combined capabilities, organizations can detect and stop brute force attacks more efficiently, strengthening their defenses against unauthorized access and reducing the risk of compromise from credential-based threats.

Windows Hello ESS authentication leverages virtual sandbox(Intel VT-X) to protect authentication data to significantly reduce the risk of brute force attacks on passwords, as biometrics typically require physical presence or biometric data that cannot be easily guessed or replicated. It uses the TPM (Intel PTT) to store authentication data including public/private key pairs. Windows Hello also includes Passkeys, a passwordless authentication option that generates public/private key pair with the public key shared with the service requiring authentication and the private key stored in the TPM, which is only released after authentication locally on the device using either a biometric factor such as fingerprint, facial recognition, or a PIN. Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios. Windows Hello utilizes passkeys which helps protect against the risk of credentials being stored in files by eliminating the need for passwords.