A new technique allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches. A report from Workday’s Offensive Security team explains how, by reading data directly from a computer’s raw disk, a malicious actor can sidestep Endpoint Detection and Response (EDR) solutions, […] The post Hackers May Leverage Raw Disk Reads to Bypass EDR Solutions and Access Highly Sensitive Files appeared first on Cyber Security News.

  • LifeInMultipleChoice@lemmy.dbzer0.com
    4 days ago

    Local Administrators have rights to access local data.

    None of this should be an issue if your company has standard security practices.

    It really flagged my attention when they stated they can reconstruct the data from the master boot record. I don’t even think Windows 11 can install on an MBR setup. 10 is usually set up using GPT as well, showing the information is outdated, but really it just means encrypt drives with sensitive data. No one should have local admin rights to install drivers (anything really) outside of the IT department, and even the IT department's roles should be segregated. Most government contractors won’t allow rights to not be segregated out because they’ll fail security audits really. Also, most corporate data should be stored on network drives, which, even if a user has local admin rights, won’t grant them permissions to scrape data off those.

    So even if you give that worker local admin rights to avoid the hassle of them reaching out all the time, they can only scrape data from other users on their machine.

    Edit: that said, if you leave machines accessible to people, and don’t lock down their boot options, they can be a local admin, but once again, that should be locked down by IT.