Overview
This 34-minute conference talk from Nullcon Berlin 2025 examines security vulnerabilities in Microsoft's Endpoint Privilege Management (EPM). EPM lets unprivileged users run specific applications with elevated privileges according to enterprise-defined policies, so organizations can avoid the "everyone's a local admin" trap while still giving users the functionality they need. The talk first explains how elevation policy enforcement is supposed to work, then presents multiple vulnerabilities that let an attacker execute arbitrary code with administrative privileges. It follows the speakers' reverse engineering of the EPM binaries to uncover the first vulnerability, their patch-diffing and code re-analysis of the resulting security patches, and the several ways they found to bypass those patches. It also covers further design issues that could enable privilege escalation, and closes with the challenges of designing and implementing an EPM solution that resists local privilege escalation (LPE). Practical exploitation techniques are demonstrated alongside a discussion of the inherent difficulties and pitfalls of securing endpoint privilege management systems.
Syllabus
#NullconBerlin2025 | LPEPM - Tricking Microsoft EPM To Do Our Bidding by Philip & Rotem
Taught by
nullcon