Intel AMT - Using & Abusing the Ghost in the Machine
Offered By: Cooper via YouTube
Course Description
Overview
Explore the potential security vulnerabilities and forensic analysis techniques of Intel Active Management Technology (AMT) in this comprehensive conference talk from Hack.lu 2017. Delve into how attackers can exploit AMT's legitimate functionalities to gain persistent, undetectable access to modern machines. Learn about practical attack demonstrations, including a 60-second AMT ownership takeover method. Discover mitigation strategies and prevention techniques against such threats. Gain insights into non-destructive forensic processes for AMT systems with unknown admin passwords, and understand how to reclaim AMT ownership post-investigation. Examine the newly released Linux tooling for AMT forensics. Understand AMT's role as an out-of-band management technology in Intel chipsets, its prevalence in business and high-end consumer devices, and its implications for remote management and security.
Syllabus
Intro
Project Goals
What is Intel AMT?
AMT Core Features
High Level Requirements for using Intel AMT
AMT Provisioning Options
AMT in the News
Open Source Tools
After those Goals are achieved?
Provisioning attack vectors
Attacker Goals (Updated)
Ideal steps for an attack
USB provisioning findings
Getting CIRA to work
Attacker assumptions for target laptop (Updated)
Attack Steps
User Detection
Mitigation
Prevention Options
First up: Due Diligence
Ask Intel for help
Ideal vs Reality
Learning from Windows Tool - $$OsAdmin
Retrieving AMT Audit Log
Decoding the logs...
Taught by
Cooper