Recently, I was prepping for a session and wanted to show the old hack where you boot into a Windows setup using a USB stick and change out the utilman.exe with cmd.exe. Utilman.exe is the binary behind this icon here on the logon screen:
Figure 1 - Icon for Utilman.exe
First, follow these instructions to get a USB stick with the
Windows installation:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/install-windows-from-a-usb-flash-drive
When that is taken care of, boot on the memory stick. Note that some computers require you to press F12, Escape, or any other key to bring up a boot menu, and others require you to go into the bios to change the boot order—this all depends on your computer. When you bring the boot menu up, select the USB stick from the menu and go into the Windows setup.
When the setup screen is loaded, press Shift + F10. This will bring up a command line where you can do stuff on the currently installed operating system.
Figure 2 - How to Open Command Shell
Now, simply replace the binary you want with another one. Note that in most cases the OS drive is mapped to D:.
What I did while preparing for my session was I changed out utilman.exe with cmd.exe like this:
Figure 3 - Changing Utilman.exe With Cmd.exe
There are other binaries you can replace as well, which I will cover in a bit. After I replaced utilman.exe, I rebooted the computer and on the logon screen, I attempted to click the icon, expecting a cmd.exe to appear. That was not the case while I was testing, so I decided I had to dig a bit further and figure out what is going on. Changing binaries on the Windows installation is of course not possible if the Windows installation is encrypted using BitLocker or any other disk encryption tool.
I was aware that Microsoft had made some effort to block that by creating a signature for it, but I thought it was only for the sticky keys trick (5x shift) that launches the sethc.exe. During my attempt, I triggered a Windows Defender signature, which made it not work as expected for me. But since I really wanted to show this hack, I went down the rabbit hole to figure out other ways of doing the exact same thing using other tricks. My goal was to show that a computer without encryption is at risk and can easily be hacked with just a little effort.
The Windows Defender signature name that is triggered is the Win32/AccessibilityEscalation.A, as shown in the screenshot.
Figure 4 - Signature That Triggers
Looking at the Microsoft pages, not much information is given about the signature: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/AccessibilityEscalation.A&ThreatID=-2147238315
Mapping Out Possibilities
First, I wanted to know what options we have on the logon screen, so I started to list out all the different binaries that are used or can be triggered at the logon screen after you boot. This is the list I have come up with (there could of course be more that I do not know of yet).
Binary Name | Shortcuts | Description |
Sethc.exe | 5x Shift or Left Alt + Left Shift + PrtScrn or Hold right shift for 8 sec or Hold NumLock for 5 sec | Sticky keys |
Utilman.exe | Windows Key + U | Little icon in corner |
Narrator.exe | Control + Windows Key + Enter | Helps the user by reading things out loud |
Magnify.exe | Windows Key + Plus Key | Zooms |
Osk.exe | Windows Key + Control + O | On screen keyboard. Shortcut only works inside Windows. Use Windows Key + U and click on On-Screen Keyboard. |
I attempted to swap out the binaries with a list of different ones. I tried to replace them with cmd.exe, conhost.exe, mmc.exe, ftp.exe, and a custom cmd.exe version from Didier Stevens found here: http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip .
Here are the results in this table:
Binary | Replaced With | Status |
Sethc.exe | Cmd.exe | Fails - Triggers Windows defender |
Sethc.exe | Conhost.exe | Fails - No Triggers from Windows Defender |
Sethc.exe | mmc.exe | Fails – No Triggers from Windows Defender |
Sethc.exe | ftp.exe | Works! |
Sethc.exe | Didier Stevens cmd.exe | Works! |
Utilman.exe | Cmd.exe | Fails - Triggers Windows defender |
Utilman.exe | Conhost.exe | Fails - No Triggers from Windows Defender |
Utilman.exe | mmc.exe | Fails - No Triggers from Windows Defender |
Utilman.exe | ftp.exe | Fails - No Triggers from Windows Defender |
Utilman.exe | Didier Stevens cmd.exe | Works! |
Narrator.exe | Cmd.exe | Fails - Triggers Windows defender |
Narrator.exe | Conhost.exe | Fails - No Triggers from Windows Defender |
Narrator.exe | mmc.exe | Fails - No Triggers from Windows Defender |
Narrator.exe | ftp.exe | Works if you click on the icon |
Narrator.exe | Didier Stevens cmd.exe | Works! |
Magnify.exe | Cmd.exe | Fails - Triggers Windows defender |
Magnify.exe | Conhost.exe | Works! |
Magnify.exe | mmc.exe | Fails - No Triggers from Windows Defender |
Magnify.exe | ftp.exe | Works! |
Magnify.exe | Didier Stevens cmd.exe | Works! |
Osk.exe | Cmd.exe | Fails - Triggers Windows defender |
Osk.exe | Conhost.exe | Works if you click on utilman and enable it |
Osk.exe | Mmc | Fails - No Triggers from Windows Defender |
Osk.exe | ftp.exe | Works! |
Osk.exe | Didier Stevens cmd.exe | Works! |
*It is unclear at this point why mmc.exe fails, but I believe there are some dependencies that are required. It works fine if you first start cmd.exe/Conhost.exe and the mmc.
Some of you are probably wondering why I choose ftp.exe as a test. Well, if you did not know this it will blow your mind. You can run OS commands from ftp.exe by prepending the commands with !. If you want to add a user, you can type the command:
!net user TrustedSec Dav1dKR0cks! /add
Figure 5 - Executing Commands Through FTP.exe
While mapping this out, I got curious about if I could find something even more exciting, so I turned to my old friend mklink to help me out. You can create something called a symbolic link using mklink, so I attempted to delete the binary and replace it with a link to cmd.exe. This also works for all the mentioned binaries except for osk.exe.
Command:
Mklink utilman.exe cmd.exe
Figure 6 - Creating Symbolic Links
Conclusion
I ended up finding a way to show this hack in my session without too much effort and I got a good round of applause for it. ????
To be honest, I feel that relying on anti-virus signatures to protect against these attacks is probably not the best way. I get that encrypting your hard drive protects against these attacks, but a normal home user would not even know what BitLocker/hard drive encryption is.
One thing I found funny during this was that it is easier to add a third-party evil binary to perform the attack rather than relying on Windows binaries since they are signatured. Also, I am pretty confident that within a few months, Windows Defender will start blocking the ones I just highlighted in this blog post as well. I would love to see Microsoft changing tactics when blocking stuff like this, instead of relying on signatures.