Recently, I was prepping for a session and wanted to show the old hack where you boot into a Windows setup using a USB stick and change out the utilman.exe with cmd.exe. Utilman.exe is the binary behind this icon here on the logon screen:

Figure 1 – Icon for Utilman.exe

First, follow these instructions to get a USB stick with the Windows installation:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/install-windows-from-a-usb-flash-drive

When that is taken care of, boot from the memory stick. Note that some computers require you to press F12, Escape, or another key to bring up a boot menu, and others require you to go into the BIOS to change the boot order—this all depends on your computer. When you bring the boot menu up, select the USB stick from the menu and go into the Windows setup.

When the setup screen is loaded, press Shift + F10. This will bring up a command prompt from which you can access the files of the currently installed operating system.

Figure 2 – How to Open Command Shell

Now, simply replace the binary you want with another one. Note that in most cases the OS drive is mapped to D:.

What I did while preparing for my session was I changed out utilman.exe with cmd.exe like this:

Figure 3 – Changing Utilman.exe With Cmd.exe

There are other binaries you can replace as well, which I will cover in a bit. After I replaced utilman.exe, I rebooted the computer and on the logon screen, I attempted to click the icon, expecting a cmd.exe to appear. That was not the case while I was testing, so I decided I had to dig a bit further and figure out what was going on. Changing binaries on the Windows installation is of course not possible if the Windows installation is encrypted using BitLocker or any other disk encryption tool.

I was aware that Microsoft had made some effort to block that by creating a signature for it, but I thought it was only for the sticky keys trick (5x shift) that launches the sethc.exe. During my attempt, I triggered a Windows Defender signature, which made it not work as expected for me. But since I really wanted to show this hack, I went down the rabbit hole to figure out other ways of doing the exact same thing using other tricks. My goal was to show that a computer without encryption is at risk and can easily be hacked with just a little effort.

The Windows Defender signature name that is triggered is the Win32/AccessibilityEscalation.A, as shown in the screenshot.

Figure 4 – Signature That Triggers

Looking at the Microsoft pages, not much information is given about the signature: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/AccessibilityEscalation.A&ThreatID=-2147238315

Mapping Out Possibilities

First, I wanted to know what options we have on the logon screen, so I started to list out all the different binaries that are used or can be triggered at the logon screen after you boot. This is the list I have come up with (there could of course be more that I do not know of yet).

| Binary Name | Shortcuts | Description |
|---|---|---|
| Sethc.exe | 5x Shift, or Left Alt + Left Shift + PrtScrn, or hold right Shift for 8 sec, or hold NumLock for 5 sec | Sticky keys |
| Utilman.exe | Windows Key + U | Little icon in corner |
| Narrator.exe | Control + Windows Key + Enter | Helps the user by reading things out loud |
| Magnify.exe | Windows Key + Plus Key | Zooms |
| Osk.exe | Windows Key + Control + O | On-screen keyboard. Shortcut only works inside Windows. Use Windows Key + U and click on On-Screen Keyboard. |

I attempted to swap out the binaries with a list of different ones. I tried to replace them with cmd.exe, conhost.exe, mmc.exe, ftp.exe, and a custom cmd.exe version from Didier Stevens found here: http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip.

Here are the results in this table:

| Binary | Replaced With | Status |
|---|---|---|
| Sethc.exe | Cmd.exe | Fails – Triggers Windows Defender |
| Sethc.exe | Conhost.exe | Fails – No triggers from Windows Defender |
| Sethc.exe | mmc.exe | Fails – No triggers from Windows Defender |
| Sethc.exe | ftp.exe | Works! |
| Sethc.exe | Didier Stevens cmd.exe | Works! |
| Utilman.exe | Cmd.exe | Fails – Triggers Windows Defender |
| Utilman.exe | Conhost.exe | Fails – No triggers from Windows Defender |
| Utilman.exe | mmc.exe | Fails – No triggers from Windows Defender |
| Utilman.exe | ftp.exe | Fails – No triggers from Windows Defender |
| Utilman.exe | Didier Stevens cmd.exe | Works! |
| Narrator.exe | Cmd.exe | Fails – Triggers Windows Defender |
| Narrator.exe | Conhost.exe | Fails – No triggers from Windows Defender |
| Narrator.exe | mmc.exe | Fails – No triggers from Windows Defender |
| Narrator.exe | ftp.exe | Works if you click on the icon |
| Narrator.exe | Didier Stevens cmd.exe | Works! |
| Magnify.exe | Cmd.exe | Fails – Triggers Windows Defender |
| Magnify.exe | Conhost.exe | Works! |
| Magnify.exe | mmc.exe | Fails – No triggers from Windows Defender |
| Magnify.exe | ftp.exe | Works! |
| Magnify.exe | Didier Stevens cmd.exe | Works! |
| Osk.exe | Cmd.exe | Fails – Triggers Windows Defender |
| Osk.exe | Conhost.exe | Works if you click on utilman and enable it |
| Osk.exe | mmc.exe | Fails – No triggers from Windows Defender |
| Osk.exe | ftp.exe | Works! |
| Osk.exe | Didier Stevens cmd.exe | Works! |

*It is unclear at this point why mmc.exe fails, but I believe there are some dependencies that are required. It works fine if you first start cmd.exe/conhost.exe and then launch mmc.exe from there.

Some of you are probably wondering why I chose ftp.exe as a test. Well, if you did not know this, it will blow your mind. You can run OS commands from ftp.exe by prepending the commands with !. If you want to add a user, you can type the command:

!net user TrustedSec Dav1dKR0cks! /add

Figure 5 – Executing Commands Through FTP.exe

While mapping this out, I got curious about whether I could find something even more exciting, so I turned to my old friend mklink to help me out. You can create something called a symbolic link using mklink, so I attempted to delete the binary and replace it with a link to cmd.exe. This also works for all the mentioned binaries except for osk.exe.

Command:

Mklink utilman.exe cmd.exe

Figure 6 – Creating Symbolic Links
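From the defensive side, both tricks described above (a Microsoft-signed binary such as cmd.exe, conhost.exe or ftp.exe copied over an accessibility binary, an unsigned third-party copy, or an mklink symbolic link left in its place) leave traces on disk that are easy to audit. The following PowerShell script is an added example and not part of the original post; it assumes it is run from an elevated prompt inside Windows (or pointed at a mounted offline Windows volume via -SystemRoot) and that each genuine accessibility binary carries its own name in the OriginalFilename field of its version resource.

```powershell
# Added example (not from the original post): audit the five accessibility
# binaries for the replacement and mklink tampering the post demonstrates.
# Assumption: run elevated inside Windows, or pass -SystemRoot D:\Windows
# for an offline volume mounted from another Windows installation.
param(
    [string]$SystemRoot = $env:SystemRoot
)

$Binaries = 'sethc.exe', 'utilman.exe', 'narrator.exe', 'magnify.exe', 'osk.exe'
$Findings = @()

foreach ($name in $Binaries) {
    $path = Join-Path (Join-Path $SystemRoot 'System32') $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $Findings += [pscustomobject]@{ Binary = $name; Issue = 'Missing' }
        continue
    }

    # The mklink trick leaves a reparse point where a regular file belongs.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $Findings += [pscustomobject]@{ Binary = $name; Issue = "Symbolic link -> $($item.Target)" }
        continue
    }

    # A copied cmd.exe/ftp.exe/conhost.exe is still validly Microsoft-signed, so
    # the signature check alone is not enough: also compare the name embedded in
    # the version resource against the file name (assumed to match for genuine
    # binaries; PowerShell string comparison is case-insensitive).
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $originalName = $item.VersionInfo.OriginalFilename
    if ($sig.Status -ne 'Valid') {
        # Covers unsigned third-party replacements such as the custom cmd.exe.
        $Findings += [pscustomobject]@{ Binary = $name; Issue = "Signature status $($sig.Status)" }
    }
    elseif ($originalName -and $originalName -ne $name) {
        $Findings += [pscustomobject]@{ Binary = $name; Issue = "File contents are really $originalName" }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No tampering found' }
```

Because the replacement has to happen offline, a scheduled run of this check at boot (or the same logic in an EDR file-integrity rule) catches the swap before anyone reaches the logon screen, independent of whether Windows Defender has a signature for the particular binary used.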

Conclusion

I ended up finding a way to show this hack in my session without too much effort and I got a good round of applause for it. 😊

To be honest, I feel that relying on anti-virus signatures to protect against these attacks is probably not the best way. I get that encrypting your hard drive protects against these attacks, but a normal home user would not even know what BitLocker/hard drive encryption is.

One thing I found funny during this was that it is easier to add a third-party evil binary to perform the attack than to rely on Windows binaries, since Windows Defender already has signatures for those. Also, I am pretty confident that within a few months, Windows Defender will start blocking the ones I just highlighted in this blog post as well. I would love to see Microsoft changing tactics when blocking stuff like this, instead of relying on signatures.