Windows Authentication Bypass via Accessibility Binaries

We've probably all had the frustrating experience of trying to log in to a computer after a brief hiatus from work or school, only to discover that we can't recall our password. For anyone in that situation, the techniques I'm about to detail may come in handy, unless your organization has a robust endpoint detection and response agent that detects or even blocks them. That is because the same techniques are leveraged by ill-intended users attempting to circumvent authentication requirements at logon.

What is Authentication Bypass?

Authentication bypass is when a user circumvents the login requirements on an endpoint. The user can then access the resources an authenticated user can access without going through the authentication process. The risk lies in the follow-on actions the person can take on the host after gaining access.

Replacing legitimate accessibility binaries with cmd.exe

This bypass method replaces the Windows accessibility executables with the Windows command prompt. The accessibility executables are those that allow users with sensory impairments to operate the computer, such as the magnifier and the on-screen keyboard. Replacing one of these executables with a command prompt gives the user an unrestricted shell on the host. To do this successfully, the user requires a Windows operating system install disk that matches the operating system of the host. Note that there are ways to fabricate these disks; they do not necessarily have to be purchased.

The user would then execute the following steps:

  1. Boot from the Windows operating system install disk
  2. Click Next on the screen that solicits input regarding language
  3. On the next screen, click on the Repair your computer option
  4. Click the radio button next to "Use tools that can help fix...", highlight the operating system to repair, and click Next
  5. When prompted for a security tool, select Command Prompt

At this point, the accessibility binary of your choice can be replaced with the command prompt executable. The commands to accomplish that are as follows:

cd windows\system32

ren [Executable being replaced].exe [Executable being replaced].exe.bak

copy cmd.exe [Executable being replaced].exe

These commands make the Windows\system32 directory the current working directory, rename the legitimate executable so that your actions can be reversed later, and copy cmd.exe under the name of the legitimate executable. For example, if we were replacing utilman.exe, then the legitimate utilman.exe would become utilman.exe.bak, and a copy of cmd.exe would become utilman.exe.

Utilman.exe is a software component of the Windows operating system. Utilman, short for Utility Manager, is responsible for the accessibility features built into the Windows OS. A user can interact with the utility manager by pressing the Windows key + U upon reaching the Windows logon screen.

So after executing the above commands, the user would then be able to press Windows key + U upon reaching the logon screen and would get a command terminal. This would then allow the user to change passwords or create new user accounts to access the host.

If, instead of replacing utilman.exe, the user decided to replace the on-screen keyboard executable (osk.exe), then the user would select the Ease of Access option upon reaching the logon screen and select On-Screen Keyboard. Rather than the keyboard, the user would get a command terminal. For the "sticky keys" bypass, the user would have to replace sethc.exe with cmd.exe, which would then allow a command shell to spawn by simply holding down the Shift key for 5 seconds.

Why this is a risk worth worrying about

You may be thinking, "Why would I worry about this? The 'hacker' would need to have physical access to the host." If you're a network administrator at an organization, this is definitely worth worrying about. The threats to your network do not reside solely outside the walls of the institution. The day-to-day legitimate users on the network pose a plethora of security risks due to gaps in security education and human error.

Even more importantly, an embittered employee may have been recently fired or laid off. At this point, that individual has a motive to take damaging actions against the institution, whether it's deleting files imperative to the company's success or leaking information that is detrimental to the organization's competitive edge. If that individual somehow manages to regain physical access to their old system, they can cause damage even if their original user account has been deactivated.

Furthermore, if the user implements this executable swap and it goes unnoticed, it can pose additional risks if the environment has RDP enabled. Malicious actors that have entered the network through other means now have the opportunity to move laterally and bypass authentication on the host, potentially gaining access to sensitive information.
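
So that a swap like this does not go unnoticed, here is a defender-side check, added as an example and not part of the original article: it flags accessibility binaries in a System32 directory that are byte-identical to cmd.exe or that have a .bak copy beside them. The function names, the Magnify.exe entry and the default path are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Logon-screen binaries named in the article, plus Magnify.exe for the magnifier.
ACCESSIBILITY = ("utilman.exe", "osk.exe", "sethc.exe", "magnify.exe")


def sha256(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped(system32, shells=("cmd.exe",)):
    """Return (binary, reason) pairs for accessibility binaries that look swapped."""
    # Lower-case the names so the check also works on a case-sensitive mount
    # of a Windows volume (for example a forensic image).
    entries = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {sha256(entries[s]): s for s in shells if s in entries}
    findings = []
    for name in ACCESSIBILITY:
        if name in entries:
            match = shell_hashes.get(sha256(entries[name]))
            if match:
                findings.append((name, "identical to " + match))
        if name + ".bak" in entries:
            findings.append((name, "renamed original present as " + name + ".bak"))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for name, reason in find_swapped(root):
        print("SUSPECT " + name + ": " + reason)
```

A hash match is conclusive, while the .bak check only covers the backup naming used in the article's commands.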

How to mitigate risks associated with this technique

  • Full disk encryption: Enabling full-disk encryption on the hosts within the environment adds an extra layer of protection. There are commercial solutions available for managing full-disk encryption for multiple devices. BitLocker is the full-disk encryption feature available on Windows hosts. Additionally, ensuring that the recovery keys are changed immediately after an individual leaves the organization can reduce the risk of that person being able to access their old device and therefore protect against this technique.
  • Endpoint detection and response software: Having a robust endpoint detection and response agent deployed in the environment can help at least alert on this tactic being used. It's important that the EDR software is behavior-based and not solely signature-based. This is because the technique utilizes legitimate Windows binaries that would not be detected as malicious by a signature-based solution.
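
To illustrate the behavior-based point, this added example (not from the original article or any EDR product) runs two heuristics over constructed records shaped like Sysmon Event ID 1 process-creation events: a shell's OriginalFileName running under an accessibility binary's path, and an accessibility binary spawning an unexpected child. The rule names and the allowed-children list are assumptions to tune for your environment.

```python
import ntpath

ACCESSIBILITY = {"utilman.exe", "osk.exe", "sethc.exe"}
SHELL_ORIGINAL_NAMES = {"cmd.exe", "powershell.exe"}
# Assumption: children an accessibility binary may legitimately start.
ALLOWED_CHILDREN = ACCESSIBILITY | {"magnify.exe", "narrator.exe"}

# Constructed sample events (Image / OriginalFileName / ParentImage fields only).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "sethc.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"Image": r"C:\Windows\System32\Utilman.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": r"C:\Windows\System32\Utilman.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        image, parent = base(ev["Image"]), base(ev["ParentImage"])
        original = ev.get("OriginalFileName", "").lower()
        # Rule 1: the PE metadata says "shell" but the path says "accessibility".
        if image in ACCESSIBILITY and original in SHELL_ORIGINAL_NAMES:
            hits.append((i, "shell-under-accessibility-name"))
        # Rule 2: an accessibility binary is acting as a launcher for other tools.
        if parent in ACCESSIBILITY and image not in ALLOWED_CHILDREN:
            hits.append((i, "unexpected-child-of-accessibility-binary"))
    return hits


if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index]["Image"])
```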
