Wednesday, June 21, 2017

Display Color Calibration tool DCCW and UAC bypasses

In today's post we'll look at yet another way to bypass UAC using the Display Color Calibration tool, hereafter referred to as "DCCW".

DCCW has already been exploited in the past to bypass UAC, more specifically, by leveraging DLL sideloading:

This research started by helping out a friend with display issues some months ago, and stumbling upon the DCCW tool, or more specifically, the following blog post:
Using the Display Color Calibration Tool (DCCW.exe) in Windows 7 to Get the Most From your Display

Being inspired by Matt Nelson, I decided to have a closer look as to how and why this may be a UAC bypass.

What follows below is purely a Proof of Concept, as you would already need to have compromised the machine (or bypassed UAC, or let the user allow) in order to execute this.

Regardless, it can be used for persistence, and I'd still like for you to following along on my journey inside the wondrous world of UAC bypasses  :-)

This has been tested on: Windows 10 and Windows 8.1 x64 and x86.


  • User has to be member of the local administrator group.
  • UAC is ... already disabled, or at a low setting, or the user confirmed the UAC prompt.

DCCW is a Microsoft signed binary and will auto-elevate itself due to its manifest.

Figure 1 - verified, signed Microsoft binary (using Sigcheck)

Figure 2 - autoElevate is set to 'true'

Running through the DCCW wizard, we can happily click next, until the end of the wizard the following is displayed:

Figure 3 - end of DCCW wizard

Note the automatically enabled or ticked checkbox:
"Start ClearType Tuner when I click Finish to ensure that text appears correctly (Recommended)"

Launching procmon and executing DCCW; the following can be observed:

Figure 4 - DCCW loading CTTune

As you notice, DCCW attempts to open, and read, the subkey in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Image File Execution Options (IFEO) has several uses, and can for example be used to prevent a program from starting, For example, in the past, malware has abused IFEO to hijack processes of antivirus programs, so they would not be able to start.

Back on topic, creating an IFEO using CTTune, we can start anything at the highest integrity (and circumvent the UAC prompt) ... Including PowerShell :-)

Figure 5 - Launch of DCCW, note the High integrity


Figure 6 - PowerShell started with High integrity (normal level of integrity is Medium)

To try this yourself, create a new key in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named CTTune.exe, consequently create a new value named 'Debugger' and in the Data section, place whatever you want. Example:

Figure 7 - CTTune IFEO


Figure 8 - PowerShell running as administrator, with highest integrity

This attack is more theoretical, rather than practical, due to the need for initial admin permissions, the DCCW wizard appearing, and the user having the need to click through. The main point here is that no UAC windows will appear asking the user for permission, once the IFEO is set, and DCCW is started. Some other points to consider:

  • Users love to click on things, especially 'Next' in wizards :-)
  • You can try social engineering to entice the user in allowing UAC, & clicking through
  • You can try extending the PowerShell script below, by simulating mouse clicks or button presses in PowerShell - effectively impersonating the user.

You may find the PowerShell script here on Github:

If I made any mistake(s) in the script, please do let me know!

Finding UAC bypasses

If you like to try new things, then trying to find a UAC bypass can definitely prove to be a challenge and fun! While my story here was both successful and not - I found a UAC bypass, but with limitations, it's still good to go out of your way and do something you're less familiar with.

For finding UAC bypasses, or other strange, weird or old Windows artifacts and binaries, I can definitely recommend the following tools:

Process Explorer

Process Monitor



IDA Pro Free:

A Windows system, and a C:\Windows\System32 and/or C:\Windows\SysWOW64 folder.

Additionally, have a look at the Resources section at the end of this post.


Obviously, you would like to prevent these specific bypasses from ever occurring. Please find below some recommendations I've compiled:

Additionally, have a look at the Resources section at the end of this post.


UAC bypasses are an interesting domain: while Microsoft seems to take a 'lighter' approach in regards to these specific bypasses, it doesn't mean they aren't being looked at. For example, latest releases of Windows 10 fix several UAC bypasses.

My hope is that, by accumulating the info in this blog post and following along my journey, you may find other UAC bypasses, or other cool stuff lying around :-)

Keep in mind that UAC bypasses are definitely out there in the wild - not only by pentesters, but also by attacks, whether cybercrime or APTs.

As always, feedback is appreciated.


Defeating Windows User Account Control (UACME)
Dridex Returns With Windows UAC Bypass Method
Enigma0x3's blog (tons of good stuff in there)
User Account Control: Inside Windows 7 User Account Control
User Account Control Step-by-Step Guide

Sunday, May 21, 2017

WannaCry: frequently asked questions

Unless you haven't accessed the internet for a week, you must have heard about WannaCry or one of the aliases it uses, such as WannaCryptor, WanaCry or WanaDecrypt0r.

In this blog post, I'll try to answer, in clear & concise language, some of the most asked questions. While there have been several excellent (technical) blog posts about WannaCry, this one will be purely non-technical and focuses on practical steps.

What is WannaCry?

The most obvious question, but not necessarily an obvious answer. In essence, it is ransomware, software that holds your machine and your files ransom, until a fee is paid.

In its latest version, it also introduced a wormable component; in other words, it could spread to other machines running Windows in your network.

A worm is a type of malware that can replicate itself and thus spread to other machines in a network.

The name 'WannaCry' stems from the ransomware authors themselves, as that is how they named it.

How does WannaCry work?

An excellent infographic explaining how WannaCry works already exists - see below:

Figure 1 - How does the WannaCry ransomware work? (Source)

Which operating systems does WannaCry infect?

Windows only. More specifically: Windows XP up to Windows 10, Windows Server 2003 up to Windows server 2016. This is the ransomware in its pure form only, however. (see questions below)

Which operating systems were affected the most?

Most of the operating systems or machines were running Windows 7.

Figure 2 - affected Windows versions by % (Source)

Can I spread WannaCry unwillingly to others, or in my network?

It is definitely possible, but only if the worm component is active and you have not updated Windows in a while. More specifically, you will need to install MS17-010 to 'close the hole' or patch the vulnerability.

When did the outbreak of WannaCry start? 

The outbreak reportedly started last week Friday, 12/05/2017, in the morning hours (UTC). However; it is possible the outbreak started the evening before that. A sudden spike in internet traffic seems to suggest the worm started spreading that night:

Figure 3 - possible related spike in traffic (Source)

Can something like this happen again?

Defnitely. In fact, some malware families also exploit(ed) the same vulnerability in Windows as mentioned above.

What is or was the WannaCry 'kill switch'?:

The Wikipedia definition of a kill switch is as follows:

A kill switch is a security measure used to shut off a device in an emergency. (Source) 
This is no different in WannaCry: a specific domain was embedded in the ransomware to act as a kill switch: if said domain exists & communicates this to the ransomware; exit immediately.

Thanks to MalwareTech, who registered the domain, a lot of the WannaCry infections were unable to spread further, since the domain now existed.

Note that some variants appeared later with other 'kill switch domains', which were also rather quickly registered by other security researchers.

Can I decrypt or recover files encrypted by WannaCry?

It is possible. A tool, WannaKiwi, has been developed by several security researchers which may be able to restore your files.

Please find below:

The tool will work granted you have not killed the ransomware process (or your antivirus didn't), and/or you didn't reboot your machine.

What if the tool doesn't work? Can I restore my files in any other way?

If the tool doesn't work, you may have rebooted your machine, the ransomware may have been removed or its process killed.

If you are still desperate to get your files back, there's always a possibility using...:
  • ... Backups! If you have backups, please do try restoring from a backup first.
  • ... Shadow Copies (Restore Previous Versions). If this doesn't work, you can use ShadowExplorer for example.
  • ... Using data recovery software like Recuva, or for a bigger chance in restoring your files, PhotoRec.

Will I get my files back if I pay the ransomware?

There is no sure way of telling. The general advise is, as always, to NOT pay. A few reasons why not:

  • The decrypter they send may not work at all, or does nothing.
  • They don't send any decrypter at all.
  • They cannot contact you or you cannot contact them for whichever reason.
  • You are contributing to the 'ransomware eco-system', thus ensuring and increasing the amount of (new) ransomware that will emerge.
  • You are dealing with criminals in the end. Cybercriminals, but criminals. This means there is no way of telling if they will hold up their end of the bargain.

If you can avoid it, DO NOT PAY!

How do I remove the ransomware itself?

Any antivirus and/or antimalware by now detects all versions of WannaCry.

How can I defend myself or the other machines in my network against this attack?

Specifically against the worm component, you will need to install patch MS17-010 as mentioned above. If you are using an older version of Windows, for example Windows XP, please see below:

The link here above is worth a read regardless if you have Windows XP, or a newer operating system version of Windows. If you are still using Windows XP, please do consider to upgrade to a newer version of Windows. Some computer stores may be able to offer you a discount.

Note that by default, Windows updates will be performed automatically.

You may want to check if automatic updates are enabled, by reading the following article:
How to configure and use Automatic Updates in Windows

Additionally, you will need an antivirus and a firewall. If you use Windows 7 or above, the Windows firewall is fairly decent. A free antivirus will, in most cases, suffice as well.

However, it may be worthwhile considering a full antivirus package, which usually includes better antivirus protection and a better firewall. (and additional features, such as anti-spam for example)

How can I protect my files from being encrypted or targeted by ransomware such as WannaCry?

The best recommendation of all times, is to create backups.

Many free backup solutions exist to create copies of your files (pictures, documents, ...). An overview of no less 34 backup solutions can be found here:
34 Free Backup Software Tools

You may also want to give the following article a read:
7 Backup Strategies for Your Data, Multimedia, and System Files

It may seem a lot of work initially, but it is definitely worth it.

A few points to consider when making backups:
  • Don't leave your external drive plugged in after the backup. This to prevent your backup files will be encrypted as well. So, take your backup and disconnect your external hard drive afterwards.
  • Be careful with backups in the cloud as well. If you use Dropbox for example, and it syncs to your Dropbox folder after your data has been encrypted... You will have another copy of your encrypted data.
  • Test your backup, if possible. You wouldn't want to encounter an infection then to only find out your backups are corrupted somehow.
  • You can also write your backups to write-once media, like for example DVDs or Blue-Ray. Easier is of course using an external hard drive, but don't forget to disconnect it after you have made the backup.

Can I report someone, somewhere, somehow about this ransomware if it affected me?

Surely. You can fill out an online form via the following portals:
Alternatively, you may want to use my online form to fill in, (print out,) and hand over a copy to your local police department, or Computer Emergency Response Team.

Find the form here; Cybercrime Report Template

It is very important you report the incident. The more information that is available to law enforcement, the bigger the chance they can catch and arrest the people behind WannaCry, or others.

Unfortunately, should you have paid, but your files are still encrypted, there is no sure way of telling if you'll be able to recover any monetary losses. Therefore, the advise is to NOT pay the ransom.

That's it, I hope you have been better informed! Unless of course...

I would like to read more. Where can I find more information?

I have setup a whole page on ransomware prevention, which you can flick through.

Any other questions, please do not hesitate to post in the comments, or send me a message on Twitter.

Sunday, April 23, 2017

Ransomware, fala sério!

Recently, a user contacted me in regards to what looks like a new, Brazilian ransomware. In this blog post, we're taking a quick look at the ransom and how to unlock or decrypt your files.

TL;DR: to unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

The title of this blog loosely translates to: ransomware, no way! (excuse my Portuguese)

The ransomware appears to call itself 'Sem Solução'; which translates to 'Hopeless' or 'No Solution'. I propose we call it 'Hopeless ransomware':

Figure 1 - 'Seus arquivos foram criptografados'

Sua IDNão a formas de recuperar sem comprar a senha, ser tenta eu apago tudo!O método de pagamento é via Bitcoins.  O preço é: 600,00 REAIS =  Bitcoins
Não tem Bitcoins?, pesquise no google e aprenda comprar ou clique em Compra Bitcoinsenvie os bitcoins para: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1Para receber a senha, voce precisa criar uma e-mail em https://mail.protonmail.comE enviar SUA ID para em 24h ou mais voce receberá a sua senha!, Obrigado..


Your IDNot the ways to recover without buying the password, be try I delete everything!The method of payment is via Bitcoins. The price is: 600,00 REAIS = Bitcoins
Do not have Bitcoins ?, search google and learn how to buy or click Buy BitcoinsSend the bitcoins to: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1To receive the password, you need to create an email at https://mail.protonmail.comAnd send YOUR ID to in 24h or more you will receive your password !, Thank you ..

The price is 600 REAIS (Brazilian Real), which currently amounts to 0.15 BTC.
(176 EUR | 155 GBP | 199 USD)

Interestingly enough, the ransomware has a built-in function to detect whether or not your machine belongs to a domain, and if so, will increase the amount of ransom to be paid to a whopping 1000 REAIS, or 0.25 BTC. (293 EUR | 259 GBP | 333 USD)

Figure 2 - Func _get_bitcoin_value()

The ransomware author or authors is/are definitely not kidding: if you enter a wrong password, the ransom will start deleting files.

Figure 3 - 'Error!", "Senha de descriptografia errada, NA PROXIMA 500 ARQUIVOS SERÃO EXCLUIDOS!'

Files to encrypt, including those used in virtualization software such as VMware for example:

zip, 7z, rar, pdf, doc, docx, xls, xlsx, pptx, pub, one, vsdx, accdb, asd, xlsb, mdb, snp, wbk, ppt, psd, ai, odt, ods, odp, odm, , , odc, odb, docm, wps, xlsm, xlk, pptm, pst, dwg, dxf, dxg, wpd, rtf, wb2, mdf, dbf, pdd, eps, indd, cdr, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, abw, til, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, himmel, cert, cfm, cgi, cpio, cpp, csr, cue, dds, dem, dmg, dsb, eddx, edoc, eml, emlx, EPS, epub, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, hpp, ics, idml, iff, img, ipd, iso, isz, iwa, j2k, jp2, jpf, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, M3U, M4A, m4v, max, mbox, md2, mdbackup, mddata, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, afsnit, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, PEM, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, ppdf, pps, ppsm, ppsx, ps, PSD, pspimage, pvm, qcn, qcow, qcow2, qt, ra, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, WPS, xdw, xlr, XLSX, xz, yuv, zipx, jpg, jpeg, png, bmp

Additionally, Steam users aren't spared of getting their files encrypted either:

Figure 4 - Executable files in Steam's games directory will be encrypted

In reality, it appears all files are encrypted, regardless of extension.

The ransomware ultimately calls home and leverages Pastebin to do so. However, when analysing the ransomware, none of the Pastebin links were online as they had been removed.

$data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"

At time of writing, no payments have been made as of yet to the Bitcoin address:

The ransomware encrypts files prepending the original extension with '.encrypted.'. For example;
image.png would become: image.encrypted.png

The ransomware is based on CryptoWire, an open-sourced ransomware written in AutoIT.


To unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

Note: as always, prevention is more important than decryption or disinfection! Have a look at the dedicated page I've set up here.


While ransomware is anything but uncommon, ransomware very likely stemming from Brazil and specifically targeting Brazilian users and businesses, is a less frequent occurence. In fact, the only notable example, as far as I know, is TeamXRat also known as Xpan ransomware.

Below you may find IOCs.


Monday, March 27, 2017

Popular attacker tools & techniques: survey results

In my last blog post, I decided to create a survey as to get a better perspective on popular or favourite tools of attackers, red teamers and/or pentesters.

Below  I present the results, with additional & minimal commentary from my side. Comments are below the figures. Note this is not fully indicative of an attacker or threat actor's arsenal, but I do hope it can give anyone some pointers. Enjoy the journey.

Yes, you may use this data as long as you mention the original source, which is this exact blog post. You may find a direct SurveyMonkey link to the results here.

Figure 1 - What do you do
Answered: 76 

First and foremost question: what do you do? Are you a red/blue or purple teamer? Or no idea at all?

Most people that answered were red teamers. Awesome! If you have no idea what any of this means, or you are just starting with all this, then I definitely advise you to read the following:
The Difference Between Red, Blue, and Purple Teams.

Figure 2 - Favourite lateral movement method

Answered: 66

Second question definitely yielded interesting results; with Pass the Hash (PtH) as most favourite or preferred method of lateral movement. Note that I shamelessly used this list from Mitre's excellent ATT&CK page on Lateral Movement here:

Figure 3 - Favourite AV bypass tool
Answered: 64 

Bypassing AV can be interpreted quite broadly, but let's say using the most well-known tools with ability to evaded AV - with which Metasploit takes the lead, and Veil a close second.

Figure 4 - Favourite web app pentest tool
Answered: 66

Burp seems to have the biggest share of being most popular or used web app pentest tool.

Figure 5 - Favourite PowerShell tool
Answered: 66

This is definitely one of the, if not the most, interesting results of all questions. PowerShell Empire takes the lead, with PowerSploit following very closely... And not too far off is PowerShell itself. Draw your conclusions.

Figure 6 - Favourite credential dumper

Answered: 67

Mimikatz seems to be the most preferred credential dumper all around.

Figure 7 - Favourite password brute forcer

Answered: 66

Hashcat, Hydra and John the ripper rank among the top three of password brute forcers.

Figure 8 - Usage of RATs

Answered: 69 

This question and the next overlap slightly - if an attacker doesn't (or can't) build custom malware, they may be more inclined to use RATs (freely available or not). Building a RAT is definitely more trivial than building or writing custom malware.

However, don't be fooled. If an attacker is strongly motivated, it's not a question of if they'll get on the network, but when. Take appropriate defensive measures.

Figure 9 - Usage of malware
Answered: 58

Repeating: attackers will not hesitate to use custom malware which is adapted or tailored to/for your environment! (and to evade any security controls or measures in place)

Figure 10 - Application Whitelisting bypasses
Answered: 69

A rather surprising result, seeing 11 of the respondents either skipped, or didn't know what Application Whitelisting is. (and as such, how it may be bypassed)

I can definitely recommend you to check out Casey Smith's Catalog of Application Whitelisting Bypass Techniques.

Extra comments

... provided by some of the respondents yielded additional tools and information:

Lateral movement methods:
PowerUpSQL, CrackMapExecWin, smbexec, PowerSCCM, Kerberoasting, CobaltStrike (after obtaining admin creds for another system), WMI, Password reuse.

AV bypass:
PS Empire, PEspin, Shellter, and even manually.

Web app pentesting:
metasploitHelper, Dirb, dirbuster, Kali2.

PowerShell tools:
Compress-File.ps1, BloodHound, PowerLurk, PowerSkype.ps1, PowerOPS, PowerForensics,

Credential dumping:
mimikittenz, go-mimikatz.

Password brute forcing:
Nmap NSE "brute"-category scripts, patator, Invoke-SMBAutoBrute.ps1, HashcatOCL.

RATs and malware:
Empire, Meterpreter (Metasploit), ADC2.ps1, ThinkPwn, manwhoami/Bella, tinymet/Ultimet, CobaltStrike beacons.


You may wonder if every attacker will use every tool on this list. They may well do so, or not use any of the tools and scripts discussed at all, and rather write everything tailored to your environment.

Also keep in mind that an attacker's TTPs may change over the course of weeks, months or even years. However, some tools will always be popular and withstand the test of time.

What's next?

I definitely advise you to either subscribe to feeds, or follow people on Twitter - both red teamers and blue teamers. Often, they both provide a unique insight which in turn will help you to defend better as well. Don't hesitate to share your findings with the community!

Try to think like an attacker. Leave nothing out. Know your own environment.

I'm not sure where to start.

Why not start by checking out a real live intrusion that happened, featuring APT29? There's an excellent presentation out there by Matthew Dunwoody and Nick Carr here:

Another excellent blog to check out is:

I additionally advise you to check out Matt Swan's Incident Response Hierarchy of Needs. If you like hierarchies or pyramids. definitely check out the threat intelligence Pyramid of Pain by David Bianco.

There's also a good paper on detecting lateral movement in Windows infrastructure by CERT-EU.

Lastly, check out JPCert's excellent report on lateral movement here:

Still in doubt? Start Googling some of the TTPs mentioned above and check out their functionality - and shortcomings!

What about PowerShell and all its misuses?

If your organisation has no need for it, disable PowerShell by configuring AppLocker. Note that PowerShell has many valid usages as well, such as logon scripts. There's a short blog post by Michael Schneider here that touches on this very subject: A story about blocking PowerShell

If you do want to use PowerShell, I advise you to upgrade to the latest version (currently v5) and turn on all the logging! A blog post worth reading: Greater Visibility Through PowerShell Logging

And the last one in regards to PowerShell is a very recent blog post written by Ashley McGlone:
Practical PowerShell Security: Enable Auditing and Logging with DSC

What about AV and how it can be bypassed?

AV should never be your only layer of protection. Next-gen or not.

What about... ?

Where there are attackers, there are defenders and vice versa. Use Event Logging. Use Sysmon.

I'm a red teamer, where can I find more information?

A recent post by Artem Kondratenk offers a ton of resources and insight:
A Red Teamer's guide to pivoting

Can I use this data?

Of course! As long as you mention the original source, which is this exact blog post. You may find a direct SurveyMonkey link to the results here.

Thanks to all the participants, and to you for reading!

Please do comment with your feedback or questions or anything else you would like to discuss.