What is the capability of icacls 🤔 and how does malware 😈 abuse it during its operation?
Based on ss64.com, it is capable of:
Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders. iCACLS resolves various issues that occur when using the older CACLS & XCACLS.
Some of the common icacls parameters that malware uses are /deny and /grant. Sometimes, malware abuses a takeown (used to take ownership of a file) and icacls /reset execution combo to get access to a certain service.
From what I found, malware executes icacls to:
- Prevent the file itself from being removed.
- Get full access to a certain file/folder so that no issue occurs during the encryption process.
- Change the access privileges of a certain user group on a file/folder.
- Gain access to certain services.
Prevent file deletion (e.g. STOP ransomware)
icacls <file> /deny *S-1-1-0:(IO)(CI)(DE,DC)
Prevent any issue from occurring during the encryption process (e.g. WannaCry & REvil)
icacls "C:\*" /grant Everyone:F /T /C /Q
Stealer malware (possibly the Ave Maria loader)
icacls "C:\ProgramData\{S91RLWPZ-SX2K-ISZN-IG1O-726R3DHAEBYB}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
There are a few similar icacls processes executed to deny certain user groups access to that folder.
Take control of service (e.g. BitPaymer)
takeown.exe /F <service_name>
icacls.exe <service_name> /reset
Make sure the file can be run under a higher-privilege user group (e.g. ServHelper)
takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
Remove access to SmartScreen (full script, used in one REvil operation)
icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
SID to account name mapping (full list -> here)
- S-1-1-0 Everyone
- S-1-5-32-544 Administrators
- S-1-5-11 Authenticated Users
- S-1-5-32-545 Users
- S-1-5-18 Local System
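As an added example (not part of the original post), here is a small Python classifier that tags process-creation command lines with the icacls/takeown behaviours listed above, resolving numeric SIDs through the mapping just given. The tag names and the takeown-then-/reset pairing check are my own choices; the command lines fed to it in the test are the ones quoted in this post, used as constructed sample input.

```python
import re
from itertools import takewhile

# Well-known SIDs from the mapping at the end of the post
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators",
                   "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users",
                   "S-1-5-18": "Local System"}

def principal_name(ace):
    """'*S-1-1-0:(DE,DC)' -> 'Everyone'; account names pass through unchanged."""
    who = ace.split(":", 1)[0].lstrip("*")
    return WELL_KNOWN_SIDS.get(who.upper(), who)

def classify(cmdline):
    """Tag one icacls/takeown command line with the behaviours described in the post."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]  # quoted args stay whole
    tool = toks[0].rsplit("\\", 1)[-1].lower() if toks else ""
    if tool in ("takeown", "takeown.exe"):
        return {"takeown"}                       # ownership grab, usually followed by icacls /reset
    if tool not in ("icacls", "icacls.exe"):
        return set()
    tags, flags = set(), [t.lower() for t in toks[1:]]
    for i, flag in enumerate(flags):
        arg = toks[i + 2] if i + 2 < len(toks) else ""   # token that follows this flag
        if flag == "/deny":
            who, _, perms = arg.partition(":")
            hits = {"DE", "DC"} & set(re.findall(r"[A-Z]+", perms.upper()))
            tags.add("deny-delete-everyone" if principal_name(who) == "Everyone" and hits else "deny")
        elif flag == "/grant":
            full = principal_name(arg) == "Everyone" and arg.upper().endswith(":F")
            tags.add(("grant-everyone-full" + ("-recursive" if "/t" in flags else "")) if full else "grant")
        elif flag == "/reset":
            tags.add("acl-reset")
        elif flag == "/remove":
            removed = takewhile(lambda x: not x.startswith("/"), toks[i + 2:])
            tags.add("remove:" + ",".join(principal_name(x) for x in removed))
        elif flag == "/inheritance:r":
            tags.add("inheritance-stripped")     # explicit ACEs only, inherited ones dropped
    return tags

def takeown_reset_combo(cmdlines):
    """True when a takeown is followed by an icacls /reset (the BitPaymer service combo)."""
    seen_takeown = False
    for c in cmdlines:
        tags = classify(c)
        seen_takeown = seen_takeown or "takeown" in tags
        if seen_takeown and "acl-reset" in tags:
            return True
    return False
```

Feed it the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688) and alert on the deny-delete, grant-everyone-full-recursive, remove-of-well-known-SIDs and takeown/reset tags.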