[Mal Series #18] icacls.exe — Access denied or granted?

What is the capability of icalcs 🤔 and how does the malware 😈 abuse it during their operation.

Based on ss64.com, it is capable of:

Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS

Some of the common icacls parameter that malware used are /deny and /grant. Sometimes, malware abuses takeown (Used to take ownership of a file) and icacls /reset execution combo to get access of certain service.

As what I found, malware will execute icalcs to
- Prevent file itself from removal.
- Getting full access to certain file/folder to ensure no issue occur during encryption process.
- Change access privilege of certain user group to a file/folder.
- Gain access of certain services.

Prevent file delete (e.g STOP Ransom)

icalcs <file> /deny s-1–1–0:(IO)(CI)(DE,DC)

Prevent any issue occur during the encrypt process. (e.g. WannaCry & REvil)

icacls "C:\*" /grant Everyone:F /T /C /Q

Malware Stealer (Possible Ave Maria loader)

icacls "C:\ProgramData\{S91RLWPZ-SX2K-ISZN-IG1O-726R3DHAEBYB}" /inheritance:e /deny “Users:(R,REA,RA,RD)”

There are a few similar icacls process executed to deny the access of certain user group to that folder.

Take control of service (e.g. BitPaymer)

takeown.exe /F <service_name>
icacls.exe <service_name> /reset

Make sure the file can be run under higher privilege user group (e.g.ServHelper)

takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner “NT SERVICE\TrustedInstaller”
icacls.exe rfxvmt.dll /grant “NT SERVICE\TrustedInstaller:F”

icacls.exe rfxvmt.dll /remove “NT AUTHORITY\SYSTEM”
icacls.exe rfxvmt.dll /grant “NT AUTHORITY\SYSTEM:RX”

Remove access to SmartScreen (Full script, used in one of REvil operation)

icacls “%systemroot%\System32\smartscreen.exe” /inheritance:r /remove *S-1–5–32–544 *S-1–5–11 *S-1–5–32–545 *S-1–5–18

SID to user type name (Full list -> here)

  • S-1-1-0 Everyone
  • S-1-5-32-544 Administrators
  • S-1-5-11 Authenticated Users
  • S-1-5-32-545 Users
  • S-1-5-18 Local System

References:

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} 猜歌达人 Hack Free Resources Generator

Adamant Token (Cronos) Presale Date Set

GDPR, what you need to know

iOS 15 Password Manager will feature Multi-Factor Authentication (MFA/2FA) using Verification Codes.

Singapore makes contact tracing devices available to residents

{UPDATE} Chained Car Racing Challenge Hack Free Resources Generator

Blog (TryHackMe) Walkthrough

TikTok & WeChat banned by US Government

TikTok & WeChat banned by US Government

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

D3T3CT to PRoT3CT — Log4Shell — A Purple Team Perspective

Malware Analysis —Banking Trojan: Dyre

Hear No Evil: An Introduction to Audio File Analysis for OSINT

The Human Factor 👤 & BlackCat Ransomware 🐈