[Mal Series #18] icacls.exe — Access denied or granted?

What is icacls capable of 🤔, and how does malware 😈 abuse it during an operation?

Based on ss64.com, it is capable of:

Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS.

Some of the common icacls parameters that malware uses are /deny and /grant. Sometimes malware combines takeown (used to take ownership of a file) with icacls /reset to gain access to a certain service.

From what I found, malware executes icacls to:
- Prevent the file itself from being removed.
- Get full access to certain files/folders so that no issue occurs during the encryption process.
- Change the access privileges of a certain user group on a file/folder.
- Gain access to certain services.

Prevent file deletion (e.g. STOP ransomware)

icacls <file> /deny s-1-1-0:(IO)(CI)(DE,DC)

Prevent any issue from occurring during the encryption process (e.g. WannaCry & REvil)

icacls "C:\*" /grant Everyone:F /T /C /Q

Stealer malware (possibly the Ave Maria loader)

icacls "C:\ProgramData\{S91RLWPZ-SX2K-ISZN-IG1O-726R3DHAEBYB}" /inheritance:e /deny "Users:(R,REA,RA,RD)"

Several similar icacls processes are executed to deny certain user groups access to that folder.

Take control of service (e.g. BitPaymer)

takeown.exe /F <service_name>
icacls.exe <service_name> /reset

Make sure the file can be run by a higher-privilege user group (e.g. ServHelper)

takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

Remove access to SmartScreen (full script, used in one REvil operation)

icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

SID to account name (full list -> here)

  • S-1-1-0 Everyone
  • S-1-5-32-544 Administrators
  • S-1-5-11 Authenticated Users
  • S-1-5-32-545 Users
  • S-1-5-18 Local System
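A detection-side view of the commands above, as an added example that is not from the original post: a small Python scanner that tokenises process-creation command lines, maps the well-known SIDs in the list above to names, and flags the icacls patterns described here (deny of delete rights, full-control grants, /remove of built-in groups, takeown followed by /reset on the same path). The log lines and file paths are constructed placeholders, not artifacts from any sample.

```python
import re
from itertools import takewhile

# Well-known SIDs from the article, used to normalise "*S-1-5-18"-style principals to names.
SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators", "S-1-5-11": "Authenticated Users",
        "S-1-5-32-545": "Users", "S-1-5-18": "Local System"}

def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole (quotes removed)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def principal(spec):  # 'Everyone:F' -> 'Everyone'; '*S-1-5-18' -> 'Local System'; other names pass through
    name = spec.lstrip("*").split(":", 1)[0]
    return SIDS.get(name.upper(), name)

def classify_icacls(argv, owned=frozenset()):  # abuse patterns from the article, for one tokenised icacls line
    target, hits, recursive = argv[1] if len(argv) > 1 else "", [], "/t" in [a.lower() for a in argv]
    for i, sw in enumerate(a.lower() for a in argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        who, rights = principal(nxt), re.findall(r"[A-Z]+", nxt.split(":", 1)[-1].upper())
        if sw == "/deny":  # DE/DC (delete, delete child) denied to Everyone is the anti-removal trick
            anti = " (anti-removal)" if {"DE", "DC"} & set(rights) else ""
            hits.append(f"deny {','.join(rights)} to {who}{anti}")
        elif sw == "/grant" and "F" in rights:  # full control, e.g. Everyone:F before encryption
            hits.append(f"grant full control to {who}" + (" recursively" if recursive else ""))
        elif sw == "/remove":  # /remove consumes every following principal up to the next switch
            gone = {principal(p) for p in takewhile(lambda p: not p.startswith("/"), argv[i + 1:])}
            hits.append("remove " + ", ".join(sorted(gone)))
        elif sw == "/reset":  # takeown followed by /reset on the same path is the service-takeover combo
            hits.append("reset ACL" + (" after takeown" if target in owned else ""))
    return hits

def scan(cmdlines):
    """Walk process-creation command lines in order; report the icacls lines that match a pattern."""
    owned, report = set(), []
    for line in cmdlines:
        argv, low = tokens(line), [t.lower() for t in tokens(line)]
        if low and low[0].endswith(("takeown", "takeown.exe")) and "/f" in low[:-1]:
            owned.add(argv[low.index("/f") + 1])  # remember paths whose ownership was taken
        elif low and low[0].endswith(("icacls", "icacls.exe")) and classify_icacls(argv, owned):
            report.append((line, classify_icacls(argv, owned)))
    return report

# Constructed command lines modelled on the article's examples; file paths are placeholders.
SAMPLE_LOG = [r'icacls C:\Users\Public\readme.txt /deny *S-1-1-0:(IO)(CI)(DE,DC)',
              r'icacls "C:\*" /grant Everyone:F /T /C /Q', r'icacls C:\Temp\notes.txt /grant Users:RX',
              r'takeown.exe /F C:\Windows\System32\placeholder_svc.exe',
              r'icacls.exe C:\Windows\System32\placeholder_svc.exe /reset',
              r'icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r '
              r'/remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18']
```

Running `scan(SAMPLE_LOG)` reports four of the six lines; the ordinary `/grant Users:RX` line and the takeown line on its own are not reported, which keeps the rule quiet on routine administration.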


GhouLSec. Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec