TRENDING TOPICS AUGUST 14, 2025

Windows OOBE Flaw Allows Full Administrative Command Prompt Access 

A newly documented flaw in Windows’ Out-of-Box-Experience (OOBE) allows users to obtain full administrative access to the command prompt, bypassing Microsoft’s long-standing Shift+F10 security restriction. Traditionally, attackers could press Shift+F10 during initial setup to open an elevated command shell, but Microsoft introduced a mitigation where placing a DisableCMDRequest[.]tag file in C:\Windows\Setup\Scripts\ disabled that shortcut.

Researchers have now discovered a method that renders this safeguard ineffective by utilizing the Windows+R keyboard combination to open the Run dialog instead. The process begins by launching an accessibility tool, such as Magnifier, to create the proper window focus, and then pressing Windows+R to open the Run dialog in the background. Using Alt+Tab reveals the dialog, allowing the user to type cmd[.]exe, press Ctrl+Shift+Enter, and accept the UAC prompt. This results in an elevated command prompt running under the defaultuser0 account, which remains a member of the Administrators group during OOBE, granting complete system control before setup is complete.

The security implications are significant, particularly in corporate or managed environments where users may exploit this in combination with Windows’ push-button reset feature via Microsoft Intune’s Company Portal. A malicious actor could exploit the flaw to create backdoor accounts, modify security configurations, disable protections, or establish persistence before IT administrators even take possession of the device after a reset. Microsoft has designated the behavior as a “won’t-fix” issue, stating that OOBE inherently runs in an administrative session and that leaving devices unattended during setup is equivalent to leaving a logged-in machine unlocked.
To mitigate the risk, organizations using Intune should hide the reset button on corporate Windows devices by navigating to the Microsoft Intune admin center, selecting Tenant administration → Customization, and enabling “Hide reset button on corporate Windows devices.” This discovery underscores how OOBE’s privileged execution context can be abused and highlights the importance of restricting both physical access and reset capabilities in enterprise deployments. 

Proxyware Campaign Masquerades as YouTube Video Download Services 

The AhnLab Security Intelligence Center (ASEC) has identified a new wave of proxyware distribution in South Korea that abuses fake YouTube video downloader sites to deploy bandwidth-sharing software without consent. This tactic, known as proxyjacking, monetizes victims’ internet connections by selling their bandwidth to external parties, similar to cryptojacking but focused on network resources instead of CPU power. Threat actors lure victims through search engine results for free video download tools, leading them to pages with a “Download Now” button that redirects to ad-heavy portals or directly to malicious files.

The malware—often disguised as “QuickScreenRecorder[.]exe” and hosted on GitHub repositories—launches with a PowerShell script that first checks for sandboxes or virtual machines to avoid detection. If no sandbox or virtual machine is detected, the script installs Node.js, retrieves malicious JavaScript, and schedules persistence tasks under names such as “DefragDiskCleanup.” This JavaScript then communicates with attacker-controlled C&C servers, sending system telemetry and receiving further PowerShell commands to install proxyware, most often DigitalPulse. However, some variants include Honeygain components for added monetization. The Honeygain variant drops “hgsdk[.]dll” alongside “FastCleanPlus[.]exe,” registering the launcher in the Task Scheduler to maintain persistence. The launcher calls the DLL’s hgsdk_start() function using the attacker’s API key, instantly enabling bandwidth sharing for profit.

ASEC’s malware analysis shows a modular design, with PowerShell scripts orchestrating downloads and execution, while C&C responses may deliver compressed archives containing proxyware payloads. Detection indicators include Dropper/Win.Proxyware.C5783593 and behavioral flags like Execution/MDP[.]Powershell[.]M2514, highlighting the importance of proactive endpoint monitoring.
This campaign builds on earlier large-scale proxyware incidents, including a 2023 operation that infected over 400,000 Windows systems through DigitalPulse. By leveraging widely searched, free utility tools and ad-driven distribution, attackers can infiltrate systems with minimal user suspicion. A strong mitigation strategy is to avoid downloading software from unofficial or ad-heavy sites, verify authenticity through trusted vendors, and deploy reputable endpoint protection that is capable of detecting both proxyware and its supporting infrastructure. 
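The indicators in this summary (the dropper and launcher file names, the DefragDiskCleanup task, Node.js and PowerShell acting as script hosts for a scheduled task) translate directly into endpoint detection logic. The Python below is an added example written for this digest, not ASEC’s tooling or the malware’s code; the event records it scans are constructed for the example, and the field names (`event`, `image`, `parent`, `task_name`, `action`, `image_loaded`) are an assumed normalised schema rather than any specific product’s format.

```python
"""Detection logic for the proxyware infection chain described above, run
over constructed endpoint telemetry.  The events are made up for this
example and only imitate the fields a Sysmon/Security-log pipeline would
normalise; they are not ASEC's data."""
import re
from typing import Dict, List

# File and task names reported in the campaign write-up above.
KNOWN_FILES = {"quickscreenrecorder.exe", "fastcleanplus.exe", "hgsdk.dll"}
KNOWN_TASK_NAMES = {"defragdiskcleanup"}
SCRIPT_HOSTS = {"node.exe", "powershell.exe", "pwsh.exe"}
# Script hosts normally live under these roots; one launched from anywhere
# else (ProgramData, AppData, Temp, a Downloads folder) is worth a look.
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_token(cmdline: str) -> str:
    """The executable portion of a command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the ids of every rule that fires for one normalised event."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image, parent = ev["image"], ev.get("parent", "")
        if _basename(image) in KNOWN_FILES or _basename(parent) in KNOWN_FILES:
            hits.append("PW-IOC-FILENAME")
        if _basename(image) in SCRIPT_HOSTS and not TRUSTED_ROOTS.match(image):
            hits.append("PW-SCRIPTHOST-UNTRUSTED-PATH")
        # Dropper behaviour from the write-up: a downloaded executable
        # launching PowerShell.
        if _basename(image) in {"powershell.exe", "pwsh.exe"} and "\\downloads\\" in parent.lower():
            hits.append("PW-POWERSHELL-FROM-DOWNLOADS")
    elif kind == "task_create":
        name, exe = ev["task_name"].lower(), _first_token(ev.get("action", ""))
        if name.rsplit("\\", 1)[-1] in KNOWN_TASK_NAMES:
            hits.append("PW-IOC-TASKNAME")
        # Persistence from the write-up: a scheduled task that runs a script
        # host from outside the normal install roots.
        if _basename(exe) in SCRIPT_HOSTS and not TRUSTED_ROOTS.match(exe):
            hits.append("PW-TASK-RUNS-SCRIPTHOST")
    elif kind == "image_load":
        if _basename(ev["image_loaded"]) in KNOWN_FILES:
            hits.append("PW-IOC-DLL")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> rule ids, for events that triggered at least one rule."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed telemetry: four events mirroring the chain above, then two
# benign controls (Node.js from its normal install path, Windows' own defrag task).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\kim\Downloads\QuickScreenRecorder.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\kim\Downloads\QuickScreenRecorder.exe"},
    {"event": "task_create", "task_name": "DefragDiskCleanup",
     "action": r'"C:\ProgramData\nodejs\node.exe" C:\ProgramData\nodejs\update.js'},
    {"event": "image_load", "image": r"C:\ProgramData\FastCleanPlus.exe",
     "image_loaded": r"C:\ProgramData\hgsdk.dll"},
    {"event": "process_create", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The name-based rules catch this particular campaign; the two behavioural rules (PowerShell spawned from a Downloads folder, a scheduled task running a script host from an untrusted path) are what keep firing after the attacker renames the files.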

Splunk Publishes Comprehensive Guide for Early Detection of ESXi Ransomware 

Splunk has released an in-depth defender’s guide designed to help security teams detect and respond to ransomware campaigns targeting VMware’s ESXi hypervisor before they can cause catastrophic damage. ESXi platforms, which allow multiple virtual machines to run on a single bare-metal server, have become high-value targets for ransomware operators because a single compromise can disrupt an entire enterprise. This was demonstrated in the 2023 MGM Resorts breach, where attackers encrypted over 100 ESXi hypervisors in just a few days, inflicting an estimated $100 million in losses.

The guide emphasizes that the first step in defending ESXi infrastructure is ensuring proper log ingestion into Splunk through methods such as Splunk Connect for Syslog, dedicated syslog servers, or direct ingestion. It details how to capture and correlate multiple ESXi log types—including shell command logs that record system-level actions and hostd logs that track host management service activity—so defenders can spot early anomalies before attackers initiate mass encryption. This log visibility addresses a persistent security gap, as many enterprise ESXi environments are under-monitored compared to traditional endpoints and servers.

The guide delivers a comprehensive library of prebuilt detection rules mapped to common attacker techniques observed in ESXi ransomware intrusions. These rules cover reconnaissance behaviors such as system information discovery; suspicious account events, including unplanned administrator role assignments; and unauthorized software installations through VIB (vSphere Installation Bundle) manipulations. Splunk also outlines detections for unauthorized SSH enablement, firewall configuration changes, and other access control modifications that attackers use to maintain persistence. It further addresses anti-forensic behaviors, including the deletion or tampering of audit logs and the manipulation of system clocks to obscure malicious activity.
Each rule is paired with actionable configuration steps, enabling rapid deployment without requiring deep ESXi-specific expertise. Security practitioners have welcomed the resource as a critical operational playbook, particularly as ransomware groups increasingly target virtualized environments to maximize their impact. A strong mitigation strategy combines these Splunk detection rules with continuous ESXi log monitoring, strict administrative access controls, and proactive configuration hardening to reduce the attack surface. 
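To make the guide’s categories concrete, the Python below runs rule-based detection over ESXi shell-log lines, one pattern per technique family named in the summary (system information discovery, account and role changes, VIB installation, SSH enablement, firewall changes, log tampering, clock manipulation), plus a second, command-independent signal for clock manipulation: shell-log timestamps that run backwards. This is an added example written for this digest, not Splunk’s detection content or SPL; the log lines are constructed, and the record layout (`<timestamp> shell[<pid>]: [<user>]: <command>`) is an approximation of ESXi’s shell.log rather than a captured host.

```python
"""Rule-based detection over ESXi shell.log-style lines, in the spirit of the
Splunk guide described above.  The log lines are constructed for the example
and the field layout approximates ESXi's shell.log; nothing here is captured
from a real host."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# shell.log records each interactive command roughly as
# "<ISO timestamp> shell[<pid>]: [<user>]: <command>" (approximation).
SHELL_LINE = re.compile(r"^(\S+)\s+shell\[(\d+)\]:\s+\[([^\]]+)\]:\s+(.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# One regex per technique category from the guide; the first match wins.
RULES = [
    (re.compile(r"esxcli system (version|hostname) get|vim-cmd vmsvc/getallvms|esxcli hardware platform get"),
     "system-information-discovery"),
    (re.compile(r"esxcli system account add"), "account-creation"),
    (re.compile(r"esxcli system permission set .*(-r|--role) Admin\b"), "admin-role-assignment"),
    (re.compile(r"vim-cmd hostsvc/enable_ssh|firewall ruleset set .*sshServer.*(-e|--enabled) true"),
     "ssh-enablement"),
    (re.compile(r"esxcli network firewall set .*--enabled false"), "firewall-change"),
    (re.compile(r"esxcli software vib (install|update|remove)"), "vib-manipulation"),
    (re.compile(r"esxcli (system|hardware) (time|clock) set"), "clock-manipulation"),
    (re.compile(r"\brm\b.*/var/log/|>\s*/var/log/|esxcli system syslog config set"), "log-tampering"),
]


def parse_shell_line(line: str) -> Optional[Dict[str, str]]:
    """Split one shell.log record; hostd/vmkernel lines use other layouts and return None."""
    m = SHELL_LINE.match(line)
    if not m:
        return None
    ts, pid, user, cmd = m.groups()
    return {"ts": ts, "pid": pid, "user": user, "cmd": cmd.strip()}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per shell record whose command matches a rule."""
    findings = []
    for line in lines:
        rec = parse_shell_line(line)
        if rec is None:
            continue
        for pattern, technique in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({**rec, "technique": technique})
                break
    return findings


def clock_regressions(lines: List[str]) -> List[str]:
    """Timestamps of shell records that are earlier than the record before them.
    A log that runs backwards is evidence of clock manipulation regardless of
    which command the attacker used to move the clock."""
    out, prev = [], None
    for line in lines:
        rec = parse_shell_line(line)
        if rec is None:
            continue
        cur = datetime.strptime(rec["ts"], TS_FORMAT)
        if prev is not None and cur < prev:
            out.append(rec["ts"])
        prev = cur
    return out


# Constructed sample: one record per technique category, a hostd-style line
# that the shell parser ignores, and a benign directory listing at the end.
SAMPLE_SHELL_LOG = [
    "2025-08-01T02:14:09Z shell[2099632]: [root]: esxcli system version get",
    "2025-08-01T02:14:10Z info hostd[2099640] [Originator@6876 sub=Vimsvc] Event 77 : User root logged in",
    "2025-08-01T02:14:22Z shell[2099632]: [root]: vim-cmd vmsvc/getallvms",
    "2025-08-01T02:15:01Z shell[2099632]: [root]: esxcli system account add -i svc_backup -p <redacted> -c <redacted>",
    "2025-08-01T02:15:07Z shell[2099632]: [root]: esxcli system permission set -i svc_backup -r Admin",
    "2025-08-01T02:16:30Z shell[2099632]: [root]: vim-cmd hostsvc/enable_ssh",
    "2025-08-01T02:16:41Z shell[2099632]: [root]: esxcli network firewall set --enabled false",
    "2025-08-01T02:18:02Z shell[2099632]: [root]: esxcli software vib install -d /tmp/pkg.zip --no-sig-check",
    "2025-08-01T02:19:15Z shell[2099632]: [root]: esxcli system time set --year 2024 --month 1 --day 1",
    "2024-01-01T00:00:04Z shell[2099632]: [root]: rm -f /var/log/shell.log /var/log/hostd.log",
    "2024-01-01T00:01:10Z shell[2099632]: [root]: ls /vmfs/volumes",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_SHELL_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['technique']:<28} {f['cmd']}")
    for ts in clock_regressions(SAMPLE_SHELL_LOG):
        print(f"{ts} clock ran backwards relative to the previous shell record")
```

Because the shell log is itself among the files an attacker deletes, these rules only work if the lines have already left the host, which is why the guide starts with syslog forwarding before any detection content.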

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.