Senior Consultant, Digital Forensics & Incident Response
September 30, 2022
7 min read.
When investigating security incidents, analysts often come across suspicious, yet completely legitimate, activity on systems. Confirming that the activity is legitimate is not always straightforward, because operating system and application behaviour is frequently undocumented.
ParaFlare recently assisted a client who had concerns about malware detections and the presence of strange user accounts (e.g., “shpctac0ffee”) on an employee’s corporate laptop. It would be easy to jump to the conclusion that a threat actor had obtained privileged access to the system and created these user accounts, but analysts should always consider alternative explanations.
Further examination of the client’s environment revealed that a few other systems had the shpctac0ffee user account, in addition to other account names beginning with “shpctac”. ParaFlare discovered that these user accounts were created by a Windows feature that lacked official documentation. We are sharing our findings to assist other analysts who may come across the same thing in the future.
The Too Long Didn’t Read (TLDR) for this article is as follows. User account names similar to “shpctac0ffee” are most likely Guest accounts created on a Windows 10/11 PC where Shared PC Mode is enabled. The last six characters of the username appear to be a hexadecimal counter that increments by one each time a new Guest user account is created.
For more in-depth information, please continue reading.
While investigating a potential “Wacatac” malware infection, we found the user attempting to run the malicious process was called shpctac0ffee, and the account name did not fit with the organisation’s naming scheme.
The “c0ffee” suffix of the username and malware executable being run purporting to be a “GTA San Andreas KeyGen” created a tenuous linkage (at least in my mind) between the username and the infamous GTA:SA “hot coffee mod” scandal of 2004 (NSFW warning for those wanting to Google that reference).
We were unable to find a satisfactory reason for the weird username until a learned colleague found several articles pointing to Windows Shared PC Mode. Buried in a video guide about setting up Shared PC Mode (Windows 10 Shared PC Mode - how to configure a guest PC by David Y), there was a small nugget of familiar data: shpctac0ffee.
Actions: Setting up Shared or Guest PC Mode
There are several ways to enable Shared or Guest PC Mode (e.g. through Group Policy, or a similar device management system), but we are going to use Windows Configuration Designer.
To test / replicate this, fire up a Windows 10 Virtual Machine (VM) in your favoured hypervisor (e.g. VMware, VirtualBox, etc.). Remember to snapshot the VM beforehand because, depending on the settings, setting up Shared PC Mode using this method is a one-way process.
Note: requirements call for Windows 10 / 11 (Pro, Enterprise, or Education, NOT Home Edition unfortunately) https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc
Once you have Windows 10 up and running, this is going to be the general game plan:
- Download the Windows Configuration Designer.
- Create and export a provisioning package to apply to the VM (turning on Shared PC Mode).
- Apply the provisioning package to our test VM.
- Sign-Out and then Sign-In as a Guest.
Download Windows Configuration Designer
The app itself is available from the Microsoft Store: https://www.microsoft.com/store/apps/9nblggh4tx22
The associated Microsoft documentation is available here: https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd
Create a provisioning package
Open the Windows Configuration Designer and select the option to Provision desktop devices, and then select the option to Configure devices for shared use:
You can access the Advanced Editor for finer controls of settings:
Note: For the purposes of this test, you only really need to enable the Shared Use option, but you can change the DeletionPolicy and Levels to suit your needs. These settings will determine the point at which Guest user accounts get deleted / removed but were not explored as part of this testing.
Export the Provisioning Package to a folder of your choosing, or onto the Desktop. Follow the on-screen prompts, you won’t need to encrypt or sign the package. Pressing Build will create the package.
Applying the provisioning package
To apply the settings to your test VM, locate the .ppkg file and run it:
You will need to allow the User Account Control and Trust the package to run:
Once the package is applied, there really isn’t any meaningful confirmation of completion, so to test it sign out of the account.
Sign-Out and then Sign-In as a Guest
Once you’re back out on the Windows login screen, you should have a Guest option available. Selecting the Guest option and pressing Sign in should log you in after a short “Preparing Windows” message.
Actions: Creating Guest Users
Signing in as Guest creates a new local user account, called shpctac0ffee:
We can see that there are some restrictions, for instance opening File Explorer:
And attempting to access other user directories is denied:
If you then sign out:
And then sign-in again using Guest, you will see that you will go through the same Preparing Windows phase:
Once back into Windows, we can see that there is now a new user account created, called shpctac0ffef:
What happens if you keep repeating this process? (Signing out, and signing back in as Guest…)
Well… you get a load of new user accounts.
Examples of the new user account names:
Outcomes: Interpreting usernames
It could be that the first part of the username “shpcta”, means “shared pc temporary account” or similar, but I don’t know for sure, I am not party to the Redmond reasoning on that one.
Note: the profile folder Windows creates for an account signed in with a Microsoft account is normally truncated to the first five characters of the e-mail address, e.g., “carljohnson” becomes “carlj” under C:\Users. That is a profile-folder convention rather than a limit on local account names, and the shpcta accounts clearly do not follow it.
The final characters of the username appear to be hexadecimal (i.e., base16: 0, 1, 2… D, E, F). If you look at the final six characters as three bytes (three pairs of nibbles), then for the accounts observed above you get c0 ff ee for shpctac0ffee and c0 ff ef for shpctac0ffef.
It appears that when Windows Shared / Guest mode is enabled, it will create a new local username for every guest that logs in (i.e., signing out and signing in again creates a new account). That username appears to follow the naming convention detailed above, with the hexadecimal counter incrementing by one each time.
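The following PowerShell is an added triage helper, not code from the original article or from Microsoft. It enumerates local accounts matching the naming pattern observed above (the prefix “shpcta” followed by six hexadecimal characters is an assumption drawn from the accounts seen in this testing, since Microsoft does not document it), decodes the counter, flags gaps in the sequence (which may mean accounts were removed by the DeletionPolicy or by an administrator), and optionally correlates with Security event 4720 (a user account was created). The function names are hypothetical; the sample names in the usage section are constructed.

```powershell
# Added example (not part of the original article). Assumption: Shared PC guest
# accounts are named "shpcta" + six hex digits, as observed in the article.
$SharedPcGuestPattern = '^shpcta([0-9a-fA-F]{6})$'

function Get-SharedPcGuestAccount {
    [CmdletBinding()]
    param(
        # Defaults to the live local SAM. Pass -Name to analyse names collected
        # elsewhere (e.g. from a forensic image or an exported event log).
        [string[]]$Name = (Get-LocalUser | Select-Object -ExpandProperty Name)
    )
    foreach ($n in $Name) {
        if ($n -match $SharedPcGuestPattern) {
            [pscustomobject]@{
                Name    = $n
                Suffix  = $Matches[1].ToLower()
                Counter = [Convert]::ToInt32($Matches[1], 16)   # c0ffee -> 12648430
            }
        }
    }
}

function Test-SharedPcGuestSequence {
    # Reports missing counter values between the lowest and highest account seen.
    # A gap does not prove tampering: the Shared PC DeletionPolicy, or an admin,
    # may simply have removed the intervening accounts.
    param([Parameter(Mandatory)][object[]]$Account)
    $sorted = $Account | Sort-Object Counter
    $gaps = @()
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $expected = $sorted[$i - 1].Counter + 1
        if ($sorted[$i].Counter -ne $expected) {
            $gaps += ('shpcta{0:x6} .. shpcta{1:x6}' -f $expected, ($sorted[$i].Counter - 1))
        }
    }
    [pscustomobject]@{
        First = $sorted[0].Name
        Last  = $sorted[-1].Name
        Count = $sorted.Count
        Gaps  = $gaps
    }
}

function Get-SharedPcGuestCreationEvent {
    # Event ID 4720 is only logged if "Audit User Account Management" is enabled,
    # and reading the Security log requires an elevated prompt.
    [CmdletBinding()]
    param()
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml    = [xml]$_.ToXml()
            $data   = $xml.Event.EventData.Data
            $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            $actor  = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            if ($target -match $SharedPcGuestPattern) {
                [pscustomobject]@{ TimeCreated = $_.TimeCreated; Account = $target; CreatedBy = $actor }
            }
        }
}

# Usage with constructed names (not from a real system): "carlj" is ignored,
# and the jump from c0ffef to c0fff1 is reported as a gap of one account.
$sample = Get-SharedPcGuestAccount -Name 'shpctac0ffee', 'shpctac0ffef', 'shpctac0fff1', 'carlj'
$sample | Format-Table Name, Suffix, Counter
Test-SharedPcGuestSequence -Account $sample | Format-List

# On a live host, drop -Name to read the local SAM, then correlate with 4720 events:
# Get-SharedPcGuestAccount | Test-SharedPcGuestSequence
# Get-SharedPcGuestCreationEvent | Sort-Object TimeCreated
```

Accounts that match the pattern but whose 4720 event shows an interactive user as the subject, rather than the system itself, would be worth a closer look, since the Shared PC feature creates these accounts on the user’s behalf at sign-in.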
This information does not appear to be well documented, and was new to us, so we thought we would share it with you.