Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10 June 26, 2018 https://www.bleepingcomputer.com/ne...n-be-abused-for-code-execution-on-windows-10/
.SettingContent-ms files remind us that it is features, not bugs we should be most concerned about https://www.virusbulletin.com/blog/...s-not-bugs-we-should-be-most-concerned-about/
Turns out PowerShell is in reality not a feasible attack vector with this technique. However, mshta.exe is. Here's a great article on how to weaponize it: Weaponizing .SettingContent-ms Extensions for Code Execution https://www.trustedsec.com/2018/06/weaponizing-settingcontent/

-EDIT- Some particulars on this attack method. A .hta file is dropped on the target. It is renamed to .txt. At this point you're "dead meat." When the XML code runs within the .SettingContent-ms file, it creates a shell to run the .txt file via remote execution of mshta.exe. I must say this bears a striking resemblance, technique-wise, to Casey Smith's infamous "squiblydoo" hack.
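An added example, not from this thread or from the TrustedSec write-up: a small Python triage script for .SettingContent-ms files. The point of the technique above is that the DeepLink element of the XML is just a command line the Settings shell launches, so a legitimate shortcut points at control.exe (or an ms-settings: URI) while a weaponized one points at mshta.exe, powershell.exe and friends. The two sample files are constructed for this example (the namespace and HostID GUID are approximations of the real format), and the LOLBin list is illustrative, not exhaustive.

```python
"""Triage .SettingContent-ms files by inspecting their DeepLink command line.

Added example for this thread; the sample files below are constructed, not
captured from a real campaign.
"""
import re
import xml.etree.ElementTree as ET

# Binaries commonly abused as DeepLink targets. Assumption: illustrative list.
SUSPICIOUS_BINARIES = {
    "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe",
}

# Constructed benign sample: what a real Settings shortcut looks like.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed malicious sample: the mshta.exe-runs-a-renamed-.hta trick.
MALICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    r"<DeepLink>%windir%\system32\control.exe</DeepLink>",
    r"<DeepLink>C:\Windows\System32\mshta.exe C:\Users\Public\notes.txt</DeepLink>",
)


def extract_deeplinks(xml_text):
    """Return every DeepLink value in the file, whatever XML namespace is used."""
    root = ET.fromstring(xml_text)
    links = []
    for el in root.iter():
        # "{namespace}DeepLink" -> "DeepLink"
        if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text:
            links.append(el.text.strip())
    return links


def classify_deeplink(link):
    """Return 'benign', 'suspicious' or 'unknown' for one DeepLink command line."""
    text = link.strip()
    if text.lower().startswith("ms-settings:"):
        return "benign"
    # First token is the program; handles a quoted path containing spaces.
    m = re.match(r'"([^"]+)"|(\S+)', text)
    prog = (m.group(1) or m.group(2)) if m else ""
    args = text[m.end():].strip().lower() if m else ""
    base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in SUSPICIOUS_BINARIES:
        return "suspicious"
    # Remote payloads (URL or UNC path) or a .hta argument are red flags too.
    if re.search(r"https?://|^\\\\|\.hta\b", args):
        return "suspicious"
    if base == "control.exe":
        return "benign"
    return "unknown"


def triage(xml_text):
    """Summarise one file: its DeepLinks and the worst verdict among them."""
    links = extract_deeplinks(xml_text)
    verdicts = [classify_deeplink(l) for l in links]
    rank = {"suspicious": 2, "unknown": 1, "benign": 0}
    verdict = max(verdicts, key=rank.get) if verdicts else "unknown"
    return {"deeplinks": links, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, triage(sample))
```

Run it over a folder of quarantined attachments and anything that does not come back "benign" deserves a look; a DeepLink that is not control.exe or an ms-settings: URI has no business being in a Settings shortcut.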
It doesn't take long once a POC is published to "fire up" the malware community. Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files https://www.bleepingcomputer.com/ne...-weaponizing-windows-settingcontent-ms-files/
As for the first working exploit of this vulnerability: not very creative, but it does show how PowerShell can be used to locally run a process under a different name, in this case a legit system process name.
Microsoft Blocks Embedding SettingContent-ms Files in Office 365 Docs July 10, 2018 https://www.bleepingcomputer.com/ne...g-settingcontent-ms-files-in-office-365-docs/
For all the rest of us poor SOBs using non-cloud MS Office versions, note this important article excerpt. I effectively disabled the extension when the baloney surfaced:

-EDIT- I just ran the Win 10 1803 July Cumulative Update and my Office 2010 MS Word applicable key value is set to a value of "2" - blocked. I didn't check the reg key value prior to running Win Updates. So I can't verify for sure whether Microsoft changed all Office versions in this update, or the value was set that way previously.
Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files. July 20, 2018 https://threatpost.com/massive-malspam-campaign-finds-a-new-vector-for-flawedammyy-rat/134262/