Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10

guest · Jun 26, 2018

Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10
June 26, 2018
https://www.bleepingcomputer.com/ne...n-be-abused-for-code-execution-on-windows-10/

A new file type format added in Windows 10 can be abused for running malicious code on users' computers, according to Matt Nelson, a security researcher for SpecterOps.
SettingContent-ms can run malicious code
All SettingContent-ms files are nothing more than XML documents, which contain a < DeepLink > tag that specifies the on-disk location of the Windows 10 setting page that it will open when users double-click shortcuts.

But earlier this month, Nelson discovered that he could replace this DeepLink tag with any other executables from the local system, including links to binaries such as cmd.exe or PowerShell.exe, two apps that allow shell command execution.
No alert when opening SettingContent-ms from the Internet
Tricking users to open such files appears to be an easy task as well. Nelson says he hosted a SettingContent-ms shortcut on a web server, and he was able to download and run it without Windows 10 or Windows Defender alerting the user at all.
Attackers can hide SettingContent-ms files inside Office documents [...]
SettingContent-ms files bypass ASR [...]
Click to expand...

Minimalist · Jul 3, 2018

.SettingContent-ms files remind us that it is features, not bugs we should be most concerned about

One of the most significant developments in the threat landscape in recent years has been the return of malicious Office macros, their resurgence having started four years ago.

Unlike their predecessors from the 1990s, these macros can't run automatically, but require the user to explicitly enable macros. This obviously mitigates the damage quite a bit, but not enough to stop this being an attractive infection method for both opportunistic and targeted malware attacks.
Click to expand...

https://www.virusbulletin.com/blog/...s-not-bugs-we-should-be-most-concerned-about/

itman · Jul 3, 2018

.SettingContent-ms files remind us that it is features, not bugs we should be most concerned about
Click to expand...

Turns out PowerShell is in reality not a feasible attack vector with this technique. However, mshata.exe is. Here's a great article on how to weaponize:

Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent/

-EDIT- Some particulars on this attack method. A .hta file is dropped on the target. It is renamed to .txt. At this point you're "deadmeat." When the xml code runs within the .settingcontext-ms file, it creates a shell to run the .txt file via remote execution of mshata.exe.

I must say this bears a sticking resemblance technique wise to Casey Smith's infamous "squiblydoo" hack.

itman · Jul 4, 2018

It doesn't take long once a POC is published to "fire the up" the malware community.

Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files

Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June.

The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.

Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim's system.

More SettingContent-ms exploits detected each day

With each passing day, more and more exploits are being uploaded on VirusTotal. FireEye security researcher Nick Carr has been avidly tracking these uploads for the past two weeks and has been documenting new findings in Twitter threads like this, this, this, this, or this.

But while previous uploads have been mostly inept tests [1, 2], in recent days, crooks have also put together the first exploit chain that uses a SettingsContent-ms file to actually download and install an actual malware sample.
Click to expand...

https://www.bleepingcomputer.com/ne...-weaponizing-windows-settingcontent-ms-files/

itman · Jul 5, 2018

As far as the first working exploit of this vulnerability is:

Uses PowerShell to download & launch hxxps://lanitida[.]net/LAW231.exe as %APPDATA%\Rundll32.exe
Click to expand...

Not very creative but does show how PowerShell can be used to locally run a process under a different name; in this a case a legit system process name.

guest · Jul 10, 2018

Microsoft Blocks Embedding SettingContent-ms Files in Office 365 Docs
July 10, 2018
https://www.bleepingcomputer.com/ne...g-settingcontent-ms-files-in-office-365-docs/

Microsoft has updated the list of dangerous files it blocks inside Office 365 documents, and has added the ".SettingContent-ms" file format to that list.
Malware authors were experimenting with SettingContent-ms files
Microsoft took the decision to block SettingContent-ms files inside Office 365 after a security researcher published a report in June showing how someone could embed these files inside Office documents and achieve remote code execution on Windows 10.

But Microsoft's Office 365 team didn't want to stand by and wait for one to take the place. This week, the company's engineers updated the Packager Activation list.

The Packager Activation list is a collection of "dangerous files" that Microsoft blocks users from embedding inside Office documents via the OLE (Object Linking and Embedding) feature.
Click to expand...

itman · Jul 10, 2018

mood said: ↑

Microsoft Blocks Embedding SettingContent-ms Files in Office 365 Docs
Click to expand...

For all the rest of us poor SOB's using non-cloud MS Office versions, note this important article excerpt. I effectively disabled the extension when the baloney surfaced:

The Packager Activation list for Office 365 can also be ported to older Office versions using a registry key system, detailed here.
Click to expand...

-EDIT- I just ran the Win 10 1803 July Cumulative Update and my Office 2010 MS Word applicable key value is set to a value of "2" - blocked. I didn't check the reg key value prior to running Win Updates. So I can't verify for sure if Microsoft changed all Office vers. in this update, or the value was set that way previously.

guest · Jul 20, 2018

Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT
Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files.
July 20, 2018
https://threatpost.com/massive-malspam-campaign-finds-a-new-vector-for-flawedammyy-rat/134262/

A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files.

“All this file does is open the Control Panel for the user [control.exe],” explained SpecterOps researchers in a recent posting on the format. “The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute ‘control.exe’ to something [malicious]?”

This approach code also flies under the radar, and the maliciously crafted files simply bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.

“On July 16 there was a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file,” Proofpoint researchers said in a posting yesterday. “The messages in the campaign used a simple lure asking the user to open the attached PDF.”
Click to expand...

Log in or Sign up

Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10

guest Guest

Minimalist Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

guest Guest

itman Registered Member

guest Guest

Log in or Sign up

Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10

guest Guest

Minimalist Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

guest Guest

itman Registered Member

guest Guest

Useful Searches