Windows 10's defences are pretty robust these days, so of course folk are trying to break them

White and black hats tinker with XML .SettingContent-ms files as a method to deliver malware

Image by Maksim Kabakouhttp://www.shutterstock.com/pic-362745248/stock-photo-privacy-concept-broken-shield-on-wall-background.html

Hackers have been experimenting with a newly discovered technique to commandeer Windows 10 boxes.

The approach, revealed at the start of June, relies on abusing Windows Settings files (.SettingContent-ms), an XML file type introduced in Windows 10. The technology allows users to create "shortcuts" to various Windows settings pages.

SpecterOps security researcher Matt Nelson flagged up the technology as a possible mechanism for hackers to plant malware with minimal user interaction through the <DeepLink> element of the XML schema, which takes any binary with parameters and executes it.

Malware slingers are in dire need of a new approach because Microsoft is getting better at thwarting long-established techniques.

Office 2016 started default blocking all of the "dangerous" file formats from being embedded via OLE (Object Linking and Embedding). The SettingContent-ms file format, however, is not included in that list.

Microsoft also introduced Attack Surface Reduction (ASR) rules into Windows 10, which further cut back the scope for mischief, at least from prevalent hacker techniques such as "Block Office applications from creating child processes".

Nelson discovered that there is no "open" prompt when double-clicking a SettingContent-ms file, Windows just executes the command. As such, the file format potentially allows shell command execution via a file open, if delivered to an unwitting user via the internet. In the video below, Nelson uses the method to open the thankfully benign Windows calculator app.

Youtube Video

Penetration testers have begun experimenting with proof-of-concept code in attempts to exploit Windows Settings. Samples of these efforts are being uploaded onto VirusTotal.

FireEye security researcher Nick Carr has been keeping tabs on these uploads, which are so far mostly confined to experiments by both miscreants and security researchers.

"Scale = lots of tinkering, very little in-the-wild usage due to small attack surface. Have seen <10 weaponized, non-POC #DeepLink files uploaded publicly and <5 delivered in-the-wild (I understand they were red teams)," Carr told El Reg in an exchange on Twitter.

The experimentation on both sides may call into question the ethics of publishing offensive hacking techniques. The prevailing view is that "security through obscurity" only helps hackers in the long term.

It's better to think like a hacker and anticipate likely attack scenarios so that defences and countermeasures can be prepared ahead of the need to use them. ®




Biting the hand that feeds IT © 1998–2018