魔法の拡張子（.SettingContent-ms）

Transcript

1. CYBERɹ-ɹEDUCATIONɹ-ɹPENTESTɹ-ɹJSOCɹ-ɹ 119ɹ-ɹCONSULTING We provide IT total solutions based on advanced

   security technologies. supports your B usiness LAC ೥݄೔ גࣜձࣾϥοΫ
   αΠόʔηΩϡϦςΟࣄۀ෦
   ·ͬͪΌ͍ͩ;͘ ˜
   
   -"$
   $P
   -UE ຐ๏ͷ֦ுࢠ

2. ˜
   
   -"$
   $P
   -UE Win10ͷʮઃఆʯ༻ͷ γϣʔτΧοτͰ೚ҙͷίʔυΛ࣮ߦՄೳ

3. ˜
   
   -"$
   $P
   -UE ֦ுࢠɿ.SettingContent-ms

4. ˜
   
   -"$
   $P
   -UE ݩʑͷ༻్͸ɺʮઃఆʯ߲໨ͷىಈ༻ WindowsεϚʔτνϡʔχϯά(337) Win 10TPฤ: γϣʔτΧοτϑΝΠϧͰʮઃఆʯͷWindows UpdateΛݺͼग़͢ | ϚΠφϏχϡʔε

   → https://news.mynavi.jp/article/windows-337/

5. ˜
   
   -"$
   $P
   -UE ֦ுࢠ͕ফ͑ͨʂ

6. ˜
   
   -"$
   $P
   -UE Githubʹcalc.exeΛىಈ͢ΔPoC͕ʂʂʂ test.SettingContent-ms · GitHub → https://gist.github.com/enigma0x3/b948b81717fd6b72e0a4baca033e07f8

7. ˜
   
   -"$
   $P
   -UE ࣮ࡍ΍ͬͯΈΔ

8. ˜
   
   -"$
   $P
   -UE Ұॠcmd.exe͕ಈ͍ͯɺcalc.exe͕ىಈ

9. ˜
   
   -"$
   $P
   -UE μ΢ϯϩʔυϑΝΠϧ͸Πϯλʔωοτκʔϯ

10. ˜
    
    -"$
    $P
    -UE ܯࠂͳ͘ɺcalc.exeىಈ

11. ˜
    
    -"$
    $P
    -UE ɹɹ2/16/2018: Report sent MSRC ɹɹ2/16/2018: MSRC acknowledged the

    report, case number assigned ɹɹ3/2/2018: MSRC confirmed that they could reproduce the issue ɹɹ4/24/2018: Requested status update ɹɹ4/25/2018: MSRC informed me of a case handler change. An update ɹɹɹɹɹɹɹɹɹɹɹwas requested from the engineering team and would be relayed to me ɹɹɹɹɹɹɹɹɹɹɹASAP ɹɹ6/1/2018: Requested another update from MSRC ɹɹ6/4/2018: MSRC responded with a note that the severity of the issue is ɹɹɹɹɹɹɹɹɹɹbelow the bar for servicing and that the case will be closed. ɹɹ6/11/2018: Report published MS͸मਖ਼͢Δͭ΋Γ͸ແ͘࢓༷ͰΫϩʔζΒ͍͠ June | 2018 | enigma0x3 → https://enigma0x3.net/2018/06/

12. ˜
    
    -"$
    $P
    -UE OLEʹຒΊࠐ·ΕͨΒ΍͹͍ʂ ɹɹɹɹˠ͓ͦΒ͘ϒϥοΫϦετʹೖΕͯ͘Δ Windows Settings Shortcuts Can Be Abused

    for Code Execution on Windows 10
 → https://www.bleepingcomputer.com/news/security/windows-settings-shortcuts-can-be-abused-for-code-execution-on-windows-10/

13. ˜
    
    -"$
    $P
    -UE SettingContent-MS-File-Execution/LoadPowershellDemo.SettingContent-MS at master · bvoris/SettingContent-MS-File-Execution · GitHub →

    https://github.com/bvoris/SettingContent-MS-File-Execution/blob/master/LoadPowershellDemo.SettingContent-MS PowerShellΛಈ͔͢PoC΋ग़ͯ·͢ʢThanksੴ઒͞Μʣ ೥݄೔ߋ৽

14. ˜
    
    -"$
    $P
    -UE <?xml version="1.0" encoding="UTF-8"?> <PCSettings> <SearchableContent xmlns - pastebin.com

    → https://pastebin.com/HaBb87Av mshta.exeΛ࢖͏PoC΋ग़ͯ·͢ʢ࢖͑Δ͔ෆ໌ʣ ೥݄೔ߋ৽ JUN 23RD, 2018

15. ˜
    
    -"$
    $P
    -UE ͜ͷ֦ுࢠ͸Symantec Cloud͸ݕ஌ ೥݄೔ߋ৽ ೥݄೔৘ใ

16. ˜
    
    -"$
    $P
    -UE Ϛϧ΢ΤΞʹѱ༻ʂʂʂʂʢThanksੴ઒͞Μʣ(1/2) ೥݄೔ߋ৽ VirusTotal → https://www.virustotal.com/ja/file/09666731EFAB134CB6C882902D64B5E22D664FCAA4B97211D8C66AAC966709A4/analysis/

17. ˜
    
    -"$
    $P
    -UE VirusTotal → https://www.virustotal.com/#/file/51b06db04512d3e3c415b015be59a324c940e9538e47ff8ebfe340188bffbb84/detection μ΢ϯϩʔυ͞ΕΔɺLAW231.exe ͸ɺREMCOS RAT Β͍͠Ͱ͢ɻ Ϛϧ΢ΤΞʹѱ༻ʂʂʂʂʢThanksੴ઒͞Μʣ(2/2)

18. CYBERɹ-ɹEDUCATIONɹ-ɹPENTESTɹ-ɹJSOCɹ-ɹ 119ɹ-ɹCONSULTING We provide IT total solutions based on advanced

    security technologies. supports your B usiness LAC Thank you. Any Questions ? ˜
    
    -"$
    $P
    -UE