Remote Code Execution Abusing Setting Content

By: Cymulate

July 5, 2018

To keep giving our customers the tools to boost their cybersecurity posture, Cymulate Labs constantly searches for new global attacks that can compromise organizations. By adding the latest in-the-wild threats as soon as they are detected, we keep our BAS platform up to date. That is why one of the unique (and highly popular) features of our platform is the Immediate Threat assessment, which lets organizations test head-on, within just a few hours, whether they are vulnerable to the latest threats.

One of the latest threats that Cymulate Labs has been analyzing is the abuse of Windows SettingContent-ms files to execute malicious code. SettingContent-ms is a file type Microsoft introduced in Windows 10 to create shortcuts to Settings pages, as an alternative to the classic Control Panel entries for the same functions (for example, which default app opens a given file type). A SettingContent-ms file is plain XML, and one of its elements holds the path that Windows launches when the shortcut is opened. Because that path is not restricted to Settings pages, the file can be abused to bypass OS defenses and run arbitrary code.

The XML contains a <DeepLink> element whose value is the command Windows runs when the shortcut is opened. An attacker can replace it with the path of any executable on the local system, typically cmd.exe or powershell.exe, and append shell commands. By chaining two commands in the same DeepLink, first the payload and then the genuine Settings page, attackers create booby-trapped SettingContent-ms shortcuts that run malicious code in the background and then display the Settings page the user expected, so nothing looks wrong. Even worse, a SettingContent-ms file downloaded from the Internet opens without the security warning that Windows shows for other downloaded executable file types.

This type of attack is described as Remote Code Execution (RCE), although it still depends on user interaction: the victim has to open the file. The realistic delivery vector is therefore email, either a SettingContent-ms file sent directly as an attachment or a Word document with the shortcut embedded as an object using Object Linking and Embedding (OLE). Since SettingContent-ms abuse is fairly new, the extension is not yet on the block list Office applies to OLE packager objects, so the embedded shortcut is not stopped the way an embedded executable or script would be.

Our recommendations:

  1. Use Microsoft's OLE embedding limitations to block the SettingContent-ms extension. Where the extension cannot be added to the block list yet, setting the Office PackagerPrompt registry value to 2 disables activation of OLE packager objects altogether.
  2. Install the Microsoft patch as soon as it becomes available.
  3. Inform employees about the potential danger of SettingContent-ms files.
  4. Keep your cybersecurity defenses up to date.
  5. Run a Cymulate Immediate Threat assessment to check if your organization is vulnerable to this latest RCE attack.
Figure: RCE attack flow