New MS Office Zero Day Evades Defender

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Wow! Your response is not really what I expected :oops: although I had recognized a while back that you are strongly opposed to MS Office suite :D So are you implying that the measures I asked about will not work, or are these suggestions of yours additional mitigative measures?

EDIT

I utilized step 3 via SRP in H_C. Thanks :)
It seems that msdt.exe can use PowerShell cmdlets without spawning powershell.exe, so blocking powershell.exe will not help.
The Constrained Language Mode can help because it is rooted in the System.Management.Automation.dll, which exports PowerShell functions.
If you block outbound connections of Microsoft Office apps or use ASR rules for MS Office, then the threat can be blocked if the weaponized document is opened with MS Office. The Explorer preview uses MS Office for rendering but without spawning the MS Office programs. So when the threat uses it, the outbound connections of Explorer should be blocked.
There is no sufficient documentation about OSA, so you have to ask the developer - it surely blocked the threat in the wild.
Other security layers that can block msdt.exe can prevent this attack vector.
Of course, there are several other URI schemes waiting for exploits.

Edit.
Blocking the outbound connections of Explorer may be insufficient if the preview uses svchost.exe for the Internet connections.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
@Andy Ful

thank you sir (y)

These Office ASR rules were already enabled:

Office ASR rules.png
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
For those like me who are interested in this exploit but don't quite understand every technical detail, here is a simplified explanation that made it "click" (for me). You might remember he is the one who discovered the WannaCry kill switch some years ago.



In the comments that follow, someone is offering an example of this exploit used in the wild, CURRENTLY. Hopefully, affected Enterprise people aren't just sitting around waiting for Microsoft to do something. Or worse: not having a clue about this.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593

Nice summary.
The philosophy of Microsoft Windows is similar to Hegel's "contradictory nature of pure indeterminate being".
They constantly introduce unsafe but good-looking features and then try to mitigate them for years. For example, the Excel 4.0 macros were introduced 30 years ago and finally disabled by default this year. The attackers love MS Office even more than people who must use it. In this way, Microsoft can make happy everyone. The same is true for gun sellers.:unsure:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593

DogWalk​


Another MSDT threat (very nasty).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I'm hoping that a detailed analysis replete with a nice diagram, similar to the type that Andy Ful is so good at finding on the Internet will be available soon

Infection chain:

1654792514103.png


MSDT can pass the PowerShell code to sdiagnhost.exe which executes this PowerShell code without spawning the powershell.exe. The final payload is usually a child process of sdiagnhost.exe, but some malicious actions can be also done without spawning child processes.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I assume it's Enterprise environments that are getting hit the most with these exploits?
These attacks are very rare in the wild and highly targeted (so far). Most of them were made by state-sponsored actors, for example:

The problem is not the Follina exploit, but rather the possible exploits of many URI schemes that wait for applying in the wild.
 
Last edited:
F

ForgottenSeer 69673

These attacks are very rare in the wild and highly targeted (so far). Most of them were made by state-sponsored actors, for example:

The problem is not the Follina exploit, but rather the possible exploits of many URI schemes that wait for applying in the wild.
Is there a way to block all URI Schemes without adding each separate one?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Is there a way to block all URI Schemes without adding each separate one?
No one knows the exact answer, but probably not. Anyway, the story will continue in a similar manner.
  1. The security researcher will highlight the potential exploit (yes, it is usually not a hacker) and warn Microsoft.
  2. Microsoft will ignore it for some time. In the case of MSDT, it was nearly 2 years:
    The current exploits for ms-msdt and search-ms were probably made on the basis of this research (see page 29). Some patches were done only for particular applications like in the case of MS Teams (in September 2021) and after submitting the POCs.
  3. Microsoft will wait until the researcher will submit a concrete POC or the exploit will be used in the wild. Such vulnerabilities are exploited first (almost always) in highly targeted attacks.
  4. Microsoft will work on the patch. It can take a month or a year depending on the exploit's popularity and severity.
  5. The exploit will be closed via Windows updates until it could hurt home users.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful What are your thoughts on this please?


Thanks!
It is OK. He created a custom PowerShell interpreter that directly uses/loads System.Management.Automation.dll and patches it in memory. Similar methods can be done for bypassing AMSI. Such tools are commonly used in the targeted attacks on Enterprises for lateral movement.
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
It is OK. He created a custom PowerShell interpreter that directly uses/loads System.Management.Automation.dll and patches it in memory. Similar methods can be done for bypassing AMSI. Such tools are commonly used in the targeted attacks on Enterprises for lateral movement.

Thank you. But for Follina having Powershell in Contrained Language Mode we are safe correct?
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Thank you. But for Follina having Powershell in Contrained Language Mode we are safe correct?

This PS CL Mode Bypass, posted in "another forum" looks interesting:


I'm assuming, hopefully correctly, that selecting InstallUtil.exe under SRP Blocked sponsors would stop this.
 
  • Like
Reactions: [correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top