- Jul 27, 2015
- 5,459
New MS Office Zero Day Evades Defender
- Thread starter MuzzMelbourne
- Start date
- Dec 23, 2014
- 8,129
It seems that msdt.exe can use PowerShell cmdlets without spawning powershell.exe, so blocking powershell.exe will not help.Wow! Your response is not really what I expectedalthough I had recognized a while back that you are strongly opposed to MS Office suite
EDIT
I utilized step 3 via SRP in H_C. Thanks
The Constrained Language Mode can help because it is rooted in the System.Management.Automation.dll, which exports PowerShell functions.
If you block outbound connections of Microsoft Office apps or use ASR rules for MS Office, then the threat can be blocked if the weaponized document is opened with MS Office. The Explorer preview uses MS Office for rendering but without spawning the MS Office programs. So when the threat uses it, the outbound connections of Explorer should be blocked.
There is no sufficient documentation about OSA, so you have to ask the developer - it surely blocked the threat in the wild.
Other security layers that can block msdt.exe can prevent this attack vector.
Of course, there are several other URI schemes waiting for exploits.
Edit.
Blocking the outbound connections of Explorer may be insufficient if the preview uses svchost.exe for the Internet connections.
Last edited:
- Apr 5, 2021
- 570
For those like me who are interested in this exploit but don't quite understand every technical detail, here is a simplified explanation that made it "click" (for me). You might remember he is the one who discovered the WannaCry kill switch some years ago.
In the comments that follow, someone is offering an example of this exploit used in the wild, CURRENTLY. Hopefully, affected Enterprise people aren't just sitting around waiting for Microsoft to do something. Or worse: not having a clue about this.
In the comments that follow, someone is offering an example of this exploit used in the wild, CURRENTLY. Hopefully, affected Enterprise people aren't just sitting around waiting for Microsoft to do something. Or worse: not having a clue about this.
- Apr 5, 2021
- 570
- Dec 23, 2014
- 8,129
Nice summary.
The philosophy of Microsoft Windows is similar to Hegel's "contradictory nature of pure indeterminate being".
They constantly introduce unsafe but good-looking features and then try to mitigate them for years. For example, the Excel 4.0 macros were introduced 30 years ago and finally disabled by default this year. The attackers love MS Office even more than people who must use it. In this way, Microsoft can make happy everyone. The same is true for gun sellers.
Last edited:
- Apr 24, 2016
- 6,593
- Jul 27, 2015
- 5,459
- Dec 23, 2014
- 8,129
DogWalk
New Microsoft Zero-Day Vulnerability Times Two: Follina and DogWalk
Microsoft zero-day vulnerability times two: Follina and DogWalk. Learn more about what this means for your environment.
practical365.com
Microsoft Diagnostic Tool "DogWalk" Package Path Traversal Gets Free Micropatches (0day/WontFix)
by Mitja Kolsek, the 0patch Team With the "Follina" / CVE-2022-30190 0day still hot, i.e., still waiting for an official fix while appare...
Another MSDT threat (very nasty).
Last edited:
- Jul 27, 2015
- 5,459
Outlook blacklist .diagcab files, but not Edge?
- Dec 23, 2014
- 8,129
Infection chain:
MSDT can pass the PowerShell code to sdiagnhost.exe which executes this PowerShell code without spawning the powershell.exe. The final payload is usually a child process of sdiagnhost.exe, but some malicious actions can be also done without spawning child processes.
Last edited:
- Apr 5, 2021
- 570
I assume it's Enterprise environments that are getting hit the most with these exploits?
- Aug 28, 2015
- 772
- Dec 23, 2014
- 8,129
These attacks are very rare in the wild and highly targeted (so far). Most of them were made by state-sponsored actors, for example:
Follina Exploited by State-Sponsored Hackers
A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.
threatpost.com
Follina abuses Microsoft Office to execute remote code | TechRepublic
A vulnerability dubbed "Follina" could allow attackers to gain full system control of affected systems. Learn more about it and how to protect yourself from it,
www.techrepublic.com
The problem is not the Follina exploit, but rather the possible exploits of many URI schemes that wait for applying in the wild.
Last edited:
Is there a way to block all URI Schemes without adding each separate one?These attacks are very rare in the wild and highly targeted (so far). Most of them were made by state-sponsored actors, for example:
Follina Exploited by State-Sponsored Hackers
A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.Follina abuses Microsoft Office to execute remote code | TechRepublic
A vulnerability dubbed "Follina" could allow attackers to gain full system control of affected systems. Learn more about it and how to protect yourself from it,
The problem is not the Follina exploit, but rather the possible exploits of many URI schemes that wait for applying in the wild.
- Dec 23, 2014
- 8,129
No one knows the exact answer, but probably not. Anyway, the story will continue in a similar manner.
- The security researcher will highlight the potential exploit (yes, it is usually not a hacker) and warn Microsoft.
- Microsoft will ignore it for some time. In the case of MSDT, it was nearly 2 years:
The current exploits for ms-msdt and search-ms were probably made on the basis of this research (see page 29). Some patches were done only for particular applications like in the case of MS Teams (in September 2021) and after submitting the POCs. - Microsoft will wait until the researcher will submit a concrete POC or the exploit will be used in the wild. Such vulnerabilities are exploited first (almost always) in highly targeted attacks.
- Microsoft will work on the patch. It can take a month or a year depending on the exploit's popularity and severity.
- The exploit will be closed via Windows updates until it could hurt home users.
Last edited:
- Aug 28, 2015
- 772
@Andy Ful What are your thoughts on this please?
github.com
Thanks!
GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass
PowerShell Constrained Language Mode Bypass. Contribute to calebstewart/bypass-clm development by creating an account on GitHub.
github.com
Thanks!
- Dec 23, 2014
- 8,129
It is OK. He created a custom PowerShell interpreter that directly uses/loads System.Management.Automation.dll and patches it in memory. Similar methods can be done for bypassing AMSI. Such tools are commonly used in the targeted attacks on Enterprises for lateral movement.@Andy Ful What are your thoughts on this please?
GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass
PowerShell Constrained Language Mode Bypass. Contribute to calebstewart/bypass-clm development by creating an account on GitHub.
Thanks!
- Aug 28, 2015
- 772
Thank you. But for Follina having Powershell in Contrained Language Mode we are safe correct?
- Apr 5, 2021
- 570
This PS CL Mode Bypass, posted in "another forum" looks interesting:
GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass
PowerShell Constrained Language Mode Bypass. Contribute to calebstewart/bypass-clm development by creating an account on GitHub.
github.com
I'm assuming, hopefully correctly, that selecting InstallUtil.exe under SRP Blocked sponsors would stop this.
Similar threads
