Windows Settings

A new file type format added in Windows 10 can be abused for running malicious code on users' computers, according to Matt Nelson, a security researcher for SpecterOps.

The file type is ".SettingContent-ms", a file format introduced in Windows 8 a few years back. This file format is used to create shortcuts to Windows 8/10 settings pages, which Microsoft created as an alternative to classic Control Panel options.

SettingContent-ms can run malicious code

All SettingContent-ms files are nothing more than XML documents, which contain a < DeepLink > tag that specifies the on-disk location of the Windows setting page that it will open when users double-click  shortcuts.

Nelson SettingContet-ms attack

But earlier this month, Nelson discovered that he could replace this DeepLink tag with any other executables from the local system, including links to binaries such as cmd.exe or PowerShell.exe, two apps that allow shell command execution.

Nelson SettingContet-ms attack

Further, Nelson discovered that he could chain two binary paths and have them executed one after the other. This means that attackers can create boobytrapped SettingContent-ms shortcuts that run malicious code in the background and then show the intended Windows setting page, like nothing ever happened.

No alert when opening SettingContent-ms from the Internet

Tricking users to open such files appears to be an easy task as well. Nelson says he hosted a SettingContent-ms shortcut on a web server, and he was able to download and run it without Windows 10 or Windows Defender alerting the user at all.

"Yikes!! When this file comes straight from the internet, it executes as soon as the user clicks 'open'," Nelson wrote in his research. "For one reason or another, the file still executes without any notification or warning to the user."

Nelson recorded a video of him opening a SettingContent-ms shortcut he downloaded from a remote server.

Attackers can hide SettingContent-ms files inside Office documents

But despite its web-based execution vector, most users will generally be wary of opening a file with an extension of SettingContent-ms, which many have not heard of before.

Nelson says this isn't a big problem, as malware authors can also embed a SettingContent-ms shortcut inside Office documents with the help of an Office feature named  Object Linking and Embedding (OLE).

This feature allows Office users to embed other files in Office documents. It was intended to improve Office's appeal to users, but in the past few decades, it has also been one of the simplest methods of running malicious code on users' PCs.

Microsoft has counteracted this trend by disallowing the embedding of certain dangerous file types inside OLE objects. Since SettingContent-ms is a new file type, it is not included in Office's OLE file format blacklist.

This means that malware authors can reliably use SettingContent-ms file types Office documents to execute malicious operations on users' systems.

SettingContent-ms files bypass ASR

But that's not all. Nelson also says SettingContent-ms also bypasses a Windows 10 security feature named Attack Surface Reduction (ASR).

ASR is a collection of various security rules. They are optional in Windows 10 and are disabled by default. One of the many ASR rules that users can enable can prevent Office documents from starting child processes, a technique used by malware to spread from an Office OLE object to their own process.

On large enterprise networks, system administrators often enable this ASR rule on the PCs they manage to prevent users from accidentally opening malicious Office docs and infecting the entire company.

Nelson says that SettingContent-ms files can bypass this ASR rule that prevents Office from spawning child processes. The trick is to chain the SettingContent-ms DeepLink to start with an Office app that's whitelisted and allowed to start child processes, and then continue from there by running the malicious operations afterward.

Nelson SettingContet-ms attack

By using this trick, malware authors can achieve code execution on even the most hardened Windows 10 PCs.

Nelson contacted Microsoft, but the OS maker did not consider this a vulnerability in the OS. While this won't be fixed in an urgent Patch Tuesday security update, it is highly likely that SettingContent-ms files will end up on the OLE file format blacklist pretty soon.

Nelson has published some defenses against the malicious use of SettingContent-ms files in his report, along with a sample of a malicious SettingContent-ms file that other sysadmins can use to replicate his research.

Related Articles:

Windows 10 Build 18242 (19H1) Released With Bug Fixes

Windows 10 Build 17763 Released As Microsoft Continues to Squash Bugs

Windows 10 Cumulative Update KB4464218 and KB4464217 Released

Microsoft Is Updating Office Desktop on Windows With New Features for Insiders

Windows 10 Build 17760 (RS5) Released to Insiders in the Fast Ring