Windows 10 Shortcut File Vulnerable to Code Execution

Security researcher Matt Nelson of SpecterOps has documented a weakness in the Windows 10 .SettingContent-ms file format that could allow a threat actor to run malicious code on a targeted system. A .SettingContent-ms file is an XML shortcut that opens a Windows 10 Settings page; its <DeepLink> element holds the command line that Windows runs when the file is opened. A threat actor could replace the path in the <DeepLink> element with the path of a local executable such as PowerShell.exe, together with arguments that carry out malicious commands. Another way to abuse the format is to chain two commands in the <DeepLink> element so that a malicious process runs in the background while the expected Settings page is displayed to the user.

Using the same technique, Nelson found that a .SettingContent-ms file can also be embedded in a Microsoft Office document through Object Linking and Embedding (OLE). The Windows 10 security feature Attack Surface Reduction (ASR) would normally stop the malicious process from starting; however, with the chaining technique described above, a whitelisted process is launched first, the rule is bypassed, and the malicious command that follows is allowed to run.

The NJCCIC recommends reviewing Matt Nelson's report for more information and following the recommendations it provides to defend against the malicious use of .SettingContent-ms files. All users are advised to keep their software and hardware updated to the latest vendor-supported patch levels.
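The detection side of the issue described above, as an added Python example that is not part of the NJCCIC advisory or of Nelson's research: it reads the <DeepLink> element of a .SettingContent-ms file and flags anything other than a plain control.exe invocation. The chained form matters for detection because the first program on the command line is the legitimate one, so a check that only looks at the first path passes it; the triage therefore also looks for chaining operators and for interpreters anywhere in the command line, and falls back to a regex when an unescaped "&" makes the file ill-formed XML. The sample files are constructed here following the layout of the format (the namespace, AppID and resource-string values are reproduced from that layout); the list of interpreters to flag is an assumption chosen for illustration.

```python
"""Triage .SettingContent-ms files by inspecting the <DeepLink> command line.

Added example, not code from the NJCCIC advisory or from Matt Nelson's
write-up. The sample files below are constructed for this example.
"""
import html
import re
import xml.etree.ElementTree as ET

EXPECTED_PROGRAM = "control.exe"          # what a genuine settings shortcut launches
CHAIN_RE = re.compile(r"&&|\|\||[&|]")    # cmd.exe command-chaining operators
# Interpreters/LOLBins that have no business in a settings shortcut (assumed list).
LOLBINS = ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "msiexec.exe")

# Constructed template mirroring the file layout; only <DeepLink> varies per sample.
TEMPLATE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{DEEPLINK}</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
"""


def make_sample(deeplink):
    return TEMPLATE.replace("{DEEPLINK}", deeplink)


SAMPLES = {
    # Legitimate: opens the Backup and Restore control panel applet.
    "benign": make_sample(r"%windir%\system32\control.exe /name Microsoft.BackupAndRestore"),
    # Path replaced outright with an interpreter plus arguments.
    "swapped_program": make_sample(
        r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile '
        r'-WindowStyle Hidden -Command "Start-Process calc.exe"'),
    # Whitelisted program first, payload chained behind it ("&" escaped as XML requires).
    "chained": make_sample(r"%windir%\system32\control.exe /name Microsoft.BackupAndRestore "
                           r"&amp; %windir%\system32\cmd.exe /c calc.exe"),
    # Same chain with a raw "&": not well-formed XML, so a strict parser rejects it.
    "unescaped": make_sample(r"%windir%\system32\control.exe /name Microsoft.BackupAndRestore "
                             r"& %windir%\system32\cmd.exe /c calc.exe"),
}


def extract_deeplink(xml_text):
    """Return (deeplink_text, well_formed). Parse properly first; on a ParseError
    (typically an unescaped '&') recover the element text with a regex so the
    file is still triaged rather than silently skipped."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
        for el in root.iter():
            if el.tag.rsplit("}", 1)[-1] == "DeepLink":   # ignore the XML namespace
                return (el.text or "").strip(), True
        return "", True
    except ET.ParseError:
        m = re.search(r"<DeepLink>(.*?)</DeepLink>", xml_text, re.S | re.I)
        return (html.unescape(m.group(1)).strip() if m else ""), False


def first_program(cmdline):
    """Lower-cased basename of the first program on a Windows command line,
    honouring a double-quoted path with spaces."""
    s = cmdline.strip()
    if not s:
        return ""
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end > 0 else s[1:]
    else:
        token = s.split(None, 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(xml_text):
    """Return a verdict plus the individual findings for one file's contents."""
    deeplink, well_formed = extract_deeplink(xml_text)
    findings = []
    if not well_formed:
        findings.append("file is not well-formed XML (DeepLink recovered by regex)")
    prog = first_program(deeplink)
    if prog != EXPECTED_PROGRAM:
        findings.append(f"first program is {prog or '<none>'}, not {EXPECTED_PROGRAM}")
    if CHAIN_RE.search(deeplink):
        findings.append("command-chaining operator in DeepLink")
    low = deeplink.lower()
    findings.extend(f"references {b}" for b in LOLBINS if b in low)
    return {"deeplink": deeplink, "first_program": prog, "findings": findings,
            "verdict": "suspicious" if findings else "benign"}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print(f"{name:16} {r['verdict']:10} {r['findings']}")
```

Running the block prints one line per constructed sample; only the first comes back benign. The "chained" sample is the instructive one: its first program is control.exe, so a rule that validates only the first path would accept it, and it is caught solely by the chaining and interpreter checks.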