eSentire Threat Intelligence is aware of a recently discovered code execution technique affecting hosts running the Windows 10 operating system [1]. The Threat Intelligence team assesses with medium confidence that this technique does not pose an immediate threat to customers. Public samples examined by the eSentire Threat Intelligence team showed that antivirus solutions such as Windows Defender have released signatures to detect and block the DeepLink technique. At this time, eSentire has not observed threats employing this technique against eSentire customers. Should this change, eSentire Threat Intelligence will reassess the severity of this threat.

What we’re doing about it

  • Current esENDPOINT rules will detect known uses of this technique for customers with this service
  • Current esRECON checks identify assets with antivirus signatures out-of-date

What you should do about it

  • Update antivirus signatures
  • Conduct user awareness training around phishing and opening documents from unknown or suspicious sources
  • Implement a policy of least privilege [2]

Additional Information

  • By embedding Setting Content files inside Office documents (OLE) and PDFs (JavaScript/Embedded File), threat actors can achieve code execution without the use of document macros.
  • In Windows 10, Setting Content files (.SettingContent-ms) are xml configuration files used to create shortcuts to the Windows Control Panel. The configuration file contains a parameter called DeepLink that can be used to execute code.
  • When a user opens the malicious document, no additional security warnings or message boxes occur, making the attack less obvious to end users. During testing, Windows Defender, with Virus definition version - 1.271.491.0 or higher, detected and blocked malicious documents employing the DeepLink technique.
  • Below is a malicious Setting Content file that was embedded inside a PDF (Figure 1).  Using the DeepLink parameter, it retrieved a malicious executable from a remote host.
Figure 1: A Setting Content File embedded inside a PDF

Figure 1: A Setting Content File embedded inside a PDF

References:

[1] https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/

[2] https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege

eSentire Media Contacts

Mandy Bachus | eSentire | [email protected] | +1 519.651.2200 x5226 | @MandyBachus

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR

Ready to start the conversation about cybersecurity?

Let's Talk