SettingContent-ms Files Can Easily Bypass OLE and Attack Surface Reduction (ASR) Rules

The Windows file type “.SettingContent-ms”, introduced with Windows 10 in 2015, is vulnerable to command execution through the DeepLink attribute in its schema, which itself is a simple XML document.

Matt Nelson of SpecterOps discovered and reported the vulnerability, which attackers can use as an easy payload to gain access, as also simulated in the accompanying video.

Attackers can use a SettingContent-ms file to pull downloads from the internet, which raises the possibility of serious damage, since it can be used to fetch files that allow remote code execution.

Even with Office 2016’s OLE block rule and ASR’s Child Process Creation rule enabled, the attacker can evade the OLE block: a .SettingContent-ms file combined with a whitelisted path in the Office folder allows the attacker to circumvent these controls and execute arbitrary commands, as Matt demonstrated on the SpecterOps blog using the AppVLP file.

OLE/ASR evasion payload – SpecterOps

By default, Office documents flagged with MOTW open in Protected View, but certain file types still allow OLE and do not trigger Protected View. Ideally a SettingContent-ms file should not execute anything outside of C:\Windows\ImmersiveControlPanel.
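As an added, defender-side example that is not part of the original article, the following Python scanner parses a .SettingContent-ms file and flags any DeepLink that expands to a path outside C:\Windows\ImmersiveControlPanel; the XML element names follow the format's layout, and both sample files are constructed here.

```python
# Added example (not from the article): flag .SettingContent-ms files whose
# DeepLink resolves outside the directory the article names as the only
# legitimate launch location. Sample files below are constructed for this demo.
import re
import xml.etree.ElementTree as ET

# Only launch location the article treats as legitimate (compared lower-case).
ALLOWED_DIRS = (r"c:\windows\immersivecontrolpanel",)

# Fixed %VAR% table so the check is deterministic and runs on any OS.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}

# Minimal SettingContent-ms layout; only the DeepLink value varies per sample.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

BENIGN_FILE = TEMPLATE.format(deeplink=r"%windir%\ImmersiveControlPanel\SystemSettings.exe")
SUSPECT_FILE = TEMPLATE.format(deeplink=r"%windir%\System32\cmd.exe")  # outside allowed dir

def expand_windows_vars(value):
    """Expand %VAR% references from ENV; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), value)

def find_deeplinks(xml_text):
    """Return the text of every DeepLink element, whatever namespace it sits in."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]

def suspicious_deeplinks(xml_text):
    """DeepLinks whose expanded target is not under an allowed directory."""
    hits = []
    for link in find_deeplinks(xml_text):
        target = expand_windows_vars(link).lower()
        if not any(target.startswith(d + "\\") for d in ALLOWED_DIRS):
            hits.append(link)
    return hits

if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_FILE), ("suspect", SUSPECT_FILE)):
        print(name, "->", suspicious_deeplinks(xml_text) or "ok")
```

Point the scanner at files arriving by mail or download; a non-empty result means the DeepLink would launch something outside the Control Panel directory.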

Matt also suggests neutering the file format by killing its handler: set the “DelegateExecute” value under HKCR:\SettingContent\Shell\Open\Command to empty in the registry editor. There is no guarantee that doing this won’t break Windows, however, so a restore point should be created before you attempt it.

Maira Ahmed

Maira has been a system analyst for the last 10 years. She likes to explore, experience and understand new technologies shaping the future. She was a key member of the R&D team for MUM (“Mera Urdu Messenger”), the first ever Urdu messenger, released by CRI in the 90s.