Jake Williams
Breaker of software | VP R&D @hunterstrategy | CTI/DFIR | @ians_security faculty | Bookings: jake at malwarejake dot com | GSE #150 | He/him

May 29, 2022, 10 tweets

Okay, so playing the #msdt 0-day a bit and here's what's happening:
1. The maldoc contains a linked HTML document
2. Word automatically retrieves the linked HTML document, which contains JS to reset the location to an ms-msdt protocol handler, which is present by default 1/

3. The protocol handler launches msdt, which launches a command using the IT_BrowseForFile parameter. The maldoc that triggered this whole event invokes this code (newlines and comments added). The doc was likely distributed with a .rar file. 2/

4. I don't have the ".rar" file, but we can still tell what it's doing. The findstr command is looking for "TVNDRgAAAA" which means it's looking for a base64 encoded string beginning with "MSCF" which is the file header for a .cab file.
5. The expand command unpacks the .cab 3/

6. The .cab file contains a file named rgb.exe, which is ultimately executed.

People have obviously found pieces of this before. This blog post discusses other URL handlers. I'm betting these are going to get a LOT more scrutiny in the coming days. 4/
blog.syss.com/posts/abusing-…

While researching msdt parameters used, I came across another blog noting the potential to abuse msdt. This post implies the action requires a user click (and as written, it does). Embedded in a Word doc, it's zero click. 5/
sec.ud64.com/1-click-rce-in…

Here are the arguments to msdt (indented for ease of reading). The only two arguments I've found that are absolutely necessary to abuse the msdt handler *outside of Word* are:
* IT_SelectProgram=NotListed
* IT_BrowseForFile=h$(<PowerShell>)

If you omit IT_SelectProgram=NotListed you won't get execution and will instead get a popup asking how you should be opening the file.

If the user just selects the default action, you'll still get execution. 7/

This only works because of the handler in HKCR\ms-msdt. If you delete this key, users will see the following if they open a payload document. Note that I haven't tested this to know other impacts but it absolutely prevents exploitation with known #msdt samples. 8/

You should probably be doing some detection engineering in your environment to understand how and where msdt.exe is used (e.g. what are the parent processes).

Also, the maldoc uses mpsigstub.exe, a legitimate Defender exe that is often excluded from logging. /FIN

Speaking of detection engineering...
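As an added example (not the author's code), the following Python triages process-creation events the way the thread suggests: baselining which parents launch msdt.exe, and flagging launches from Office through the ms-msdt handler that carry the IT_SelectProgram=NotListed / IT_BrowseForFile=h$( ) pattern. The sample events are constructed; `<PACK_ID>` and `<PowerShell>` are placeholders, not a real payload.

```python
"""Triage msdt.exe process-creation events for the ms-msdt abuse chain described above."""
import re
from collections import Counter
from dataclasses import dataclass

# Office processes that should not normally be the parent of msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The two msdt parameters the thread identifies as required for execution,
# plus the $( ) PowerShell expansion inside IT_BrowseForFile.
SUSPICIOUS_PARAMS = re.compile(r"IT_SelectProgram=NotListed|IT_BrowseForFile=\S*\$\(", re.I)


@dataclass
class ProcEvent:  # minimal shape of a Sysmon EID 1 / Security 4688-style record
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the reasons an msdt.exe launch looks like the maldoc chain (empty if benign)."""
    reasons = []
    if _basename(ev.image) != "msdt.exe":
        return reasons
    if _basename(ev.parent_image) in OFFICE_PARENTS:
        reasons.append(f"msdt.exe spawned by Office process {_basename(ev.parent_image)}")
    if "ms-msdt:" in ev.command_line.lower():
        reasons.append("launched through the ms-msdt protocol handler")
    if SUSPICIOUS_PARAMS.search(ev.command_line):
        reasons.append("IT_SelectProgram=NotListed / IT_BrowseForFile with $() expansion")
    return reasons


def triage(events) -> list:
    """Pair each suspicious event with its reasons; benign launches are dropped."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


def parent_summary(events) -> dict:
    """Baseline which parent processes launch msdt.exe, as the thread recommends."""
    return dict(Counter(_basename(e.parent_image) for e in events if _basename(e.image) == "msdt.exe"))


# Constructed sample events; <PACK_ID> and <PowerShell> are placeholders, not a real payload.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe", r"msdt.exe /id <PACK_ID>"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\WINDOWS\system32\msdt.exe",
              r'msdt.exe ms-msdt:/id <PACK_ID> /param "IT_SelectProgram=NotListed IT_BrowseForFile=h$(<PowerShell>)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe", r"msdt.exe ms-msdt:/id <PACK_ID>"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the Word-spawned launch on all three counts and the explorer-spawned handler hit on one, while `parent_summary` gives the explorer/winword baseline.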
