Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Jake Williams Profile picture
Jake Williams
@MalwareJake
Breaker of software | VP R&D @hunterstrategy | CTI/DFIR | @ians_security faculty | Bookings: jake at malwarejake dot com | GSE #150 | He/him

May 29, 2022, 10 tweets

Okay, so playing the #msdt 0-day a bit and here's what's happening:
1. The maldoc contains a linked HTML document
2. Word automatically retrieves the linked HTML document, which contains JS to reset the location to an ms-msdt protocol handler, which is present by default 1/

3. The protocol handler launches msdt, which launches a command using the IT_BrowseForFile parameter. The maldoc that triggered this whole event invokes this code (newlines and comments added). The doc was likely distributed with a .rar file. 2/

4. I don't have the ".rar" file, but we can still tell what it's doing. The findstr command is looking for "TVNDRgAAAA" which means it's looking for a base64 encoded string beginning with "MSCF" which is the file header for a .cab file.
5. The expand command unpacks the .cab 3/

6. The .cab file contains a file named rgb.exe, which is ultimately executed.

People have obviously found pieces of this before. This blog post discusses other URL handlers. I'm betting these are going to get a LOT more scrutiny in the coming days. 4/
blog.syss.com/posts/abusing-…

While researching msdt parameters used, I came across another blog noting the potential to abuse msdt. This post implies the action requires a user click (and as written, it does). Embedded in a word doc, it's zero click. 5/
sec.ud64.com/1-click-rce-in…

Here are the arguments to msdt (indented for ease of reading). The only two arguments I've found that are absolutely necessary to abuse the msdt handler *outside of word* are:
* IT_SelectProgram=NotListed
* IT_BrowseForFile=h$(<PowerShell>)

If you omit IT_SelectProgram=NotListed you won't get execution and will instead get a popup asking how you should be opening the file.

If the user just selects the default action, you'll still get execution.
7/

This only works because of the handler in HKCR\ms-msdt. If you delete this key, users will see the following if they open a payload document. Note that I haven't tested this to know other impacts but it absolutely prevents exploitation with known #msdt samples. 8/

You should probably be doing some detection engineering in your environment to understand how and where msdt.exe is used (e.g. what are the parent processes).

Also, the maldoc uses mpsigstub.exe, a legitimate Defender exe that is often excluded from logging. /FIN

Speaking of detection engineering...

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling