The problem stems from a new file type called “.SettingContent-ms”. Yes, this is a Microsoft file for Windows 10 and comes with a range of privileges. At its core, the file allows shortcuts to be made to the Settings app. Despite its apparent usefulness, SpecterOps security researcher Matt Nelson says the XML file is too widespread and can be exploited. According to Nelson, the SettingsContent-ms file accepts any filepath in deeplink, including Powershell and CMD paths. In other words, this means the file can performance one task simultaneously with another, without the user knowing there is a secondary task running: “So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogues to the user. When trying to get initial access, going across a target’s perimeter with an unusual file type can be risky. Ideally, this file would be placed in a container of a more common file type, such as an Office document.”
Bypassing Windows Defence
Worryingly, the filetype also bypasses Windows Defender and navigates past Attack Surface Reduction (ASR) in Office. “When a document comes from the internet with a .SettingContent-ms file embedded in it, the only thing the user sees is the “Open Package Contents” prompt. Clicking “Open” will result in execution. If an environment doesn’t have any Attack Surface Reduction rules enabled, this is all an attacker needs to execute code on the endpoint. I was curious, so I poked at how this holds up with ASR’s child process creation rules enabled.” So, SettingsContent-ms is wide open. Still, Microsoft does not believe the file is a security problem and will likely keep it intact. Although, Nelson explains he thinks the company will add it to a blacklist of filetypes that Windows checks when downloaded from the internet.
