Home
%3CLINGO-SUB%20id%3D%22lingo-sub-240192%22%20slang%3D%22en-US%22%3EMulti-layer%20defense%20against%20attacks%20that%20abuse%20the%20.settingcontent-ms%20file%20type%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-240192%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EAttackers%20are%20always%20on%20the%20lookout%20for%20new%20ways%20to%20infiltrate%20systems%20and%20networks.%20%3C%2FSPAN%3E%3CSPAN%3ENot%20long%20after%20security%20researcher%20Matt%20Nelson%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fposts.specterops.io%2Fthe-tale-of-settingcontent-ms-files-f1ea253e4d39%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3Edetailed%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E%20a%20way%20to%20abuse%20the%20%3C%2FSPAN%3E%3CI%3E%3CSPAN%3E.settingcontent-ms%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%3E%20file%20format%20%3C%2FSPAN%3E%3CSPAN%3Eto%20load%20shell%20command%3C%2FSPAN%3E%3CSPAN%3Es%3C%2FSPAN%3E%3CSPAN%3E%2C%20cybercriminals%20%3C%2FSPAN%3E%3CSPAN%3Eexperimented%20with%20ways%20to%20use%20this%20technique%20in%20attacks.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EMicrosoft%20365%20has%20multiple%20layers%20of%20defense%20against%20%3C%2FSPAN%3E%3CSPAN%3Ethis%20new%20attacker%20technique.%20These%20protections%20include%20mitigations%20in%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fproducts.office.com%2Fen-us%2Fbusiness%2Foffice-365-trust-center-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3EOffice%20365%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E%2C%20as%20well%20as%20detection%20and%20investigation%20capabilities%20in%20the%20Windows%20Defender%20Advanced%20Threat%20Protection%20(%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwindowsforbusiness%2Fwindows-atp%3Focid%3Dcx-blog-mmpc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3EWindows%20Defender%20ATP%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E)%20unified%20security%20platform.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOffice%20365%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EBy%20default%2C%20Office%20365%20applications%20will%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fpackager-activation-in-office-365-desktop-applications-52808039-4a7c-4550-be3a-869dd338d834%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3Eblock%3C%2FSPAN%3E%3C%2FA%3E%20%3CI%3E%3CSPAN%3E.settingcontent-ms%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%3E%20objects%20inside%20documents.%3C%2FSPAN%3E%20%3CSPAN%3EThis%20is%20meant%20to%20defeat%20social%20engineering%20attacks%20that%20%3C%2FSPAN%3E%3CSPAN%3Eembed%20malicious%20executables%20or%20scripts%20(for%20example%2C%20.exe%2C%20.js%2C%20.vbs%20files)%20in%20Office%20documents.%3C%2FSPAN%3E%20%3CSPAN%3EOutlook%20uses%20the%20same%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fpackager-activation-in-office-365-desktop-applications-52808039-4a7c-4550-be3a-869dd338d834%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3Elist%20of%20blocked%20file%20extensions%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E%20to%20block%20attachments.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20470px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F44502i3B88BA71040A1215%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22O365.png%22%20title%3D%22O365.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EF%3C%2FEM%3E%3CEM%3Eigure%201.%20Office%20365%20apps%20will%20not%20allow%20the%20activation%20of%20objects%20that%20link%20to%20file%20name%20extensions%20considered%20high%20risk%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAttack%20surface%20reduction%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fna01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fwindows%252Fsecurity%252Fthreat-protection%252Fwindows-defender-exploit-guard%252Fattack-surface-reduction-exploit-guard%26amp%3Bdata%3D04%257C01%257C%257C984c2990b60c46d9477b08d60ea2cc8e%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636712489761220424%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%253D%253D%257C-1%26amp%3Bsdata%3DyqFOq%252FWUJZci2OVkxuyZ4mAqmUfp2czej1pvjlj7BY0%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAttack%20surface%20reduction%3C%2FA%3E%20capabilities%20in%20Windows%20Defender%20ATP%20provide%20a%20set%20of%20built-in%20intelligence%20that%20can%20block%20underlying%20behaviors%20used%20by%20malicious%20documents.%20The%20following%20Attack%20surface%20reduction%20%3CA%20href%3D%22https%3A%2F%2Fna01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fwindows%252Fsecurity%252Fthreat-protection%252Fwindows-defender-exploit-guard%252Fattack-surface-reduction-exploit-guard%2523attack-surface-reduction-rules%26amp%3Bdata%3D04%257C01%257C%257C984c2990b60c46d9477b08d60ea2cc8e%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636712489761230429%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%253D%253D%257C-1%26amp%3Bsdata%3DDuxutPQTGXoSDfK0vx14VEv8cdcL2JAdlBZKm%252B6%252BGrs%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Erules%3C%2FA%3E%2C%20updated%20immediately%20after%20the%20attacker%20technique%20was%20made%20public%2C%20protect%20against%20attacks%20that%20use%20documents%20with%20%3CEM%3E.settingcontent-ms%3C%2FEM%3E%20objects%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBlock%20Office%20applications%20from%20creating%20child%20processes%20(D4F940AB-401B-4EFC-AADC-AD5F3C50688A)%3C%2FLI%3E%0A%3CLI%3EBlock%20Office%20applications%20from%20creating%20executable%20content%20(3B576869-A4EC-4529-8536-B80A7769E899)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIn%20addition%2C%20the%20following%20rule%2C%20available%20in%20preview%2C%20protects%20against%20malicious%20.pdf%20files%20with%20embedded%20%3CEM%3E.settingcontent-ms%3C%2FEM%3E%20objects%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBlock%20Adobe%20Reader%20from%20creating%20child%20processes%20(7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20following%20rule%2C%20also%20in%20preview%2C%20protects%20against%20emails%20that%20have%20%3CEM%3E.settingcontent-ms%3C%2FEM%3E%20objects%20embedded%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBlock%20Office%20communication%20applications%20from%20creating%20child%20processes%20(26190899-1602-49e8-8b27-eb1d0a1ce869)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F44511i080306301CF35295%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22atp4.png%22%20title%3D%22atp4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EFigure%202.%20Attack%20surface%20reduction%20rules%20prevent%20execution%20of%20abused%20.settingconten-ms%20files%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENext%20Generation%20Protection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAntivirus%20capabilities%20in%20Windows%20Defender%20ATP%20detect%20and%20block%20malicious%20.settingcontent-ms%20files%20as%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwdsi%2Fthreats%2Fmalware-encyclopedia-description%3FName%3DTrojan%253aO97M%252fDPlink.A%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETrojan%3AO97M%2FDPlink.A%3C%2FA%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F44503i7364911A6E85751F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22atp1.png%22%20title%3D%22atp1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EFigure%203.%20Alert%20raised%20in%20Windows%20Defender%20Security%20Center%20for%20Trojan%3AO97M%2FDPlink.A%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEndpoint%20detection%20and%20response%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-atp%2Fwindows-defender-security-center-atp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEndpoint%20detection%20and%20response%3C%2FA%3E%3C%2FSPAN%3E%20capabilities%20in%20Windows%20Defender%20ATP%20allow%20security%20operations%20personnel%20to%20monitor%20and%20investigate%20malicious%20%3CEM%3E.settingcontent-ms%3C%2FEM%3E%20threats%20in%20the%20network.%20Using%20the%20alert%20from%20the%20antivirus%20detection%2C%20SecOps%20can%20pivot%20to%20machine%20timeline%20and%20trace%20the%20process%20tree%20to%20investigate%20related%20events%20(e.g.%2C%20file%20creation)%20and%20remediate%20attacks.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F44504i2C965094230F1E09%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22ATP2.png%22%20title%3D%22ATP2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EFigure%204.%20Process%20tree%20for%20a%20sample%20.settingcontent-ms%20file%20extension%20in%20machine%20timeline%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAdvanced%20Hunting%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20hunt%20for%20possible%20threats%20that%20leverage%20malicious%20.settingcontent-ms%20files%20in%20the%20network%2C%20SecOps%20can%20use%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-atp%2Fadvanced-hunting-windows-defender-advanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAdvanced%20hunting%3C%2FA%3E%3C%2FSPAN%3E%20capabilities%20in%20Windows%20Defender%20ATP.%20The%20Advanced%20hunting%20query%20experience%20is%20integrated%20into%20the%20existing%20Windows%20Defender%20ATP%20investigation%20experience%2C%20making%20proactive%20hunting%20for%20possible%20threats%20more%20effective.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F44505i3CC4DC072ED16933%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22ATP3.png%22%20title%3D%22ATP3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFigure%205.%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FWindowsDefenderATP-Hunting-Queries%2Fblob%2F7b4698427ab75e4a8e1acdfbce34662b14b754a4%2FCampaigns%2FAbusing%2520settingcontent-ms.txt%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESample%20Advanced%20hunting%20query%3C%2FA%3E%3C%2FSPAN%3E%20that%20returns%20file%20creation%20events%20where%20file%20name%20ends%20with%20.settingcontent-ms%20and%20initiating%20process%20is%20a%20browser%2C%20Outlook%2C%20or%20explorer.exe.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20a%20reminder%20you%20can%20find%20the%20above%20query%20and%20many%20more%20samples%20Advanced%20hunting%20queries%20in%20our%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FWindowsDefenderATP-Hunting-Queries%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGitHub%20repository%3C%2FA%3E%3C%2FSPAN%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-240192%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emilad.aslaner%40microsoft.com%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Attackers are always on the lookout for new ways to infiltrate systems and networks. Not long after security researcher Matt Nelson detailed a way to abuse the .settingcontent-ms file format to load shell commands, cybercriminals experimented with ways to use this technique in attacks.  

 

Microsoft 365 has multiple layers of defense against this new attacker technique. These protections include mitigations in Office 365, as well as detection and investigation capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified security platform.  

 

Office 365 

 

By default, Office 365 applications will block .settingcontent-ms objects inside documents. This is meant to defeat social engineering attacks that embed malicious executables or scripts (for example, .exe, .js, .vbs files) in Office documents. Outlook uses the same list of blocked file extensions to block attachments. 

 

O365.png

Figure 1. Office 365 apps will not allow the activation of objects that link to file name extensions considered high risk

 

Attack surface reduction

 

Attack surface reduction capabilities in Windows Defender ATP provide a set of built-in intelligence that can block underlying behaviors used by malicious documents. The following Attack surface reduction rules, updated immediately after the attacker technique was made public, protect against attacks that use documents with .settingcontent-ms objects:

 

  • Block Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
  • Block Office applications from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899)

In addition, the following rule, available in preview, protects against malicious .pdf files with embedded .settingcontent-ms objects:

 

  • Block Adobe Reader from creating child processes (7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c)

The following rule, also in preview, protects against emails that have .settingcontent-ms objects embedded:

 

  • Block Office communication applications from creating child processes (26190899-1602-49e8-8b27-eb1d0a1ce869)

 

atp4.png

Figure 2. Attack surface reduction rules prevent execution of abused .settingconten-ms files

 

Next Generation Protection

 

Antivirus capabilities in Windows Defender ATP detect and block malicious .settingcontent-ms files as Trojan:O97M/DPlink.A.

atp1.png

Figure 3. Alert raised in Windows Defender Security Center for Trojan:O97M/DPlink.A

 

Endpoint detection and response

 

Endpoint detection and response capabilities in Windows Defender ATP allow security operations personnel to monitor and investigate malicious .settingcontent-ms threats in the network. Using the alert from the antivirus detection, SecOps can pivot to machine timeline and trace the process tree to investigate related events (e.g., file creation) and remediate attacks.

 

ATP2.png

Figure 4. Process tree for a sample .settingcontent-ms file extension in machine timeline

 

Advanced Hunting 

 

To hunt for possible threats that leverage malicious .settingcontent-ms files in the network, SecOps can use Advanced hunting capabilities in Windows Defender ATP. The Advanced hunting query experience is integrated into the existing Windows Defender ATP investigation experience, making proactive hunting for possible threats more effective.

 

ATP3.png

Figure 5. Sample Advanced hunting query that returns file creation events where file name ends with .settingcontent-ms and initiating process is a browser, Outlook, or explorer.exe.

 

As a reminder you can find the above query and many more samples Advanced hunting queries in our GitHub repository.