.. /.Settingcontent-ms

Phishing
Double Click
Native
Executable

Author:

mr.d0x

Description:

SETTINGCONTENT-MS are XML formatted files introduced in Windows 8 that are used to create shortcuts to different setting pages. They can be used to launch executables on Windows machines. They can be embedded in Microsoft Office programs (fixed in CVE-2018–8414) and PDF files.

OS:

Windows

Recommendation:

Block execution of SETTINGCONTENT-MS files outside of “C:\Windows\ImmersiveControlPanel” path.

Resources:

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat

File Samples:

Contributions: