Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Sigma rule (View on GitHub)
1title: Arbitrary Shell Command Execution Via Settingcontent-Ms
2id: 24de4f3b-804c-4165-b442-5a06a2302c7e
3status: test
4description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
5references:
6 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
7author: Sreeman
8date: 2020-03-13
9modified: 2022-04-14
10tags:
11 - attack.t1204
12 - attack.t1566.001
13 - attack.execution
14 - attack.initial-access
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains: '.SettingContent-ms'
21 filter:
22 CommandLine|contains: 'immersivecontrolpanel'
23 condition: selection and not filter
24fields:
25 - ParentProcess
26 - CommandLine
27 - ParentCommandLine
28falsepositives:
29 - Unknown
30level: medium
References
-
As an attacker, initial access can prove to be quite the challenge against a hardened target. When selecting a payload for initial access…
Read More
Related rules
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML Help HH.EXE Suspicious Child Process
- Suspicious Execution via macOS Script Editor