/  

Microsoft Windows Support Diagnostic

反向壳

How Does It Works

image.png

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Workarounds

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. RunCommand Prompt asAdministrator .
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdtfilename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. RunCommand Prompt asAdministrator .
  2. To back up the registry key, execute the command “reg importfilename”

Microsoft Defender Detections & Protections

Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:

  • Trojan:Win32/Mesdetty.A
  • Trojan:Win32/Mesdetty.B
  • Behavior:Win32/MesdettyLaunch.A
  • Behavior:Win32/MesdettyLaunch.B
  • Behavior:Win32/MesdettyLaunch.C

Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

JohnHammond's github page.
SANS's webpage.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability


标题:Chisaka
作者:Chisaka
地址:https://www.xiaohongyan.cn/articles/2022/05/31/1653978669060.html
声明:博客上的所内容均可免费使用,可注明归属,注明作者或网址这种行为值得赞赏。