Previous
Learn how PurpleSec’s experts can protect your business against the latest cyber attacks.
Author: Dalibor Gašić / Last Updated: 6/30/2022
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
View Our: Editorial Process
Table Of Contents
The nao_sec team posted this on their Twitter account link on May 27, 2022, like a zero-day vulnerability because then there was no patch to address this.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
For those who don’t know, nao_sec is a Cyber Security Research team that has been active since 2017 in finding various vulnerabilities that you can find on their official website.
Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8.1/7 and Windows Server, even the latest: Windows Server 2022.
The tool enables the Microsoft support representatives to analyze diagnostic data and find a resolution for the problems experienced by users.
To make it clearer to you which tool it is, it would be best to say that it is a troubleshooting window that almost never solved the user’s problem.
This software component is included on startup by default on the mentioned versions of Microsoft Windows and can be found in
“C:\Windows\System32″ under the name msdt.exe”.
As mentioned above, exploitation is done with the help of a malicious Word document example exploit_name.doc and enabled vulnerable Microsoft Support Diagnostic tool installed on a Windows machine.
This vulnerability has gone viral on the Internet and there are a lot of explanations for this vulnerability, let’s try to simplify for the part of the audience that is not technologically savvy.
From here, the attacker can now work on further exploiting the machine in the background, installing persistence as a backdoor to maintain access, and working on escalating privileges from user to administrator.
The complete procedure in the more professional edition can be seen in the picture below, as well as in the references, links with a more detailed description, and where the exploit can be found.
How PurpleSec Helps To Secure Your Organization
Our vulnerability management services and penetration testing services provide a holistic approach to securing what’s most important to you.
On Tuesday, June 14, 2022, Microsoft issued Windows updates to address this vulnerability.
Microsoft recommends installing the updates as soon as possible.
In particular, to prevent exploitation of this vulnerability, you can disable support for the MSDT URL protocol by taking these steps:
This first line of protection will stop most of these types of files that have not been modified to bypass antivirus and defenders, of course, if the attacker is not high-skilled.
If you are in a company environment, it is recommended that endpoint protection is present, which will also be upgraded and noticed based on the behavior of this type of file.
Related Articles:
Dalibor is a Senior Security Engineer with experience in penetration testing having recently served over 8 years in the Ministry of Internal Affairs in the Department of Cyber Security in Serbia.