
During the attack chain (nicely described here) the JavaScript inside the HTML gets executed and calls an ms-msdt:// URL. Within this URL you have PowerShell embedded, as in the example:

    window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";

My question is: Why is this PowerShell executed, and who exactly executes it? Is this a bug related to msdt, or does this only happen in conjunction with an Office application/document? I would like to understand what the root cause/bug is that leads to this execution.

1 Answer


MS Word is used here as the method of delivery of the payload. The PowerShell script is executed due to a bug in msdt. The ms-msdt protocol passes the string it is given directly to msdt.exe and executes the script. The PowerShell script can be executed without using a Word file. For that you will have to host the malicious HTML page on localhost. Next, instead of opening the HTML file using a browser, call the localhost URL using the wget or iwr command in PowerShell. This method will help you to invoke the PowerShell script without using Word.
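As an added example (not from the question, the answer, or Microsoft), this Python script decomposes an ms-msdt: URL of the form quoted above into the switches msdt.exe receives and flags the markers an analyst would look for in the IT_BrowseForFile answer; SAMPLE_HTML is a constructed copy of the payload shape with calc.exe as the payload, and the finding names are my own.

```python
import re

# Constructed sample: the same shape as the payload quoted in the question; the payload is calc.exe.
SAMPLE_HTML = r'''window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../Windows/System32/mpsigstub.exe\"";'''

MSDT_URL_RE = re.compile(r'ms-msdt:(?:\\.|[^"\\\n])*')   # stop at an unescaped quote
SWITCH_RE = re.compile(r'/(\w+)\s+("[^"]*"|\S+)')        # /name value  or  /name "value"


def extract_msdt_urls(text):
    """Return the ms-msdt: URLs found in a page, with the JavaScript \" escapes undone."""
    return [m.group(0).replace('\\"', '"') for m in MSDT_URL_RE.finditer(text)]


def parse_msdt_url(url):
    """Split an ms-msdt: URL into the switches msdt.exe receives (/id, /skip, /param)
    and break the /param string into its IT_* key=value answers.
    Assumes the answer values contain no whitespace, as in the published sample."""
    rest = url[len("ms-msdt:"):]
    switches = {name.lower(): value.strip('"') for name, value in SWITCH_RE.findall(rest)}
    param = {}
    for item in switches.get("param", "").split():
        key, _, value = item.partition("=")
        param[key] = value
    switches["param"] = param
    return switches


def assess(url):
    """Flag the markers of this abuse in the IT_BrowseForFile answer: a PowerShell
    $(...) subexpression (evaluated when the troubleshooter script runs), an
    Invoke-Expression/IEX call inside it, and ../ traversal that makes the string
    end on a file that really exists so the path looks legitimate to msdt."""
    browse = parse_msdt_url(url)["param"].get("IT_BrowseForFile", "")
    findings = []
    if "$(" in browse:
        findings.append("powershell_subexpression")
    if re.search(r"\bIEX\b|Invoke-Expression", browse, re.IGNORECASE):
        findings.append("invoke_expression")
    if "../" in browse:
        findings.append("path_traversal")
    return findings


if __name__ == "__main__":
    for url in extract_msdt_urls(SAMPLE_HTML):
        print(parse_msdt_url(url)["id"], assess(url))
```

The same three checks can be run over proxy or EDR logs that record the full ms-msdt: URL, since the string reaches msdt.exe unchanged.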


