{"id":57886,"date":"2018-11-07T09:00:35","date_gmt":"2018-11-07T01:00:35","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=57886"},"modified":"2018-11-06T15:48:23","modified_gmt":"2018-11-06T07:48:23","slug":"settingcontent-ms-%e5%8f%af%e8%a2%ab%e7%94%a8%e6%96%bc%e5%9f%b7%e8%a1%8c%e8%a4%87%e9%9b%9c%e7%9a%84-deeplink-%e4%bb%a5%e5%8f%8aicon-based-%e7%9a%84%e6%83%a1%e6%84%8f%e7%a8%8b%e5%bc%8f%e7%a2%bc","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=57886","title":{"rendered":"SettingContent-ms \u53ef\u88ab\u7528\u65bc\u57f7\u884c\u8907\u96dc\u7684 DeepLink \u4ee5\u53caIcon-based \u7684\u60e1\u610f\u7a0b\u5f0f\u78bc"},"content":{"rendered":"

\u5fae\u8edfSettingContent-ms\u6700\u8fd1\u6210\u70ba\u5099\u53d7\u95dc\u6ce8\u7684\u8a71\u984c\u3002\u8da8\u52e2\u79d1\u6280<\/a><\/u>\u5728\u4e03\u6708\u770b\u5230\u4e00\u500b\u5783\u573e\u90f5\u4ef6\u6d3b\u52d5\u5229\u7528\u60e1\u610f\u7684SettingContent-ms\u6a94\u6848\u5d4c\u5165PDF<\/a>\u6a94\u4e2d\uff0c\u76ee\u7684\u662f\u70ba\u4e86\u57f7\u884c\u9060\u7aef\u5b58\u53d6\u7684\u6728\u99ac\u7a0b\u5f0fFlawedAmmyy, \u9019\u500b\u9060\u7aef\u5b58\u53d6\u6728\u99ac(RAT) \u4e5f\u88ab\u4f7f\u7528\u5728Necurs\u6bad\u5c4d\u7db2\u8def\u4e0a. \u800c\u653b\u64ca\u884c\u52d5\u4e3b\u8981\u9396\u5b9a\u7684\u76ee\u6a19\u662f\u6b50\u6d32\u548c\u4e9e\u6d32\u7684\u9280\u884c\u3002<\/p>\n

SettingContent-ms\u6700\u8fd1\u624d\u52a0\u5165\u5fae\u8edf\u8edf\u9ad4\u4e2d\uff0c\u6700\u65e9\u662f\u5728Windows 10\u4e2d\u5f15\u5165\u3002\u4ee5XML\u683c\u5f0f\/\u8a9e\u8a00\u5beb\u5165\u6b64\u985e\u578b\u6a94\u6848\u4e2d\uff0c\u901a\u5e38\u9019\u985e\u578b\u6a94\u6848\u6703\u5305\u542bWindows\u529f\u80fd\u7684\u8a2d\u5b9a\u5167\u5bb9\uff0c\u4f8b\u5982\u66f4\u65b0\u6d41\u7a0b\u4ee5\u53ca\u958b\u555f\u67d0\u4e9b\u7279\u5b9a\u985e\u578b\u6a94\u6848\u7684\u61c9\u7528\u7a0b\u5f0f\u7b49\u3002\u9019\u4e9b\u6a94\u6848\u6700\u5e38\u88ab\u7528\u4f86\u7576\u6210\u958b\u555f\u820a\u7248Winodws\u63a7\u5236\u53f0\u7684\u6377\u5f91\u3002<\/p>\n

\"Figure<\/em><\/p>\n

\u57161.SettingContent-ms\u7684\u526f\u6a94\u540d\u4ee5\u53caicon<\/em><\/p>\n

 <\/p>\n

\"Figure<\/p>\n

\u57162.Figure 2. \u6b63\u5e38 SettingContent\u6a94\u6848\u4e2d\u7684 DeepLink tag<\/em><\/p>\n

\u9664\u4e86\u5783\u573e\u90f5\u4ef6\u6d3b\u52d5\u4e4b\u5916\uff0c\u9084\u6709\u4e00\u4e9b\u95dc\u65bc\u5fae\u8edfSettingContent-ms\u7684\u6982\u5ff5\u9a57\u8b49(POC)\u7814\u7a76<\/a>\uff0c\u5728\u4e03\u6708\u4efd\u7531Specter Ops\u6240\u767c\u4f48\u3002\u7531\u6b64\u4efd\u7814\u7a76\u5831\u544a\u4ee5\u53ca\u5be6\u969b\u51fa\u73fe\u7684\u653b\u64ca\u884c\u52d5\u986f\u793a\u51fa\u53ea\u8981\u5c07DeepLink tag\u4e0b\u7684\u6307\u4ee4\u66ff\u63db\u6210\u60e1\u610f\u6307\u4ee4\u78bc\uff0c\u4fbf\u53ef\u5229\u7528SettingContent-ms\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u3002\u4e00\u958b\u59cb\u7576\u5fae\u8edf\u5f9e\u7814\u7a76\u4eba\u54e1\u807d\u5230\u9019\u500b\u554f\u984c\u6642\uff0c\u4ed6\u5011\u4e26\u4e0d\u8a8d\u70ba\u9019\u662f\u4f5c\u696d\u7cfb\u7d71\u7684\u5f31\u9ede\u3002\u4f46\u662f\u57282018\u5e748\u6708\uff0c\u4ed6\u5011\u516c\u5e03\u4e86\u4fee\u6b63\u7a0b\u5f0f\u4ee5\u4fee\u88dc\u9019\u500b\u554f\u984c: CVE-2018-8414<\/a><\/p>\n

\"Figure<\/p>\n

\u5716 3. \u00a0DeepLink tag \u4e0b\u7684\u60e1\u610f\u6307\u4ee4\u78bc<\/em><\/p>\n

\u5982\u57163\u6240\u793a\uff0c\u662f\u4e00\u500bSettingContent-ms\u88ab\u6feb\u7528\u7684\u7bc4\u4f8b\uff0c\u5728DeepLink tag\u4e0b\u7684\u60e1\u610f\u6307\u4ee4\u78bc\u53ef\u4ee5\u57f7\u884cPowerShell script\u4e26\u5f9e\u60e1\u610f\u7db2\u7ad9\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u3002<\/p>\n

\u5728\u9032\u4e00\u6b65\u7814\u7a76\u9019\u4e9b\u65b9\u6cd5\u6642\uff0c\u6211\u5011\u958b\u59cb\u770b\u5230\u8a72\u6280\u8853\u7684\u5c40\u9650\u6027\u3002 \u55ae\u7368\u4f7f\u7528DeepLink\u4f3c\u4e4e\u6709\u4e00\u4e9b\u7f3a\u9ede\uff1a<\/p>\n

\u512a\u9ede<\/strong>\u00a0<\/strong><\/p>\n