
OLE-y hell. Bug in MSFT Word allows total PC p0wnage

Peter2 Silver badge

Blocking this attack?

So, I'm sure I'm not the only person who actually maintains a network who's looking at this, and more importantly at how to block it.

"In short, HTAs pack all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without enforcing the strict security model and user interface of the browser." and "an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and registry entries"

An HTA is executed using the program mshta.exe.

Definitely not something that I want running on the network.

I already have "Restrict File Download" set in the office GPO, so in *theory* then on opening the document winword shouldn't be able to download the payload in the first place so I should be safe.

However, I don't wish to be complacent, and I do wish to be professionally paranoid (i.e. doing my job...). So, to be on the safe side, adding a disallowed path rule for "%SystemRoot%\system32\mshta.exe" to a software restriction policy GPO would prevent any HTAs that make it to the endpoints from running.

And that's absolute protection against this? Or have I missed something? Opinions from fellow professionals welcome.
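The two controls the post describes, as an added example in PowerShell that is not part of the original comment: it writes the Software Restriction Policy "Disallowed" path rule for mshta.exe to the local machine in the registry layout the SRP policy engine reads (Safer\CodeIdentifiers\<level>\Paths\{GUID}, where level 0 is Disallowed), checks whether winword.exe is listed under the FEATURE_RESTRICT_FILEDOWNLOAD feature-control key (assumed here to be where the "Restrict File Download" policy lands), and then tries to launch a harmless HTA to confirm the block. Run it elevated on a single test machine; in production the same rule belongs in the domain GPO the post refers to. The HTA contents, the rule description and the variable names are constructed for the example.

```powershell
# Added example (not from the original post). Assumes: elevated session on a test
# box, SRP registry layout HKLM\...\Safer\CodeIdentifiers\<level>\Paths\{GUID},
# level 0 = Disallowed, 0x40000 = Unrestricted.

$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Target = '%SystemRoot%\system32\mshta.exe'   # same path the post proposes

# --- 1. Base SRP settings: Unrestricted by default, enforce for all software
#        files except libraries, apply to all users. A GPO would normally set
#        these; they are written here only so the local test is self-contained.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0       -Type DWord

# --- 2. The Disallowed path rule for mshta.exe (one GUID-named subkey per rule).
$RuleKey = Join-Path $Safer ('0\Paths\{0}' -f [guid]::NewGuid().ToString('B'))
New-Item -Path $RuleKey -Force | Out-Null
Set-ItemProperty -Path $RuleKey -Name ItemData     -Value $Target -Type ExpandString
Set-ItemProperty -Path $RuleKey -Name SaferFlags   -Value 0 -Type DWord
Set-ItemProperty -Path $RuleKey -Name Description  -Value 'Block HTA host (mshta.exe)' -Type String
Set-ItemProperty -Path $RuleKey -Name LastModified -Value ([DateTime]::Now.ToFileTime()) -Type QWord

# --- 3. Check the other control from the post: is winword.exe covered by the
#        "Restrict File Download" feature control? (Key name is an assumption.)
$Rfd = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD'
$RfdWord = (Get-ItemProperty -Path $Rfd -Name 'winword.exe' -ErrorAction SilentlyContinue).'winword.exe'
if ($RfdWord -eq 1) { Write-Host 'Restrict File Download: winword.exe = 1 (enabled)' }
else                { Write-Warning 'Restrict File Download is NOT set for winword.exe on this machine' }

# --- 4. Verify the SRP rule bites: a do-nothing HTA (constructed test file).
$Hta = Join-Path $env:TEMP 'srp-test.hta'
'<html><head><hta:application id="t"/><script>self.close();</script></head></html>' |
    Set-Content -Path $Hta -Encoding ASCII

try {
    Start-Process -FilePath "$env:SystemRoot\System32\mshta.exe" -ArgumentList "`"$Hta`"" `
                  -Wait -ErrorAction Stop
    Write-Warning 'mshta.exe RAN: the rule is not in effect yet (start a new logon session and retry)'
} catch {
    # CreateProcess fails with ERROR_ACCESS_DISABLED_BY_POLICY when SRP blocks it.
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

# SRP logs each path-rule block as event 866 in the Application log; this is the
# line to hunt for on endpoints where Word actually tried to spawn mshta.exe.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
             -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two things worth knowing about this rule before treating it as "absolute" protection: a path rule only matches that path, so it does not stop a copy of mshta.exe dropped somewhere else (a hash rule, or an AppLocker publisher rule on the file, does), and SRP enforcement applies at process creation, so a freshly written rule may only be seen by new logon sessions. The event 866 search at the end is the cheap way to find out whether any endpoint ever reached the point of launching the HTA host at all.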
