Microsoft Word subDoc Feature Abused to Steal Windows Credentials

Discussion in '0-day Release' started by silversurfer, Jan 5, 2018.

silversurfer (Malware Tester, Silver Member):

    The security research team at Rhino Labs, a US-based cyber-security company, has discovered that malicious actors can use a lesser-known Microsoft Word feature called subDoc to trick Windows computers into handing over their NTLM hashes, the standard format in which user account credentials are stored.

    At the heart of this technique is a classic NTLM pass-the-hash attack, which has been known about for years. What's different, according to Rhino Labs, is the way this can be carried out, via a Word feature called subDoc that allows Word files "to load sub-documents from a master document."

    Rhino Labs has also released a tool for generating subDoc-weaponized Word files so that system administrators and security researchers can carry out their own tests. The tool is named SubDoc Injector, is available on GitHub, and was authored by former LulzSec member Hector "Sabu" Monsegur, now part of the Rhino Labs team. Rhino Labs has also published a technical post with a step-by-step reproduction of the subDoc attack.

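From the defender's side, the useful check is whether a document's subDoc references point outside the file at all. A .docx is a zip archive, and Word records where each sub-document lives in `word/_rels/document.xml.rels`, so a scanner can flag any sub-document relationship marked `TargetMode="External"` whose target is a UNC path or URL, without opening the file in Word. The script below is an added example written for this post, not Rhino Labs' tool or code; it assumes the OOXML relationship type for sub-documents (`.../relationships/subDocument`) and builds two constructed in-memory .docx fixtures (one benign, one with an external UNC sub-document at a placeholder TEST-NET address) to show the detection logic running.

```python
"""Flag Word documents whose subDoc references point to remote locations.

Added example for this thread (not Rhino Labs' code). Assumes the OOXML
relationship type for sub-documents below; verify against your own samples.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumed relationship type that Word uses for a master document's sub-documents.
SUBDOC_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument"
)

# UNC path (\\host\share\... or //host/share/...) or any URL scheme (http://, file://, ...).
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def is_remote_target(target):
    """True if the relationship target would make Word reach out over the network."""
    return bool(UNC_RE.match(target) or SCHEME_RE.match(target))


def find_remote_subdocs(docx_bytes):
    """Return (relationship id, target) pairs for external, remote sub-documents.

    Only sub-document relationships are considered: external hyperlinks are
    normal in documents and are left alone, and internal sub-documents
    (TargetMode absent or 'Internal') stay inside the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return findings  # no document relationships at all, nothing to load
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") != SUBDOC_REL_TYPE:
            continue
        target = rel.get("Target", "")
        mode = rel.get("TargetMode", "Internal")
        if mode == "External" and is_remote_target(target):
            findings.append((rel.get("Id"), target))
    return findings


def scan_file(path):
    with open(path, "rb") as f:
        return find_remote_subdocs(f.read())


def build_sample_docx(rels_xml):
    """Construct a minimal .docx-shaped zip around the given relationships XML.

    Only the relationships part matters for the check, so the other parts are
    placeholders; this is a test fixture, not a valid Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed fixtures. The "suspicious" one uses a TEST-NET placeholder host.
BENIGN_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%s" Target="chapters/sub.docx"/>'
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/>'
    "</Relationships>"
) % (REL_NS, SUBDOC_REL_TYPE)

SUSPICIOUS_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%s" Target="chapters/sub.docx"/>'
    r'<Relationship Id="rId2" Type="%s" Target="\\203.0.113.10\share\sub.docx" '
    'TargetMode="External"/>'
    "</Relationships>"
) % (REL_NS, SUBDOC_REL_TYPE, SUBDOC_REL_TYPE)


if __name__ == "__main__":
    samples = sys.argv[1:]
    if samples:
        for path in samples:
            for rel_id, target in scan_file(path):
                print("%s: sub-document %s loads from %s" % (path, rel_id, target))
    else:
        print("benign fixture:", find_remote_subdocs(build_sample_docx(BENIGN_RELS)))
        print("suspicious fixture:", find_remote_subdocs(build_sample_docx(SUSPICIOUS_RELS)))
```

Run it with one or more .docx paths to scan real files, or with no arguments to exercise the two constructed fixtures. Because the check reads only the relationships part of the package, it is safe to run on mail-gateway or quarantine samples without rendering them; a hit means Word would attempt to fetch the sub-document from the listed host when the file is opened, which is exactly the outbound SMB connection that egress filtering of port 445 and NTLM hardening are meant to stop.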