Determining if office products (click2run) has been tampered with

Roy Fulton 0 Reputation points
2024-07-30T19:57:35.7733333+00:00

I’ve been dealing with some kind of malicious process that looks to have modified some updating services for Windows applications. Looking at the leftover install logs of the Click2Run, it looks like there was some kind of injection in the Click2Run executable and I can't find a way of overwriting it. Also I’ve seen the MS Edge updater and Chrome updater (there’s a few others) that seem to have been changed at around the same time. Is there a white paper on how a normal Click2Run install log 'should' look? I'm not a developer, but looking through the entries in the logs this is what it appears to be doing. I'm not sure if I have the initial logs anymore, but nevertheless I think it looks odd:

The installer logs that I have seen look like it takes my authentication token and passes it up, requesting an update file from some MS automated update server. It's not using my password, but some token that it has captured. It submits some information that has a few fields purposely placed with fake data, then tells the update portal to ignore the fields after it goes back and forth a few times. The portal sends the update file back to the client and then the process replaces the fields with their own entries. They make the new process look exactly like the old one down to the bit size. I believe they also obtained a dummy MS cert to legitimize this process. I know this may sound pretty whacked out and at times I think I should probably be committed because of all the stuff that I see this thing do. However, being an IT professional (and being the obsessive compulsive person that I am), I can’t just let this one go. Other machines look to have received this as well. If they don’t have Office installed, then there’s an Edge updater that appears to be affected. Though I haven't yet drilled down into OneDrive, I believe it may be used to obtain user information in some way.

I realize that there’s a lot of things that can look really fishy when you’re looking through logs—believe me. Hence, I wanted to see what a current Click2Run install log looks like when the software is updated before I definitively say that it’s been compromised. I’ve searched through forums and whitepapers but haven’t come across what I’m looking for. Lacking the time and needing to move on, I felt I should at least report this if I can’t substantiate it before I nuke the entire network.

Regards

Roy
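One concrete check for the question above, added here as an example and not taken from the post or from Microsoft: Authenticode verification of the Click-to-Run and updater executables. `Get-AuthenticodeSignature` reports `HashMismatch` when a signed file's bytes were altered after signing and `NotTrusted` when the signing certificate does not chain to a trusted root, which covers both the "modified in place" and the "dummy cert" scenarios. The file paths and expected publisher names are assumed defaults for a 64-bit Windows install.

```powershell
# Added example: verify that Office Click-to-Run and browser updaters still carry a
# valid Authenticode signature from the expected publisher. Paths and publisher
# names are assumptions; adjust them for the machine under review.
$targets = @(
    @{ Path = "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"; Publisher = 'Microsoft Corporation' },
    @{ Path = "${env:ProgramFiles(x86)}\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe";             Publisher = 'Microsoft Corporation' },
    @{ Path = "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe";                           Publisher = 'Google LLC' }
)

function Test-UpdaterSignature {
    param([string]$Path, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'missing'; Signer = $null; Issuer = $null; Thumbprint = $null; Sha256 = $null }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Status is 'Valid' only when the embedded hash matches the file bytes AND the
    # certificate chains to a trusted root. 'HashMismatch' = file changed after signing;
    # 'NotTrusted' = signed with a certificate Windows does not trust; 'NotSigned' = no signature.
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    # The publisher is checked against the certificate's O= field, not the file name.
    $publisherOk = $subject -match [regex]::Escape("O=$Publisher")

    $result = if ($sig.Status -eq 'Valid' -and $publisherOk) { 'ok' }
              elseif ($sig.Status -eq 'Valid') { 'signed-by-unexpected-publisher' }
              else { "bad:$($sig.Status)" }

    [pscustomobject]@{
        Path       = $Path
        Result     = $result
        Signer     = $subject
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        # Record the hash so the file can be compared with a known-good copy from a clean machine.
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$targets | ForEach-Object { Test-UpdaterSignature -Path $_.Path -Publisher $_.Publisher } | Format-List
```

Any result other than `ok` is worth a closer look: compare the recorded SHA256 and certificate thumbprint against the same file on a machine that is known to be clean, or against a fresh copy of the installer, before drawing conclusions from the install logs alone.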

