AV-Comparatives Advanced Threat Protection Test 2023 – Enterprise

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
“Advanced persistent threat” is a term commonly used to describe a targeted cyber-attack that employs a complex set of methods and techniques to penetrate information system(s). Different aims of such attacks could be stealing/substituting/damaging confidential information, or establishing sabotage capabilities, the last of which could lead to financial and reputational damage of the targeted organisations. Such attacks are very purposeful, and usually involve highly specialised tools. The tools used are partly free and partly commercial, partly their payloads are based on non-evasive techniques such as using standard Windows APIs, and partly their payloads are based on evasive techniques such as direct syscalls, indirect syscalls, user-mode unhooking, shellcode obfuscation, API hashing, hardware breakpoints, etc.

In our Advanced Threat Protection Test, we use Tactics, Techniques and Procedures (TTPs) that reflect the strategies attackers use to infiltrate a network with malware. These multifaceted attacks can be classified using Lockheed Martin’s Cybersecurity Kill Chain, which divides them into seven distinct phases, each marked by its own unique Indicators of Compromise (IOCs). Our testing approach is heavily influenced by a subset of the TTPs found in the respected MITRE ATT&CK® framework. To reinforce the authenticity and reliability of our findings, a false alarm test is integrated into our report. Our tests are designed to simulate real-world scenarios as closely as possible, using a variety of techniques and resources that mimic the malware found in real-world cyber-attacks. We use system programs designed to evade signature-based detection, while also exploiting the versatility of popular scripting languages such as JavaScript, batch files, PowerShell and Visual Basic scripts. Our tests intricately interweave both staged and non-staged malware samples, cleverly using obfuscation and encryption strategies such as Base64, XOR and AES to disguise malicious code before it executes. We use a range of C2 channels to communicate with the attacker, including HTTP, HTTPS and TCP. In addition, our arsenal includes a variety of well-known exploit frameworks such as the Metasploit Framework, PowerShell Empire and several other commercial tools. This holistic and complex approach ensures that our tests remain at the forefront of cybersecurity evaluation and reflect the ever-evolving threat landscape.

To represent the targeted hosts, we use fully patched 64-bit Windows 10 systems, each with a different AV product installed. In the enterprise test, the target user has a standard user account. In the consumer test, an admin account is targeted, although every POC is executed using only a standard-user account, with medium integrity. Windows User Account Control is enabled and set to the default level in both tests. With regard to vendors whose products were tested in both the Consumer and Enterprise ATP Tests, please note that the products and their settings may differ. Hence, the results of the Consumer Test should not be compared with those of the Enterprise Test.

Once the payload is executed by the victim, a Command and Control Channel (C2) to the attacker’s system is opened. For this to happen, a listener has to be running on the attacker’s side. For example, this could be a Metasploit Listener on a Kali Linux system. Using the C2 channel, the attacker has full access to the compromised system. The functionality and stability of this established access is verified in each test-case. If a stable C2 connection is made, the system is considered to be compromised.

The test consists of 15 different attacks. It focuses on protection, not on detection, and is carried out entirely manually. Whilst the testing procedure is necessarily complex, we have used a fairly simple description of it in this report.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top