AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack

Discussion in 'AppGuard (Blue Ridge Networks)' started by Lockdown, Dec 10, 2017.

  1. Lockdown

    Lockdown From AppGuard

    #1 Lockdown, Dec 10, 2017
    Last edited: Dec 10, 2017
    Official Website:
    AppGuard Customers Protected Against Process Doppelgänging - Fileless Attack
    Eirik Iverson
    December 8, 2017
    Cybersecurity, Malicious Code Attacks

    This week, researchers presented at Black Hat Europe in London information regarding an extremely dangerous new “fileless” attack vector that affects all Windows operating systems. The researchers observed that the attack bypasses many widely used endpoint security tools. AppGuard customers need NOT make any policy adjustments to mitigate risks from such attacks. AppGuard already blocks them.

    Details of the new code injection attack can be found in the researchers’ Black Hat presentation available online. In short, exploitation of the discovered Windows design flaw involving commonly available Windows system calls (API) enables attackers to inject code into Windows system files or other trusted applications, transforming them into weaponized instruments working for the attackers. Worse, because of the way Windows operates, antivirus, Endpoint Detection and Response (EDR), and other tools are unable to detect and stop these code injections. Sophisticated attackers can further take advantage of this blind spot by leaving little to no indicators of compromise behind, making compromise discovery even more difficult. These new code injection attacks can succeed without leaving a trace.

    In-memory tactics became increasingly prevalent in the wild after application whitelisting cyber controls became widely adopted by the enterprise. This is because whitelisting only prevents unknown executables from launching. Such tools do NOT contain what trusted applications do after they launch. In the Doppelgänging code injection attack, the malicious code is inserted into the application during the program load stage.

    Based on the revealed tests using the new code injection attack, none of the well-known antivirus products, including much hyped Machine Learning/Artificial Intelligence antivirus products, were able to detect and stop the attack. The products are listed in the Black Hat presentation.

    When the Doppelgänging code injection attack is used in the wild, it will typically be launched in the form of phishing, drive-by download, or via a weaponized document. AppGuard will defeat such attacks in the earliest Doppelgänging stages, preventing the adversaries from transforming other processes on the endpoint into unbounded malicious instruments.

    The Doppelgänging attack potential helps illustrate the downside to reliance on a ‘detect and react’ posture. It requires the enterprise to employ an army of highly skilled analysts to sift through mountains of alerts from many different sources. Check out our recent blog post on cyber alert fatigue. Despite the army of analysts, the array of tools and services, and the workflow overhead, the time to detect data breaches is usually measured in months. Ponemon reported a median of just over 6 months. How long can the enterprise sustain these costs and labor challenges that grow year after year? The enterprise cannot afford to accept endpoint compromises as an unavoidable new normal. It needs to keep fighting the good fight, preventing compromises at the endpoint. Much of the enterprise cyber program cost depends on what happens at the endpoint.

    Tagged: Process Doppelgänging, fileless attack, Windows Operating Systems, Cybersecurity


  2. Umbra

    I think we can't miss it; it is an AppGuard thread :p
  3. Lockdown

    Lockdown From AppGuard

    #3 Lockdown, Dec 10, 2017
    Last edited: Dec 10, 2017
    Copy-Paste is more efficient. I am not trying to make a fashion statement or any kind of statement, but you know there are those that will accuse me of doing something rotten. Here on the forums a simple copy-paste will get you falsely accused.
  4. plat1098

    Can I timidly say something? Speaking of fashion, those are the addresses of your offices? The New York one is right by the Fashion Institute of Technology in midtown Manhattan--I must have walked by that building a hundred times. This is some of the most sought-after unreal estate in the world, believe it!