BYOVD attack - CIS case
<blockquote data-quote="Andy Ful" data-source="post: 1109152" data-attributes="member: 32260">
<p><strong>Bring Your Own Vulnerable Driver attack - CIS case.</strong></p>
<p><strong><span style="color: rgb(0, 168, 133)">Most readers can skip the part of the video from 1:34 to 7:18, which is about the CIS settings.</span></strong></p>
<p>[MEDIA=youtube]wU-BcQOPSkA[/MEDIA]</p>
<p>This video is an example of a targeted attack on the AV via a vulnerable driver + an external LOLBin + a UAC bypass.</p>
<p>That attack silently compromises the system and will dismantle the AV protection after a Windows restart.</p>
<p>The method used is well known, and I used Comodo Internet Security 2025 (CIS) as the AV example.</p>
<p>The information needed to perform such attacks is publicly available on the web.</p>
<p>Attack flow:</p>
<p>ISO file ---> user opens it and runs the content ---> system silently compromised</p>
<p>No UAC prompt, no Comodo alerts.</p>
<p>The user can see that something is wrong only after restarting Windows.</p>
<p>A similar type of attack can be done against any AV. It is different from the "AV challenge" POCs used by me in the series of videos on the MalwareTips forum to dismantle the AVs' protection.</p>
<p>Edit.</p>
<p>The attack is different from the Kill-floor malware (different execution method and driver):</p>
<p>[URL unfurl="true"]https://www.bleepingcomputer.com/news/security/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses/[/URL]</p>
<p>The Kill-floor malware can be easily contained by Comodo, so no Comodo products are on the target list of that malware. Bypassing Comodo requires non-standard execution methods to bypass auto-containment and Script Analysis.</p>
</blockquote>