App Review "Bypassing" NoVirusThanks EXE Radar Pro

[509322]

Guys don't panic. Look at Panda's bypassed video comment section. They are a Cylance and CB reseller as well. Finally, the actual weakness is in Windows 7 and it's Powershell version 1.0 or 2.0 - all product will fail as they will use all types of powershell attack tools and will always bypass...if not file based, fileless will work as well, after I mentioned about "Invoke Obfuscation" powershell method Carbon Black won't be able to block as well, look at their answers....they still need to combine with Logrhythm or CyberShark to detect. Don't worry guys....trust your own product. Look at this video then you will understand...no security product at this moment can 100% protect you against advanced powershell attack especially fileless based attack. If only their video ran on Windows 10, disable Powershell 2.0, enable Windows Defender, enable your product...if run the exact same attack from the current video of your product...it will fail to bypass..but of course, if they were to reproduce another video running on windows 10, they will surely leverage the attack to another level.

If your product is running on Windows 10 or server 2016, disable Powershell 2.0, running fully on Powershell version 5, setup logging in Events, GPO, setup Logrhythm/Cybershark or other similar tools, install your product ensure support AMSI, Enable Windows Defender and secure it.. then you are protected from the most advanced powershell attack...except invoke Obfuscation Powershell Attack which needs close monitoring on your networks and system event.

LOL... the guy (I think Alessandro) that asked Black Cipher Security to test NVT ERP wanted him to test the most recent stable build of ERP with the default Vulnerable Process List - which includes both cmd.exe and powershell.exe on it - to verify that ERP would protect a home system.

However, Black Cipher Security tested ERP from an Enterprise perspective - and not a home use one. So however he chose the version of ERP - whether deliberately or by chance - he used the old stable version that does not include powershell.exe on the default Vulnerable Process List and he probably removed cmd.exe from the list as well.

If bypassuac is still using Invoke-BypassUAC.ps1 (or whatever the pen-test community is passing around at the moment), then there would have been an alert for powershell.exe in the most recent stable build of ERP. Even in the old stable version of ERP there should be an alert if cmd.exe is launched. As there are no cmd.exe alerts in the video, one of the possible reasons is that he removed cmd.exe from the Vulnerable Process List.

For the guys who wanted or are interested in the ERP test and its results, Black Cipher Security should have shown the Vulnerable Process List - and not just the Settings (which for the most part are irrelevant).

The only thing that people here wanted to know is "Will ERP protect against this type of attack ?" But the video creator performed a test that was not asked for. It's a change-up and sowing confusion. It's simple, home users want a test of actual home use and not Enterprise. The version of ERP and the ERP VPL was probably modified to allow scripts as if ERP were being used in a corporate environment.

Black Cipher Security should be given a break on this one as he probably did not know that the users he was interacting with are home users and wanted ERP tested from that perspective.

 

[Emmanuellws]

LOL... the guy (I think Alessandro) that asked Black Cipher Security to test NVT ERP wanted him to test the most recent stable build of ERP with the default Vulnerable Process List - which includes both cmd.exe and powershell.exe on it - to verify that ERP would protect a home system.

However, Black Cipher Security tested ERP from an Enterprise perspective - and not a home use one. So however he chose the version of ERP - whether deliberately or by chance - he used the old stable version that does not include powershell.exe on the default Vulnerable Process List and he probably removed cmd.exe from the list as well.

If bypassuac is still using Invoke-BypassUAC.ps1 (or whatever the pen-test community is passing around at the moment), then there would have been an alert for powershell.exe in the most recent stable build of ERP. Even in the old stable version of ERP there should be an alert if cmd.exe is launched. As there are no cmd.exe alerts in the video, one of the reasons is that he removed cmd.exe from the Vulnerable Process List.

For the guys who wanted or are interested in the ERP test and its results, Black Cipher Security should have shown the Vulnerable Process List - and not just the Settings (which for the most part are irrelevant).

The only thing that people here wanted to know is "Will ERP protect against this type of attack ?" But the video creator performed a test that was not asked for. It's a change-up and sowing confusion. It's simple, home users want a test of actual home use and not Enterprise. The version of ERP and the ERP VPL was probably modified to allow scripts as if ERP were being used in a corporate environment.

Same, I felt that they rigged the test for most of the product, Panda would have popped up that powershell too..but it didn't unless they unblock it from the console. .But to understand more about variety of powershell attacks... the attacker actually can change the powershell name to something else, and if it runs directly from the memory, none of the product can actually catch powershell.exe bcoz they are using their own custom powershell program from their console and launch and call the dll from the victim's machine directly. So many ways to launch powershell, can bypass whitelisting technology, can bypass AV and only through ADsecurity's video you may find out why and how to actually protect from the most advance powershell attack. Application whitelisting only blocks powershell.exe from running automatically called from other application or files. But won't be able to block its own custom powershell app running in the memory as well as a method called "Invoke Obfuscation Attack". None of the product in the market alone can protect computers from this attack. Watch the video, only you will understand what I mean.

 

[509322]

Same, I felt that they rigged the test for most of the product, Panda would have popped up that powershell too..but it didn't unless they unblock it from the console. .But to understand more about variety of powershell attacks... the attacker actually can change the powershell name to something else, and if it runs directly from the memory, none of the product can actually catch powershell.exe bcoz they are using their own custom powershell program from their console and launch and call the dll from the victim's machine directly. So many ways to launch powershell, can bypass whitelisting technology, can bypass AV and only through ADsecurity's video you may find out why and how to actually protect from the most advance powershell attack. Application whitelisting only blocks powershell.exe from running automatically called from other application or files. But won't be able to block its own custom powershell app running in the memory as well as a method called "Invoke Obfuscation Attack". None of the product in the market alone can protect computers from this attack. Watch the video, only you will understand what I mean.

There is some stuff that can be done to prevent alternate ways to launch powershell or at least reduce some of the risk.

In any case, this thread is typical: "Bypass ! Bypass ! Hack-Mo-G bypassed software X ! Call the President ! Call the Prime Minister ! Call the Army ! Call EV-ER-Y-BOD-Y !!"

Not to mention that we did not even touch on the subject of how outbound firewall rules could be created to monitor or block to thwart the attack. That's assuming the stager isn't somehow capable of bypassing every single firewall. I would bet every single firewall is set to "allow all whitelisted processes access to the network" or whatever each soft that has an integrated firewall calls the setting.

 

[TheMalwareMaster]

LOL... the guy (I think Alessandro)

It's me

 

[TheMalwareMaster]

A new one with comodo (there must be something wrong with this one too)

 

[shmu26]

There is some stuff that can be done to prevent alternate ways to launch powershell or at least reduce some of the risk.

What can be done?
And is cmd.exe, too, vulnerable to execution by means of dll, or only powershell?

 

[509322]

A new one with comodo (there must be something wrong with this one too)

Check the COMODO HIPS settings that he used\shows in the COMODO video. HIPS is set to Paranoid mode, but he sets HIPS alerts to OFF and to Allow Requests. Also, he enabled Create Rules for Safe Files.

Those settings ensure that cmd.exe and powershell.exe will be allowed to execute without any alerts because both are rated as Safe by COMODO. With those settings he effectively neutered HIPS Paranoid mode for the demonstration.

From CIS documentation...

• Do NOT show popup alerts - Configure whether or not you want to be notified when the HIPS encounters a malware. Choosing 'Do NOT show popup alerts' will minimize disturbances but at some loss of user awareness. (Default = Disabled). If you choose not to show alerts then you have a choice of default responses that CIS should automatically take – either 'Block Requests' or 'Allow Requests'.
• Create rules for safe applications - Automatically creates rules for safe applications in HIPS Ruleset (Default = Disabled).

In short, he is using settings\configurations in all the videos that I actually bothered to watch to ensure cmd and powershell are whitelisted or not monitored. I didn't watch every single video. He is using PowerShell Empire in some, Metasploit in others, and whatever else.

PowerShell Empire takes advantage of the fact that cmd and powershell are whitelisted by the vast majority of antivirus\internet security suites.

At least some of those tested softs can be tweaked by the user to alert upon initiation and during the "demonstration." Don't ask me how; research it and figure it out so it is permanently written on the inside of your skull.

@Umbra asked him to show ALL settings, rules, etc for each video. Do you think the guy is actually going to honor that request and explain why he using the specific settings\configuration that he uses ?

 

[509322]

What can be done?
And is cmd.exe, too, vulnerable to execution by means of dll, or only powershell?

Use AppGuard.

 

[_CyberGhosT_]

In any case, this thread is typical: "Bypass ! Bypass ! Hack-Mo-G bypassed software X ! Call the President ! Call the Prime Minister ! Call the Army ! Call EV-ER-Y-BOD-Y !!"

I agree, and too many are willig to take crap like this at face value, and don't display an ability for
critical thinking and challenge whats presented. This allows misinformation to rule the day for most.
I am so glad there are those here that don't revel in this type of fatal or flawed thinking.

 

[509322]

I agree, and too many are willig to take crap like this at face value, and don't display an ability for
critical thinking and challenge whats presented. This allows misinformation to rule the day for most.
I am so glad there are those here that don't revel in this type of fatal or flawed thinking.

I don't use it as a mocking, obnoxious "make-fun-of" users comment. When reading IT security reports and viewing test videos, users should take pause, keep their wits about them, and research stuff before screaming "fire ! fire !" The answers might be found quickly or it might take a long while.

 

[shmu26]

Use AppGuard.

Another way to do it: Kaspersky Internet Security can be used to categorize powershell and cmd.exe as "high restricted".

 

[SHvFl]

In reality to do all this steps with macros you must be stupid but the youtube video creator does it because it will minimise the chance of being detected i would assume. So an alert shown by the security application will not really help people that will get up to that step.
If you believe you will ever manage to be so stupid to click open/run/etc at so many things then use a default deny program that doesn't suck. I am not going to suggest one here because it's a topic about another program but i am sure you can find the 2-3 good applications that are out there. The end.

 

[509322]

In reality to do all this steps with macros you must be stupid but the youtube video creator does it because it will minimise the chance of being detected i would assume. So an alert shown by the security application will not really help people that will get up to that step.
If you believe you will ever manage to be so stupid to click open/run/etc at so many things then use a default deny program that doesn't suck. I am not going to suggest one here because it's a topic about another program but i am sure you can find the 2-3 good applications that are out there. The end.

The term "stupid" is a relative one dependent upon usage. In the way that you are using it, even Admins are "stupid." They make mistakes too or just completely or partially disregard best practices.

If one recommends that typical users do not enable macros, you have many, many people that will argue that the real issue is that security softs are supposed to protect "stupid" users 100 % of the time in 100 % of all scenarios. Well... it just ain't true and they can just persist with that thinking to the end of their days as nobody is going to pay attention.

 

[SHvFl]

The term "stupid" is a relative one dependent upon usage. In the way that you are using it, even Admins are "stupid." They make mistakes too or just completely or partially disregard best practices.

If one recommends that typical users do not enable macros, you have many, many people that will argue that the real issue is that security softs are supposed to protect "stupid" users 100 % of the time in 100 % of all scenarios. Well... it just ain't true and they can just persist with that thinking to the end of their days as nobody is going to pay attention.

Stupid was used for security knowledge. Their iq may or may not be higher. If you don't block everything before execution and have tight rules nothing can protect the user that behaves in a stupid way. It's possible but this users usually want the easy way the typical antiviruses promise them which can't work for them.

 

[509322]

Stupid was used for security knowledge. Their iq may or may not be higher. If you don't block everything before execution and have tight rules nothing can protect the user that behaves in a stupid way. It's possible but this users usually want the easy way the typical antiviruses promise them which can't work for them.

Approximately 53 % of all Enterprise breaches start with something similar to what he shows in those videos - meaning an email attachment and then recipient user "uses the attachment."

You have people that truly believe and say "We are users and we want to use stuff - that is what PCs were made for. Infection is not because of what we do, but because security softs suxx and don't protect us !"

 

[SHvFl]

Approximately 53 % of all Enterprise breaches start with something similar to what he shows in those videos - meaning an email attachment and then recipient user "uses the attachment."

You have people that truly believe and say "We are users and we want to use stuff - that is what PCs were made for. Infection is not because of what we do, but because security softs suxx and don't protect us !"

If an enterprise user is not educated and downloads and runs every email he gets then i hope his company has proper backups or blocks every application not whitelisted from running.

 

[509322]

If an enterprise user is not educated and downloads and runs every email he gets then i hope his company has proper backups or blocks every application not whitelisted from running.

Enterprise workstation users typically receive little to no IT security training. What is typical is a document gets distributed to personnel. If they read it, they read it. If they don't, then they don't. Not to even mention that it is rare to have someone assigned to make sure users are following policies and procedures.

 

[SHvFl]

Enterprise workstation users typically receive little to no IT security training. What is typical is a document gets distributed to personnel. If they read it, they read it. If they don't, then they don't. Not to even mention that it is rare to have someone assigned to make sure users are following policies and procedures.

Yeah, this is true depending on what kind of job you work. Most will be like you describe i guess. But at least most of those i used a computer for had some sort of application control.

 

[shmu26]

Enterprise workstation users typically receive little to no IT security training. What is typical is a document gets distributed to personnel. If they read it, they read it. If they don't, then they don't. Not to even mention that it is rare to have someone assigned to make sure users are following policies and procedures.

So that is exactly the point of the video's author: in a typical business environment, where bored secretaries are dealing carelessly with email attachments etc all day long, an infection like this is bound to happen.

 

[509322]

So that is exactly the point of the video's author: in a typical business environment, where bored secretaries are dealing carelessly with email attachments etc all day long, an infection like this is bound to happen.

It goes way beyond that. For example, in a unionized hospital the IT Admin (member of management) can't say anything directly to any unionized personnel that are careless, but must instead go to the designated union supervisor.

There are countless variables that affect IT security - some that have nothing to do with it directly. One employee with a bad attitude or disgruntled...

That is one of the guys points. "What ifs" come by the millions...