Serious Discussion Can Anti-Viruses stop RATS that have their connection established?

[Trident]

Just don't store passwords in browsers. Store them in your PW manager............a good one. And if you use a weak PW manager.........then you had it

Cool but StealC (Vidar knock-off) can exfiltrate the following:

Spoiler: StealC cute capabilities

Annex​

Annex 1 – Stealc capabilities​

Targeted web browsers​

Web browser	Path of targeted file	Format
Google Chrome	\Google\Chrome\User Data	chrome
Google Chrome Canary	\Google\Chrome SxS\User Data	chrome
Chromium	\Chromium\User Data	chrome
Amigo	\Amigo\User Data	chrome
Torch	\Torch\User Data	chrome
Vivaldi	\Vivaldi\User Data	chrome
Comodo Dragon	\Comodo\Dragon\User Data	chrome
EpicPrivacyBrowser	\Epic Privacy Browser\User Data	chrome
CocCoc	\CocCoc\Browser\User Data	chrome
Brave	\BraveSoftware\Brave-Browser\User Data	chrome
Cent Browser	\CentBrowser\User Data	chrome
7Star	\7Star\7Star\User Data	chrome
Chedot Browser	\Chedot\User Data	chrome
Microsoft Edge	\Microsoft\Edge\User Data	chrome
360 Browser	\360Browser\Browser\User Data	chrome
QQBrowser	\Tencent\QQBrowser\User Data	chrome
CryptoTab	\CryptoTab Browser\User Data	chrome
Opera Stable	\Opera Software	opera
Opera GX Stable	\Opera Software	opera
Mozilla Firefox	\Mozilla\Firefox\Profiles	firefox
Pale Moon	\Moonchild Productions\Pale Moon\Profiles	firefox
Opera Crypto Stable	\Opera Software	opera

Targeted browser extensions​

Cryptocurrency wallet	Extension ID
MetaMask	djclckkglechooblngghdinmeemkbgci
MetaMask	ejbalbakoplchlghecdalmeeeajnimhm
MetaMask	nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink	ibnejdfjmmkpcnlpebklmnkoeoihofec
Binance Wallet	fhbohimaelbohpjbbldcngcnapndodjp
Yoroi	ffnbelfdoeiohenkjibnmadjiehjhajb
Coinbase Wallet extension	hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda	hpglfhgfnhbgpjdenjgmdgoeiappafln
Jaxx Liberty	cjelfplplebdjjenllpjcblmjkfcffne
iWallet	kncchdigobghenbbaddojjnnaogfppfj
MEW CX	nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet	nanjmdknhkinifnkgdcggcfnhdaammmj
Ronin Wallet	fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine	cphhlgmgameodnhkjdmkpanlelnlohao
CLV Wallet	nhnkbkgjikgcigadomkphalanndcapjk
Liquality Wallet	kpfopkelmapcoipemfendmdcghnegimn
Terra Station Wallet	aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr	dmkamcknogkgcdfhhbddcghachkejeap
Sollet	fhmfendgdocmcbmfikdcogofphimnkno
Auro Wallet(Mina Protocol)	cnmamaachppnkjgnildpdmkaakejnhae
Polymesh Wallet	jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex	flpiciilemghbmfalicajoolhkkenfel
Coin98 Wallet	aeachknmefphepccionboohckonoeemg
EVER Wallet	cgeeodpfagjceefieflmdfphplkenlfk
KardiaChain Wallet	pdadjkfkgcafgbceimcpbkalnfnepbnk
Rabby	acmacodkjbdgmoleebolmdjonilkdbch
Phantom	bfnaelmomeimhlpmgjnjophhpkkoljpa
Brave Wallet	odbfpeeihdkbihmopkbjmoonfanlbfcl
Oxygen	fhilaheimglignddkjgofkcbgekhenbh
Pali Wallet	mgffkfbidihjpoaomajlbgchddlicgpn
BOLT X	aodkkagnadcbobfpggfnjeongemjbjca
XDEFI Wallet	hmeobnfnfcmdkdcmlblgagmfpfboieaf
Nami	lpfcbjknijpeeillifnkikgncikgfhdo
Maiar DeFi Wallet	dngmlblcodfobpdpecaadgfbcggfjfnm
Keeper Wallet	lpilbniiabackdjcionkobglmddfbcjo
Solflare Wallet	bhhhlbepdkbapadjdnnojkbgioiodbic
Cyano Wallet	dkdedlpgdmmkkfjabffeganieamfklkm
KHC	hcflpincpppdclinealmandijcmnkbgn
TezBox	mnfifefkajgofkcjkemidiaecocnkjeh
Temple	ookjlbkiijinhpmnjffcofjonbfbgaoc
Goby	jnkelfanjkeadonecabehalmbgpfodjm
Ronin Wallet	kjmoohlgokccodicjjfebfomlbljgfhk
Byone	nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey	jnmbobjmhlngoefaiojfljckilhhlhcj
DAppPlay	lodccjjbdhfakaekdiahmedfbieldgik
SteemKeychain	jhgnbkkipaallpehbohjmkbjofjdmeid
Braavos Wallet	jnlgamecbpmbajjfhmmmlhejkemejdma
Enkrypt	kkpllkodjeloidieedojogacfhpaihoh
OKX Wallet	mcohilncbfahbmgdjkbpemcciiolgcge
Sender Wallet	epapihdplajcdnnkdeiahlgigofloibg
Hashpack	gjagmgiddbbciopjhllkdnddhcglnemk
Eternl	kmhcihpebfmpgmihbkipmjlmmioameka
Pontem Aptos Wallet	phkbamefinggmakgklpkljjmgibohnba
Petra Aptos Wallet	ejjladinnckdgjemekebdpeokbikhfci
Martian Aptos Wallet	efbglgofoippbgcjepnhiblaibcnclgk
Finnie	cjmkndjhnagcfbpiemnkdpomccnjblmj
Leap Terra Wallet	aijcbedoijmgnlmjeegjaglmepbmpkpi
Trezor Password Manager	imloifkgjagghnncjkhggdhalmcnfklk
Authenticator	bhghoamapcdpbohphigoooaddinpkbai
Authy	gaedmjdfmmahhbjefcbgaolhhanlaolb
EOS Authenticator	oeljdldpnmdbchonielidgobddffflal
GAuth Authenticator	ilgcnhelpchnceeipipijaljkblbcobl
Bitwarden	nngceckbapebfimnlniiiahkandclblb
KeePassXC	oboonakemofpalcgghocfoadofidjkkk
Dashlane	fdjamakpfbbddfjaooikfcpapjohcfmg
NordPass	fooolghllnmhmmndgjiamiiodkpenpbb
Keeper	bfogiafebfohielmmehodmfbbebbbpei
RoboForm	pnlccmojcmeohlpggmfnbbiapkmbliob
LastPass	hdokiejnpimakedhajhdlcegeplioahd
BrowserPass	naepdomgkenhinolocfifgehidddafch
MYKI	bmikpgodpkclnkgmnpphehdgcimmided
Splikity	jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey	chgfefjpcobfbnpmiokfjjaglahmnded
Zoho Vault	igkpcodhieompeloncfnbekccinhapdb
Opera Wallet	gojhcdgcpbpfigcaejpfhfegekdgiblk

Targeted desktop cryptocurrency wallets​

Cryptocurrency wallet	Path of targeted directory	File
Bitcoin Core	\Bitcoin\wallets\	wallet.dat
Bitcoin Core Old	\Bitcoin\	wallet.dat
Dogecoin	\Dogecoin\	wallet.dat
Raven Core	\Raven\	wallet.dat
Daedalus Mainnet	\Daedalus Mainnet\wallets\	she*.sqlite
Blockstream Green	\Blockstream\Green\wallets\	.
Wasabi Wallet	\WalletWasabi\Client\Wallets\	.json
Ethereum	\Ethereum\	keystore
Electrum	\Electrum\wallets\	.
ElectrumLTC	\Electrum-LTC\wallets\	.
Exodus	\Exodus\	exodus.conf.json
Exodus	\Exodus\	window-state.json
Exodus	\Exodus\exodus.wallet\	passphrase.json
Exodus	\Exodus\exodus.wallet\	seed.seco
Exodus	\Exodus\exodus.wallet\	info.seco
Electron Cash	\ElectronCash\wallets\	.
MultiDoge	\MultiDoge\	multidoge.wallet
Jaxx Desktop (old)	\jaxx\Local Storage\	file__0.localstorage
Jaxx Desktop	\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	.
Atomic	\atomic\Local Storage\leveldb\	.
Binance	\Binance\	app-store.json
Binance	\Binance\	simple-storage.json
Binance	\Binance\	.finger-print.fp
Coinomi	\Coinomi\Coinomi\wallets\	.wallet
Coinomi	\Coinomi\Coinomi\wallets\

 

[Brahman]

I use Kaspersky which has HIPS, a Firewall, and also is a good anti-virus. Is that a secure setup?

As i said its multiple layers and I wouldn't say your setup is not enough, its more than enough for anyone with non risky habits, but if you wish you can add more like encrypted dns, a filtering Doh on router , a good router with good firewall Etc.

 

[Xeno1234]

As i said its multiple layers and I wouldn't say your setup is not enough, its more than enough for anyone with non risky habits, but if you wish you can add more like encrypted dns, a filtering Doh on router , a good router with good firewall Etc.

I mean the only risky thing I do is download game mods for minecraft thats it tbh

 

[piquiteco]

Just don't store passwords in browsers. Store them in your PW manager............a good one. And if you use a weak PW manager.........then you had it

Desktop based PW, no use of extension like keepass, keepasXC.

 

[Xeno1234]

Desktop based PW, no use of extension like keepass, keepasXC.

Kaspersky Password Manager also pretty nice

 

[Sandbox Breaker]

It takes proper threat hunting. Remote access software that isn't in the company service catalog should not be there.

Also network threat hunting and log review.
Sandboxes also help to lower the TTD.

 

[ForgottenSeer 97327]

NEVER rely on an antivirus solution!
If Kaspersky and Harmony fail and Norton succeeds, will you install Norton?
Ditto if F-Secure succeeds?
You've got to stop believing that antivirus solutions are superheroes who will protect you from everything. They're not...

For a RAT, you already need to know whether the code is known. Some AVs like Eset or Kaspersky decompile the code. If they see a known piece of code, it will be blocked.
For Kaspersky, if the RAT tries to touch the system, it will also be blocked.
And if it gets past Kaspersky, the server's ip address or url must not be known....

Once again, most antivirus programs can protect you from it, some will do better, but if you don't download files like "FortniteVbuksFreeCracked.exe" or "MyDogIsBeautiful.jpg.jar" you risk nothing.

Smart Application Control (SAC) for FortniteVbuksFreeCracked.exe and SimpleWindopwsHardening (SWH) for MyDogIsBeautiful.jpg.jar would be a great and hassle free combo when your are on Windows11. Most RAT's are delivered through scriptors or weaponized documents which SWH provides excellent protection against. SAC adds a cloud based whitelist to any executable based intrusion (often the second stage in RAT attacks).

When you want to combine SAC+SWH with AVAST free you can also use Hard_Configurator (H_C) which has a special AVAST_hardened mode profile. The advantage of H_C with AVAST profile over SWH is that H_C allows you to block most common scriptors as extra protection: Setup Idea - Double cloud based whitelist protection for FREE Avast free also has a behavioral blocker and firewall which are additional protections against RAT intrusion as @Kongo explained).

With any other third-party AV I would combine SAC with SWH. The combo SAC + SWH is a simple and excellent addition to any AntiVirus solution to minimize the attack surface. On MT the number of people promoting SAC + SWH are low, while in my opinion it is a rock solid addition to your AV of choice. It is hassle free no-brainer addition to any third-pary AntiVirus for most users.

 

[Gandalf_The_Grey]

Smart Application Control (SAC) for FortniteVbuksFreeCracked.exe and SimpleWindopwsHardening (SWH) for MyDogIsBeautiful.jpg.jar would be a great and hassle free combo when your are on Windows11. Most RAT's are delivered through scriptors or weaponized documents which SWH provides excellent protection against. SAC adds a cloud based whitelist to any executable based intrusion (often the second stage in RAT attacks).

When you want to combine SAC+SWH with AVAST free you can also use Hard_Configurator (H_C) which has a special AVAST_hardened mode profile. The advantage of H_C with AVAST profile over SWH is that H_C allows you to block most common scriptors as extra protection: Setup Idea - Double cloud based whitelist protection for FREE Avast free also has a behavioral blocker and firewall which are additional protections against RAT intrusion as @Kongo explained).

With any other third-party AV I would combine SAC with SWH. The combo SAC + SWH is a simple and excellent addition to any AntiVirus solution to minimize the attack surface. On MT the number of people promoting SAC + SWH are low, while in my opinion it is a rock solid addition to your AV of choice. It is hassle free no-brainer addition to any third-pary AntiVirus for most users.

I like your idea and SWH is a great tool, highly recommended for hardening Windows
But I'm not sure if SAC is the ideal companion for all 3rd party antivirus:

Discussion Thread - Deep Instinct | Deep Learning AI Cybersecurity Platform

Hello I recently purchased a license but I dont know exactly how to add an exclusion. DeepInspect is throwing alerts of Steam code injection and what I can only do is to put code inject behaviour to 'detect' and not to 'prevent'. Any idea? Thanks I had to add exclusion for one "false+" and...

malwaretips.com

 

[Xeno1234]

What is SWH? I also cannot enable SAC, its not there for me.

 

[Gandalf_The_Grey]

SWH = Simple Windows Hardening:

New Update - Simple Windows Hardening

Post updated in July 2023. SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver. 2.0.0.1 - August 2022 (no support for Windows 11 ver. 22H2)...

malwaretips.com

SAC is Windows 11 only

What is Smart App Control? - Microsoft Support

Smart App Control is a feature of Windows 11 that helps to block malicious, untrusted, or potentially unwanted apps from running on your device.

support.microsoft.com

 

[Xeno1234]

SWH = Simple Windows Hardening:

New Update - Simple Windows Hardening

Post updated in July 2023. SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver. 2.0.0.1 - August 2022 (no support for Windows 11 ver. 22H2)...

malwaretips.com

SAC is Windows 11 only

What is Smart App Control? - Microsoft Support

Smart App Control is a feature of Windows 11 that helps to block malicious, untrusted, or potentially unwanted apps from running on your device.

support.microsoft.com

Ahh. Should I go to windows 11?

 

[Gandalf_The_Grey]

Ahh. Should I go to windows 11?

Not sure, does your current hardware support Windows 11?
I really like Windows 11, but others do not.
So, you must decide that for yourself.
There is no real need when Windows 10 is still in support till October 14, 2025.

 

[Xeno1234]

Not sure, does your current hardware support Windows 11?
I really like Windows 11, but others do not.
So, you must decide that for yourself.
There is no real need when Windows 10 is still in support till October 14, 2025.

I really like how it looks, I just dont like that I cant move the taskbar to the top of the screen, but thats something that really only I like lol

 

[Xeno1234]

SWH = Simple Windows Hardening:

New Update - Simple Windows Hardening

Post updated in July 2023. SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver. 2.0.0.1 - August 2022 (no support for Windows 11 ver. 22H2)...

malwaretips.com

Just to be sure, this should work with Kaspersky/Harmony, right?

 

[Jonny Quest]

@Xeno1234. Incredible thread, who knew all this good information would be posted from your question? "Bookmarked" to re-read.

 

[Xeno1234]

@Xeno1234. Incredible thread, who knew all this good information would be posted from your question? "Bookmarked" to re-read.

I know right?

 

[Gandalf_The_Grey]

Just to be sure, this should work with Kaspersky/Harmony, right?

Yes, for Kaspersky, not sure about Harmony.
Don't know enough about Harmony.
From the Simple Windows Hardening GitHub page:

Software incompatibilities

Windows built-in SRP cannot work with AppLocker (introduced via GPO or MDM WMI Bridge). In such a case, SimpleWindowsHardening shows an alert. Furthermore, the options related to SRP are Switched OFF and removed from the Settings menu.

From the year 2022, AppLocker (GPO) policies can work on Windows 10/11 Home and Pro. AppLocker is activated by default on Windows 11 ver. 22H2 or later (also on Windows Home), so SRP is disabled in the default configuration.

SimpleWindowsHardening ver. 2.1.1.1 can enable SRP on Windows 11, and SRP can also work with enabled Smart App Control (SAC).

Windows built-in SRP is incompatible with Child Account activated on Windows 10+ via Microsoft Family Safety. Child Account adds some AppLocker rules (via MDM), so SRP cannot work. Unfortunately, after removing Child Account, the AppLocker Policy files are not removed (unpleasant bug)! These policy files have to be removed manually to recover the SRP functionality.

SimpleWindowsHardening settings are not compatible with SRP introduced via Group Policies Object (GPO) available in Windows Pro, Education, and Enterprise editions. The GPO refresh feature will overwrite the SimpleWindowsHardening settings. So, before installing SimpleWindowsHardening, SRP has to be removed from GPO.

SimpleWindowsHardening will also conflict with any software which uses SRP, but such applications are rare (CryptoPrevent, SBGuard, AskAdmin, Ultra Virus Killer). Before installing SimpleWindowsHardening it will be necessary to uninstall the conflicting application.

Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

 

[Kongo]

Yes, for Kaspersky, not sure about Harmony.
Don't know enough about Harmony.
From the Simple Windows Hardening GitHub page:

Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

Probably not really needed with Harmony. If I understood correctly, you can also set up script restrictions just like with Deep Instinct.

 

[Trident]

Probably not really needed with Harmony. If I understood correctly, you can also set up script restrictions just like with Deep Instinct.

And default-deny is coming soon as well.

 

[Xeno1234]

Probably not really needed with Harmony. If I understood correctly, you can also set up script restrictions just like with Deep Instinct.

The Kaspersky Anti-Malware engine provides very good script coverage, therefore the restrictions may not be needed either.