ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
silversurfer posted the example of advanced multistage malware:
malwaretips.com

Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

A new fileless malicious campaign, dubbed Nodersok by Microsoft Defender ATP Research Team researchers who discovered it, drops its own LOLBins to infect Windows computers with a Node.js-based malware that will turn the devices into proxies. Unlike other fileless malware attacks that only use...
malwaretips.com malwaretips.com

Here is a fragment from Microsoft article about WD protection which can fight such malware:
"
  1. Machine learning models in the Windows Defender Antivirus client generically detects suspicious obfuscation in the initial HTA file used in this attack. Beyond this immediate protection, behavioral detection and containment capabilities can spot anomalous and malicious behaviors, such as the execution of scripts and tools. When the behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats.
  2. Meanwhile, scripts that are decrypted and run directly in memory are exposed by Antimalware Scan Interface (AMSI) instrumentation in scripting engines, while launching PowerShell with a command-line that specifies encoded commands is defeated by command-line scanning. Tamper protection in Microsoft Defender ATP protects systems modifications that attempt to disable Windows Defender Antivirus.
  3. These multiple layers of protection are part of the threat and malware prevention capabilities in Microsoft Defender ATP. The complete endpoint protection platform provides multiple capabilities that empower security teams to defend their organizations against attacks like Nodersok. Attack surface reduction shuts common attack surfaces. Threat and vulnerability management, endpoint detection and response, and automated investigation and remediation help organizations detect and respond to cyberattacks. Microsoft Threat Experts, Microsoft Defender ATP’s managed detection and response service, further helps security teams by providing expert-level monitoring and analysis."
"
I put here three paragraphs from this text into three points.
The first point is interesting because it is related to actions made by WD offline protection. It also clearly states how works the behavior monitoring engine:

"behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats."

The third point is mostly related to Windows E5 (except some ASR features).
 
Last edited:
  • Like
  • Thanks
  • +Reputation
Reactions: [correlate], silversurfer, woodrowbone and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
I wish I could see the ConfigureDefender Log from the last WD test:
I wonder if 4 script samples were missed, or some WD advanced settings silently blocked the malicious actions (or Windows 10 mitigations did this). In the end, the system seems protected. But, who knows?
The script 0.3614618.js was seen as a part of EMOTET attack.
 
Last edited:
  • Like
Reactions: [correlate], Gandalf_The_Grey, harlan4096 and 2 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
  • Like
Reactions: [correlate], Gandalf_The_Grey, harlan4096 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
Some people would like to test if AMSI works on their computer. It is easy when using the test script prepared by Microsoft:
First copy/paste the below script to PowerShell console to see what command will be executed:
Code: 
# AMSI test script
$base64 = "FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ="
$bytes = [Convert]::FromBase64String($base64)
$string = -join ($bytes | % { [char] ($_ -bxor 0x33) })
# The variable $string contains the command that will be executed
$string
You will see the output:
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
which is a decoded command.
After this execute this command:
Code: 
iex $string
which should be blocked by WD:
AMSI_test.png



Edit.
Converting from BASE64 is blocked in PowerShell Constrained Language mode, which is set by SRP default-deny, or can be set via SysHardener.
 
Last edited:
  • Like
Reactions: ForgottenSeer 85179, [correlate], harlan4096 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
WD offline detection c.d.

Andy Ful said:
...
The first point is interesting because it is related to actions made by WD offline protection. It also clearly states how works the behavior monitoring engine:

"behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats."
...
Click to expand...
Fragment from MS article:
www.microsoft.com

How artificial intelligence stopped an Emotet outbreak | Microsoft Security Blog

At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and...
www.microsoft.com www.microsoft.com

"When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:
  • Behavior during emulation, such as API calls and executed code
  • Similarity fuzzy hashes
  • Vectors of content descriptive flags optimized for use in ML models
  • Researcher-driven attributes, such as packer technology used for obfuscation
  • File name
  • File size
  • Entropy level
  • File attributes, such as number of sections
  • Partial file hashes of the static and emulated content
This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign."
 
  • Like
  • Thanks
Reactions: [correlate], silversurfer, oldschool and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
SUMMARY of WD offline non-signature detection/blocking on Windows Home and Pro.
  1. WD offline non-signature detection uses Machine Learning models, behavior-based algorithms, generics (based on similarities to known malware), and heuristics.
  2. AMSI is used to log/detect unobfuscated script actions.
  3. Most of these features apply to images in memory and are optimized to detect suspicious behavior and trigger the cloud backend.
  4. WD can be configured to use also ASR rules and Controlled Folder Access to block locally, malicious behaviors.
It seems that WD main offline protection is based on malware signatures, and can be extended by using ASR rules and Controlled Folder Access. Other features are mostly the interlude to the cloud backend.
Of course, in the home environment, offline protection is supported by cloud protection even when the user is offline! The main malware delivery is due to the Internet, so if the user is well protected online (web protection, BAFS, etc.), then there is usually no malware on disk when being offline. This may work well for many users, but there are some exceptions, for example when downloading/unpacking files without MOTW (like from USB drives, via 7-ZIP unpacker, etc.).
 
Last edited:
  • Like
Reactions: [correlate], Venustus, woodrowbone and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
SeriousHoax said:
@Andy Ful
Log from the latest test if you're interested: https://malwaretips.com/threads/malware-samples-19-30-09-2019.95316/
Log
Click to expand...
Thanks for the Log. WD behavior blocking features did very well when blocking the malicious actions of SoundSysK.exe and remittance.jar . Even the autorun registry changes were blocked. (y)
The second malware is nasty:
app.any.run

Analysis remittance.jar (MD5: 79E1B51C470D6B34943FA9654C06D2B7) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
app.any.run app.any.run
 
  • Like
  • Applause
Reactions: [correlate], Gandalf_The_Grey, harlan4096 and 3 others
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
blueblackwow65 said:
Hi just wondering why is cpu load at scanning at 50% with high settings? Is this on demand scanning only? Not realtime?
Click to expand...

You can change it > lower number if desired. My guess it's for all scans and real-time, but that doesn't mean it always uses 50%. I imagine under stress when encountering malware e.g. testing, is when it will spike. :unsure: Those who have tested it could give a more accurate answer than mine.
 
  • Like
Reactions: [correlate], blackice, harlan4096 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
  • Like
Reactions: [correlate], Venustus, oldschool and 3 others
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,905
@Andy Ful: what about XLSTATSTART.exe? I got final verdict from KVirusDesk is clean, also appears as Trusted in KSN... :unsure: :unsure:

I've also tested with KTS2020d (defaults) and :

I've tested and triggers cmd.exe -> conhost.exe for about 1 second and auto terminates, it only left a 0 KB file... false positive??
 
  • Like
Reactions: [correlate], Venustus, Andy Ful and 2 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,090
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,224
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top