Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="ForgottenSeer 98186" data-source="post: 1032572"><p>Yes, IIRC the attack requires a reverse shell (e.g. via a weaponized document or an agent). That type of attack is thwarted easily by using SWH. Not really a threat to a home user - unless that home user is a member of the National Security Bureau (Polish: Biuro Bezpieczeństwa Narodowego, BBN) with data on their system that a nation state adversary wants.</p><p>IIRC this was how Morphisec bypassed CIG.</p><p>The injection can be easily thwarted again by preventing execution of common file types. SWH is going to prevent these sorts of attacks. I'm sure there are corner cases where such an attack could succeed, but realistically they are not much of a threat. So hardening the system against them is overkill for the unlikely instance of a system exploit or other clever attack.</p><p>Adding a bunch of processes to CIG is the exploit protection equivalent of adding 250 LOLBins to a block list. While both can be done at the home user level, it just is not necessary for a home user except in extreme circumstances (e.g. a home user lives in a nation that oppresses dissidents and they are being targeted by the government; think FinSpy).</p><p>It is always good info to know, just in case. Overall though, as you've previously stated, these sorts of configurations provide little additional protection.</p><p>My data collected from the field shows: svchost, explorer, taskhost and lsass (less commonly targeted now due to Microsoft's increased lsass memory protections).</p></blockquote>
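The post argues that putting a long list of processes under Code Integrity Guard (CIG, the "MicrosoftSignedOnly" Exploit Protection mitigation) is overkill, and names the injection hosts actually seen in the field: svchost, explorer, taskhost and lsass. The script below is an added example, not code from the post or from Hard_Configurator. It scopes CIG to exactly those four images, in audit mode first, previews which already-loaded DLLs are not Microsoft-signed (what enforcement would break), reads the resulting audit events, and only then offers the enforce step. Assumptions, marked in the comments too: the post's "taskhost" is `taskhostw.exe` (the Windows 10/11 binary name); the CIG flags appear under the `SignedBinaries` section of `Get-ProcessMitigation` output; and event IDs 11 (audit) and 12 (block) are the CIG entries in the `Security-Mitigations` logs, as I recall them from the Exploit protection reference. Run it from an elevated PowerShell 5.1 session on Windows 10 1709 or later.

```powershell
# Added example, not code from the post or from Hard_Configurator.
# Scope Code Integrity Guard (CIG = the MicrosoftSignedOnly process mitigation)
# to the injection hosts named in the post: audit first, preview breakage, then enforce.
# Run from an elevated PowerShell 5.1 on Windows 10 1709+ / Windows 11.

# Assumption: the post's "taskhost" is taskhostw.exe, the Windows 10/11 binary name.
$CigTargets = @('svchost.exe', 'explorer.exe', 'taskhostw.exe', 'lsass.exe')

function Enable-CigAudit {
    # Audit mode: non-Microsoft-signed image loads are logged, not blocked.
    param([string[]]$ProcessNames = $CigTargets)
    foreach ($name in $ProcessNames) {
        Set-ProcessMitigation -Name $name -Enable AuditMicrosoftSigned
    }
}

function Enable-CigEnforce {
    # Enforce: only Microsoft-signed images may load. AllowStoreSignedBinaries is the
    # second UI checkbox ("Also allow images signed by the Microsoft Store").
    param([string[]]$ProcessNames = $CigTargets)
    foreach ($name in $ProcessNames) {
        Set-ProcessMitigation -Name $name -Disable AuditMicrosoftSigned `
            -Enable MicrosoftSignedOnly, AllowStoreSignedBinaries
    }
}

function Get-CigState {
    # Assumption: the CIG flags live under the SignedBinaries section of
    # Get-ProcessMitigation output; confirm with: Get-ProcessMitigation -Name svchost.exe
    param([string[]]$ProcessNames = $CigTargets)
    foreach ($name in $ProcessNames) {
        $m = Get-ProcessMitigation -Name $name
        [pscustomobject]@{
            Process = $name
            Enforce = $m.SignedBinaries.MicrosoftSignedOnly
            Audit   = $m.SignedBinaries.AuditMicrosoftSigned
            Store   = $m.SignedBinaries.AllowStoreSignedBinaries
        }
    }
}

function Get-NonMicrosoftModules {
    # Preview what enforcement would break: DLLs already loaded into the target that
    # are not signed by Microsoft (third-party shell extensions in explorer.exe are the
    # usual finding). Heuristic only: CIG decides on the kernel's signing level, not on
    # the certificate subject string compared here.
    param([string]$ProcessName = 'explorer')
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Select-Object -ExpandProperty FileName -Unique |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            if ($signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{ Module = $_; Status = $sig.Status; Signer = $signer }
            }
        }
}

function Get-CigEvents {
    # Assumption: IDs 11 (audit) and 12 (block) are the CIG entries in the
    # Security-Mitigations logs per the Exploit protection reference; verify locally.
    param([int]$Hours = 24)
    foreach ($log in 'Microsoft-Windows-Security-Mitigations/KernelMode',
                     'Microsoft-Windows-Security-Mitigations/UserMode') {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Id        = 11, 12
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProcessId,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
    }
}

# Workflow: audit, use the machine normally for a while, review, then decide.
Enable-CigAudit
Get-CigState | Format-Table -AutoSize
Get-NonMicrosoftModules -ProcessName explorer | Format-Table -AutoSize
Get-CigEvents -Hours 24 | Format-Table -Wrap
# Only once the audit log is quiet for the processes you care about:
# Enable-CigEnforce
```

The preview step is where the post's "overkill" argument becomes concrete: on a typical home machine `Get-NonMicrosoftModules -ProcessName explorer` lists archiver, cloud-sync and antivirus shell extensions, every one of which enforced CIG would silently refuse to load. Two caveats a practitioner would want: with LSA Protection (RunAsPPL) enabled, lsass.exe already rejects plug-ins that are not Microsoft-signed, so CIG there is largely redundant, which matches the post's remark about lsass being targeted less; and none of this touches the delivery side (the weaponized document or agent that supplies the reverse shell), which is what the post credits SWH's block on common file types with stopping.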