Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 834322" data-attributes="member: 32260"><p><strong>H_C and fileless malware - an example.</strong></p><p></p><p>Here is the infection chain of the Astaroth variant attack:</p><p>[ATTACH=full]224550[/ATTACH]</p><p></p><p>The malware link on <strong>stage 1</strong> can be blocked by WD Network protection, but not if it is never-seen malware. So the ZIP archive would probably be downloaded and the user would run the shortcut (LNK file) from this archive. But generally, shortcuts in H_C default-deny settings are blocked in UserSpace and this will stop the attack.</p><p>Let's suppose that we have another variant without an intermediate LNK file. So, the user will run the BAT file instead. This will also be blocked, because BAT scripts are blocked in UserSpace.</p><p></p><p>We can imagine that another attack variant could somehow get to <strong>stage 2 (or 3)</strong> and WMIC is run. This will be stopped either when H_C's enhanced profile is applied or <Recommended H_C> outbound block rules in FirewallHardening are applied.</p><p>The WMIC command will also be blocked if ConfigureDefender MAX Protection Level is applied.</p><p></p><p>At <strong>stage 4</strong>, the attack can be blocked when H_C's enhanced profile is applied, which blocks running Bitsadmin.exe. It should be remembered that downloading by Bitsadmin.exe cannot be blocked via outbound firewall rules.</p><p></p><p>At a <strong>later stage</strong>, H_C could break the infection chain via custom settings by blocking Regsvr32.exe or Certutil.exe.</p><p></p><p>Anyway, blocking sponsors (Wmic.exe, Bitsadmin.exe, Certutil.exe, Regsvr32.exe) is usually not necessary because in most cases the infection chain can be broken by blocking shortcuts or scripts.</p><p></p><p>[URL unfurl="true"]https://www.techrepublic.com/article/what-is-fileless-malware-and-how-do-you-protect-against-it/[/URL]</p></blockquote><p></p>
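The post above relies on outbound firewall block rules for the "sponsor" binaries (wmic.exe, certutil.exe, regsvr32.exe) to cut the download stages of the chain, and notes that the same trick does not work for bitsadmin.exe. The following PowerShell is an added example written for this page; it is not Hard_Configurator's or FirewallHardening's own code, and the rule group name and rule naming scheme are assumptions chosen for the example. It creates per-program outbound Block rules for the sponsors the post names and then audits the live firewall configuration to confirm each sponsor path is actually covered by an enabled outbound Block rule. Bitsadmin.exe is deliberately left out of the rule set: bitsadmin.exe only queues a BITS job, and the transfer itself is performed by the BITS service inside svchost.exe, so a per-program rule on bitsadmin.exe never matches the download traffic, which is exactly the caveat the post makes. Run from an elevated PowerShell session on 64-bit Windows.

```powershell
# Added example, not part of Hard_Configurator / FirewallHardening.
# Group and rule names below are assumptions for this example.
$Group    = 'Example LOLBin outbound block'
$Sponsors = @('wmic.exe', 'certutil.exe', 'regsvr32.exe')
# bitsadmin.exe is intentionally absent: the BITS service (svchost.exe) does the
# actual download, so an outbound rule on bitsadmin.exe would not block it.

function Get-SponsorPaths {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # On 64-bit Windows each sponsor exists in System32 and SysWOW64; a rule on
        # one path does not cover the other copy, so both are enumerated.
        foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
            $p = Join-Path $dir $n
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{ Name = $n; Path = $p }
            }
        }
    }
}

function Add-SponsorBlockRules {
    foreach ($s in (Get-SponsorPaths -Names $Sponsors)) {
        $arch     = Split-Path (Split-Path $s.Path -Parent) -Leaf   # System32 or SysWOW64
        $ruleName = "$Group - $($s.Name) ($arch)"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Group $Group `
                -Direction Outbound -Action Block -Program $s.Path `
                -Profile Any -Enabled True | Out-Null
            Write-Host "Created: $ruleName"
        } else {
            Write-Host "Exists:  $ruleName"
        }
    }
}

function Test-SponsorBlockRules {
    # Audit: for every sponsor path, report whether ANY enabled outbound Block rule
    # targets that program (not only the rules this script created).
    $blocked = @{}
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $app = $r | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            # Rule programs may be stored with %SystemRoot%-style variables; normalise.
            $full = [Environment]::ExpandEnvironmentVariables($app.Program).ToLowerInvariant()
            $blocked[$full] = $r.DisplayName
        }
    }
    foreach ($s in (Get-SponsorPaths -Names $Sponsors)) {
        $key = $s.Path.ToLowerInvariant()
        [pscustomobject]@{
            Path    = $s.Path
            Blocked = $blocked.ContainsKey($key)
            Rule    = if ($blocked.ContainsKey($key)) { $blocked[$key] } else { '' }
        }
    }
}

function Remove-SponsorBlockRules {
    # Undo helper so the example can be cleaned up after testing.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Add-SponsorBlockRules
Test-SponsorBlockRules | Format-Table -AutoSize
```

After running it, any sponsor row with Blocked = False means a copy of that binary could still reach the network; a quick functional check is to run a command from the affected path that needs outbound access (for example a certutil.exe -urlcache download against a test server you control) and confirm it fails. Remove-SponsorBlockRules deletes only the rules in the example's own group, so it will not touch rules created by FirewallHardening.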