Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 909065" data-attributes="member: 32260"><p>Such LOLBins are used by scripting, shortcuts, or when the attacker uses a file with active content (like .chm). So, it is not a problem for H_C settings. These methods and generally LOLBins can be a problem for AVs on default settings that allow running scripts, shortcuts, and files with active content. They have to block the malware on the second or later infection chain. This is much harder, because there are many more things to consider.</p><p>It is similar to the fight against the virus (like COVID-19). If you can quickly isolate the first infected person, then you will avoid much effort to recognize and quarantine tens of other people on the infection tree.</p><p>Of course, the H_C setup is not magic, but only a smart-default-deny. One has to sacrifice some convenience for security. :)</p><p></p><p>Edit1.</p><p>As it was mentioned in the article, this LOLBin can be used to bypass such strong enterprise security as WD Application Control (WDAC), if not properly configured. Unfortunately, WDAC (and AppLocker) cannot block shortcuts and files with active content (like .chm, etc.). So, one <s>has to</s> can block LOLBins by adding custom rules.</p><p>The same is true for most setups based on SRP, because users commonly allow shortcuts (and DLLs).</p><p></p><p>Edit2.</p><p>I tested this LOLBin against WDAC. Although it can be bypassed in some WDAC settings, this will not happen if WDAC is properly configured even <strong>without blocking any LOLBin</strong>. Simply, the WDAC default-deny setup will block the malicious DLL (Id 3077) like in the below example:</p><p></p><p>"<em>Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\wuauclt.exe) attempted to load \Device\HarddiskVolume4\Users\reflective_dll.x64.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}).</em>"</p></blockquote><p></p>
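<p>The quoted Code Integrity event (ID 3077) is the artefact a defender can actually monitor for: WDAC refusing a load tells you which OS binary tried to pull in which image, and from where. The following is an added example, not code from the post or from Hard_Configurator, that parses event 3077 message text in the wording quoted above and ranks the blocks. The first sample line is the message from the post; the other two lines, the <code>ExampleApp</code> paths, the all-zero policy GUID and the high/medium/low ranking are constructed assumptions for illustration.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message text of a Microsoft-Windows-CodeIntegrity/Operational event 3077
# (enforced-mode block), in the wording quoted in the post above.
EVENT_3077_RE = re.compile(
    r"Code Integrity determined that a process \((?P<process>[^)]+)\) attempted to load "
    r"(?P<file>.+?) that did not meet the (?P<level>.+?) signing level requirements "
    r"or violated code integrity policy \(Policy ID:\{(?P<policy>[0-9a-fA-F-]+)\}\)"
)


@dataclass
class CiBlock:
    """One parsed Code Integrity block event."""
    process: str    # NT path of the process that attempted the load
    file: str       # NT path of the image that was refused
    level: str      # signing level named in the message, e.g. "Enterprise"
    policy_id: str  # GUID of the WDAC policy that refused the load

    @property
    def process_name(self) -> str:
        return self.process.rsplit("\\", 1)[-1].lower()

    @property
    def process_in_system32(self) -> bool:
        # The loader is an OS-shipped binary under \Windows\System32.
        return "\\windows\\system32\\" in self.process.lower()

    @property
    def file_in_user_profile(self) -> bool:
        # The refused image lives under a Users\ directory, i.e. somewhere
        # a standard user account can write.
        return "\\users\\" in self.file.lower()


def parse_3077(message: str) -> Optional[CiBlock]:
    """Return the parsed event, or None if the text is not a 3077 message."""
    m = EVENT_3077_RE.search(message)
    if m is None:
        return None
    return CiBlock(m["process"], m["file"], m["level"], m["policy"])


def severity(block: CiBlock) -> str:
    """Constructed triage heuristic (an assumption, not a Microsoft rule):
    an OS binary pulling an image out of a user profile is exactly the
    pattern the post describes, so it is ranked above other blocks."""
    if block.process_in_system32 and block.file_in_user_profile:
        return "high"
    if block.file_in_user_profile:
        return "medium"
    return "low"


def triage(messages: List[str]) -> List[dict]:
    """Parse every line, drop non-3077 text, and rank the blocks."""
    findings = []
    for line in messages:
        block = parse_3077(line)
        if block is None:
            continue
        findings.append({
            "process": block.process_name,
            "file": block.file,
            "policy_id": block.policy_id,
            "severity": severity(block),
        })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])  # highest first
    return findings


# Constructed sample input. The first line is the message quoted in the post;
# the second is a made-up block of a vendor DLL under Program Files, and the
# third is an unrelated log line that must be ignored.
SAMPLE_MESSAGES = [
    "Code Integrity determined that a process (\\Device\\HarddiskVolume2\\Windows\\System32\\wuauclt.exe) "
    "attempted to load \\Device\\HarddiskVolume4\\Users\\reflective_dll.x64.dll that did not meet the "
    "Enterprise signing level requirements or violated code integrity policy "
    "(Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}).",
    "Code Integrity determined that a process (\\Device\\HarddiskVolume2\\Program Files\\ExampleApp\\app.exe) "
    "attempted to load \\Device\\HarddiskVolume2\\Program Files\\ExampleApp\\helper.dll that did not meet the "
    "Enterprise signing level requirements or violated code integrity policy "
    "(Policy ID:{00000000-0000-0000-0000-000000000000}).",
    "Service Control Manager: The Windows Update service entered the running state.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

<p>In practice the message strings would come from the CodeIntegrity/Operational log rather than the constructed list; the parser is deliberately anchored on the full sentence so that audit-mode variants or unrelated events are not mistaken for enforced blocks.</p>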