Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 955890" data-attributes="member: 32260"><p>I posted an interesting article about Endpoint Detection and Response Systems against Advanced Persistent Threats.</p><p>[URL unfurl="true"]https://malwaretips.com/threads/endpoint-detection-and-response-systems-against-advanced-persistent-threats.109745/[/URL]</p><p></p><p>So here is a question: What would happen if a home user encountered such malware reused in widespread attacks?</p><p></p><p>The answer.</p><p>The attack method in the article starts with some spear-phishing emails that try to lure the target user into opening a file or following a link that will be used to compromise the victim’s host. The authors crafted some emails with links to cloud providers that lead to some custom malware. The malicious files were CPL, HTA, and EXE files, plus a DLL file (side-loading attack).</p><p>The execution of CPL, HTA, and EXE files will be blocked in the H_C Recommended Settings. The EXE file will also be blocked when executed via InstallBySmartScreen. Also, the DLL hijacking attack will be blocked when the attacker uses a legitimate EXE file which normally loads a DLL dropped into the same location (side-loading attack).</p><p></p><p>Is H_C better than EDR?</p><p>No.
In some cases, the Administrator could apply a Windows built-in setup similar to the H_C settings, but in most cases, such a setup would be too restrictive in the Enterprise Environment (too much work for Administrators). :) (y)</p><p>The second reason is that there are far more attack vectors in Enterprises. For example, the attacker could compromise one machine in the network and <span style="color: rgb(184, 49, 47)"><strong>gain high privileges</strong></span>. After dropping CPL, HTA, EXE, and DLL files into the "Program Files" folder on another machine, these files could be executed remotely without SRP blocks (the "Program Files" folder is whitelisted in the H_C settings).</p></blockquote><p></p>
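The post's last point rests on which folders the SRP policy treats as Unrestricted (whitelisted) and whether DLLs are checked at all. The script below is an added audit example, not Hard_Configurator's own code and not from the quoted post: it reads the machine-wide Software Restriction Policies configuration from the standard Safer\CodeIdentifiers registry location, prints the default level, the designated file types and every path rule, and warns about Unrestricted folders the running account can write to. It assumes SRP was configured via machine policy (the registry layout used below), that it is run from an elevated PowerShell prompt, and that the level key names 0, 131072 and 262144 map to Disallowed, Basic User and Unrestricted.

```powershell
# Added audit example (not H_C's own code). Assumes SRP is configured in machine
# policy under the standard Safer\CodeIdentifiers registry key and that the
# script runs elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Output 'SRP is not configured in machine policy.'
    return
}

# Security-level subkeys: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$cfg = Get-ItemProperty -Path $base

$default = if ($null -eq $cfg.DefaultLevel) { 'not set (Unrestricted)' } else { $levels[[int]$cfg.DefaultLevel] }
# TransparentEnabled: 1 = enforce for executables only, 2 = also enforce for DLLs
$dllMode = if ($cfg.TransparentEnabled -eq 2) { 'DLLs are checked too' } else { 'DLLs are NOT checked' }
# PolicyScope: 0 = all users, 1 = all users except local administrators
$scope = if ($cfg.PolicyScope -eq 1) { 'all users except administrators' } else { 'all users' }
Write-Output "Default security level: $default ($dllMode; applies to $scope)"
Write-Output ('Designated file types: ' + (($cfg.ExecutableTypes) -join ', '))

# Collect every path rule under each level key
$rules = foreach ($lvl in $levels.Keys) {
    $pathsKey = Join-Path $base "$lvl\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level = $levels[$lvl]
                Path  = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                Note  = $p.Description
            }
        }
    }
}

$rules | Sort-Object Level, Path | Format-Table -AutoSize

# A whitelisted folder that the current account can write to is exactly the gap
# the post describes: files dropped there run without an SRP block. The probe
# file is created empty and removed immediately.
foreach ($r in $rules | Where-Object { $_.Level -eq 'Unrestricted' }) {
    if (Test-Path -LiteralPath $r.Path -PathType Container) {
        try {
            $probe = Join-Path $r.Path ([IO.Path]::GetRandomFileName())
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            Write-Warning "Unrestricted AND writable by this account: $($r.Path)"
        } catch {
            # not writable by this account: nothing to report
        }
    }
}
```

Run it once from an elevated prompt (where the Program Files warning is expected, since administrators can write there) and once from a standard user prompt; the second run is the one that matters for the home-user scenario, because any Unrestricted folder that shows up as writable there is a location where a dropped CPL, HTA, EXE or side-loaded DLL would not be stopped by the path rules.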