New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Won't unticking powershell in guarded apps disable Appguard's protection for Powershell?
The guarded apps list overrides the user space list. As Andy already mentioned, the user space list is stricter -- it blocks totally.
So if you have something ticked on both lists, the guarded apps list wins, and you get weaker protection.
 

shmu26

Thanks @Andy Ful and @shmu26 for clearing my doubts about Appguard settings. I'm still using version 4 since I have a lifetime licence. I had some queries regarding AppGuard but can't seem to find the AppGuard section here at MT.
Yes, it seems like that section disappeared. The Appguard rep who provided support on that thread is no longer a member of the forum. But there are still some experienced Appguard users around who can answer questions.
 

ForgottenSeer 69673

Add bitsadmin.exe and the Interpreters from C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Look at the AppGuard log to check whether those rules block something safe.
You should also block opening the shortcuts from the Download folder in all user profiles.(y)

Andy does your wild card cover both sys32 and syswow64 for version 4 too? I think it does but not completely sure. Also I have c:\windows\*\reg.exe added to user space as well as c:\windows\*\at.exe.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
Andy does your wild card cover both sys32 and syswow64 for version 4 too? I think it does but not completely sure. Also I have c:\windows\*\reg.exe added to user space as well as c:\windows\*\at.exe.
Yes.(y)
You can check if your rules work by trying to run any of those executables and next looking at the AppGuard log.
 

ForgottenSeer 69673

Not sure why but the forum doesn't show my asterisk, but I also have c:\windows\*\schtasks.exe added to user space.
 

shmu26

Also I have c:\windows\*\reg.exe added to user space as well as c:\windows\*\at.exe.
That is standard for Appguard. It's good, leave it that way.

By the way, whenever you add something to the user space list, make sure it is set to be included. Because every item on the user space list can be toggled to included or excluded. If you want it blocked, it should be included. Forgetting to check this is among the most common errors in Appguard configuration.
 
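The three rule behaviours discussed above (a User Space entry blocks outright, a Guarded Apps entry wins when an executable is on both lists, the `*` wildcard covering System32 and SysWOW64, and the included/excluded toggle) as an added example that is not from the thread or from AppGuard itself: a hypothetical Python model of those semantics with an audit for the two mistakes mentioned. The `Policy` class, the sample rule set and the "excluded means not enforced" reading are my assumptions.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed model of the list semantics the thread describes (hypothetical code,
# not AppGuard's): a User Space entry blocks the executable outright, a Guarded Apps
# entry runs it with reduced rights, and when both match, Guarded Apps wins (weaker).
# Assumption: a User Space entry toggled to "excluded" is simply not enforced.

def _norm(p: str) -> str:
    """Windows paths are case-insensitive; normalise slashes and case."""
    return p.replace("/", "\\").lower()

def path_matches(rule: str, exe_path: str) -> bool:
    """'*' spans any number of folders, so c:\\Windows\\*\\wscript.exe covers
    System32, SysWOW64 and deeper paths such as WindowsPowerShell\\v1.0."""
    return fnmatch.fnmatchcase(_norm(exe_path), _norm(rule))

@dataclass
class Policy:
    user_space: dict = field(default_factory=dict)  # rule -> True (included) / False
    guarded_apps: set = field(default_factory=set)

    def decide(self, exe_path: str) -> str:
        """Outcome of launching exe_path: 'guarded', 'blocked' or 'allowed'."""
        if any(path_matches(r, exe_path) for r in self.guarded_apps):
            return "guarded"  # Guarded Apps overrides a matching User Space entry
        if any(path_matches(r, exe_path) for r, inc in self.user_space.items() if inc):
            return "blocked"
        return "allowed"

    def audit(self) -> list:
        """Flag the two configuration mistakes raised in the thread."""
        guarded = {_norm(g) for g in self.guarded_apps}
        findings = []
        for rule, included in self.user_space.items():
            if not included:
                findings.append(f"not included, will not block: {rule}")
            if _norm(rule) in guarded:
                findings.append(f"also in Guarded Apps, weaker protection: {rule}")
        return findings

# Constructed sample: the thread's interpreter list plus reg.exe and at.exe, with
# powershell.exe still ticked in Guarded Apps and schtasks.exe added but excluded.
LOLBINS = ["bitsadmin", "powershell", "powershell_ise", "wscript", "cscript",
           "mshta", "hh", "wmic", "scrcons", "reg", "at"]
SAMPLE = Policy(
    user_space={**{f"c:\\Windows\\*\\{n}.exe": True for n in LOLBINS},
                "c:\\Windows\\*\\schtasks.exe": False},
    guarded_apps={"c:\\Windows\\*\\powershell.exe"},
)
```

Calling `SAMPLE.decide()` on a few System32 and SysWOW64 paths reproduces what the AppGuard log would show for Andy's test of launching the listed executables, and `SAMPLE.audit()` lists the entries that would not give the protection the user expects.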

ForgottenSeer 69673

That is standard for Appguard. It's good, leave it that way.

By the way, whenever you add something to the user space list, make sure it is set to be included. Because every item on the user space list can be toggled to included or excluded. If you want it blocked, it should be included. Forgetting to check this is among the most common errors in Appguard configuration.
Not sure what you are saying, but my user space list is set to included, yes. Is that what you mean? Version 4 doesn't allow you to toggle between the two.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Add bitsadmin.exe and the Interpreters from C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Look at the AppGuard log to check whether those rules block something safe.
You should also block opening the shortcuts from the Download folder in all user profiles.(y)
Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.
 

shmu26

Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.
There is a very long list of LOLBins, i.e., processes that can be abused. It is sufficient to block the main ones, which are commonly used to run scripts and/or download payloads. If you block everything that can be abused, you will end up with a headache and an unusable computer.
 

Andy Ful

From Hard_Configurator Tools
Can regsvr32 be added in this list? Recently I've read somewhere that regsvr32 can also be used by malware.
If I remember correctly, AppGuard blocks executables in the User Space even when they are going to run with Administrator rights, so administrative tasks cannot use them. Such executables as rundll32.exe or regsvr32.exe are commonly used by the system and some user applications, so it is not recommended to block them.
 
