Now you see me: Exposing fileless malware

Status
Not open for further replies.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
You forgot about DDE in MS Office.:)
Thanks. I somehow thought it was patched, I guess I confused this exploit with another one that was patched.
But it's really cat and mouse, because the bad actors will just keep on finding new ways. So protection is needed, otherwise you end up behind the eight-ball, as Lockdown says.
 
  • Like
Reactions: AtlBo and Andy Ful

Daviworld

Level 2
Verified
Feb 19, 2018
60
God window's so terrible with security, I know no OS is immune to exploit's, but I rather stick my stock with Linux. Hoping to make a full switch to Linux by the end of 2018 :x
 
  • Like
Reactions: AtlBo

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
God window's so terrible with security, I know no OS is immune to exploit's, but I rather stick my stock with Linux. Hoping to make a full switch to Linux by the end of 2018 :x
If you are skilled enough to switch to linux, you are surely skilled enough to stay safe and sound on windows...
 
  • Like
Reactions: AtlBo

ParaXY

Level 6
Verified
Mar 14, 2017
273
If you are skilled enough to switch to linux, you are surely skilled enough to stay safe and sound on windows...

It's funny because my brother in law (falsely) believes his beloved Apple is super secure compared to Windows and that he can't get infected with anything. Ironically they replaced it with a Windows 10 PC so I have now set them up with an SUA account and a PIN to login with.

I keep saying to people that say the above to me with the following: If you use the built in security features of Windows you're 90% to staying secure. The other 10% is using common sense and maybe purchasing some security software.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
What happens if you block only the dll, not powershell.exe?
It looks to me like it is behaving similar to when powershell runs as a guarded app. (Appguard)
 

ParaXY

Level 6
Verified
Mar 14, 2017
273
What happens if you block only the dll, not powershell.exe?
It looks to me like it is behaving similar to when powershell runs as a guarded app. (Appguard)

Thats a good question. I have the following set in Guarded Apps but I can't remember why:

upload_2018-2-27_17-7-32.png
 
  • Like
Reactions: AtlBo and shmu26

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Hi,
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution(Execution Policy: Allow only signed scripts)
What is signed script?Should I enable this policy for better protection?
 
  • Like
Reactions: AtlBo and shmu26
5

509322

Speaking of this, what are the general thoughts on blocking system.management.automation.ni.dll as well?

It has been a while since specific testing, but I recall some targeted C# PowerShell bypass executables which from my understanding would dynamically create this system.management.automation.ni.dll module as a means of its bypass technique.

For example, in the Excubits command line rules, I would typically block something such as "*>*system.management.automation*.dll*" to cover for this. But I was wondering other users thoughts specifically on system.management.automation.ni.dll. Both PowerShell and .NET are areas in which I have less experience with but I am playing catch up with now due to the relevance of these possible attack vectors.


By the way, I am really enjoying and appreciating the great activity and participation level of this forum. It has taken me some time to get warmed up here but I am enjoying it.

That is why I recommend blocking *system.management.automation* because I have no idea of what mess Microsoft has gotten us into and at the same time I do not have the time nor inclination to go on a web expedition to discover what other bypasses are possible. "Security begins with knowledge" is true - and I am all for knowledge - but amassing a 1000 page notebook of bypasses is a bit much. In fact that thought annoys even me.
 
Last edited by a moderator:
5

509322

I did not say it (see the red fragment). I said that SRP with DLL checking breaks Edge.:)
If you know how to disable this DLL using Windows features I would be grateful. (y)
I also did not say that blocking it will break Windows. Personally, I like the blocking idea.
Anyone can see PROS and CONS from my previous post and decide which to choose.

I misunderstood.
 
5

509322

I am not surprised, it is always very probable because of my Polish-English.:)

It's not your English. Your English is very good.

It is these online communications. When I read online posts, I can read them 5 times and each time they can be interpreted 5 different ways. :unsure: So I have to figure out what I think the person making the post meant. That is the HUGE problem with online communications - they are not normal human conversations.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thats a good question. I have the following set in Guarded Apps but I can't remember why:

View attachment 181114
So let me guess: you have powershell and cmd in the user space list, and you want them blocked.
So that's why you unticked them in guarded apps. Because guarded apps overrides the user space restrictions. So you needed to untick them, otherwise they will run as guarded apps (as per default appguard settings)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hi,
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution(Execution Policy: Allow only signed scripts)
What is signed script?Should I enable this policy for better protection?
Just like there are signed exe files, so there are signed scripts.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Yes but I think its a bit different with that digital sign.
Andy Ful don't you want to tell me what is this policy?and will it block all kind of PowerShell attacks or no?
 
  • Like
Reactions: AtlBo and shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think that policy only applies to running actual PS script files. It will not block embedded code.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
It's not your English. Your English is very good.

It is these online communications. When I read online posts, I can read them 5 times and each time they can be interpreted 5 different ways. :unsure: So I have to figure out what I think the person making the post meant. That is the HUGE problem with online communications - they are not normal human conversations.
Yes, I usually have the same problem.
 
  • Like
Reactions: AtlBo and shmu26

ParaXY

Level 6
Verified
Mar 14, 2017
273
So let me guess: you have powershell and cmd in the user space list, and you want them blocked.
So that's why you unticked them in guarded apps. Because guarded apps overrides the user space restrictions. So you needed to untick them, otherwise they will run as guarded apps (as per default appguard settings)

You hit the nail on the head, thanks!

I'm curious, is it a good idea to block flash.ocx (Adobe Flash) in AppGuard since this runs in system space?
 
  • Like
Reactions: AtlBo and shmu26
D

Deleted member 65228

I'm curious, is it a good idea to block flash.ocx (Adobe Flash) in AppGuard since this runs in system space?
A good idea would be to uninstall Adobe Flash altogether.

An even better idea would be to uninstall Adobe Flash, and if you have it, uninstall it. (y)

I had use Java for a few months but apart from that period I had neither installed on my system for many, many years... without any issues. As for Adobe Flash, it's all about HTML5 now; Adobe Flash was replaced in the modern world with something faster, a lot more efficient and safer - this is why malware authors stopped targeting Adobe Flash like they were before, because it was starting to become more and more less prevalent due to HTML5.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top