Hot Take Password Managers Auto-filled Credentials on Untrusted sites

[Andrezj]

For me it wouldn't work, besides AV you would have to overcome the last of defenses.

Spoiler

View attachment 272547

it is blocking output of keylogger.txt file, not sure as it is drive D:\ and you configured user temp directories there
but if it was allowed to write it, then you would find nothing but jibberish in the text file because spyshelter obfuscates the keystrokes
spyshelter alwasy stopped such script based keyloggers, scrambled keystrokes

spyshelter

 

[Andrezj]

here is another simple test, everybody thinks about keyloggers capturing keystrokes, but malware can send its own keystroke output to programs and anti-keylogger will not protect against it (iirc spyshelter prevented it, it was the only one)

1. launch notepad
2. open powershell
3. copy-pasta this command chain: $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('Notepad'); $wshell.SendKeys('Hello World')
4. Enter

Hello World will appear in open notepad
this can be programmed to be hidden\not visible and manipulate system, and not stopped by amsi

 

[piquiteco]

it is blocking output of keylogger.txt file, not sure as it is drive D:\ and you configured user temp directories there

No, D:\ isn't the temporary files directory, spyshelter is crazy, and because I set it read-only.

spyshelter alwasy stopped such script based keyloggers, scrambled keystrokes

spyshelter

Yes, you already know, I just ask you nicely not to post any more commands, being Powershell, CMD, because it might violate the Forum Rules. I know you are knowledgeable and well-informed, you don't need to prove it in practice, if there is a moderator here who is going to get a tug-of-war it will end up being me.

 

[Andrezj]

No, D:\ isn't the temporary files directory, spyshelter is crazy, and because I set it read-only.

Yes, you already know it, I just ask you not to post any more commands being powershell, CMD, because it might violate the Forum Rules.

none of it is malicous
i mean pointing out how powershell legitimately works, and amsi does not work, should not be a forum violations
the one-line snippets i post would need hundreds of lines of additional code to turn into a problem, and then again it is the same type of thing hosted on github for public availability

powershell is a wonderful tool while at the same time potentially being turned into a real monster
anybody that does not need it for regular usage should block it globally - even microsoft says so
i think if microsoft had to do it all over again, knowing what it knows now about powershell, it would have incorporated a lot more security into it and windows

 

[piquiteco]

none of it is malicous
i mean pointing out how powershell legitimately works, and amsi does not work, should not be a forum violations
the one-line snippets i post would need hundreds of lines of additional code to turn into a problem, and then again it is the same type of thing hosted on github for public availability

Yes, I know, it's just that I'm cautious, suddenly a moderator comes along, can give me a hard time, thinking it was intentional, the problem is that everything posted here becomes public.

powershell is a wonderful tool while at the same time potentially being turned into a real monster
anybody that does not need it for regular usage should block it globally - even microsoft says so
i think if microsoft had to do it all over again, knowing what it knows now about powershell, it would have incorporated a lot more security into it and windows

Yes, it is very powerful, and used and abused by many hackers who create fileless malware, it should be blocked by default.

 

[piquiteco]

here is another simple test, everybody thinks about keyloggers capturing keystrokes, but malware can send its own keystroke output to programs and anti-keylogger will not protect against it (iirc spyshelter prevented it, it was the only one)

I knew what it was called, I don't remember the name anymore, when they create a malware, I will use the word camouflage the file to not be detected by security solutions. They send it to virustotal and other paid websites until no security solutions detect it, then they test and choose a target, after the first victim, then if it is created to exploit a vulnerability then it is gone, then like a domino effect, the malware proliferates. One hour it will be stopped, because many AV start to detect by the erratic behavior of the malware. You with F-secure I thinking here I need to install here, or for someone here at home my license of almost 4 years I am not using, I also like FS.

 

[Andrezj]

Yes, I know, it's just that I'm cautious, suddenly a moderator comes along, can give me a hard time, thinking it was intentional, the problem is that everything posted here becomes public.

Write-Host -BackgroundColor Red -ForegroundColor White "Stupid is as stupid does." -- Gump

public github has hundreds, maybe thousands, of malicious code repos

 

[piquiteco]

public github has hundreds, maybe thousands, of malicious code repos

And don't they remove it? or are there too many of them that can't investigate?

 

[Andrezj]

And don't they remove it? or are there too many of them that can't investigate?

most of the malicious code published on github is done by researchers and pentesters
the code is public precisely because it is meant to be open source
if github finds malicious code posted by some dark horse, then they'll delete it

there is even malware hosting (repos) on github, they do not get taken down
it depends upon who the git belongs to and for what purpose it is done

 

[n8chavez]

Maybe I'm dumb, but couldn't this whole exploit be avoided by using something that restricts application/script execution? I mean, slap on Voodooshield for the paranoid and you're good to go. If the PS script cannot run nothing can be exported.

 

[piquiteco]

Maybe I'm dumb, but couldn't this whole exploit be avoided by using something that restricts application/script execution? I mean, slap on Voodooshield for the paranoid and you're good to go. If the PS script cannot run nothing can be exported.

All the scripts were blocked by Hard_Configurator when @Andrezj posted I had unblocked them, but even so, I wasn't getting anywhere.

 

[n8chavez]

All the scripts were blocked by Hard_Configurator when @Andrezj posted I had unblocked them, but even so, I wasn't getting anywhere.

Except, as I understand it, Hard_Configurator won't run on Win11 22h2. And, it looks like that project might be dead.

 

[piquiteco]

Except, as I understand it, Hard_Configurator won't run on Win11 22h2. And, it looks like that project might be dead.

I'm running Windows 10 with Hard_Configurator, I haven't used Windows 11 so far so I can't say it works, according to the developer @Andy Ful he doesn't recommend using Hard_Configurator on W11 more specifically version 22h2.