Hot Take Password Managers Auto-filled Credentials on Untrusted sites

Andrezj

Nov 21, 2022
For me it wouldn't work; besides AV, you would have to overcome the last line of defenses. (y)
It is blocking the output of the keylogger.txt file; not sure, as it is drive D:\ and you configured user temp directories there.
But if it were allowed to write it, you would find nothing but gibberish in the text file, because SpyShelter obfuscates the keystrokes.
SpyShelter always stopped such script-based keyloggers; it scrambled the keystrokes.

SpyShelter (y)

Andrezj

Nov 21, 2022
Here is another simple test. Everybody thinks about keyloggers capturing keystrokes, but malware can send its own keystroke output to programs, and an anti-keylogger will not protect against it (IIRC SpyShelter prevented it; it was the only one).

1. Launch Notepad.
2. Open PowerShell.
3. Copy-paste this command chain: $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('Notepad'); $wshell.SendKeys('Hello World')
4. Press Enter.

Hello World will appear in the open Notepad window.
This can be programmed to be hidden/not visible and to manipulate the system, and it is not stopped by AMSI.

piquiteco

Oct 16, 2022
It is blocking the output of the keylogger.txt file; not sure, as it is drive D:\ and you configured user temp directories there.
No, D:\ isn't the temporary files directory; SpyShelter is crazy, and it's because I set it read-only.
SpyShelter always stopped such script-based keyloggers; it scrambled the keystrokes.

SpyShelter (y)
Yes, you already know. I just ask you nicely not to post any more commands, be they PowerShell or CMD, because it might violate the Forum Rules. (y) I know you are knowledgeable and well-informed; you don't need to prove it in practice. If there is a moderator here who is going to get into a tug-of-war, it will end up being me. :oops:

Andrezj

Nov 21, 2022
No, D:\ isn't the temporary files directory; SpyShelter is crazy, and it's because I set it read-only.

Yes, you already know it. I just ask you not to post any more commands, be they PowerShell or CMD, because it might violate the Forum Rules. (y)
None of it is malicious.
I mean, pointing out how PowerShell legitimately works, and how AMSI does not work, should not be a forum violation.
The one-line snippets I post would need hundreds of lines of additional code to turn into a problem, and then again it is the same type of thing hosted on GitHub for public availability.

PowerShell is a wonderful tool while at the same time potentially being turned into a real monster.
Anybody that does not need it for regular usage should block it globally; even Microsoft says so.
I think if Microsoft had to do it all over again, knowing what it knows now about PowerShell, it would have incorporated a lot more security into it and Windows.

piquiteco

Oct 16, 2022
None of it is malicious.
I mean, pointing out how PowerShell legitimately works, and how AMSI does not work, should not be a forum violation.
The one-line snippets I post would need hundreds of lines of additional code to turn into a problem, and then again it is the same type of thing hosted on GitHub for public availability.
Yes, I know; it's just that I'm cautious. Suddenly a moderator comes along and can give me a hard time, thinking it was intentional. The problem is that everything posted here becomes public.
PowerShell is a wonderful tool while at the same time potentially being turned into a real monster.
Anybody that does not need it for regular usage should block it globally; even Microsoft says so.
I think if Microsoft had to do it all over again, knowing what it knows now about PowerShell, it would have incorporated a lot more security into it and Windows.
Yes, it is very powerful, and used and abused by many hackers who create fileless malware; it should be blocked by default.

piquiteco

Oct 16, 2022
Here is another simple test. Everybody thinks about keyloggers capturing keystrokes, but malware can send its own keystroke output to programs, and an anti-keylogger will not protect against it (IIRC SpyShelter prevented it; it was the only one).
I knew what it was called; I don't remember the name anymore. When they create a malware, I will use the word "camouflage": they camouflage the file so it is not detected by security solutions. They send it to VirusTotal and other paid websites until no security solutions detect it, then they test and choose a target. After the first victim, if it is created to exploit a vulnerability, then it is gone; then, like a domino effect, the malware proliferates. One hour it will be stopped, because many AVs start to detect it by the erratic behavior of the malware. You with F-Secure... I'm thinking here that I need to install it here, or for someone here at home, since I am not using my license of almost 4 years; I also like FS.

Andrezj

Nov 21, 2022
Yes, I know; it's just that I'm cautious. Suddenly a moderator comes along and can give me a hard time, thinking it was intentional. The problem is that everything posted here becomes public.
Write-Host -BackgroundColor Red -ForegroundColor White "Stupid is as stupid does." -- Gump

Public GitHub has hundreds, maybe thousands, of malicious code repos.

Andrezj

Nov 21, 2022
And don't they remove it? Or are there too many of them that they can't investigate?
Most of the malicious code published on GitHub is done by researchers and pentesters.
The code is public precisely because it is meant to be open source.
If GitHub finds malicious code posted by some dark horse, then they'll delete it.

There is even malware hosting (repos) on GitHub; they do not get taken down.
It depends upon who the git belongs to and for what purpose it is done.

n8chavez

Feb 26, 2021
Maybe I'm dumb, but couldn't this whole exploit be avoided by using something that restricts application/script execution? I mean, slap on VoodooShield for the paranoid and you're good to go. If the PS script cannot run, nothing can be exported.

piquiteco

Oct 16, 2022
Maybe I'm dumb, but couldn't this whole exploit be avoided by using something that restricts application/script execution? I mean, slap on VoodooShield for the paranoid and you're good to go. If the PS script cannot run, nothing can be exported.
All the scripts were blocked by Hard_Configurator; when @Andrezj posted, I had unblocked them, but even so, I wasn't getting anywhere.

piquiteco

Oct 16, 2022
Except, as I understand it, Hard_Configurator won't run on Win11 22H2. And it looks like that project might be dead.
I'm running Windows 10 with Hard_Configurator; I haven't used Windows 11 so far, so I can't say whether it works. According to the developer @Andy Ful, he doesn't recommend using Hard_Configurator on W11, more specifically version 22H2.
