Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 1066165" data-attributes="member: 32260"><p><strong>The report lacks some important details, so I assumed the techniques mostly used in attacks via the Internet. So, all attacks require user interaction to run the dropped file. Additional information:</strong></p>
<ol>
<li data-xf-list-type="ol">Flash drive ---> ZIP ---> ISO ---> EXE<br /> Not blocked in default settings, except when the user opens files from flash drives via <strong><span style="color: rgb(41, 105, 176)">"Run By SmartScreen"</span></strong> (as recommended in the SWH documentation).<br /> Such attacks can also be prevented by adding the ISO extension to SRP or using the "Paranoid extensions" option in SWH. But this can only work if ISO files are opened by a dedicated application like PowerISO, 7-Zip, etc.<br /> To prevent other popular variants, one has to also add such extensions as IMG, VHD, and VHDX (included in "Paranoid extensions").</li>
<li data-xf-list-type="ol">Flash drive ---> JS<br /> Blocked by default.</li>
<li data-xf-list-type="ol">Flash drive ---> CPL<br /> Blocked by default.</li>
<li data-xf-list-type="ol">JS dropped and executed<br /> Blocked by default.</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> EXE<br /> If the EXE file is dropped via a web browser, it will be blocked by <strong><span style="color: rgb(0, 168, 133)">SmartScreen for Explorer</span></strong><span style="color: rgb(0, 168, 133)">.</span><br /> If the file is dropped via an email client, it will be blocked by SWH.</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> JS<br /> Blocked by default.</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> EXE<br /> If the EXE file is dropped via a web browser, it will be blocked by <span style="color: rgb(0, 168, 133)"><strong>SmartScreen for Explorer</strong></span>.<br /> If the file is dropped via an email client, it will be blocked by SWH.</li>
<li data-xf-list-type="ol">Spearphishing Link ---> MSI<br /> Blocked by <span style="color: rgb(0, 168, 133)"><strong>SmartScreen for Explorer</strong></span>.</li>
<li data-xf-list-type="ol">Spearphishing Link ---> EXE<br /> Blocked by <span style="color: rgb(0, 168, 133)"><strong>SmartScreen for Explorer</strong></span>.</li>
<li data-xf-list-type="ol">Spearphishing Link ---> Office document ---> patching AMSI (VBA code) ---> malicious macro or script<br /> If MS Office is patched (no 0-day exploit), the attack can be blocked by DocumentsAntiExploit (a tool included in SWH to protect MS Office).</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> PIF<br /> Blocked by default.</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> EXE<br /> If the EXE file is dropped via a web browser, it will be blocked by <span style="color: rgb(0, 168, 133)"><strong>SmartScreen for Explorer</strong></span>.<br /> If the file is dropped via an email client, it will be blocked by SWH.</li>
<li data-xf-list-type="ol">PS1 dropped and executed<br /> Blocked by default.</li>
<li data-xf-list-type="ol">HTA dropped and executed by the user<br /> Blocked by default.</li>
<li data-xf-list-type="ol">HTML smuggling or Email attachment ---> JS<br /> Blocked by default.</li>
</ol>
<p>In rare cases, the attacks assumed to be blocked by SmartScreen can succeed in the wild. For example, when the EXE or MSI 0-day malware is digitally signed with an EV certificate.</p></blockquote>
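Added example, not from the original post and not SWH's or Hard_Configurator's own code: a read-only PowerShell audit of the SRP "designated file types" list for the ISO, IMG, VHD and VHDX extensions the post says should be covered. It assumes the standard machine-scope SRP policy key (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, value `ExecutableTypes`); how SWH stores its "Paranoid extensions" option is not known here, so the script checks SRP itself only.

```powershell
# Added example (not part of the original post or of SWH). Read-only audit:
# are the disk-image extensions from the post listed as SRP designated file
# types? Assumes the standard SRP policy key at machine scope; a per-user
# policy under HKCU (not checked here) would use the same value names.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ImageExtensions = @('ISO', 'IMG', 'VHD', 'VHDX')   # extensions named in the post

function Get-SrpDesignatedTypes {
    param([string]$Path = $SrpKey)
    if (-not (Test-Path -Path $Path)) { return @() }
    $item = Get-ItemProperty -Path $Path -Name 'ExecutableTypes' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # ExecutableTypes is REG_MULTI_SZ, one extension per entry without a dot;
    # normalize so the comparison is case- and dot-insensitive.
    return @($item.ExecutableTypes |
        ForEach-Object { $_.Trim().TrimStart('.').ToUpperInvariant() } |
        Where-Object { $_ })
}

function Get-SrpDefaultLevel {
    param([string]$Path = $SrpKey)
    $item = Get-ItemProperty -Path $Path -Name 'DefaultLevel' -ErrorAction SilentlyContinue
    switch ($item.DefaultLevel) {
        0       { 'Disallowed' }      # default-deny: designated types matter
        131072  { 'Basic User' }
        262144  { 'Unrestricted' }    # SRP list has no blocking effect
        default { 'Not configured' }
    }
}

function Test-SrpImageExtensionCoverage {
    param([string[]]$Required = $ImageExtensions)
    $present = Get-SrpDesignatedTypes
    $missing = @($Required | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        DefaultLevel    = Get-SrpDefaultLevel
        DesignatedCount = $present.Count
        Missing         = $missing
        Covered         = ($missing.Count -eq 0)
    }
}

$result = Test-SrpImageExtensionCoverage
$result | Format-List
if (-not $result.Covered) {
    Write-Warning ("Not in SRP designated file types: {0}. Add them to SRP (or use SWH's " +
        '"Paranoid extensions") so these images are not treated as plain data.' -f ($result.Missing -join ', '))
}
```

As the post notes, listing the extension only helps when the image is opened by a dedicated application such as PowerISO or 7-Zip, so a "Covered" result is not a guarantee on its own.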