<blockquote data-quote="Andy Ful" data-source="post: 917815" data-attributes="member: 32260"><p>I have examined the attack techniques used in the AV-Comparatives test "Enhanced Real-World Test 2020 – Enterprise". The test was focused on Advanced Threat Protection – Targeted Attacks, Exploits, and Fileless Threats.</p><p>[URL unfurl="true"]https://www.av-comparatives.org/tests/enhanced-real-world-test-2020-enterprise/[/URL]</p><p></p><p>So, let's find out which of these advanced attacks can be prevented by Simple Windows Hardening default settings (and most Hard_Configurator setting profiles).</p><p></p><p>The 15 test scenarios used in this test are very briefly described below:</p><ol> <li data-xf-list-type="ol">This threat is introduced via Trusted Relationship. MSHTA launches an HTML application, which executes a staged Empire PowerShell payload.</li> <li data-xf-list-type="ol">This threat is introduced via Trusted Relationship. A PowerShell script containing an AMSI bypass and a PowerShell Empire stager was executed.</li> <li data-xf-list-type="ol">This threat is introduced via Trusted Relationship. Windows Scripting Host was used to download a PowerShell payload via an integrated Empire PowerShell Stager, combined with an AMSI bypass.</li> <li data-xf-list-type="ol">This threat is introduced through Valid Accounts. The trusted Windows utility Microsoft Build Engine was used to proxy the execution of an Empire macro payload, which opens a command and control channel.</li> <li data-xf-list-type="ol">This threat is introduced through Valid Accounts. A VBScript which spawns a PowerShell process and executes an Empire payload has been used.</li> <li data-xf-list-type="ol">This threat is introduced through Valid Accounts. A batch file was used to execute an obfuscated PowerShell stager, download an obfuscated PoshC2.</li> <li data-xf-list-type="ol">This threat is introduced via Removable Media (USB). A JavaScript executes an obfuscated PowerShell stager, which downloads and executes a PoshC2 PowerShell payload.</li> <li data-xf-list-type="ol">This threat is introduced via Removable Media (USB). MSHTA.exe executes a PowerShell stager which launches a base64-encoded PoshC2 staged PowerShell payload.</li> <li data-xf-list-type="ol">This threat is introduced via Removable Media (USB). A malicious Microsoft Office macro executes a PoshC2 PowerShell payload.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL PoshC2.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Attachment. An HTML application downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL payload. This test case was created with Metasploit Meterpreter.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Link. MSHTA.exe downloads and executes an obfuscated XSL payload. This test case was created with Metasploit Meterpreter.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Link. A JavaScript downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.</li> <li data-xf-list-type="ol">This threat is introduced via Spearphishing Link. exe downloads and executes a PowerShell stager which downloads and executes an encrypted PowerShell Empire staged PowerShell payload, combined with an AMSI bypass.</li> </ol><p></p><p><strong>All these scenarios will be blocked if the attacker could not exploit some legal application to get command-line access (hardly possible on well-updated Windows 10 with well-updated software).</strong></p><p></p><p>Anyway, even if such an exploit existed, only one scenario (number 13) could be successful, by running the command line with a Sponsor (MSHTA, etc.) to download/run the XSL payload. This would also be prevented by applying FirewallHardening with the H_C recommended Blocklist.</p><p></p><p>The other scenarios will be prevented (even after exploiting) as follows:</p><p>The techniques described in points 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15 use scripts as payloads (PowerShell or Windows Script Host) that will not be executed due to SWH settings.</p><p>Techniques 4 and 9 also use VBA macros, which are blocked by SWH settings.</p><p>Some techniques use an AMSI bypass, but SWH settings do not mind it.</p><p>Most of the PowerShell payloads would be blocked even if the user allowed PowerShell scripting in SWH (and H_C), due to Constrained Language Mode, which is the SRP restriction for PowerShell applied independently.</p></blockquote><p></p>
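Defender-side check, added here and not part of Andy Ful's post or of the SWH/Hard_Configurator code: a PowerShell audit of the Windows settings the post's reasoning rests on, so a reader can see on their own machine whether script payloads (SRP and Windows Script Host), PowerShell Constrained Language Mode and Office VBA macros are actually restricted. The registry locations are the standard Windows SRP, WSH and Office policy keys; that SWH and H_C write exactly these keys is an assumption, and the scenario numbers in the summary simply repeat the post's mapping.

```powershell
# Added example (not code from the post or from SWH/Hard_Configurator).
# Audits the policy settings the post relies on. Registry paths are the
# standard Windows/Office policy locations; that SWH/H_C use exactly these
# keys is an assumption. Run in an elevated PowerShell to read HKLM reliably.

function Get-SrpStatus {
    # Software Restriction Policies live under this key when configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $r = [ordered]@{ Configured = $false; DefaultLevel = 'not configured'; Scope = 'n/a'; ScriptTypesCovered = @() }
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $r.Configured = $true
        # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
        if ($null -ne $p.DefaultLevel) {
            $r.DefaultLevel = switch ([int]$p.DefaultLevel) {
                0       { 'Disallowed' }
                0x20000 { 'BasicUser' }
                0x40000 { 'Unrestricted' }
                default { "unknown ($_)" }
            }
        }
        # TransparentEnabled: 1 = all software files except libraries, 2 = all software files
        if ($null -ne $p.TransparentEnabled) {
            $r.Scope = switch ([int]$p.TransparentEnabled) {
                1       { 'executables, no DLLs' }
                2       { 'all software files' }
                default { "unknown ($_)" }
            }
        }
        # Designated file types relevant to the post's script-based scenarios
        # (PowerShell, Windows Script Host, HTA, batch, XSL).
        $scriptTypes = 'PS1','VBS','VBE','JS','JSE','WSF','WSH','HTA','BAT','CMD','XSL'
        $r.ScriptTypesCovered = @($p.ExecutableTypes | Where-Object { $scriptTypes -contains $_ })
    }
    [pscustomobject]$r
}

function Get-WshStatus {
    # Windows Script Host: Enabled = 0 makes wscript/cscript refuse to run scripts.
    foreach ($hive in 'HKLM','HKCU') {
        $v = (Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Hive    = $hive
            Enabled = $v
            State   = $(if ($null -eq $v) { 'not set (WSH enabled by default)' } elseif ($v -eq 0) { 'WSH disabled' } else { 'WSH enabled' })
        }
    }
}

function Get-PowerShellLanguageMode {
    # FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage for this session.
    # With SRP enforcing against PowerShell, new sessions start in ConstrainedLanguage.
    [pscustomobject]@{
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        # Machine-wide __PSLockdownPolicy = 4 also forces Constrained Language Mode; $null if unset.
        LockdownPolicy  = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
        # Execution policy is not a security boundary; reported only for completeness.
        ExecutionPolicy = Get-ExecutionPolicy
    }
}

function Get-OfficeMacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $meaning = @{ 1 = 'enable all macros'; 2 = 'disable with notification'; 3 = 'disable except signed'; 4 = 'disable all, no notification' }
    foreach ($app in 'Word','Excel','PowerPoint') {
        foreach ($hive in 'HKCU','HKLM') {
            $key = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{
                App         = $app
                Hive        = $hive
                VBAWarnings = $v
                Meaning     = $(if ($null -eq $v) { 'not set (user Trust Center setting applies)' } elseif ($meaning.ContainsKey([int]$v)) { $meaning[[int]$v] } else { "unknown ($v)" })
            }
        }
    }
}

function Get-HardeningSummary {
    # Maps each control to the scenario groups the post assigns to it.
    $srp = Get-SrpStatus; $wsh = @(Get-WshStatus); $ps = Get-PowerShellLanguageMode; $macros = @(Get-OfficeMacroPolicy)
    [pscustomobject]@{
        'SRP blocks designated script types (scenarios 1-3, 5-12, 15)' = ($srp.DefaultLevel -eq 'Disallowed' -and $srp.ScriptTypesCovered.Count -gt 0)
        'WSH disabled (VBS/JS scenarios)'                               = (@($wsh | Where-Object { $_.Enabled -eq 0 }).Count -gt 0)
        'PowerShell in Constrained Language Mode'                       = ("$($ps.LanguageMode)" -eq 'ConstrainedLanguage')
        'Office macros disabled by policy (scenarios 4, 9)'             = (@($macros | Where-Object { $_.VBAWarnings -eq 4 }).Count -gt 0)
    }
}

Get-SrpStatus | Format-List
Get-WshStatus | Format-Table -AutoSize
Get-PowerShellLanguageMode | Format-List
Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-HardeningSummary | Format-List
```

The summary is a policy check, not proof of blocking: SRP only applies to the extensions listed in ExecutableTypes and to the scope TransparentEnabled selects, and the Office key is the 16.0 (Office 2016/2019/365) policy path, so adjust the version segment for other Office releases. The language mode line reflects the session the script runs in; a hardened machine should show ConstrainedLanguage in a freshly started console.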