Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 970819" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">SimpleWindowsHardening vs. APT attacks.</span></strong></p><p></p><p>Thanks to [USER=79653]@Correlate[/USER], I recalled an article about possible weaknesses of Endpoint Detection and Response software (some time ago I made a thread about it on MT):</p><p>[URL unfurl="false"]https://malwaretips.com/threads/endpoint-detection-and-responsesystems-against-advanced-persistent-threats.109745/[/URL]</p><p>[URL unfurl="false"]https://malwaretips.com/threads/endpoint-detection-and-response-how-hackers-have-evolved-part-1.106619/post-970740[/URL]</p><p></p><p>The full research article can be found here:</p><p>[URL unfurl="true"]https://arxiv.org/pdf/2108.10422.pdf[/URL]</p><p></p><p>Attack Vectors</p><ul> <li data-xf-list-type="ul">A .cpl file: A DLL file which can be executed by double-clicking under the context of the rundll32 LOLBIN, which can execute code maliciously under its context. The file has been crafted using CPLResourceRunner. To this end, we use a shellcode storage technique using Memory-mapped files (MMF) [17] and then trigger it using delegates, ...</li> <li data-xf-list-type="ul">A legitimate Microsoft (MS) Teams installation that will load a malicious DLL. In this regard, DLL side-loading will lead to a self-injection, thus allowing us to ”live” under a signed binary...</li> <li data-xf-list-type="ul">An unsigned PE executable file; from now on referred to as EXE, that will execute process injection using the “Early Bird” technique of AQUARMOURY into werfault.exe. For this, we spoofed the parent of explorer.exe using the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY flag to protect our malware from an unsigned by Microsoft DLL event that is commonly used by EDRs for process monitoring.</li> <li data-xf-list-type="ul">An HTA file. Once the user visits a harmless HTML page containing an IFrame, he will be redirected and prompted to run an HTML file infused with executable VBS code that will load the .NET code provided in Listing 2 and perform self-injection under the context of mshta.exe.</li> </ul><p>I skipped the attack vector related to DLL side-loading because it was related to lateral movement (common in Enterprises). The attacker had to drop the malicious DLL, a modified system DLL (the original DLL is normally located in the "c:\Windows\system32" folder), into the application folder of Microsoft Teams (already installed in the system).</p><p></p><p>Looking at the Defender results, it can be seen that SWH + Microsoft Defender for Endpoint (Defender with advanced settings) could prevent all attack vectors (except lateral movement).</p><p></p><p>It is interesting that many products missed the fileless attacks via CPL or HTA files (blocked by SWH):</p><p>Carbon Black, Comodo, CrowdStrike, Elastic, F-Secure, Microsoft, Panda, Sentinel, Symantec, TrendMicro.</p></blockquote><p></p>
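The post lists three endpoint-side vectors (a .cpl run through rundll32, an .hta run through mshta.exe after a browser redirect, and werfault.exe used as an injection host with a spoofed parent). As an added illustration of how a defender would write process-creation detections for exactly those patterns, here is a small Python checker run over constructed Sysmon-style Event ID 1 records. This is example code written for this thread, not part of the paper, of SWH, or of any vendor's product; the event layout, the sample command lines, and the finding names are all constructed for the example. It deliberately does not trust the reported parent for the werfault.exe case, because the parent-process attribute the paper's authors abuse (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) lets a creator choose what the parent field says.

```python
import re
from dataclasses import dataclass


# Constructed Sysmon-style Event ID 1 (process creation) record. These fields
# mirror Image / ParentImage / CommandLine; the samples below are fabricated.
@dataclass
class ProcEvent:
    event_id: str
    image: str          # full path of the created process
    parent_image: str   # full path of the *reported* parent (spoofable)
    command_line: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# WerFault.exe started by Windows Error Reporting carries reporting switches
# such as "-u -p <pid> -s <event>"; a bare WerFault.exe is out of the ordinary.
WERFAULT_SWITCHES = re.compile(r"(^|\s)-(u|p|s|pss|k)\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv_tokens(cmd: str) -> list:
    # Split a command line into tokens, honouring double-quoted paths.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def classify(ev: ProcEvent) -> list:
    findings = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cl = ev.command_line.lower()

    # Vector 1: a Control Panel item (.cpl) loaded via rundll32/control.exe
    # from somewhere other than the system folders.
    if img in ("rundll32.exe", "control.exe"):
        for tok in argv_tokens(cl):
            if tok.endswith(".cpl") and not tok.startswith(SYSTEM_DIRS):
                findings.append("cpl_outside_system_dirs")
                break

    # Vector 2: mshta.exe launched by a browser, or pointed at a URL or a
    # .hta sitting in a user-writable location.
    if img == "mshta.exe":
        if parent in BROWSERS:
            findings.append("mshta_spawned_by_browser")
        if re.search(r"https?://", cl) or any(d in cl for d in USER_WRITABLE):
            findings.append("mshta_untrusted_source")

    # Vector 3: werfault.exe as an injection host. The reported parent is not
    # trusted here (it can be chosen via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS);
    # the image path and the absent WER switches are the signals used instead.
    if img == "werfault.exe":
        if not ev.image.lower().startswith(SYSTEM_DIRS):
            findings.append("werfault_outside_system_dirs")
        if not WERFAULT_SWITCHES.search(cl):
            findings.append("werfault_without_reporting_switches")

    return findings


def scan(events) -> dict:
    """Map each event id to the list of findings raised for it."""
    return {ev.event_id: classify(ev) for ev in events}


# Constructed samples: one suspicious and (where useful) one benign per vector.
SAMPLE_EVENTS = [
    ProcEvent("cpl-mal", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\bob\Downloads\invoice.cpl"'),
    ProcEvent("cpl-benign", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'),
    ProcEvent("hta-mal", r"C:\Windows\System32\mshta.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'mshta.exe "C:\Users\bob\Downloads\update.hta"'),
    ProcEvent("wer-mal", r"C:\Windows\System32\WerFault.exe", r"C:\Windows\explorer.exe",
              "WerFault.exe"),
    ProcEvent("wer-benign", r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 4120 -s 1104"),
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(f"{event_id:12} {findings or 'clean'}")
```

The heuristics are intentionally narrow so that the benign samples stay clean: a .cpl under System32 and a WerFault.exe with its usual switches raise nothing, while the three shapes the post describes each produce at least one finding that a SOC could alert on or feed into a hardening decision such as blocking .cpl and .hta execution for standard users.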