Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 973399" data-attributes="member: 32260"><p>It is possible that this particular attack could finish STAGE 2 of the infection (but would be stopped by Defender at STAGE 3):</p><p>But the decisive infection starts at <strong>STAGE 3 via the script Net.vbs</strong>, which is obfuscated. This could be blocked by the ASR rule.</p><p><strong>STAGE 3:</strong></p><p>[Attachment 263840: screenshot of STAGE 3]</p><p>The full infection chain is very complicated to avoid detection. It is possible that some parts of the attack could be mitigated by the ASR rule "Use advanced protection against ransomware". Furthermore, the complicated infection chain could be detected by the very aggressive cloud protection level used in MAX settings.</p><p>I am not sure how this malware neutralization would be counted on Malware Hub. The system was compromised because the malware could connect to a malicious URL, download the STAGE 1 payload, get persistence, and execute a few processes after reboot. But it could not do anything truly malicious when ASR rules were enabled. The final payload (AsyncRAT) would not be injected, UAC would not be bypassed, and Defender's settings would not be tampered with, either.</p></blockquote>
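The post attributes the neutralization to two Defender controls: an ASR rule that stops the obfuscated Net.vbs at STAGE 3, and the aggressive cloud protection level of the MAX profile. The PowerShell script below is an added example, not code from the post or from the Hard_Configurator project, that audits whether those controls are actually in effect on a machine and optionally enforces them. It assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell session. The rule GUIDs are the documented Defender ASR rule IDs; the post names "Use advanced protection against ransomware" explicitly but refers to the obfuscated-script rule only by its effect, so mapping Net.vbs to "Block execution of potentially obfuscated scripts" is this example's assumption, as is the default target cloud block level of High (the post does not state which level MAX uses).

```powershell
# Added example (not from the quoted post): audit the Defender ASR rules and
# cloud block level that the post credits with stopping the STAGE 3 script.
# Assumptions: Windows 10/11 with Microsoft Defender, run from an elevated
# PowerShell session. Without -Enforce the script only reports.
[CmdletBinding()]
param(
    # Enable the rules in Block mode and set the cloud block level instead of only reporting.
    [switch]$Enforce,
    # Cloud block level to apply with -Enforce. 'High' is this example's assumption;
    # the post does not state which level the MAX profile uses.
    [ValidateSet('Default', 'Moderate', 'High', 'HighPlus', 'ZeroTolerance')]
    [string]$TargetCloudLevel = 'High'
)

# Documented Defender ASR rule IDs. Tying Net.vbs to the first rule is this
# example's assumption; the post only says the obfuscated script "could be blocked by the ASR rule".
$RulesOfInterest = @{
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Numeric ASR action codes as reported by Get-MpPreference.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# Numeric cloud block levels as reported by Get-MpPreference.
$CloudLevelName = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays: the action at index i applies to the rule id at index i.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $RulesOfInterest.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $idx = $i; break }
        }
        # Cast to [int] so the byte value matches the integer hashtable keys above.
        $state = if ($idx -ge 0) { $ActionName[[int]$actions[$idx]] } else { 'Not configured' }
        [pscustomobject]@{
            Rule  = $RulesOfInterest[$guid]
            Id    = $guid
            State = $state
        }
    }
}

function Get-CloudBlockLevelState {
    $level = [int](Get-MpPreference).CloudBlockLevel
    $name  = if ($CloudLevelName.ContainsKey($level)) { $CloudLevelName[$level] } else { 'Unknown' }
    [pscustomobject]@{ CloudBlockLevel = $level; Name = $name }
}

# Report the current state of the two rules and the cloud block level.
$states = Get-AsrRuleState
$states | Format-Table -AutoSize
$cloud = Get-CloudBlockLevelState
Write-Output ("Cloud block level: {0} ({1})" -f $cloud.Name, $cloud.CloudBlockLevel)

if ($Enforce) {
    # Add-MpPreference appends to the existing rule list rather than replacing it,
    # so other ASR rules already configured on the machine are left untouched.
    foreach ($s in ($states | Where-Object { $_.State -ne 'Block' })) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $s.Id -AttackSurfaceReductionRules_Actions Enabled
        Write-Output ("Set to Block: {0}" -f $s.Rule)
    }
    Set-MpPreference -CloudBlockLevel $TargetCloudLevel
    Write-Output ("Cloud block level set to {0}" -f $TargetCloudLevel)
}
```

Run it without parameters first to see which of the two rules are missing, in Audit, or in Block; a rule reported as Audit would log the Net.vbs execution in the Defender operational event log but not stop it, which is the difference between the post's "would be stopped at STAGE 3" outcome and a compromised host. Re-run with -Enforce (and, if desired, -TargetCloudLevel ZeroTolerance) to apply the settings.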