Ten Process Injection Techniques

Thread starter: Deleted member 178

Did you know these Injection Techniques?

You want to recommend NVT ERP? But is NVT ERP still in development?
Thanks
ERP 2015 is abandoned but works very well; ERP 2017 is in development and, from what I discussed with the dev, it will be far stronger.
ERP 2015 was already the n°1 anti-exe on the market; the next one will keep the lead.
 
There are many attack vectors, and many don't use any file dropped on the HDD, so what will an anti-exe do? Basically nothing...


The topic is about process injections, not whether they are home user threats or not. Stay on topic.


You need to do some more research about attack vectors; your understanding of attacks is too limited to exes and vulnerable processes.
Do you know that you can load cmd/PowerShell scripts without the use of powershell.exe or cmd.exe?
Also, what about DLLs, libraries, etc.?
Please explain a little about these advanced attack vectors etc.
I ask again: how does the fileless attack get into your system in the first place?
You speak about loading scripts and DLLs -- where did they come from, and what is loading them?
 
Please explain a little about these advanced attack vectors etc.
I ask again: how does the fileless attack get into your system in the first place?
You speak about loading scripts and DLLs -- where did they come from, and what is loading them?

As a single example, use an out-of-date, unpatched browser. Navigate to an exploit webpage. The webpage exploits the browser, gains elevated privileges, and then begins to execute code in memory. Poweliks was an example. "Fileless attack" is more often than not a misnomer.
 
Please explain a little about these advanced attack vectors etc.
I ask again: how does the fileless attack get into your system in the first place?
XSS attacks, Metasploit, network attacks/abuse (like EternalBlue/DoublePulsar), etc., etc.

You speak about loading scripts and DLLs -- where did they come from, and what is loading them?
Too long (and off-topic) to discuss here, and even when explained it is quite difficult to put in simple words. The best you can do is to google those attacks.
All you have to know is that anti-exes block only exes, nothing else (one rare exception is Smart Object Blocker, which blocks dll/drivers/exe); unfortunately exes are only ONE of the vectors.

That is why using only an anti-exe isn't enough; you need something else besides.
My first combo was AppGuard (exe/dll/driver/memory protection) + ERP (for the command line parser), one backing the other because they have complementary features.

In security, you need to have the big picture in mind, because rare complex attacks quickly become popular (see the ransomwares or the NSA tools).
 
As a single example, use an out-of-date, unpatched browser. Navigate to an exploit webpage. The webpage exploits the browser, gains elevated privileges, and then begins to execute code in memory. Poweliks was an example. "Fileless attack" is more often than not a misnomer.
But that is exactly my point. Poweliks and similar exploits need to run scripts, and the command line string will be blocked by the anti-exe.
 
XSS attacks, Metasploit, network attacks/abuse (like EternalBlue/DoublePulsar), etc., etc.
Admittedly, targeted attacks and network worms are credible threats in a business environment. But I don't see anything here that a home user with an anti-exe and vulnerable process protection needs to worry about.
 
But that is exactly my point. Poweliks and similar exploits need to run scripts, and the command line string will be blocked by the anti-exe.

That's just a single example. It is not always simple with black or white answers in every single case. There can be and are exceptions. The best thing to do is to research the topic online to gain insight. That way you can formulate your own personal thoughts and opinions on the subject matter. You can pretty much guess based upon prior experience the direction that this thread is heading.
 
There can be and are exceptions. The best thing to do is to research the topic online to gain insight.
Maybe you could do me a favor and link me to an article about one of these exceptions. I am not trying to belabor the point. On the contrary, I am interested in learning more about the subject.
 
XSS attacks
This type of attack can result in an exploited browser, but the exploit is only dangerous if it gets control of a vulnerable process. The targeted vulnerable process will most likely be one that is already protected by the user's anti-exe program, and the exploit will probably fail anyway, assuming the user has a modern OS and a secure browser.
But I agree with you that there is always room to be paranoid. I am running Kaspersky IS, NVT ERP, and Sandboxie, so I think I qualify as paranoid...
 
Guys, I'm really sorry to disturb the thread. I'm sure I don't have the same expertise as you guys. But recently I have detected similar activity on my PC, probably linked to a conhost miner. The thing is, the method used is the one last mentioned. It is copying files across memory, and my Kaspersky TS 2017 with all defenses up doesn't even notice the dll/process injections. Usually system32, system32\wbem and syswow64\wbem.

It behaves much like malware: whenever you close a process, another one pops up and injects into svchost, taskhost or any other available Windows process. The constant here is a running conhost.exe, cmd.exe or dllhost (COM Surrogate into svchost), whenever I connect to the internet or stay idle for too long, to restart the injection cycle.

I can see these processes are injected with scripts, because in Process Explorer, if you hover with the mouse, it will show you a non-complex description and file path for the process, as well as the services related to it. The injected ones reference scripts, NTDLL calls and really huge instructions, as well as PowerShell references. I had PowerShell installed without my knowledge and it wasn't showing in appwiz.cpl (Windows updates).

It was just sitting there in System32, and it had some nasty inheritance and permission protections on each folder/file, so I had to make several attempts to retrieve it, and finally learned to use PS to override these protections myself using a PS script downloaded from the web. BTW it had some folders like "modules" and "applock". The last one was fu$#%¨* nasty. During the takeown attempts I made, it froze my machine, restarted it and started to copy the explorer.exe process over memory, until I managed to takeown with the script. Also the PS execution policy was set to "unrestricted". lol

When I finally got permission, I deleted the related registry keys, as specified by the Symantec guide, and manually removed it from my machine. Did some renaming of executables and DLLs to "_bkp".

Several processes stopped showing up and injecting nasty code. Now they behave more normally, with a few exceptions. Dllhost.exe, taskhost.exe and svchost.exe would eventually be injected by very subtle executables which would soon vanish, so I was not able to click and inspect them. Like sppsvc.exe and audiodg.exe. I know because they do a fast, red-colored pop in Process Explorer and vanish.

It is damn persistent. Really, I'm not bad for a layman. I have some understanding of Visual Studio, Java and Python, and I'm the support guy for the family and neighbours. I think I have hit a solid wall with this infection.

This is some real #####. An exploit payload probably delivered by some tweaked Meterpreter (found traces) or Netcat.
 
This type of attack can result in an exploited browser, but the exploit is only dangerous if it gets control of a vulnerable process.
OMG you are so focused on Vulnerable Processes, that you forget/ignore everything else :D

XSS can be used to exploit your browser without even dropping a file on your system:
XSS > exploited browser > use exploit kit to create fileless payload > exploit the system... where is your anti-exe? Nowhere. Thanks, let me play with your owned system, bye.
 
I've heard of some of those techniques (process hollowing, DLL injection, thread execution injection). I don't know much about the subject, but I hope that HMPA and the NoScript extension are ready to do their job if necessary.
 
XSS > exploited browser > scan the system > adjust the payload and drop it into the target as a DLL > install reflective DLL loader in the target's memory > run DLL

All of the above can be applied automatically from the malicious web page. Similar scenarios are possible when exploiting any software. Many security programs (including SRP and Anti-Exe) cannot fight such attacks, even if they can control DLLs in a standard way (like NVT SOB).

Edit.
SRP and Anti-Exe are not anti-exploit solutions. They can only try to stop the malware at the post-exploitation stage. The above scenario will fail on an updated system (Windows/software updated), especially when using a Standard User Account.
 