Ten Process Injection Techniques

  • Thread starter: Deleted member 178

Did you know these Injection Techniques?

I've heard of some of those techniques (process hollowing, DLL injection, thread execution injection). Don't know much about the subject, but I hope that HMPA and the NoScript extension are ready to do their job if necessary.
There is some way to bypass NoScript with XSS; however, HMPA will be more helpful.


XSS > exploited browser > scan the system > adjust the payload and drop it into the target as DLL > install reflective DLL loader in target's memory > run DLL.
All the above can be applied automatically from the malicious web page. Similar scenarios are possible when exploiting any software. Many security programs (including SRP and Anti-Exe) cannot fight such attacks, even if they can control DLLs in a standard way (like NVT SOB).
Exactly, no need to be a genius, just need to practice. Anyway, those using these techniques don't need to go as far as this; a simple "attractive" link on some popular social sites, which downloads a dropper, and you will have hundreds of victims ready to be exploited. Only a handful of people use and know how to use an anti-exe/SRP/HIPS.
 
I should agree these kinds of attacks are not typical attacks that are engaged at executable points; the trend is all about fileless attacks, while many AVs still primarily focus on traditional techniques.

Enterprise products that are aligned with anti-exe are surely protected on that; of course you need to purchase a license, but expect it will perform well.
 
This thing is coming hot from July/2017 and being overlooked in all forums. I mean, everyone is saying "seems clean", "must be hardware", "check this defrag". It is just a pattern. Just look on the forums for svchost, dllhost and com surrogate in July and you'll see.
 
Thanks for the answer. I know that nothing is bulletproof, but somehow I always thought that mitigating XSS attacks along with anti-clickjacking is NoScript's forte. I believe it's advertised as an extension that should be able to filter that kind of threat even if you set it to allow scripts globally.
Even so, there could be vulnerabilities present in the extension itself which could help an attacker pursue some of those malicious techniques.
Could you please share some info on that possibility to bypass NoScript that you mentioned in your answer above?
 
Excellent pdf, thx.

Not saying that using Reflective DLL Injection, which contains embedded Meterpreters/frameworks that can be loaded directly in memory, would bypass classic anti-exe.

On page 13, there is a link that takes you to another paper. It describes the possibilities within WMI and its classes.
 
Edit.
SRP and Anti-Exe are not anti-exploit solutions. They can only try to stop the malware at the post-exploitation stage. The above scenario will fail on an updated system (Windows/software updated), especially when using a Standard User Account.
@Andy Ful , thanks for the explanations! I learned a lot. So it sounds like sandboxing the browser is a better protection than trying to control the DLLs.
 
The same can be said about applications opening vulnerable files, like: document readers, document editors, media players, etc.
Personally, I use Universal Applications (AppContainer) from Windows Store for that, and Office Online.
 
The last few days I've been reading this thread.
Quite informative, I can say at least, even though I don't have the knowledge to fully understand all the terms.
Luckily I have been a member of MT for some years now and I have learned some things :) so I can at least get the big picture.
But I have a question to ask.
@Umbra said that Comodo can protect up to a point.
So I have to ask: I am using EAV now and I have HIPS in Interactive mode. Can HIPS block some of those attacks?
 
So the Windows 10 default apps will do it for most everything you mentioned, except for Word docs. To handle the Word docs, I have installed LibreOffice inside of the default sandbox of Sandboxie, so if I download a Word doc, I can open it virtualized.
 
I know VoodooShield and Kaspersky Free Antivirus detect PowerShell execution because I run a scheduled task to download my hosts file using a single PowerShell -command. Most security products don't throw any red flags at the fact that I download a strange file directly from the Internet into a protected system32/driver/etc folder, except those two, which often makes me wonder what other malware could do with a SYSTEM token.
 
Not sure, but it seems I have already posted something similar; however, I would like to add that the base relocation table is contained in the OptionalHeader (which is not optional on executables) member of the IMAGE_NT_HEADERS structure, so we'll get a handle to the current process image and extract the relocation table.
Now we can allocate a copy of our image and then calculate the delta from the remote memory address and the image base. The old delta (actual address of the image minus the image base) will be replaced with the new delta in the relocation table, so we can replace the old delta in the relocation table.
And finally we can write the memory buffer into the remote process memory allocated previously, and call CreateRemoteThread on the address of the function ThreadProc.

But if you need to inject code into a process in a different session you can't use CreateRemoteThread, because it returns error 0x05 (Access Denied); that's why you can replace this function with NtCreateThreadEx.
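The relocation-table walk the post above describes, seen from the analyst's side, as an added example (not code from the post's author): it parses the IMAGE_BASE_RELOCATION blocks of a .reloc section and checks, on a constructed dump of a module found at an address other than its preferred ImageBase, which DIR64 slots still point outside the actual mapping. Field layout follows the PE/COFF spec; the sample bytes, addresses and image size are constructed.

```python
import struct

# Relocation entry types from the PE/COFF spec.
IMAGE_REL_BASED_ABSOLUTE = 0    # padding entry, no fixup applied
IMAGE_REL_BASED_DIR64 = 10      # 64-bit absolute address (64-bit images)

def parse_relocations(reloc_data):
    """Walk IMAGE_BASE_RELOCATION blocks: DWORD page RVA, DWORD block size, then
    16-bit entries (4-bit type, 12-bit page offset). Returns [(rva, type), ...]."""
    entries, off = [], 0
    while off + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, off)
        if block_size == 0:
            break                                    # zero-sized terminator
        if block_size < 8 or off + block_size > len(reloc_data):
            raise ValueError("malformed IMAGE_BASE_RELOCATION block")
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc_data, off + 8 + 2 * i)
            typ = entry >> 12
            if typ != IMAGE_REL_BASED_ABSOLUTE:      # skip alignment padding
                entries.append((page_rva + (entry & 0xFFF), typ))
        off += block_size
    return entries

def unrelocated_slots(image, entries, actual_base, image_size):
    """Forensic check on a dumped 64-bit module mapped at actual_base: every
    DIR64 slot should hold a pointer inside that mapping. Returns RVAs that do not."""
    bad = []
    for rva, typ in entries:
        if typ != IMAGE_REL_BASED_DIR64:
            continue
        (val,) = struct.unpack_from("<Q", image, rva)
        if not actual_base <= val < actual_base + image_size:
            bad.append(rva)
    return bad

# Constructed sample .reloc data: two blocks, each padded to a DWORD boundary.
SAMPLE_RELOC = (struct.pack("<II", 0x1000, 16)
                + struct.pack("<4H", 0xA010, 0xA0F8, 0xA200, 0x0000)
                + struct.pack("<II", 0x3000, 12)
                + struct.pack("<2H", 0xA020, 0x0000))
# Constructed dump of a module found at ACTUAL_BASE instead of its preferred
# ImageBase 0x140000000; one slot was never fixed up and still points there.
ACTUAL_BASE, IMAGE_SIZE = 0x7FF600000000, 0x4000
SAMPLE_IMAGE = bytearray(IMAGE_SIZE)
struct.pack_into("<Q", SAMPLE_IMAGE, 0x1010, ACTUAL_BASE + 0x2000)
struct.pack_into("<Q", SAMPLE_IMAGE, 0x10F8, ACTUAL_BASE + 0x3ABC)
struct.pack_into("<Q", SAMPLE_IMAGE, 0x1200, 0x140002000)   # unrelocated
struct.pack_into("<Q", SAMPLE_IMAGE, 0x3020, ACTUAL_BASE + 0x100)
```

On the constructed dump, `unrelocated_slots` reports only RVA 0x1200, the slot whose delta was never applied.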
 
Yes, heard of that too, thanks. I will check it out to see the Symantec explanation :)

Indeed, that is why using a sandbox is a main part of my security strategy. Bypassing a sandbox is surely possible, but not so easy or worth the time/resources.

Same here, I'm amazed by all those Win10 users that despise the very secure Metro apps and rather use some crappy 3rd-party software without securing it via a sandbox or an anti-exploit.
I do use 3rd-party media players/readers, but all are isolated/exploit-protected.

Detecting and blocking powershell.exe isn't enough anymore; I can launch a battery of PowerShell scripts without even using powershell.exe, and without any files even touching the disk, all being in memory. Anti-exe won't even react.
KIS should react because of its memory protection (I don't use it, but I remember it has one).
 
OK, since I used F-Secure I did some searching and found a white paper about DeepGuard! Seems it can detect these attacks. @shmu26 keep calm and buy F-Secure :p
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
2.1 Process monitoring
Applications are monitored for a number of suspicious actions, including (but not limited to):
  • Modifying the Windows registry
  • Editing files in certain critical system directories
  • Injecting code in another process’s space
  • Attempting to hide processes or replicate themselves
As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing. If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.

DeepGuard is more than that (just take a look at the pdf)! So worth the price.
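The threshold logic the quoted whitepaper section describes, written out as an added example (my own code, not F-Secure's): suspicious actions accumulate a per-process score instead of triggering on a single action, and a low prevalence rating lowers the threshold at which the process is blocked. The action weights, threshold values, prevalence cut-off and the event trace are all constructed; the whitepaper gives no such numbers.

```python
from collections import defaultdict

# Weights for the suspicious actions the excerpt lists (constructed values; the
# whitepaper gives no numbers). Actions not listed here score nothing.
SUSPICIOUS_ACTIONS = {"registry_modify": 1, "critical_dir_write": 2,
                      "inject_code": 3, "hide_process": 3, "self_replicate": 3}
BASE_THRESHOLD = 6        # assumed critical threshold for well-known files
LOW_PREVALENCE = 0.001    # assumed cut-off below which a file is "low-prevalence"

def threshold_for(prevalence):
    """prevalence: share of the user base that has seen the file, or None when
    the Security Cloud is unavailable. Low-prevalence files get a lower bar."""
    if prevalence is not None and prevalence < LOW_PREVALENCE:
        return BASE_THRESHOLD // 2
    return BASE_THRESHOLD

class BehaviourMonitor:
    """Accumulates suspicious actions per process; one action never blocks."""
    def __init__(self):
        self.scores = defaultdict(int)
        self.blocked = set()

    def observe(self, pid, action, prevalence=None):
        """Record one action; return True if the process is (now) blocked."""
        if pid in self.blocked:
            return True
        weight = SUSPICIOUS_ACTIONS.get(action, 0)
        if weight == 0:
            return False                      # benign action, nothing accrues
        self.scores[pid] += weight
        if self.scores[pid] >= threshold_for(prevalence):
            self.blocked.add(pid)
        return pid in self.blocked

def run_trace(events):
    """events: [(pid, action, prevalence)] in order; returns the blocked pids."""
    mon = BehaviourMonitor()
    for pid, action, prevalence in events:
        mon.observe(pid, action, prevalence)
    return mon.blocked

# Constructed trace: pid 200 (rarely seen file) and pid 300 (widely seen file)
# perform the same two actions; only the rare one crosses its lowered threshold.
SAMPLE_EVENTS = [
    (100, "registry_modify", 0.40), (100, "file_open", 0.40),
    (200, "registry_modify", 0.00001), (200, "inject_code", 0.00001),
    (300, "registry_modify", 0.30), (300, "inject_code", 0.30),
]
```

Running `run_trace(SAMPLE_EVENTS)` blocks only pid 200; pid 300 would need a further suspicious action (for example `hide_process`) before it reaches the full threshold.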
 
Idk if Behavior Shield in AVG can block these things? Can someone test the free AVG against some exploit and these DLL things? hahaha
@Andy Ful @cruelsister @CyberSecurity GrujaRS can you test Bitdefender Free and AVG Free against these attacks?
A topic like this makes ppl sick (feels HIV) :p
 
How would you compare it to Kaspersky IS?
 
IDK about Kaspersky, I never used it (is there any white paper for the Kaspersky behavior blocker?). Someone should test BD (free), F-Secure, KIS, AVG (free) and EMSI!
 
I really don't think that only one tool can do the trick. From what I heard, the best option would be a combo of AV/Firewall/HIPS and a Sandbox, the AV being the most vulnerable of the combo, not meant to block attacks but more for cleanup tasks.