WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1075175" data-attributes="member: 32260">
<p><strong><span style="font-size: 18px">WHHLight vs. Raspberry Robin</span></strong></p>
<p><strong>(Smart App Control set to OFF)</strong></p>
<p>https://malwaretips.com/threads/raspberry-robin-malware-returns-with-early-access-to-windows-exploits.128932/post-1074940</p>
<p>https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/</p>
<p>The attack was dangerous due to exploiting a vulnerability that allows a local attacker to escalate privileges to SYSTEM (Local Privilege Escalation). The exploit was sold on Dark Web forums several months before Microsoft and CISA released an advisory on active exploitation.</p>
<p>But in this post, I focus on the initial phase of the attack to show how WHHLight could prevent the attack in the wild.</p>
<p><strong><span style="color: rgb(184, 49, 47)">Attack flow:</span></strong></p>
<p>[ATTACH=full]281537[/ATTACH]</p>
<p>Such attacks via EXE files can be blocked when &lt; WDAC &gt; = ON in WHHLight.</p>
<p>OleView.exe is a benign executable, so it will be allowed by SmartScreen and WDAC ISG. But the malicious DLL side-loading can be blocked by WDAC ISG.</p>
<p>Edit.</p>
<p>It is worth mentioning that DLL hijacking (0-day malware) can be a challenge for Microsoft Defender, even in MAX settings. The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" does not cover this attack vector.</p>
</blockquote>
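An added example (not code from the post, from WHHLight or from Hard_Configurator): two PowerShell checks for the defence described above. The first confirms that a deployed WDAC policy XML carries the Intelligent Security Graph option that lets ISG authorize the benign OleView.exe while leaving an unknown DLL unauthorized; the second reads enforced-mode Code Integrity block events (Event ID 3077) and flags loads where the blocked DLL sits in the same directory as the host process, which is the side-loading pattern in the attack flow. The policy path, the event count and the event data field names are assumptions taken from the standard WDAC policy schema and event template, not from WHHLight's own policy.

```powershell
# Added example, not WHHLight's code. Assumes a standard WDAC policy XML and
# the stock field names of Code Integrity event 3077 (enforced-mode block).

function Test-WdacIsgEnabled {
    param([Parameter(Mandatory)][string]$PolicyXmlPath)
    [xml]$policy = Get-Content -Path $PolicyXmlPath -Raw
    # Rule option 14 is stored in the policy as this literal option string.
    $options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    return ($options -contains 'Enabled:Intelligent Security Graph Authorization')
}

function Get-WdacSideLoadBlocks {
    param([int]$MaxEvents = 500)   # assumed default; raise it for busy hosts
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        [xml]$x = $e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $file = $data['FileNameBuffer']      # blocked image (NT device path)
        $proc = $data['ProcessNameBuffer']   # process that tried to load it
        if (-not $file -or $file -notmatch '\.dll$') { continue }
        # Side-loading pattern: the blocked DLL lives beside the benign, signed
        # host EXE (OleView.exe in the attack flow), so both paths share a directory.
        $sameDir = [System.IO.Path]::GetDirectoryName($file) -eq
                   [System.IO.Path]::GetDirectoryName($proc)
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Process    = $proc
            BlockedDll = $file
            SameDir    = $sameDir
            Sha256     = $data['SHA256Hash']
        }
    }
}

# Usage (paths are placeholders):
# Test-WdacIsgEnabled -PolicyXmlPath 'C:\PLACEHOLDER\policy.xml'
# Get-WdacSideLoadBlocks | Where-Object SameDir | Format-Table -AutoSize
```

Event 3076 carries the same fields for audit-mode policies, so swapping the Id shows what a policy would have blocked before it is enforced.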