> I'm not sure, but doesn't PS run in Constrained Language mode defeat this kind of attack as well?

No.

> This is probably the worst of Leo's videos. First, this video does not show any difference between Windows 10 and 11. Leo simply did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges. If Leo had made his video several months ago and had used standard rights (instead of high privileges) to query Defender's exclusions, then the video would be OK. In the year 2021, this attack vector was not covered by Microsoft (it was patched several months ago).

Leo is not concerned with covering details in-depth. He just wants short-and-fast videos as opposed to long, thorough videos. His target audience is neophytes and not enthusiasts.

> Leo is not concerned with covering details in-depth. He just wants short-and-fast videos as opposed to long, thorough videos. His target audience is neophytes and not enthusiasts.

No.

> Good one. I temporarily unblocked PS Sponsors from H_C SRP rules, and launched it as user:
> [attachment 267221]

Yes and No.
H_C can fully block this attack in the Recommended_Settings, except when something is exploited and a special (rarely used in the wild) PowerShell CmdLine is executed. In most cases, such attacks will be blocked by Constrained Language Mode or FirewallHardening. I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.
I'm not sure, but doesn't PS run in Constrained Language mode defeat this kind of attack as well?

> H_C can fully block this attack in the Recommended_Settings, except when something is exploited and a special (rarely used in the wild) PowerShell CmdLine is executed. In most cases, such attacks will be blocked by Constrained Language Mode or FirewallHardening. I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.

What about Simple Windows Hardening?

> What about Simple Windows Hardening?

The script restrictions are the same as for the H_C.

> It is true that the script could read the exclusions

That is what I meant. I just did not spell it out.

> This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights.

Your post does not make sense to me. If the innocent-looking malware wants to read exclusions on a home computer, then it must elevate. If not, then the attack will fail, just as Leo showed for Windows 11. Microsoft fixed the issue several months ago, and the behavior on Windows 10 is (and was) the same as on Windows 11. Leo made a mistake in his test, so he thought that the behavior was different on Windows 10 and Windows 11.
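The three conditions the posts above argue about (language mode, elevation, and what a Defender exclusion query actually returns) can be checked in one place. The script below is an added example; it is not code from the thread, from Leo's video, or from the H_C / SWH tools. The function name Get-ExclusionVisibility is my own, it assumes a Windows 10/11 host with the Defender PowerShell module (Get-MpPreference) present, and it detects elevation from the High Mandatory Level SID (S-1-16-12288) in the output of whoami /groups rather than through .NET, so the check itself still runs under Constrained Language Mode. That a standard-user session on a patched system gets empty exclusion lists back (rather than, say, an error) is an assumption taken from what the posts describe, not something the thread demonstrates.

```powershell
# Added example: not code from the thread, from Leo's video, or from Andy's H_C / SWH tools.
# Reports, in one object:
#   - the PowerShell language mode (FullLanguage vs. ConstrainedLanguage),
#   - whether the session is elevated (high integrity),
#   - what Get-MpPreference returns for Defender exclusions under those conditions.
# Assumptions: Windows 10/11 with the Defender PowerShell module installed; elevation
# is read from the High Mandatory Level SID (S-1-16-12288) in "whoami /groups" so the
# check avoids .NET method calls and keeps working under Constrained Language Mode.

function Get-ExclusionVisibility {
    # Native command output is plain text, so this works in any language mode.
    $elevated = [bool]((whoami /groups) -match 'S-1-16-12288')

    $result = [ordered]@{
        User               = (whoami)
        Elevated           = $elevated
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        ExclusionPath      = @()
        ExclusionExtension = @()
        ExclusionProcess   = @()
        Error              = $null
    }

    try {
        $pref = Get-MpPreference -ErrorAction Stop
        # Assumption (what the thread describes for a patched system): from a
        # standard-user session these lists come back empty even when exclusions
        # exist; only an elevated session sees the real entries.
        $result.ExclusionPath      = @($pref.ExclusionPath      | Where-Object { $_ })
        $result.ExclusionExtension = @($pref.ExclusionExtension | Where-Object { $_ })
        $result.ExclusionProcess   = @($pref.ExclusionProcess   | Where-Object { $_ })
    } catch {
        # Under SRP / H_C with PowerShell sponsors blocked you normally never get
        # this far, because the PowerShell host itself is prevented from starting.
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

Get-ExclusionVisibility | Format-List
```

Run it once from a normal prompt and once from an elevated one on the same machine with at least one exclusion configured: the Elevated field flips and the exclusion lists should differ, which is the Windows 10 vs. Windows 11 "difference" the posts attribute to Leo running one test elevated and the other not. Under H_C or SWH with the script restrictions enabled, the interesting result is usually that the host does not launch at all rather than that the query returns nothing.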
> This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights. Ignoring the fact that what is using admin rights is not even malware, but a valid command Windows accepts (which is the concern here).
> But honestly, there are way easier ways to get rid of Windows Defender, and most malware is ready for it, due to it being the default on Windows. Windows Defender will only save you from old and detected malware.
> There are more than enough tests, incl. in our own Malware Hub, that prove that.

Windows Defender has comprehensive protection against zero days, using local and in-the-cloud AI-powered machine learning, reputation-based analysis, behavioral analysis and its patented AMSI, the latter of which almost all third-party antiviruses use to detect malicious scripts. The trick to detecting the newest malware is keeping the Security Intelligence up to date, as Microsoft is pretty quick to uncover new campaigns due to having access to the largest amount of threat telemetry.