In memory fileless malware detection ..... any antimalware software?

Discussion in 'malware problems & news' started by aigle, Sep 10, 2015.

  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    A LUA, even a weak MS default one, can make a big difference with exploits. What I would expect is some information on what sort of account with what sort of privilege was used in the tests. The disabled Windows firewall is certainly not a default setting so I would expect any others to be listed. Doing tests with a disabled firewall and lots of vulnerable applications is a good way to judge AV performance but I would not run any such setup in the real world. So I'm inclined to agree with Peter2150 that this is pretty academic and none of the exploits discussed would succeed in any reasonably secured real world system without a lot of social engineering and sheer luck. Combining even a fairly weak AV like MSE with good ACL practices in a LUA along with SRP and other group policy tweaks will take care of almost all of them. Not to mention having the Windows firewall enabled and an external one on your network.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    By default, any of the products tested would have disabled the WIN 7 firewall upon installation since they have their own firewall.

    Don't know about MSE and Avira Pro but I will look at their test reports and see if the WIN 7 firewall was enabled. No, it wasn't. However, they were testing exploits and firewall use or not would not influence exploit behavior as noted with Avira Pro's test score of 98%.
     
    Last edited: Oct 21, 2015
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Came across a major U.S. university's recommendation on exploit mitigations. Of note is none of them are security software related and only require minor browser and e-mail client setting adjustments. I have also inserted my own comments.

    How exploits are distributed

    The most common method used by attackers to distribute exploits is through webpages, but exploits may also arrive by email.

    When you visit a website with malicious code while using vulnerable software, the exploit may be loaded. It’s important to note that some legitimate websites might unknowingly and unwillingly host malicious code in their advertising. This means that if you visit a site that is hosting these malicious ads an attempt to compromise your PC will be made.

    How exploit attacks work with other malware

    Often, an exploit detection on your PC is just one piece of a much larger attack. Hackers usually use a large number of exploits against different software to gain access to your PC. If your security software detects an exploit in your Java cache, it’s likely that an attempt to compromise your PC has been made. This applies to HTML/JavaScript exploits as well.

    An exploit detection may be triggered by your antivirus software when you visit a website that contains malicious exploit code - even if you are not using the vulnerable software being targeted. This does not mean that you have been compromised. It means that an attempt to compromise your PC has been made.

    The above paragraph notes that unless a vulnerability exists, you really can't be exploited. To effectively test exploit protection, the PC's software must be configured with vulnerable software. So the only thing that can nail us is unknown 0-day bad guys. By applying the below mitigations, you have effectively reduced your attack surface to almost nil.

    Exploit Mitigations

    1. Update your application software. Keep your operating system up to date with all security patches.

    2. Never browse the web with active content on. Turn off JAVA™, Javascript™, Visual Basic™ scripting and ActiveX™ content.

    Uninstall FlashPlayer since you can't use it anyway if you have disabled ActiveX.

    3. Update Java. Remove older versions of Java.

    Don't install Java or uninstall it. Most apps don't require use of it.

    4. Never open e-mail attachments unless the attachment comes directly from someone you know (not forwarded) AND you are certain it is safe.

    Check your attachment settings in your e-mail client to ensure attachments are not automatically opened.

    5. Avoid the use of HTML formatting for e-mail. If you use HTML-formatted e-mail, be sure you have turned off active content in your e-mail client.

    http://security.vpit.txstate.edu/aw..._server/security_tips/exploit_protection.html
     
    Last edited: Oct 22, 2015
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Since interested parties want examples of live exploits, here is one that Eset's network based web filter caught recently. Note that Eset is one of the few AVs whose web filter is directly linked to its real-time AV scanner. This puppy was caught by signature detection at the network level. So no further mitigation activity was required.

    10/18/2015 6:49:12 PM HTTP filter file http://winhow.org/wp-content/themes...&ujmbg=Dcom Errors Ie 11 On Windows 7 Reviews JS/Kryptik.AWN trojan connection terminated - quarantined. Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

    A bit of background. This site is shown to be rated by ZScaler Zulu URL scanner as benign although a comment was posted that previous malware had been detected. Sucuri rates it low risk. Site is not listed in Emsisoft's AM web site blacklist.

    The attack was a URL redirect to an exploit to perform click fraud. Here is a MalwareBytes overview on the malware: https://forums.malwarebytes.org/ind...removal-instructions-for-trojanagent-kryptik/. Here are technical details from MBAM on the exploit: https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/.

    Appears what Eset caught is a new variant since the sig was created in 7/2015.

    So you now have a site to test your anti-exploit protection.

    -EDIT-

    Beware of Wordpress sites using Striker themes!

    2 possible reasons:
    1) Bad/infected "free" theme with encrypted php code in footer
    2) Scrupulous plugin that injects trojans/malware on the client's side.

    Solution: Fix your site by replacing "free" themes with "premium" from reputable sites, as well as the plugins too.

    http://www.blackhatworld.com/blackh...ascript-kryptik-rw-trojan-wordpress-site.html
     
    Last edited: Oct 23, 2015
  5. root_access

    root_access Registered Member

    Joined:
    Nov 26, 2015
    Posts:
    13
    @itman
    Thanks for all the replies on the thread, nice read ..
    If you had to sum up in a single post the ways to avoid Poweliks/PowerShell-based attacks, including reflective injection, what would you write? I've got some time on my hands currently and I'd like to try that setup and check its efficiency :)
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    For Poweliks, I use the following HIPS rule to block the registry changes it makes:

    Source applications:
    C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\System32\dllhost.exe

    Target registry:
    HKEY_CLASSES_ROOT\CLSID\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*
    HKEY_CURRENT_USER\Software\Classes\CLSID\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\*

    I also have a separate HIPS rule to block any process modification, event interception, and global hooking into those dllhost.exe's.

    For Powershell, I am monitoring any start-up of it with a HIPS rule. I also separately monitor cmd.exe and cs/js/wscript.exe usage in another HIPS rule. I also monitor critical system processes for any process modification, event interception, and global hooking.

    Finally, I monitor any process startups in %AppData% and %Temp% directories.
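The rules in the post above, expressed as a small rule evaluator and run over a handful of constructed events. This is an added example, not itman's rules as configured in Eset or any product's code: the Event/Rule shapes, the full paths assumed for powershell.exe, cmd.exe, cscript.exe and wscript.exe (the post's "cs/js/wscript.exe"), the %AppData%/%Temp% values and the placeholder CLSID are all assumptions for the demo. The dllhost rule is "block" and the rest are "ask", matching the split the post describes.

```python
# Added example (not itman's or Eset's code): a HIPS-style rule evaluator
# that applies the rules described in the post to constructed events.
import fnmatch
import re
from dataclasses import dataclass

# Constructed environment values standing in for %AppData% and %Temp%.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


@dataclass
class Event:
    kind: str      # "registry_write" or "process_start"
    source: str    # image path of the acting (parent) process
    target: str    # registry key written, or image path being started


@dataclass
class Rule:
    name: str
    kind: str
    sources: list
    targets: list
    action: str    # "block" or "ask"


def expand(path: str) -> str:
    """Replace %Var% tokens with the constructed ENV values (name is case-insensitive)."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def matches(pattern: str, value: str) -> bool:
    """Wildcard match where '*' spans path separators; Windows paths compare case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), expand(pattern).lower())


RULES = [
    # The post's rule: dllhost.exe (either bitness) writing under CLSID keys is blocked outright.
    Rule("dllhost CLSID write", "registry_write",
         sources=[r"C:\Windows\SysWOW64\dllhost.exe", r"C:\Windows\System32\dllhost.exe"],
         targets=[r"HKEY_CLASSES_ROOT\CLSID\*",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*",
                  r"HKEY_CURRENT_USER\Software\Classes\CLSID\*",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\*"],
         action="block"),
    # Script hosts are "ask" rules: any process starting one prompts the user (paths assumed).
    Rule("script host start", "process_start", sources=["*"],
         targets=[r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\cscript.exe",
                  r"C:\Windows\System32\wscript.exe"],
         action="ask"),
    # Anything launched from the user-writable %AppData% or %Temp% trees prompts too.
    Rule("start from user-writable dir", "process_start", sources=["*"],
         targets=[r"%AppData%\*", r"%Temp%\*"], action="ask"),
]


def evaluate(event: Event, rules=RULES):
    """Return (action, rule_name) for the first matching rule, or ("allow", None)."""
    for rule in rules:
        if rule.kind != event.kind:
            continue
        if any(matches(p, event.source) for p in rule.sources) and \
           any(matches(p, event.target) for p in rule.targets):
            return rule.action, rule.name
    return "allow", None


# Constructed events; the CLSID below is a made-up placeholder, not a real IoC.
EVENTS = [
    Event("registry_write", r"C:\Windows\SysWOW64\dllhost.exe",
          r"HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\LocalServer32"),
    Event("registry_write", r"C:\Windows\System32\regsvr32.exe",
          r"HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32"),
    Event("process_start", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process_start", r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
          r"C:\Users\alice\AppData\Local\Temp\invoice_scan.exe"),
    Event("process_start", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]


def evaluate_all(events=EVENTS):
    """Actions for the constructed events, in order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for ev in EVENTS:
        action, name = evaluate(ev)
        print(f"{action:5s} {name or '-':30s} {ev.source} -> {ev.target}")
```

The second event shows why the block rule is usable without constant prompting: the same CLSID write by regsvr32.exe falls through to "allow" because the rule is scoped to dllhost.exe as the source, which is the point itman makes further down the thread.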
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The link you posted appears to be a working exploit. Wilders does not permit posting direct sources to Malware. Thanks for the link though! Maybe pm it next time lol
    edited 11/26 @11:26 pm
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The exploit was blocked by Malwarebytes using its Application Behavior Module using default settings.
     
  9. root_access

    root_access Registered Member

    Joined:
    Nov 26, 2015
    Posts:
    13
    Amazing thank you. I'll get the set up and try it out :)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What browser were you using?

    The problem is that there is no way to know if modifications to these areas are malicious or not, that's why it's useless to me.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Note the rule is for dllhost.exe. If the mod. is being done by it, it is malicious. Note: there are only a few things I block outright. Most of my HIPS rules are "ask" which will require user interaction.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see, that is clever indeed, so the HIPS will stay quiet for all other apps? Sounds like a handy feature, not all HIPS offer this.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    What HIPS do you use? Which one recommended for Win8.1 x64? Can SOB (Smart Object Blocker) handle that with ease?
    Thanks in advance.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I use the HIPS in Eset NOD32/Smart Security. I would stay away from the latest ver. 9 for the time being; way too many bugs in it.

    You can get the ver. 8 installers for your x86/x64 OS here: http://support.eset.com/kb2885/
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Good! Thank you!
    Hope it has the ability to disable real-time protection (I don't like it nor need it) and the HIPS component is not so invasive or might cause lag.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You can but I wouldn't recommend it. Eset (taskbar icon) will also show you're not fully protected. I use Eset Smart Security together with Emsisoft Anti-malware with no lag whatsoever except for a slight 10 - 20 sec delay at boot time. I have many custom HIPS rules and they have zip impact on performance.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Ok, noted. Many thanks.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    He is using regsvr32.exe to execute the scripts. Nothing new there, as it has been employed previously using .scr files. Additionally, it requires admin privileges on the local PC.

    As I mentioned previously, the only way to 100% lock down PowerShell is to set it to "NoLanguage" mode. Additionally, the InstallUtil.exe bypass of AppLocker is known.

    Also, you should have HIPS rules to monitor mshta.exe use.

    Here's another one:
    Ref.: http://subt0x10.blogspot.com/2016/09/bypassing-application-whitelisting.html
    Windows has more "holes" in it than Swiss cheese.
     
    Last edited: Feb 21, 2017
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, most of these bypasses involve the use of system tools, so it's probably best to monitor child process launch of all system tools inside C:\Windows, at least if the parent process isn't another system tool.
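The rule Rasheed187 states above, run over a constructed process-creation log, and next to it an ancestry-aware variant that goes one step beyond the post: instead of looking only at the direct parent, it walks the whole parent chain, so a system tool launched by another system tool that was itself launched by an application is still flagged. This is an added example, not code from the thread or from any HIPS product; the log line format, the pids and the image paths are all made up for the demo.

```python
# Added example (not from the thread or any product): direct-parent rule
# versus ancestry-aware rule for "application launches a system tool".
import re

SYSTEM_ROOT = "c:\\windows\\"   # the post's "system tools inside C:\Windows"

# Constructed records: pid, parent pid and image of each created process.
SAMPLE_LOG = r"""
pid=4   ppid=0   image=C:\Windows\System32\services.exe
pid=812 ppid=4   image=C:\Windows\explorer.exe
pid=900 ppid=812 image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
pid=950 ppid=900 image=C:\Windows\System32\cmd.exe
pid=960 ppid=950 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
pid=970 ppid=812 image=C:\Windows\System32\notepad.exe
"""

LINE_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(.+)$")


def parse_log(text: str) -> dict:
    """Return {pid: (ppid, image)} for every well-formed line; other lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).strip())
    return procs


def is_system_tool(image: str) -> bool:
    """A 'system tool' here is any image under C:\Windows, as the post defines it."""
    return image.lower().startswith(SYSTEM_ROOT)


def naive_alerts(procs: dict) -> list:
    """The rule as stated: system-tool child whose direct parent is not a system tool."""
    hits = []
    for pid, (ppid, image) in procs.items():
        if not is_system_tool(image):
            continue
        parent = procs.get(ppid)
        if parent is not None and not is_system_tool(parent[1]):
            hits.append(pid)
    return sorted(hits)


def ancestors(procs: dict, pid: int):
    """Yield (pid, image) up the parent chain; stops at unknown pids or cycles."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield ppid, procs[ppid][1]
        ppid = procs[ppid][0]


def ancestry_alerts(procs: dict) -> list:
    """Same rule, but the taint propagates: any non-system ancestor marks the chain."""
    hits = []
    for pid, (ppid, image) in procs.items():
        if is_system_tool(image) and any(
                not is_system_tool(img) for _, img in ancestors(procs, pid)):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    procs = parse_log(SAMPLE_LOG)
    print("direct-parent rule :", naive_alerts(procs))     # cmd.exe under WINWORD
    print("ancestry-aware rule:", ancestry_alerts(procs))  # plus powershell.exe under that cmd.exe
```

On the sample tree the direct-parent rule fires once, for cmd.exe started by WINWORD.EXE, and then goes quiet: the powershell.exe that cmd.exe starts next has a system tool as its parent. The ancestry-aware variant flags both, at the cost of needing the parent chain kept in memory, which is the trade-off to weigh when writing this kind of HIPS rule.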
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If I recall correctly, Windows 10 Creators Update has some additional process mitigations specifically for parent process to child process creation and having the ability to have control over spawning of child processes.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What does this look like, will you get alerts about child process launch? But yes, most apps have got absolutely no business trying to launch system tools, so if they do, there is a big chance something fishy is going on.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Rasheed187 Have a look at the following document from one of the main sandbox gurus for Chromium:
    Link: https://www.troopers.de/media/filer_public/f6/07/f6076037-85e0-42b7-9a51-507986edafce/the_joy_of_sandbox_mitigations_export.pdf

    Go down to page 55 or simply search for "PROCESS_CREATION_CHILD_PROCESS" or "ChildProcess". There are some good explanations but also visual representations / diagrams to show how it works.

    I don't think that the user would get any kind of alerts, although I could be wrong on that. It just defines the process in a way that denies any kind of child process launch. There are at least a dozen new process mitigations added in the various Windows 10 major platform updates and more coming with Creators Update as well with Strict CFG and hopefully RFG as well. Chromium is already planning to take advantage of many of these built-in OS process mitigations and any other software developers can do the same with their programs. A lot of these mitigations are specific to Windows 10 though. I don't think that Microsoft gets nearly enough credit lately with regard to lowering attack surface.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Personally, I believe Microsoft's attention would be better directed at for example, running all Level 1 processes within AppContainer - especially their own; beefing up service creation protection and related registry modification activities; and the like.
     