I also imagine that CyberArk was not very surprised by Microsoft's response to this recent POC. They got an almost identical response to their earlier publication, GhostHook – Bypassing PatchGuard with Processor Trace Based Hooking: https://www.cyberark.com/threat-res...ing-patchguard-processor-trace-based-hooking/
Microsoft's official response: https://threatpost.com/windows-defender-bypass-tricks-os-into-running-malicious-code/128179/ Where have I heard this "spiel" before?
The usual forum drama. As mentioned in the Microsoft statement that Threatpost published yesterday, a user would have to suddenly start doing a series of actions that nobody normally does before this "terrifying issue" even becomes an issue. To repeat the already quoted statement from Microsoft:

Not exactly a mystery why this wasn't considered earth-shattering. It's more like a behavior that can be altered and included in one of the regular update intervals. And since some suffer from selective reading, allow me to quote again from the article. This time a statement from CyberArk:

Now, since none of the other AV vendors has started running around with their arms above their heads screaming that the sky is falling after CyberArk approached them, apparently they agree that this really isn't the issue it's made out to be. Both quotes are from: https://threatpost.com/windows-defender-bypass-tricks-os-into-running-malicious-code/128179/
The problem with these "limited practical applicability" bypasses, as Microsoft states, is that they eventually end up being used by malware developers. A case in point is Casey Smith's "Squiblydoo" regsvr32 bypass given here: http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html . It was published over a year and a half ago. It also requires admin access to implement. If you follow malware postings on Wilders, it is being employed with ever increasing frequency in recent malware attacks. At least Casey Smith doesn't waste his time by first informing Microsoft, since he knows the reply he will receive. The difference between the major security vendors and Microsoft is that the security vendors take these bypasses seriously and do not "diss" them outright. I would have thought by now people would realize that Microsoft's approach to security issues is to employ the old "talk is cheap" strategy. After all, a quick public rebuttal, followed up by a blog post, costs them very little.
You know I'm not one to defend Microsoft arbitrarily, but in this instance, if this threat requires that the user has already installed system-modifying malware, then it was already game over when they did that. Isn't it like installing an FTP server and then calling it a threat because Windows Defender didn't notice people downloading all my files?
My advice to CyberArk is to look into the CIA's Pandemic exploit that employed a similar technique: https://arstechnica.com/information...-implant-turns-servers-into-malware-carriers/
There has been some fixation on the "custom SMB server" reference by CyberArk to dismiss this attack as unlikely. So let's clarify that: https://latesthackingnews.com/2017/...led-illusion-gap-can-bypass-windows-defender/ As far as how to create a hacked shortcut: https://attack.mitre.org/wiki/Technique/T1023 A dropper facsimile of code that would be executed via shortcut is given in the CyberArk article: https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass-part-1/ -EDIT- The mitigation for this is to use a security solution with an IDS and block remote SMB access to admin shares.
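The SMB-blocking part of the mitigation in the post above, written out as Windows Firewall rules. This is an added example, not code from the thread or from CyberArk. It assumes a Windows 10 / Server 2016 or later host with the NetSecurity PowerShell module and an elevated prompt, and it uses the firewall's built-in "Internet" address keyword, which depends on Network Location Awareness classifying the remote address. Besides the inbound rule the poster describes (remote access to admin shares rides on SMB), it also adds an outbound rule, because in the Illusion Gap scenario the victim machine is the one connecting out to the attacker's SMB server, so the inbound rule alone does not cover that path. The registry value that turns off the automatic admin shares is an extra belt-and-braces step, not something the post itself recommends.

```powershell
#Requires -RunAsAdministrator
# Added example: firewall rules for the SMB mitigation discussed in the thread.
# Assumptions: NetSecurity module present (Windows 10 / Server 2016+), run elevated.

# 1. Inbound: remote admin-share access (\\host\C$, \\host\ADMIN$) goes over SMB on
#    TCP 445 (and legacy NetBIOS session on TCP 139). Block it from the Internet.
#    On a managed workstation that must stay reachable from specific management
#    subnets, replace -RemoteAddress Internet with "Any" and add an authenticated
#    bypass rule for those subnets instead; plain Allow rules do not override Block.
New-NetFirewallRule -DisplayName "Block inbound SMB from Internet" `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 `
    -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null

# 2. Outbound: the Illusion Gap scenario has the victim fetch the executable from an
#    attacker-controlled SMB server, so the outbound direction matters more here.
#    Internal file servers on the local subnet / intranet are not affected by this rule.
New-NetFirewallRule -DisplayName "Block outbound SMB to Internet" `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null

# 3. Optional (my addition, not from the post): stop the Server service from creating
#    the C$ / ADMIN$ shares at all. AutoShareWks is the workstation value; servers use
#    AutoShareServer. Takes effect after the LanmanServer service restarts.
$lanman = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord

# 4. Verify the rules exist and carry the expected port filters.
Get-NetFirewallRule -DisplayName "Block * SMB *" |
    ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addr  = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            LocalPort  = ($ports.LocalPort  -join ",")
            RemotePort = ($ports.RemotePort -join ",")
            Remote     = ($addr.RemoteAddress -join ",")
        }
    } | Format-Table -AutoSize
```

If the host already has the Microsoft "File and Printer Sharing (SMB-In)" rule enabled, the Block rule above still wins, since Windows Firewall evaluates Block rules before Allow rules. Whether "Internet" matches a given peer depends on how the network profile was classified, so on a laptop that roams between profiles it is worth checking the verification output on each network rather than trusting the keyword blindly.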