Combining YETI, an open-source threat intelligence project, with Elastic Stack is a great way to simplify and enhance the work performed by researchers and threat hunters.
Read More
L0rdix, currently available for purchase in underground forums, is aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, can avoid malware analysis tools and is designed to be a universal "go-to" tool for attackers. Indicators suggest the tool is still under development and we expect to encounter more
Read More
An active and stealthy cryptocurrency mining and ransomware campaign infecting targets in Spain and France which leverages multiple bypass techniques to evade detection by traditional AV.
cybersecurity, Windows, enSilo Breaking Malware, meltdown, KPTI, PatchGuard
The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.
cybersecurity, enSilo Breaking Malware
On August 8th, at the BSides Conference in Las Vegas, we unveiled a new exploitation technique against the Microsoft Windows operating system. It's a general technique to leverage with kernel vulnerabilities and make privilege escalation easier.
Windows, documentation, enSilo Breaking Malware
TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime. And the fix for it isn’t as foolproof as you would’ve hoped.
Windows, documentation, enSilo Breaking Malware
TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime.
Vulnerabilities, Windows, code injection, elevation, command injection, UAC, variables, enSilo Breaking Malware
Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. This code leverages a rather unusual scenario within Windows OS.
This is a continuation of our research as described in a previous post: Elastic Boundaries – Elevating
Windows, Injection Techniques, code injection, AtomBombing, CFG, Control Flow Guard, enSilo Breaking Malware
TL;DR: We show AtomBombing modifications to enable us to inject code into CFG-protected processes.
Tags
- enSilo Corporate and Product (202)
- Weekly Security News (96)
- Windows (50)
- Malware (42)
- cybersecurity (31)
- enSilo Breaking Malware (24)
- Industry (23)
- Research (22)
- Business (14)
- Ransomware (13)
- code injection (9)
- Vulnerabilities (7)
- AtomBombing (6)
- WannaCry (6)
- POS malware (5)
- RAT (5)
- NSA (4)
- exploit (4)
- APT (3)
- Endpoint Protection (3)
- Mac OS X (3)
- Moker (3)
- NotPetya (3)
- Process Doppelganging (3)
- UAC (3)
- Web Malware (3)
- documentation (3)
- hooking (3)
- vulnerability (3)
- Android (2)
- ArdBot (2)
- CFG (2)
- Control Flow Guard (2)
- Emotet Botnet (2)
- Fileless Malware (2)
- Furtim (2)
- Gartner (2)
- GlobeImposter (2)
- Injection Techniques (2)
- Windows XP (2)
- av (2)
- elevation (2)
- meltdown (2)
- tools (2)
- APC (1)
- Bad Rabbit (1)
- CVS (1)
- CryFile (1)
- Detours (1)
- ESTEEMAUDIT (1)
- Equifax (1)
- FindADetour (1)
- GOZI (1)
- HIPAA (1)
- Hancitor (1)
- KPTI (1)
- Linux (1)
- Lockerpin.A (1)
- MSSP (1)
- ModPOS (1)
- NtSetInformationVirtualMemory (1)
- PCI DSS (1)
- Patch (1)
- PatchGuard (1)
- SCADA (1)
- Scarab (1)
- Unix (1)
- Verizon (1)
- Windows 10 (1)
- anti-virus (1)
- avulnerabilitychecker (1)
- bypass UAC (1)
- command injection (1)
- environment variable (1)
- excel-scriptlet (1)
- hospitality (1)
- media (1)
- path redirect (1)
- spectre (1)
- variable expansion (1)
- variables (1)
Subscribe
Subscribe to enSilo's Blog
and Stay on Top of the
Latest Security Research
and Industry News