Blog | enSilo | enSilo Breaking Malware

GlobeImposter Ransomware

by Alon Hadar on January 16, 2018 -

enSilo Breaking Malware , Ransomware , GlobeImposter

GlobeImposter Ransomware

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)

by Omri Misgav, Security Researcher, enSilo on September 11, 2017 -

Windows , documentation , enSilo Breaking Malware

TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime. And the fix for it...

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1)

by Omri Misgav, Security Researcher, enSilo on September 05, 2017 -

Windows , documentation , enSilo Breaking Malware

TL;DR: Security vendors and kernel developers beware – a programming error in the Windows kernel could prevent you from identifying which modules have been loaded at runtime.

Command Injection/Elevation – Environment Variables Revisited

by Yotam Gottesman, Security Researcher, enSilo on November 24, 2016 -

Vulnerabilities , Windows , code injection , elevation , command injection , UAC , variables , enSilo Breaking Malware

Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. This code...

AtomBombing CFG-Protected Processes

by Tal Liberman, Security Research Team Leader, enSilo on November 14, 2016 -

Windows , Injection Techniques , code injection , AtomBombing , CFG , Control Flow Guard , enSilo Breaking Malware

TL;DR: We show AtomBombing modifications to enable us to inject code into CFG-protected processes.

AtomBombing: Brand New Code Injection for Windows

by Tal Liberman, Security Research Team Leader, enSilo on October 27, 2016 -

Research , Windows , Injection Techniques , Malware , code injection , AtomBombing , APC , enSilo Breaking Malware

TL;DR Here’s a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security...

Elastic Boundaries – Elevating privileges by environment variables expansion

by Yotam Gottesman, Security Researcher, enSilo on August 18, 2016 -

Vulnerabilities , Windows , code injection , bypass UAC , elevation , environment variable , path redirect , UAC , variable expansion , enSilo Breaking Malware

Even though any process is provided with variables from its environment, they are often overlooked by users, developers and sometimes even the OS itself.

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

by Udi Yavo, CTO, enSilo on July 19, 2016 -

av , Vulnerabilities , Windows , code injection , vulnerability , Detours , hooking , enSilo Breaking Malware

TL;DR: We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques. These issues were found in more than 15 different products....

Documenting the Undocumented: Adding CFG Exceptions

by Tal Liberman, Security Research Team Leader, enSilo on June 21, 2016 -

Windows , documentation , CFG , Control Flow Guard , NtSetInformationVirtualMemory , enSilo Breaking Malware

TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents the abuse of indirect calls from calling addresses that are not marked as safe. CFG can cause problems for anyone...

Analyzing Furtim: Malware that Avoids Mass-Infection

by Yotam Gottesman, Security Researcher, enSilo on May 16, 2016 -

Windows , Malware , Furtim , enSilo Breaking Malware

Overview

Recently we came across a new malware strain, first discovered by @hFireF0X, and at point of discovery, it was not detected by any of the 56 anti-virus programs tested by VirusTotal...

ENSILO BLOG

You are Reading:

GlobeImposter Ransomware

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1)

Command Injection/Elevation – Environment Variables Revisited

AtomBombing CFG-Protected Processes

AtomBombing: Brand New Code Injection for Windows

Elastic Boundaries – Elevating privileges by environment variables expansion

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

Documenting the Undocumented: Adding CFG Exceptions

Analyzing Furtim: Malware that Avoids Mass-Infection

Overview

CATEGORIES

FEATURED ARTICLES

5 WAYS TO TACKLE RANSOMWARE ATTACKS

Customers Say It Best - Managed Security Service Provider

enSilo Protects: Point of Sale (POS)

ensilo blocks SYNACK RANSOMWARE

Ctrl-Inject

FOLLOW US

WHY ENSILO

PRODUCT

RESOURCES

PARTNERS

ABOUT

CONTACT US

SCHEDULE A DEMO TODAY!

ENSILO BLOG

You are Reading:

GlobeImposter Ransomware

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)

Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1)

Command Injection/Elevation – Environment Variables Revisited

AtomBombing CFG-Protected Processes

AtomBombing: Brand New Code Injection for Windows

Elastic Boundaries – Elevating privileges by environment variables expansion

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

Documenting the Undocumented: Adding CFG Exceptions

Analyzing Furtim: Malware that Avoids Mass-Infection

Overview

SUBSCRIBE

SANS Review

CATEGORIES

FEATURED ARTICLES

FOLLOW US

tag cloud

PRE AND POST INFECTION ENDPOINT SECURITY

CONNECT WITH US

CONTACT US