Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 12/07/17 in all areas

  1. A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools. Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader. Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London. Process Doppelgänging Works on All Windows Versions Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10. Tal Liberman, the head of the research team at enSilo, told The Hacker New that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products. In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running. Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore. On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows. Here's How the Process Doppelgänging Attack Works: Before going further on how this new code injection attack works, you need to understand what Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions. NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically. NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely. According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below: Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file. Load—create a memory section from the modified (malicious) file. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs." Process Doppelgänging Evades Detection from Most Antiviruses Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advance forensic tools. In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection. When the researchers ran Mimikatz generally on a Windows operating system, Symantec antivirus solution caught the tool immediately, as shown below: However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article. Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year. But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers. Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10. I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks. This is not the very first time when enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated AtomBombing technique which also abused a designing weakness in Windows OS. In September, enSilo researchers also disclosed a 17-year-old programming error in Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory. Via thehackernews.com
    1 point
  2. https://cryptonotestarter.org/inner.html @Zatarra, ca brand owner si representative, te bagi sa facem PulencurCoin?
    1 point
  3. Eu am primit, si m-am logat cu fb. P.S. maine imi dau demisia si astept sa ajung milionar ************** 50 UTN Buy more tokens via icobacker By clicking the button above you are accepting Terms & conditions Share to get more UTN
    1 point
  4. Vorbesti cu vanzatorul sa ti le trimita prin DHL daca vrei rapid si direct acasa. Daca vrei ieftin si la posta vamala alegi varianta free shipping.
    1 point
  5. Dagon - Advanced Hash Manipulation Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more. Note: Dagon comes complete with a Hash Guarantee: I personally guarantee that Dagon will be able to crack your hash successfully. At any point Dagon fails to do so, you will be given a choice to automatically create a Github issue with your hash. Once this issue is created, I will try my best to crack your hash for you. The Github issue is completely anonymous, and no questions will be asked. This is my way of thanking you for using Dagon. There are alternatives to using the automatic issue creator. If you do not want your hash publicly displayed, and feel Dagon has failed you, feel free to create your own issue. Or send an email with the hash information to dagonhashguarantee@gmail.com Screenshots Bruteforcing made easy with a built in wordlist creator if you do not specify one. The wordlist will create 100,000 strings to use Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet) Random salting, unicode random salting, or you can make your own choice on the salt. Demo video Download Preferable you can close the repository with git clone https://github.com/ekultek/dagon.git alternatively you can download the zip or tarball here Basic usage For full functionality of Dagon please reference the homepage here or the user manual python dagon.py -h This will run the help menu and provide a list of all possible flags python dagon.py -c <HASH> --bruteforce This will attempt to bruteforce a given hash python dagon.py -l <FILE-PATH> --bruteforce This will attempt to bruteforce a given file full of hashes (one per line) python dagon.py -v <HASH> This will try to verify the algorithm used to create the hash python dagon.py -V <FILE-PATH> This will attempt to verify each hash in a file, one per line Installation Dagon requires python version 2.7.x to run successfully. git clone https://github.com/ekultek/dagon.git cd Dagon pip install -r requirements.txt This should install all the dependencies that you will need to run Dagon Contributions All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following: Hashing algorithm creations, specifically; A quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile More wordlists to download from, please make sure that the link is encoded Rainbow table attack implementation More regular expressions to verify different hash types Source: https://github.com/Ekultek/dagon
    1 point
  6. Ori 100 ori pana la 100. Pana la 100 e ca vitezele garantate la net, poate sa fie si 1 EUR.
    1 point
  7. Acceptam tot felul de dubiosi pe forum si vorbim urat unui om caruia nu-i ajung banii de mancare si chirie in saracia de tara. Toti care ati postat rahaturi aici o sa va alegeti cu ban. Aveti timp sa va editati posturile si sa stergeti infectia scrisa. Sa va fie rusine.
    1 point
×
×
  • Create New...