basja.blogg.se

Sysinternals suite process explorer

The Deceptive Bytes team decided to check whether this occurs only with Process Explorer or whether it is widespread and other tools in the SysInternals suite are susceptible as well. The team used Dependency Walker (also by Microsoft) to find all the DLLs imported by the SysInternals suite and then tested some of the more common tools; here are some examples:

Of course, cryptbase.dll is just an example and not the only one, as many DLLs imported by SysInternals tools can be weaponized, and since SysInternals tools are signed by Microsoft, these attacks can easily bypass existing security tools and go undetected.

Microsoft provided the following response after a month:

"Thank you again for your submission to MSRC. Our engineers have investigated the report and we have informed the appropriate team about the issues you reported. However, this case does not meet the bar for servicing by MSRC and we will be closing this case. Our product group will address the issue as needed. Please continue your vulnerability research and help us protect our customers. Also, check out the Microsoft Bounty Program for your future research: Thank you, and we look forward to more submissions from you in the future!"

While the previous suggestions we provided were meant for developers, the current vulnerabilities cannot be closed or prevented directly, as Microsoft is responsible for closing the vulnerability, which could take a while, if at all. Ironically, according to Microsoft's DLL security documentation, you can use SysInternals' Process Monitor to check whether related events occurred, and you can also use existing security tools like EDR/XDR to search for inconsistent executions related to SysInternals tools.

One of the biggest problems for systems administrators is that they are constantly firefighting, solving problems that need an immediate response, and therefore dedicating less time to more important tasks like improving their IT infrastructure. To prevent such attacks, it's recommended that you use Active Endpoint Deception, which both creates an unattractive environment for attackers, deterring them from executing in the first place, and also detects such deceitful behaviors by malware before the malicious payload executes.
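The Process Monitor check mentioned above, as an added defender-side example that is not from the Deceptive Bytes article or from Microsoft: it reads a Procmon CSV export and flags a DLL (such as cryptbase.dll) that one process image-loads from a non-system directory while the same file name is served from a Windows system directory elsewhere in the capture. The column names follow a default Procmon CSV export (an assumption), and the sample rows are constructed.

```python
"""Hunt for DLL search-order hijacking in a Process Monitor CSV export.
Flag 'Load Image' events where a DLL name that this capture also shows being
served from a Windows system directory is instead loaded from elsewhere, e.g.
a cryptbase.dll placed next to procexp64.exe. Column names assume a default
Procmon CSV export; the sample below is constructed, not a real capture."""
import csv
import io
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Constructed sample: procexp64.exe picks up cryptbase.dll from its own
# folder, while notepad.exe gets the genuine copy from System32.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","procexp64.exe","4120","Load Image","C:\\Tools\\procexp64.exe","SUCCESS","Image Base: 0x7ff6a0000000"
"10:01:02.1300000 AM","procexp64.exe","4120","Load Image","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Image Base: 0x7ffb00000000"
"10:01:02.1400000 AM","procexp64.exe","4120","Load Image","C:\\Tools\\cryptbase.dll","SUCCESS","Image Base: 0x7ffaf0000000"
"10:01:02.1500000 AM","procexp64.exe","4120","CreateFile","C:\\Tools\\cryptbase.dll","SUCCESS","Desired Access: Read"
"10:01:03.0000000 AM","notepad.exe","5000","Load Image","C:\\Windows\\System32\\cryptbase.dll","SUCCESS","Image Base: 0x7ffaf1000000"
"10:01:03.1000000 AM","notepad.exe","5000","Load Image","C:\\Tools\\vendorhelper.dll","SUCCESS","Image Base: 0x7ffaf2000000"
'''


def dll_loads(csv_text):
    """Yield (process, pid, path) for every successful DLL image load."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["Operation"] == "Load Image" and row["Result"] == "SUCCESS"
                and row["Path"].lower().endswith(".dll")):
            yield row["Process Name"], row["PID"], row["Path"]


def in_system_dir(path):
    """True when the file sits under one of the Windows system directories."""
    return (ntpath.dirname(path).lower() + "\\").startswith(SYSTEM_DIRS)


def suspicious_dll_loads(csv_text):
    """Non-system loads of a DLL name that the capture also serves from a
    system directory; vendor DLLs with no system twin are left alone."""
    loads = list(dll_loads(csv_text))
    system_names = {ntpath.basename(p).lower() for _, _, p in loads
                    if in_system_dir(p)}
    return [(proc, pid, p) for proc, pid, p in loads
            if not in_system_dir(p) and ntpath.basename(p).lower() in system_names]


if __name__ == "__main__":
    for proc, pid, path in suspicious_dll_loads(SAMPLE_CSV):
        print(f"{proc} (PID {pid}) loaded {path} outside a system directory")
```

Point the script at a CSV saved from Process Monitor with a "Load Image" filter to run it on a real capture; a hit on a Microsoft-signed SysInternals binary is what the article describes.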