Hjem » Nyheder » Microsoft offentliggjorde listen over farlige legitime applikationer

Microsoft offentliggjorde listen over farlige legitime applikationer

Microsoft komponeret og udgivet en liste over lovlige programmer, der kan bruges af angribere til at omgå Windows Defender sikkerhedsregler.

Corporation notifies that attackers can penetrate organization’s network by using this legitimate programs. Microsoft refers to a special method that use cybercriminals – Living off. Living off suggests exploitation of OS functions or legitimate administrating tools in compromising corporate network.

Due to application of quite harmless tools attackers can often avoid detection by different antivirus decisions.

Hence Microsoft recommends creation of special rule that blocks certain legitimate applications.

“Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications”, — advice in Microsoft

List of applications:

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

[1] — A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here BGInfo 4.22. Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.

[2] — If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. Imidlertid, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.

“These applications and files can be used by attackers for bypassing of protective measures, for eksempel, rule white applications list. I særdeleshed, attackers can bypass Windows Defender Application Control protection», — warns Microsoft.

Kilde: https://docs.microsoft.com

LÆS  Millioner af unpatched Exim mailservere er nu under aktiv angreb
[i alt: 0    Gennemsnit: 0/5]

Om Trojan Killer

Carry Trojan Killer Portable på din memory stick. Vær sikker på, at du er i stand til at hjælpe din pc modstå eventuelle cyber trusler, hvor du går.

Tjek også

Android 0-dages Sårbarhed

Endnu 0-dages sårbarhed opdaget i Android

Deltagere i initiativet Google projekt Zero Day (TÆNK) published details of a 0-day vulnerability

Android dyrere end iOS

Zerodium først bedømt exploits til Android dyrere end til iOS

Den velkendte sårbarhed mægler, Zerodium, har opdateret sin prisliste, og nu for første …

Skriv et svar