Hjem » Nyheder » Microsoft offentliggjorde listen over farlige legitime applikationer

Microsoft offentliggjorde listen over farlige legitime applikationer

Microsoft komponeret og udgivet en liste over lovlige programmer, der kan bruges af angribere til at omgå Windows Defender sikkerhedsregler.

Corporation notifies that attackers can penetrate organization’s network by using this legitimate programs. Microsoft refers to a special method that use cybercriminals – Living off. Living off suggests exploitation of OS functions or legitimate administrating tools in compromising corporate network.

Due to application of quite harmless tools attackers can often avoid detection by different antivirus decisions.

Hence Microsoft recommends creation of special rule that blocks certain legitimate applications.

“Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications”, — advice in Microsoft

List of applications:

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

[1] — A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here BGInfo 4.22. Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.

[2] — If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. Imidlertid, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.

“These applications and files can be used by attackers for bypassing of protective measures, for eksempel, rule white applications list. I særdeleshed, attackers can bypass Windows Defender Application Control protection», — warns Microsoft.

Kilde: https://docs.microsoft.com

LÆS  I Atlassian Confluence Server er fundet sårbarhed hvorigennem ubudne gæster kan uploade malware-programmer
[i alt: 0    Gennemsnit: 0/5]

Om Trojan Killer

Carry Trojan Killer Portable på din memory stick. Vær sikker på, at du er i stand til at hjælpe din pc modstå eventuelle cyber trusler, hvor du går.

Tjek også

Oracle WebLogic sårbarhed

Oracle har frigivet et presserende patch til at fjerne kritiske sårbarheder i WebLogic Server

The company said that an unknown group of cybercriminals in real attacks is already actively

Sårbarheder i MMC tillader at tage kontrol over systemet

Microsoft Management Console (MMC), bruges af systemadministratorer til at konfigurere og spore systemets ydeevne, …

Skriv et svar