itman 1,746 Posted October 30, 2018 Share Posted October 30, 2018 I just noticed that the HIPS can now monitor registry key value changes. I know from testing with prior Eset versions, this was not possible although I haven't tested this in some time. So what else is new? Are file name wildcards; i.e. "*", now finally supported in the retail versions? Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted October 31, 2018 Most Valued Members Share Posted October 31, 2018 11 hours ago, itman said: I just noticed that the HIPS can now monitor registry key value changes. I know from testing with prior Eset versions, this was not possible although I haven't tested this in some time. So what else is new? Are file name wildcards; i.e. "*", now finally supported in the retail versions? That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/ ESET doesn't block it or prevent it from doing any changes to the registry Link to comment Share on other sites More sharing options...
itman 1,746 Posted October 31, 2018 Author Share Posted October 31, 2018 2 hours ago, Rami said: That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/ I wasn't referring to any specific registry key bypass. It appears Eset HIPS now has one or more default rules that specifically monitor for select reg. key value creation, modification, or deletion. In previous Eset vers., the HIPS did not have the capability to monitor reg. key values; only changes to reg. keys could be monitored. I found this out when attempting to create rules for the old Comodo Leak Test. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted October 31, 2018 Most Valued Members Share Posted October 31, 2018 51 minutes ago, itman said: I wasn't referring to any specific registry key bypass. It appears Eset HIPS now has one or more default rules that specifically monitor for select reg. key value creation, modification, or deletion. In previous Eset vers., the HIPS did not have the capability to monitor reg. key values; only changes to reg. keys could be monitored. I found this out when attempting to create rules for the old Comodo Leak Test. I see I understand now , I thought it had the capability to detect changes to the registry by programs/scripts. Link to comment Share on other sites More sharing options...
galaxy 11 Posted October 31, 2018 Share Posted October 31, 2018 This innovation was not listed in any change Link to comment Share on other sites More sharing options...
Azure Phoenix 11 Posted October 31, 2018 Share Posted October 31, 2018 6 hours ago, galaxy said: This innovation was not listed in any change That's why the title says 'under the hood' Link to comment Share on other sites More sharing options...
itman 1,746 Posted October 31, 2018 Author Share Posted October 31, 2018 10 hours ago, Rami said: That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/ ESET doesn't block it or prevent it from doing any changes to the registry FYI. To say UAC bypassing is trivial would be an understatement. I couldn't find a list of auto elevating Windows .exe's for Win 10, so below is a list for Win 7. Almost all can be detected if used maliciously by setting UAC to the maximum level: Quote Executables With Auto-Elevate Privileges ======================================== AdapterTroubleshooter.exe BitLockerWizardElev.exe CompMgmtLauncher.exe ComputerDefaults.exe DeviceEject.exe DeviceProperties.exe FXSUNATD.exe MdSched.exe MultiDigiMon.exe Netplwiz.exe OptionalFeatures.exe SndVol.exe SystemPropertiesAdvanced.exe SystemPropertiesComputerName.exe SystemPropertiesDataExecutionPrevention.exe SystemPropertiesHardware.exe SystemPropertiesPerformance.exe SystemPropertiesProtection.exe SystemPropertiesRemote.exe TpmInit.exe bthudtask.exe chkntfs.exe cleanmgr.exe cliconfg.exe dccw.exe dcomcnfg.exe dfrgui.exe djoin.exe eudcedit.exe eventvwr.exe fsquirt.exe hdwwiz.exe ieUnatt.exe iscsicli.exe iscsicpl.exe lpksetup.exe msconfig.exe msdt.exe msra.exe newdev.exe ntprint.exe ocsetup.exe odbcad32.exe perfmon.exe printui.exe rdpshell.exe recdisc.exe rstrui.exe sdbinst.exe sdclt.exe shrpubw.exe slui.exe spinstall.exe taskmgr.exe tcmsetup.exe verifier.exe wisptis.exe wusa.exe https://www.digitaldefense.com/ddi-labs/using-application-compatibility-fixes-to-bypass-user-account-control/ Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted November 1, 2018 Most Valued Members Share Posted November 1, 2018 10 hours ago, itman said: FYI. To say UAC bypassing is trivial would be an understatement. I couldn't find a list of auto elevating Windows .exe's for Win 10, so below is a list for Win 7. Almost all can be detected if used maliciously by setting UAC to the maximum level: https://www.digitaldefense.com/ddi-labs/using-application-compatibility-fixes-to-bypass-user-account-control/ The exploit is about 14 days old and still Microsoft didn't patch it, weird isn't it? Link to comment Share on other sites More sharing options...
itman 1,746 Posted November 1, 2018 Author Share Posted November 1, 2018 5 hours ago, Rami said: The exploit is about 14 days old and still Microsoft didn't patch it, weird isn't it? Microsoft has repeatedly stated that UAC is not a security boundary. As such, UAC bypasses will only be mitigated if they hit the public press outlets and "Big Brother" decides the "heat" generated warrants a fix. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted November 1, 2018 Most Valued Members Share Posted November 1, 2018 1 minute ago, itman said: Microsoft has repeatedly stated that UAC is not a security boundary. As such, UAC bypasses will only be mitigated if they hit the public press outlets and "Big Brother" decides the "heat" generated warrants a fix. The exploit will open you an admin CMD , with an admin CMD you can do whatever you want while in the first place you are not even the admin. Link to comment Share on other sites More sharing options...
itman 1,746 Posted November 1, 2018 Author Share Posted November 1, 2018 (edited) 7 minutes ago, Rami said: The exploit will open you an admin CMD , with an admin CMD you can do whatever you want while in the first place you are not even the admin. This technique is common among malware that use Win trusted processes that perform hidden admin elevation. Again, most of this activity can be detected by setting UAC to maximum level. If you get an UAC alert "out of the blue" from one of these processes, you can assume its most likely malware related. I also monitor all cmd.exe execution with an Eset user HIPS rule; have done this for some time. Edited November 1, 2018 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted November 1, 2018 Most Valued Members Share Posted November 1, 2018 (edited) 2 minutes ago, itman said: This technique is common among malware that use Win trusted processes that perform hidden admin elevation. Again, most of this activity can be detected by setting UAC to maximum level. If you get an UAC alert "out of the blue" from one of these processes, you can assume its most likely malware related. I also monitor all cmd.exe execution with an Eset user HIPS rule; have done this for some time. Ok I understand , thanks for the explanation. Edited November 1, 2018 by Rami Link to comment Share on other sites More sharing options...
Recommended Posts