unexpectedlocalsettings
localsettings 时间:2021-04-12 阅读:()
Protectingtheirreplaceable|f-secure.
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
- unexpectedlocalsettings相关文档
- eu_directiveslocalsettings
- spotlightlocalsettings
- 华为localsettings
- SIGNlocalsettings
- greatestlocalsettings
- attachedlocalsettings
raksmart:全新cloud云服务器系列测评,告诉你raksmart新产品效果好不好
2021年6月底,raksmart开发出来的新产品“cloud-云服务器”正式上线对外售卖,当前只有美国硅谷机房(或许以后会有其他数据中心加入)可供选择。或许你会问raksmart云服务器怎么样啊、raksm云服务器好不好、网络速度快不好之类的废话(不实测的话),本着主机测评趟雷、大家受益的原则,先开一个给大家测评一下!官方网站:https://www.raksmart.com云服务器的说明:底层...
legionbox:美国、德国和瑞士独立服务器,E5/16GB/1Gbps月流量10TB起/$69/月起
legionbox怎么样?legionbox是一家来自于澳大利亚的主机销售商,成立时间在2014年,属于比较老牌商家。主要提供VPS和独立服务器产品,数据中心包括美国洛杉矶、瑞士、德国和俄罗斯。其中VPS采用KVM和Xen架构虚拟技术,硬盘分机械硬盘和固态硬盘,系统支持Windows。当前商家有几款大硬盘的独立服务器,可选美国、德国和瑞士机房,有兴趣的可以看一下,付款方式有PAYPAL、BTC等。...
RAKsmart裸机云/云服务器/VPS全场7折,独立服务器限量秒杀$30/月起
适逢中国农历新年,RAKsmart也发布了2月促销活动,裸机云、云服务器、VPS主机全场7折优惠,新用户注册送10美元,独立服务器每天限量秒杀最低30.62美元/月起,美国洛杉矶/圣何塞、日本、香港站群服务器大量补货,1-10Gbps大带宽、高IO等特色服务器抄底价格,机器可选大陆优化、国际BGP、精品网及CN2等线路,感兴趣的朋友可以持续关注下。裸机云新品7折,秒杀产品5台/天优惠码:Bare-...
localsettings为你推荐
-
新iphone也将禁售iPhone停用怎么解锁 三种处理方法详解ym.163.comfoxmail设置163免费企业邮箱verticalflash平阴县教育和体育局下属锦东小学教学设备采购项目竞争性磋商文件dezender如何将shopex和phpwind两个伪静态规则写在一起引擎收录怎么使自己的网站被搜索引擎收录呢?joomla教程有谁能给一份详细的popsub特效教程---------广告管理系统求一款专业的广告公司管理软件帝国cms帝国cms怎么安装,帝国cms本地安装的技巧空间导航自定义名称空间导航自定义名称 短一点的