unexpectedlocalsettings
localsettings 时间:2021-04-12 阅读:()
Protectingtheirreplaceable|f-secure.
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
- unexpectedlocalsettings相关文档
- eu_directiveslocalsettings
- spotlightlocalsettings
- 华为localsettings
- SIGNlocalsettings
- greatestlocalsettings
- attachedlocalsettings
iON Cloud:新加坡cn2 gia vps/1核/2G内存/25G SSD/250G流量/10M带宽,$35/月
iON Cloud怎么样?iON Cloud升级了新加坡CN2 VPS的带宽和流量最低配的原先带宽5M现在升级为10M,流量也从原先的150G升级为250G。注意,流量也仅计算出站方向。iON Cloud是Krypt旗下的云服务器品牌,成立于2019年,是美国老牌机房(1998~)krypt旗下的VPS云服务器品牌,主打国外VPS云服务器业务,均采用KVM架构,整体性能配置较高,云服务器产品质量靠...
美国G口/香港CTG/美国T级超防云/物理机/CDN大促销 1核 1G 24元/月
[六一云迎国庆]转盘活动实物礼品美国G口/香港CTG/美国T级超防云/物理机/CDN大促销六一云 成立于2018年,归属于西安六一网络科技有限公司,是一家国内正规持有IDC ISP CDN IRCS电信经营许可证书的老牌商家。大陆持证公司受大陆各部门监管不好用支持退款退现,再也不怕被割韭菜了!主要业务有:国内高防云,美国高防云,美国cera大带宽,香港CTG,香港沙田CN2,海外站群服务,物理机,...
香港云服务器 1核 1G 29元/月 快云科技
快云科技: 12.12特惠推出全场VPS 7折购 续费同价 年付仅不到五折公司介绍:快云科技是成立于2020年的新进主机商,持有IDC/ICP等证件资质齐全主营产品有:香港弹性云服务器,美国vps和日本vps,香港物理机,国内高防物理机以及美国日本高防物理机产品特色:全配置均20M带宽,架构采用KVM虚拟化技术,全盘SSD硬盘,RAID10阵列, 国内回程三网CN2 GIA,平均延迟50ms以下。...
localsettings为你推荐
-
css加载失败为什么打开微博都显示CSS层加载失败?2019支付宝五福支付宝集五福在哪里看到flashftp下载rmdown怎么下载河南省全民健康信息平台建设指引(试行)pletecuteftp客服电话赶集网客服电话是多少oa办公软件价格一般中小企业用的OA办公系统需要多少钱?qq头像上传失败昨天和今天QQ头像上传失败,是怎么回事?联系我们代码卸载失败!请联系我们帮助您解决!(错误代码13)--是什么情况discuz7.2求解答Discuz!7.2 论坛怎么设置