[HN Gopher] 'Fully undetectable' Windows PowerShell backdoor det...
___________________________________________________________________
'Fully undetectable' Windows PowerShell backdoor detected
Author : ppjim
Score : 11 points
Date : 2022-10-18 21:22 UTC (1 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| vmoore wrote:
| What if PowerShell itself _is_ the backdoor? You can remove
| PowerShell from Windows as a hardening/mitigation strategy. I do
| it on all my systems. I regularly see threat hunters disclosing
| how 99% of malware leverages the shit out of PowerShell to drop
| payloads.
| raydiatian wrote:
| I find it kind of astonishing that Word documents have been an
| attack vector (a) in the first place and (b) for as long as they
| have without a sealing patch. Like, why do I need my Word
| document to contain any sort of RPC-invoking capability?
| zamadatix wrote:
| Macro-enabled documents enable you to programmatically publish
| content. E.g. you can pull from an Access database or an Excel
| sheet and have it autogenerate formatted quotes for customers.
| Such flexibility is naturally a security risk, which is why it
| has been made so difficult for the typical user to run this
| kind of document without jumping through hoops to do so, but it
| makes no sense to remove the functionality from Word itself, in
| the same way it doesn't make sense to remove PowerShell.
| technion wrote:
| Honestly, if a big enough organisation hasn't disabled
| untrusted Word macros by policy several years ago, their odds of
| being ransomware victims by now would be close to 100%, and based
| on what I've seen the odds of having been victims 10+ times are
| pretty high. One new malware in this space isn't game changing,
| and new fully undetectable variations show up every day.
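The two mitigations raised in this thread (a macro policy for Word and trimming PowerShell's attack surface) can be audited from an elevated PowerShell session. This is an added example, not code from the article or from any commenter; it assumes Office 2016 or later (the `16.0` policy hive) and checks the well-known `VBAWarnings` value, where 4 means "disable all macros without notification", plus whether the legacy PowerShell 2.0 engine is still installed.

```powershell
# Added audit example (not from the original page). Read-only: it reports, it does not change anything.
# Assumption: Office 2016+ uses the 16.0 policy key; older versions use a different version number.
$wordSecurityPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Get-WordMacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $value = (Get-ItemProperty -Path $wordSecurityPolicy -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $value) { return 'NotConfigured (user may enable macros at will)' }
    switch ($value) {
        1 { 'EnableAll (weak)' }
        2 { 'DisableWithNotification (default, user can click through)' }
        3 { 'DisableExceptSigned' }
        4 { 'DisableAllWithoutNotification (recommended)' }
        default { "Unknown value $value" }
    }
}

function Get-MarkOfTheWebMacroBlock {
    # blockcontentexecutionfrominternet = 1 blocks macros in files downloaded from the internet.
    $value = (Get-ItemProperty -Path $wordSecurityPolicy -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($value -eq 1) { 'Blocked (recommended)' } else { 'NotBlocked' }
}

function Get-LegacyPowerShellEngineState {
    # PowerShell 2.0 lacks modern logging/AMSI support, so leaving it installed widens the attack surface.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'NotPresent' }
    $feature.State.ToString()
}

[pscustomobject]@{
    WordMacroPolicy        = Get-WordMacroPolicy
    InternetMacroBlock     = Get-MarkOfTheWebMacroBlock
    PowerShellV2Engine     = Get-LegacyPowerShellEngineState
} | Format-List
```

Per-user policy keys are shown; an organisation deploying these via Group Policy may also find them under the equivalent `HKLM` path, which this script does not query.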
| sph wrote:
| Not fully undetectable after it's been detected now, is it?
___________________________________________________________________
(page generated 2022-10-18 23:02 UTC)