Windows Defense Mechanism - Part 1

最新推荐文章于 2024-08-21 08:45:00 发布
最新推荐文章于 2024-08-21 08:45:00 发布
阅读量1k 收藏
点赞数
分类专栏: 网络安全 文章标签: windows microsoft AppLocker ASR WDAC
本文为博主原创文章,未经博主允许不得转载。
本文链接:https://blog.csdn.net/heisejiuhuche/article/details/128445263
版权

Overview

If I’m a long-time CTF player (or HackTheBox lab machine player), things are gonna go a little off when I’m put into a real world scenario - meaning that, when facing a well defended Windows machine.

This article will summarize the main Windows defense mechanisms, to have an understanding of what you may encounter along the way.

Of course Linux machines will install anti-virus software too, but due to the huge market share and historical reasons (Windows being the main target of attacks), Windows are the one we’re going to talk about here.

We’re going to discuss Windows built-in anti-virus products and other protections in companion that Microsoft has made to improve Windows system security. These include Windows Defender, AppLocker, Attack Surface Reduction (ASR), and Windows Defender Application Control (WDAC).

At the time of writing, the ones mentioned above is the built-in defense line for cutting edge Windows workstations and servers.

We may discuss bypass techniques in detail in the future, but it is not the purpose of this article.

Let’s dive in.

Don’t Believe What You Hear

It will be a lot harder than simply drop someone an email with a malicious attachment and get a reverse shell or a beacon. Tricking someone to open the attachment and run the payload is the LOT easier part. The moment after clicking, if the payload is a raw one and has no evasion technique applied, nearly 100% of the time, it will be snatched by the first and most basic defense mechanism - Windows Defender.

Windows Defender is enabled as default on all Microsoft Windows system production lines (Legacy Windows 7s and 8s are off topic here). So, getting a foothold on a Windows machine, isn’t as trivial as it is and requires a lot more effort.

An example of default metasploit payload being detected and removed (Windows VM uses default setting, no tweaking of any kind).

Generating payload.

在这里插入图片描述

在这里插入图片描述

The moment touch the disk on a windows 10 workstation, Windows Defender pops up and removes the file.
在这里插入图片描述

在这里插入图片描述

Vanilla Beacon?

Way too easy for Windows Defender.

在这里插入图片描述

在这里插入图片描述

Windows Defense Mechanisms

Let’s look into the them one by one.

Wind

最低0.47元/天 解锁文章
0pr
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
【论文阅读笔记】NeurIPS2020文章列表Part1
zincrain的博客
12-09 2万+
A graph similarity for deep learning An Unsupervised Information-Theoretic Perceptual Quality Metric Self-Supervised MultiModal Versatile Networks Benchmarking Deep Inverse Models over time, and the Neural-Adjoint method Off-Policy Evaluation and Learning.
红蓝对抗之致盲 Windows defender
kjuhfkicf154的博客
03-31 847
红蓝对抗之致盲 Windows defender
Microsoft Security Essentials是一个免费的防病毒实用程序
culul01313的博客
09-19 746
Microsoft Security Essentials is a free utility that provides real-time protection to identify and eliminate harmful viruses and other malware from your PC. Today we’ll take a look at how it performs ...
Windows Defense Mechanism - Part 2
0pr
12-30 1056
Last time, we talked about Windows Defender and AppLocker. In this part, we will continue the journey and see what other defense mechanisms Microsoft Windows has in offer.
【翻译】大规模软件多样性作为防御机制——Massive-Scale Software Diversity as a Defense Mechanism
ronnie88597的博客
05-26 1946
大规模软件多样性作为防御机制 【文章为google-translate的直译结果,最近暂时没有时间修改翻译内容。google-translate的翻译结果中有很多明显的错误,遇到类似的问题,请读者结合英文仔细揣摩。】 ABSTRACT 摘要 We contend that the time has come to revisit the idea of software diversity for defense purposes. Four fundamental paradigm shifts that
Cisco Secure Firewall Threat Defense Virtual 7.4.2 - 思科下一代防火墙软件
最新发布
sysin | SYStem INside
08-21 485
Cisco Secure Firewall Threat Defense Virtual 7.4.2 - 思科下一代防火墙软件
SIP RFC 关系图汇总--超全---part6
Jenny_yu1025的专栏
08-26 2415
SIP RFC 关系图汇总--超全---part6         Top p. 1 3261-32xx 33xx 34xx 35xx 36xx 37xx 38xx 39xx
DoubleAgent: Zero-Day Code Injection and Persistence Technique
lixiangminghate的专栏
04-24 1176
转自:https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/ Overview We’d like to introduce a new Zero-Day technique for injecting code and maintaining persistency on a
计算机视觉论文-2021-04-06
中科院AI算法工程师的博客
04-06 3190
本专栏是计算机视觉方向论文收集积累,时间:2021年4月6日,来源:paper digest 欢迎关注原创公众号【计算机视觉联盟】,回复【西瓜书手推笔记】可获取我的机器学习纯手推笔记! 直达笔记地址:机器学习手推笔记(GitHub地址) 1, TITLE:IDOL-Net: An Interactive Dual-Domain Parallel Network for CT Metal Artifact Reduction AUTHORS: TAO WANG et. al. CATEG...
Mechanism-Bot:GMEK Studios机器人命令
03-09
【标题】:“Mechanism-Bot: GMEK Studios机器人命令” 在IT行业中,尤其是在社区管理和在线游戏交流领域,机器人程序的使用越来越普遍。"Mechanism-Bot"是由GMEK Studios开发的一款专用于Discord平台的机器人应用...
static-mechanism-solver-client
03-13
静态机制求解器客户端用于构建和解决静态机制系统的图形用户界面设置配置复制放置在/public/js/config-example.js的config.js文件。 cp ./public/js/config-example.js ./public/js/config.js打开服务器...
extension-mechanism-demo
04-28
扩展机制演示这是使用延迟加载模块的Angular扩展机制的示例。构建扩展cd extensionnpm inpm run build运行应用程序cd platformnpm inpm start打开浏览器并导航到
Struts Back Mechanism-开源
04-26
Struts Back Mechanism 是一个开源项目,专门为Struts应用程序提供了一种状态回退(Back Mechanism)的功能。在Struts框架中,用户交互通常通过Action类处理,每次请求都会导致页面跳转,但往往在没有明确的历史记录...
Salto Persistence Mechanism-开源
08-06
Salto Persistence 是一个用于 J2EE 环境的对象/关系持久性框架。 它带有 Salto-db 生成器,该生成器使用模板机制从任何现有的 JDBC 支持的数据库生成 Salto-db 数据对象。
OSCP证书考试总结与终身学习 - 带你走上 OSCE3
热门推荐
0pr
08-25 1万+
终于有点时间写些东西了。这半年来一直在准备 Offensive Security 的各种考试,内容太多。直到昨天,也就是8月24日,我完成了第二轮 OSEP 的 Lab,心里踏实多了,等着9月4日考试的同时,也想做个小结,谈谈我拿 OSCP 的历程以及今后的目标。希望可以为想考取 OSCP 的同学指明一些道路。
配置 FoxyProxy 规则自由切换代理模式
0pr
05-23 4192
背景介绍 FoxyProxy 已经是很好用的 Firefox 插件了,但是缺少键盘快捷键切换代理让使用体验变得很麻烦。 举例说明,FoxyProxy 设置了 4 个代理,分别是 Socks,none,BurpSuite 以及 ZAP。 Socks 你懂的,none 代表无需代理,BurpSuite 和 ZAP 是在测试 webapp 的时候使用(TryHackMe HackTheBox)。Burp 和 ZAP 我经常配合使用。麻烦事情就来了,如果每次使用 Burp 和 ZAP 的时候,都要手动切换,效率真的
初遇 chatGPT
0pr
12-19 4061
感觉人们的搜索行为方式要发生巨大改变了。Google 我想已经瑟瑟发抖(提供数据但是门户可能要洗白)。GPT 的回答准确率只要能保证,我想绝大多数人还是会喜欢用 GPT 搜索答案,不需要在搜索引擎上一条一条点进去看了。Amazon Alexa,Google Home,这些在智能家居和人机交互方面做出过尝试的应用,也要重新审视一下未来的市场变革。想象一下 GPT 强大的语义处理如何配合上强大的语音处理,BANG!钢铁侠的管家 Jarvis 就成了。
解决 Metasploit 启动及使用过程中一直出现警告信息的问题
0pr
04-30 2816
问题描述 运行 msfconsole,即报如下警告信息: ➜ recon msfconsole /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract_adapter.rb:84: warni...
Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1,
08-18
异常中提到的 MongoCredential {mechanism=SCRAM-SHA-1, ...} 表明身份验证机制确实是 SCRAM-SHA-1。然而,由于你没有提供完整的异常消息,我无法准确地判断出具体的问题所在。 通常情况下,出现身份验证失败的异常...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值