{"id":30109,"date":"2020-07-07T06:00:34","date_gmt":"2020-07-07T12:00:34","guid":{"rendered":"https://www.webroot.com/blog/?p=30109"},"modified":"2020-09-21T13:45:24","modified_gmt":"2020-09-21T19:45:24","slug":"evasive-scripts-what-they-are-and-what-were-doing-about-them","status":"publish","type":"post","link":"https://www.webroot.com/blog/2020\/07\/07\/evasive-scripts-what-they-are-and-what-were-doing-about-them\/","title":{"rendered":"Evasive Scripts: What They Are, and What We\u2019re Doing About Them"},"content":{"rendered":"\n<p>\u201cWhat\u2019s an evasive attack? At a very basic level, it\u2019s exactly what it\nsounds like; it\u2019s a cyberattack that\u2019s designed to hide from you,\u201d says Grayson\nMilbourne, Security Intelligence Director at Webroot, an OpenText company.<\/p>\n\n\n\n<p>Based on Grayson\u2019s initial explanation, you can imagine\nthat evasive tactics are pretty common throughout cybercriminal activities. But\nthey\u2019re especially prevalent in the context of scripts. Scripts are pieces of\ncode that can automate processes on a computer system. They have tons of\nlegitimate uses, but, when used maliciously, they can be extremely effective\nand difficult to detect or block.<\/p>\n\n\n\n<p>With Grayson\u2019s\nhelp, we\u2019ll talk you through some of the common script evasion techniques that\ncriminals use.<\/p>\n\n\n\n<h2>LoLBins<\/h2>\n\n\n\n<p>Living off the\nLand Binaries (\u201cLoLBins\u201d) are\napplications that a Windows\u00ae system already has on it by default. Funny name\naside, they\u2019re extremely useful for attackers because they provide a way to\ncarry out <a href=\"https:\/\/blog.talosintelligence.com\/2019\/11\/hunting-for-lolbins.html\">common steps of an attack<\/a> without having to\ndownload anything new onto the target system. For example, criminals can use\nthem to create persistence (i.e. 
enable the infection to continue operating\nafter a reboot), spread throughout networked devices, bypass user access\ncontrols, and extract passwords or other sensitive information.<\/p>\n\n\n\n<p>There are <a href=\"https:\/\/lolbas-project.github.io\/\">dozens of\nLoLBins<\/a> for criminals to choose from that are native to the Windows\nOS, such as powershell.exe, certutil.exe, regsvr32.exe, and many more.\nAdditionally, there are a variety of common third-party applications that are\npretty easy to exploit if present, such as java.exe, winword.exe, and\nexcel.exe.<\/p>\n\n\n\n<p>According to Grayson, this is one of the ways malicious hackers disguise their activities, because default OS applications are unlikely to be detected or blocked by an antimalware solution. He warns, \u201cunless you have strong visibility into the exact commands that these processes are executing, then it can be very hard to detect malicious behavior originating from LoLBins.\u201d<\/p>\n\n\n\n<h2>Script Content Obfuscation<\/h2>\n\n\n\n<p>Like LoLBins and\nscripting overall, hiding the true content or behavior of a script\u2014or content \u201cobfuscation\u201d\u2014has completely\nlegitimate purposes. But, in terms of malicious hacking, it\u2019s pretty\nself-explanatory why obfuscation would lend itself to criminal activities. The\nwhole point is not to get caught, right? So it makes sense that you\u2019d take\nsteps to hide bad activities to avoid detection. The screenshots below show an\nexample of obfuscated code (top), with its de-obfuscated version (bottom). 
<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"294\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104144\/Picture1.jpg\" alt=\"\" class=\"wp-image-30111\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104144\/Picture1.jpg 800w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104144\/Picture1-300x110.jpg 300w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104144\/Picture1-768x282.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"545\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104208\/Picture2.jpg\" alt=\"\" class=\"wp-image-30113\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104208\/Picture2.jpg 800w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104208\/Picture2-300x204.jpg 300w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104208\/Picture2-768x523.jpg 768w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2020\/07\/01104208\/Picture2-587x400.jpg 587w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<h2>Fileless and\nEvasive Execution <\/h2>\n\n\n\n<p>Using scripts,\nit\u2019s actually possible to execute actions on a system without needing a file.\nBasically, a script can be written to allocate memory on the system, then write\nshellcode to that memory, then pass control to that memory. That means the\nmalicious functions are carried out in memory, without a file, which makes\ndetecting the origin of the infection (not to mention stopping it) extremely\ndifficult.<\/p>\n\n\n\n<p>Grayson explains,\n\u201cone of the issues with\nfileless execution is that, usually, the memory gets cleared when you reboot\nyour computer. 
That means a fileless infection\u2019s execution could be stopped\njust by restarting the system. Persistence after a reboot is pretty top-of-mind\nfor cybercriminals, and they\u2019re always working on new methods to do it.\u201d<\/p>\n\n\n\n<h2>Staying\nProtected<\/h2>\n\n\n\n<p>The Windows\u00ae 10 operating system now includes Microsoft\u2019s Anti-Malware Scan\nInterface (AMSI) to help combat the growing use of malicious and obfuscated\nscripts. That means one of the first things you can do to help keep yourself\nsafe is to ensure any Windows devices you own are on the most up-to-date OS\nversion.<\/p>\n\n\n\n<p>Additionally, there are several other easy steps that can help ensure an effective and resilient cybersecurity strategy.<\/p>\n\n\n\n<ul><li><strong>Keep\nall applications up to date<\/strong><br>\nCheck all Windows and third-party apps regularly for updates (and actually run\nthem) to decrease the risk of having outdated software that contains\nvulnerabilities criminals could exploit.<\/li><li><strong>Disable\nmacros and script interpreters<\/strong><br>\nAlthough enabling macros has legitimate applications, the average home or\nbusiness user is unlikely to need them. If a file you\u2019ve downloaded gives you a\nwarning that you need to enable macros, DON\u2019T. This is another common evasive\ntactic that cybercriminals use to get malware onto your system. IT admins\nshould ensure macros and script interpreters are fully disabled to help prevent\nscript-based attacks. You can do this relatively easily through Group Policy.<\/li><li><strong>Remove\nunused 3<sup>rd<\/sup> party apps<br>\n<\/strong>Applications such as Python and Java are often unnecessary. If present and\nunused, simply remove them to help close a number of potential security gaps.<\/li><li><strong>Educate\nend users<br>\n<\/strong>End users continue to be a business\u2019 greatest vulnerability. 
Cybercriminals\nspecifically design attacks to take advantage of their trust, naivet\u00e9, fear,\nand general lack of technical or security expertise. By educating end users on\nthe risks, how to avoid them, and when and how to report them to IT personnel,\nbusinesses can drastically improve their overall security posture.<\/li><li><strong>Use\nendpoint security that includes evasive script protection<br>\n<\/strong>In a recent update to Webroot\u00ae Business Endpoint Protection, we released a\nnew Evasion Shield policy. This shield leverages AMSI, as well as new,\nproprietary, patented detection capabilities to detect, block, and quarantine\nevasive script attacks, including file-based, fileless, obfuscated, and\nencrypted threats. It also works to prevent malicious behaviors from executing\nin PowerShell, JavaScript, and VBScript files, which are often used to launch\nevasive attacks.<\/li><\/ul>\n\n\n\n<p>Malicious hackers\nare always looking to come up with new ways to outsmart defenses. Grayson\nreminds us, \u201cIt\u2019s up to all\nof us in cybersecurity to research these new tactics and innovate just as\nquickly, to help keep today\u2019s businesses and home users safe from tomorrow\u2019s\nthreats. 
There\u2019s always more work to be done, and that\u2019s a big part of what\ndrives us here at Webroot.\u201d<\/p>\n\n\n\n<p>To learn more about evasive scripts and what Webroot is doing to combat them,\nwe recommend the following resources:<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/www.webroot.com\/download_file\/3932\">Technical White Paper: Understanding Evasive Script Tactics<\/a><\/li><li><a href=\"https:\/\/vimeo.com\/417261664\">Demo Video: The Webroot\u00ae Evasion Shield<\/a><\/li><li><a href=\"https:\/\/www.webroot.com\/download_file\/3884\">Case Study: New Webroot\u00ae Evasion Shield Empowers MSP to Protect Clients from Emotet and Malicious Scripts<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u201cWhat\u2019s an evasive attack? At a very basic level, it\u2019s exactly what it sounds like; it\u2019s a cyberattack that\u2019s designed to hide from you,\u201d says Grayson Milbourne, Security Intelligence Director at Webroot, an OpenText company. Based on Grayson\u2019s initial explanation, you can imagine that evasive tactics are pretty common throughout cybercriminal activities. 
But they\u2019re especially [&hellip;]<\/p>\n","protected":false},"author":151,"featured_media":30115,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[5267,21497,10719,25603,25551,25601,3717,25605,25597,4065,25607,25609,3895,25611,5953,3479,3819,9079,25613,25599],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30109"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/151"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=30109"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30109\/revisions"}],"predecessor-version":[{"id":30131,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30109\/revisions\/30131"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/30115"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=30109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=30109"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=30109"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=30109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}