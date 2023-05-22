IOCTL 222264h is used to restart the system by calling the HalReturnToFirmware API.
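The control code above is easier to reason about once it is split into the fields that the Windows CTL_CODE macro packs together. The following C program is an added example, not code from the original analysis or from the driver; it reimplements the CTL_CODE layout from winioctl.h (device type in bits 16-31, access in bits 14-15, function in bits 2-13, transfer method in bits 0-1) and decodes 222264h into FILE_DEVICE_UNKNOWN (0x22), function 0x899, METHOD_BUFFERED and FILE_ANY_ACCESS. The check that the function number falls in the 0x800-0xFFF range that Microsoft reserves for third-party drivers is a triage heuristic of this example, not a statement from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows composes I/O control codes as
 *   CTL_CODE(DeviceType, Function, Method, Access)
 *     = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 * The constants below mirror the values in winioctl.h. */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define FILE_DEVICE_UNKNOWN 0x22

typedef struct {
    uint32_t device_type;   /* bits 16-31 */
    uint32_t access;        /* bits 14-15 */
    uint32_t function;      /* bits 2-13  */
    uint32_t method;        /* bits 0-1   */
    int vendor_defined;     /* 1 if function is in the third-party range 0x800-0xFFF */
} ioctl_parts;

/* Split a raw control code into its CTL_CODE fields. */
ioctl_parts ioctl_decode(uint32_t code)
{
    ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFF;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2)  & 0xFFF;
    p.method      =  code        & 0x3;
    /* Microsoft reserves function numbers below 0x800 for its own drivers;
       custom driver interfaces are expected to use 0x800 and above. */
    p.vendor_defined = (p.function >= 0x800) ? 1 : 0;
    return p;
}

/* Re-pack the fields; used to confirm a decode round-trips to the original code. */
uint32_t ioctl_encode(uint32_t device_type, uint32_t function,
                      uint32_t method, uint32_t access)
{
    return ((device_type & 0xFFFF) << 16) | ((access & 0x3) << 14) |
           ((function & 0xFFF) << 2) | (method & 0x3);
}

const char *ioctl_method_name(uint32_t method)
{
    switch (method) {
    case METHOD_BUFFERED:   return "METHOD_BUFFERED";
    case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
    case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
    default:                return "METHOD_NEITHER";
    }
}

const char *ioctl_access_name(uint32_t access)
{
    switch (access) {
    case FILE_READ_ACCESS:                     return "FILE_READ_ACCESS";
    case FILE_WRITE_ACCESS:                    return "FILE_WRITE_ACCESS";
    case FILE_READ_ACCESS | FILE_WRITE_ACCESS: return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    default:                                   return "FILE_ANY_ACCESS";
    }
}

/* Print one control code in the form a reverse engineer would write it. */
void ioctl_print(uint32_t code)
{
    ioctl_parts p = ioctl_decode(code);
    printf("IOCTL 0x%06X = CTL_CODE(0x%X%s, 0x%X, %s, %s)%s\n",
           code, p.device_type,
           p.device_type == FILE_DEVICE_UNKNOWN ? " /*FILE_DEVICE_UNKNOWN*/" : "",
           p.function, ioctl_method_name(p.method), ioctl_access_name(p.access),
           p.vendor_defined ? " [vendor-defined function range]" : "");
}

int main(void)
{
    /* The reboot IOCTL discussed on this page. */
    ioctl_print(0x222264);
    return 0;
}
```

Running it prints the code as CTL_CODE(0x22 /*FILE_DEVICE_UNKNOWN*/, 0x899, METHOD_BUFFERED, FILE_ANY_ACCESS) with the vendor-defined flag set, which is consistent with a custom device interface exposed by a third-party driver rather than a standard Windows device class. The same decoder can be run over every control code recovered from a driver's dispatch routine to build the IOCTL table for a report.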

Malicious actors who seek high-privileged access to the Windows operating system use techniques that attempt to counter the increased protection of users and processes provided by endpoint protection platforms (EPP) and endpoint detection and response (EDR) technologies. Because of these additional layers of protection, attackers tend to take the path of least resistance and execute their malicious code from the kernel layer (or even lower). That is why we believe these threats will not disappear from threat actors' toolkits anytime soon.

Malicious actors will continue to use rootkits to hide malicious code from security tools, tamper with defenses, and go undetected for long periods of time. These rootkits will be used mainly by sophisticated groups that have both the skills to reverse engineer low-level system components and the resources to develop such tools. These actors also tend to have enough financial resources to buy rootkits from underground sources or to buy code signing certificates with which to sign a rootkit. The main danger of these rootkits is therefore their ability to mask complex targeted attacks: they are used early in the kill chain, allowing an attacker to tamper with defenses before the actual payloads are delivered and launched in the victims' environments.

Code signing certificates are frequently misused by attackers, as a valid signature lends malicious code an additional layer of apparent legitimacy. For organizations, compromised signing keys not only pose a security risk but can also lead to loss of reputation and of trust in the legitimately signed software. Companies should protect their certificates by following best practices such as restricting access to private keys, which reduces the risk of unauthorized use of the certificate. Using strong passwords and other authentication methods for private keys also helps protect them against theft or compromise by malicious actors. Additionally, using separate test-signing certificates (for pre-release code used in test environments) minimizes the risk of the actual release-signing certificates being misused in an attack.

For general protection against ransomware attacks, organizations can implement a systematic security framework that allocates resources to establishing a robust defense strategy. Some recommended guidelines:

Take inventory of assets and data

Identify authorized and unauthorized devices and software

Audit event and crash logs

Manage hardware and software configurations

Grant admin privileges and access only when needed

Monitor network ports, protocols and services

Establish a software allow list for legitimate applications

Implement data protection, backup and recovery measures

Enable Multi-Factor Authentication (MFA)

Deploy the latest versions of security solutions on all layers of the system

Watch for the first signs of an attack

A multilayered approach helps organizations protect the possible entry points into their systems (endpoint, email, web, and network). Security solutions at each layer can detect malicious components and suspicious behavior, which helps protect businesses against ransomware attacks.

Trend Vision One provides multi-layered protection and behavior detection, which helps block questionable behaviors and tools before ransomware can cause damage.

Trend Micro Apex One offers next-level automated threat detection and response against advanced threats such as fileless malware and ransomware, ensuring endpoint protection.

The indicators of compromise for this entry can be found here.