If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.
Yea sophisticated malware checks how many CPU cores PC has, how much hard drive space, some even check hardware temperature or if any debuggers are present. Windows malware got pretty sophisticated in the last 30 years.
I'm not a reverse engineer or a white hacker but I like reading about it. Most of the malware is made for Windows OS because of the Windows' enormous market share.
Majority of information about Windows malware I get from big computer security companies' research blogs like:
Majority of the research combes down to researching malware's capabilities regarding malware persistence, anti-VM techniques and anti-debugging techniques.
Here is for example good compilation of malware's anti-debugging and anti-VM techniques:
IIRC the extensions pack has a (very limited) free license for personal and educational use, although I'm not sure if the 'pretending to be a sandbox' usecase would be covered.
Because every time an account logs onto a computer, it leaves traces. Some ephemeral in memory, some permanent on disk. It can be Kerberos tickets, process tokens, domain cached credentials, hashes or even clear text passwords in memory. It's common practice in a lot of organizations for administrators to log on to random workstations to perform whatever task they need to do.
Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.
Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.
To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.
Even if you do everything perfectly there's always a chance one of Microsoft engineers made a mistake somewhere and somebody found it and is now sitting on a zero day. And now with vibe coding the likelihood of that went up by who knows how much. Even air gapped systems get infected if the attacker is sophisticated enough.
Got it. So it's less about the account itself, and more about the other account data you can only acquire with admin privileges from the local machine (almost like credential stuffing)
As with the other reasons stated...
local admin, atleast in the environments I've seen, can still install software.
Installing and running something like AngryIPScanner may be possible as local admin
To be fair the vast, vast majority of exploitation that we see (especially in the news) comes from sub-par security setups and poor training/architecture. That’s no even going into security monitoring which most companies don’t or barely have.
Zero days account for very small amount of exploitation in comparison and by definition are unpatched so I think the commenter was right to point out the basics.
> If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.
What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.
They seem to be offering this as another means of getting the malware not to run. I don't read it strictly as an explanation of the Russian keyboard thing.
