HIPS and browser exploits

Let’s say I turn on HIPS/Safe mode.
I go to a website and click on an ad, and my browser gets exploited.
The exploit wants to run powershell or some other sensitive Windows process.
Will I get a prompt for that?
Will it say that chrome wants to execute powershell, or something like that?

No because powershell.exe is a safe/trusted application, but you could create a HIPS rule to block execution of powershell or any other trusted application for the browser.

Yes. In your case, the browser creates a process and you get a HIPS event. Let’s say that you allow it anyway, but the file gets virtualized.

I thought that a trusted app will produce a prompt if it starts another process, even if the child process is trusted.
Is this not so?
Or maybe this is not how browser exploits work?

I’m guessing that script deployment is impractical. If the powershell script is safe, you will not get alerts (contrary to paranoid mode).

Assuming that you utilize safe mode:
powershell path\unknown.ps1 => generates alert
powershell path\trusted.ps1 => does not generate alert
(I’m imagining the above scenario in your case. As mentioned, how that file will get into your system is another question.)

Such concerns are related to process execution; there are COM restrictions as well. Let’s say that it makes use of taskkill, since it’s a trusted application, in order to eliminate the virtualization phase. It will not work.
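To make the rule logic discussed in the replies above concrete (a per-application rule that stops a browser from launching powershell, and safe-mode behaviour where an unknown script alerts while a trusted one does not), here is an added Python toy model of such a HIPS decision. It is example code written for this thread, not code from any HIPS product; the process-creation events, the trusted-script list and the browser/shell name sets are all constructed assumptions.

```python
"""Toy model of a HIPS parent/child process decision (constructed example).

Each event is a hypothetical process-creation record: the parent image,
the child image and the child's command line. The decision mirrors the
thread: an explicit browser rule blocks shells/interpreters outright;
otherwise safe mode allows trusted scripts and asks about unknown ones,
while paranoid mode asks about everything.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed sets of image names; a real product would consult its own
# trusted-vendor list and the user's per-application rules.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SENSITIVE_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Scripts the (hypothetical) user has marked as trusted, keyed by lowercase path.
TRUSTED_SCRIPTS = {r"c:\scripts\trusted.ps1"}


@dataclass
class ProcessEvent:
    parent: str   # image name of the process that called CreateProcess
    child: str    # image name of the new process
    cmdline: str  # full command line of the new process


def script_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the first .ps1 path on the command line, lowercased, or None."""
    for tok in cmdline.split():
        candidate = tok.strip('"').lower()
        if candidate.endswith(".ps1"):
            return candidate
    return None


def decide(event: ProcessEvent, mode: str = "safe", browser_rule: bool = True) -> str:
    """Return 'block', 'ask' or 'allow' for one process-creation event.

    browser_rule models the user-created HIPS rule from the first reply:
    the browser may not execute powershell or other trusted interpreters.
    mode is 'safe' or 'paranoid', as in the second reply.
    """
    parent = event.parent.lower()
    child = event.child.lower()

    # Explicit per-application rule wins over the child's trusted status.
    if browser_rule and parent in BROWSERS and child in SENSITIVE_CHILDREN:
        return "block"

    # Paranoid mode: every process creation produces a prompt.
    if mode == "paranoid":
        return "ask"

    # Safe mode: trusted child is fine, but an unknown script argument alerts.
    script = script_from_cmdline(event.cmdline)
    if script is not None and script not in TRUSTED_SCRIPTS:
        return "ask"
    return "allow"


def triage(events: List[ProcessEvent], **kwargs) -> List[Tuple[str, str, str]]:
    """Apply decide() to a batch of events; returns (parent, child, verdict)."""
    return [(e.parent, e.child, decide(e, **kwargs)) for e in events]


# Constructed sample events matching the scenarios in the thread.
EVENTS = [
    ProcessEvent("chrome.exe", "powershell.exe",
                 r'powershell.exe -File "C:\Users\u\AppData\Local\Temp\unknown.ps1"'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 r"powershell.exe -File c:\scripts\trusted.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 r"powershell.exe -File c:\temp\unknown.ps1"),
]

if __name__ == "__main__":
    for parent, child, verdict in triage(EVENTS):
        print(f"{parent} -> {child}: {verdict}")
```

Without the browser rule, the first event falls through to the script check and still produces a prompt only because the script is unknown; this is the gap the original question is getting at, since a trusted child launched with no script argument would be allowed in safe mode.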

So if the exploit executes a file, it will be detected, but if it is a pure “fileless” exploit, then it will not be detected?