Microsoft’s Response to AtomBombing is Post Infection Detection


In March 2017, Microsoft, the multinational technology company known for fixing vulnerabilities in its software products roughly once a month on what is informally called "Patch Tuesday", addressed post-infection detection, investigation and response with its Windows Defender Advanced Threat Protection (Windows Defender ATP). Microsoft continues to evolve its products and services and is now expanding into defending operating systems from attacks. The most recent Windows Defender ATP update indicates protection against two code injection techniques, "Process Hollowing" and "AtomBombing". While it is important to prevent infection on the front line, sophisticated attackers will find their way in, so post-exploitation detection becomes the only way to catch data being exfiltrated.


The Microsoft update that addresses both "Process Hollowing" and "AtomBombing" will only be available to those that have purchased Windows Defender, and only in October or November 2017. Windows Defender ATP has been addressing security issues for less than a year, and Windows customers have to purchase Windows Defender ATP.

enSilo researchers discovered AtomBombing back in October 2016. At the time of its release, AtomBombing went undetected by most security solutions, because the attacker hides the injected malicious code within an atom table. Once AtomBombing is used successfully, the attacker can hide within legitimate processes, making it more difficult to detect them. AtomBombing opens a new route for attackers to move freely within an infected device.

  • Atom tables are part of the Windows operating system and allow applications to store and share data. The name AtomBombing is derived from the use of atom tables, and the "bombing" part is self-explanatory. AtomBombing is stealthy and avoids detection by using innocent-looking APIs to pass code into the target process through the global atom table.
  • AtomBombing has the ability to fool whitelisted apps into executing malicious operations, which go undetected with most security products.
  • AtomBombing can’t be patched.
  • AtomBombing evades detection.
  • AtomBombing is another tool for an attacker to add to their toolbox.

AtomBombing was also found in a version of the notorious Dridex banking Trojan that evaded detection and took part in a malicious campaign targeting UK banks.

According to Microsoft, “even the best pre-infection endpoint defenses will be breached eventually, as cyberattacks become more sophisticated and targeted. Windows Defender Advanced Threat Protection (ATP) helps our enterprise customers detect, investigate, and respond to advanced attacks and data breaches on their networks.”

enSilo takes both a pre-infection (NGAV) and a post-infection (automated EDR) approach that goes beyond detection to offer real-time protection and blocking of malware on infected endpoints. enSilo's post-infection capabilities reside inside the operating system and will stop attackers from stealing, or maliciously encrypting, your data. enSilo is the only comprehensive endpoint security solution that provides real-time protection both pre- and post-infection.

Malware and cyberattacks are evolving and modifying their intrusion techniques so quickly that even an overcrowded market of security products is being bypassed daily. Data breach forensic reports show that the malware behind the most significant breaches usually went undetected for months, and in some cases years. Isn't it time to look at information security differently? Keeping up with the different malware strains and the new malicious techniques that are constantly being developed is beyond manic. Simply prevent the consequences.