How it works.
HARPOON
FUNCTIONAL SPECIFICATION
- Microsoft certified Windows application
- Detection and blocking of file-less injection malware in real-time
- Supported operating systems (both 64-bit and 32-bit): Windows Server 2012 R2, Windows 10, Windows 8.1, Windows 8, Windows 7.
- Harpoon Security provides the following protection methods:
  - Malicious DLL injection detection and prevention
  - Export Address Table access filtering (EAF)
  - Atom Tables code injection (AtomBombing) detection and prevention
  - Export Address Table access filtering plus (EAF+)
Harpoon Security can monitor the system in the following modes:
- No Action mode (Log Only). The default mode of Harpoon Security. In this mode, Harpoon Security detects the DLL injection and informs the user about it without preventing the attack or killing the detected malware process. If the Web Service is installed, No Action mode is automatically switched to Prevention mode once the Agent receives the whitelist rules from the Web Server.
- Prevention mode (Access Denied). In this mode, Harpoon Security detects and prevents DLL injection attempts without killing the detected malware process.
- Kill mode (Kill Attacker). In this mode, Harpoon Security detects the DLL injection attempt, prevents the attack, and kills the detected malware process.
LOGGING
UNDERSTANDING THE HARPOON LOG FILES
EXAMPLE
Description of each element:
- Date and time of the attack
- Process name and PID of the attacker
- Process name and PID of the process being attacked
- Name of the user who started the attacker process
- Name of the user who started the process being attacked
- Address and module base of the injection
- Monitoring mode (in the example, Access Denied, i.e. Prevention mode)
- SHA256 hash of the attacker process
All Harpoon events are also written to the Windows Event Log; they appear under the Application log in Event Viewer.
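Because the events land in the Application log, they can be pulled out with standard tooling rather than by reading the log files by hand. The following PowerShell script is an added example written for this page, not code shipped with Harpoon Security: it collects recent Application-log events from the Harpoon provider, extracts the attacker SHA256 from each message, writes one JSON object per line for ingestion (a Splunk file monitor or HEC input, for instance), and prints a per-hash tally for triage. Two things are assumptions, since the page does not state them: that the event provider name contains "Harpoon" (change $ProviderPattern to whatever Event Viewer shows in the Source column), and that the SHA256 of the attacker process appears in the message text as a 64-hex-digit token, as the log element list above suggests.

```powershell
# Added example (not part of Harpoon's documentation): pull Harpoon events out of
# the Windows Application log and summarise them.
# ASSUMPTIONS: the event provider (Source) name contains "Harpoon" (not stated on the
# page), and the attacker SHA256 appears in the message as a 64-hex-digit token.
param(
    [string]$ProviderPattern = '*Harpoon*',                 # assumed; set to the real Source name
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\harpoon-events.jsonl"
)

$since = (Get-Date).AddHours(-$Hours)

# Let the Event Log service do the time filtering; match the provider client-side so a
# wildcard works even if the exact Source name differs between versions.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like $ProviderPattern }

if (-not $events) {
    Write-Warning "No events from provider '$ProviderPattern' in the Application log since $since."
    return
}

$sha256Regex = '\b[0-9a-fA-F]{64}\b'

$records = foreach ($e in $events) {
    $msg  = $e.Message
    $hash = [regex]::Match([string]$msg, $sha256Regex).Value
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated.ToString('o')
        EventId        = $e.Id
        Level          = $e.LevelDisplayName
        Provider       = $e.ProviderName
        Computer       = $e.MachineName
        AttackerSha256 = if ($hash) { $hash.ToLower() } else { $null }
        Message        = $msg
    }
}

# One JSON object per line: easy to ingest with a Splunk file monitor or HEC.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } | Set-Content -Path $OutFile -Encoding UTF8

# Quick triage view: how many distinct attacker binaries were seen, and how often.
$records | Where-Object AttackerSha256 | Group-Object AttackerSha256 |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'AttackerSha256'; e = { $_.Name } } |
    Format-Table -AutoSize

Write-Host "Wrote $($records.Count) event(s) to $OutFile"
```

Run it from an elevated PowerShell prompt on a host with the Agent installed, e.g. `.\Get-HarpoonEvents.ps1 -Hours 72`. If `Message` comes back empty for every event, the provider's message resources are not registered on the machine doing the query (typical when reading a forwarded or exported log); the raw data is still present in `$e.ToXml()`, so parse that instead of the rendered message. The SHA256 column is what you would pivot on against a sandbox or threat-intel source; the rest of the fields from the log element list (attacker and target PIDs, users, injection address and module base) are in the message text and can be added to the regex once the exact message layout is confirmed from a real event.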
HARPOON SPLUNK APP: