{"id":6342,"date":"2017-01-23T15:50:28","date_gmt":"2017-01-23T23:50:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-180\/"},"modified":"2017-01-23T15:50:28","modified_gmt":"2017-01-23T23:50:28","slug":"news-180","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-180\/","title":{"rendered":"Windows 10: protection, detection, and response against recent Depriz malware attacks"},"content":{"rendered":"<p><span>A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers and, in many cases, rendered them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years, and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats. <\/span><\/p>\n<p><span>Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names. <\/span><\/p>\n<p>Although the extent of the damage caused by this latest attack by TERBIUM is still unknown, Windows 10 customers have a set of features available for them to enable to mitigate such attacks. 
Windows 10 has built-in proactive security components, such as <a href=\"https:\/\/blogs.technet.microsoft.com\/ash\/2016\/03\/02\/windows-10-device-guard-and-credential-guard-demystified\/\">Device Guard<\/a>, that mitigate this threat; <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-defender\">Windows Defender<\/a> customers are protected through multiple signature-based detections; and <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/Windows-ATP\">Windows Defender Advanced Threat Protection (ATP)<\/a> customers are provided extensive visibility and detection capabilities across the attack kill chain, enabling security operation teams to respond quickly. Microsoft\u2019s analysis has shown that the components and techniques used by TERBIUM in this campaign trigger multiple detections and threat intelligence alerts in <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender Advanced Threat Protection<\/a><span><u>.<\/u><\/span><\/p>\n<h2>Attack composition<\/h2>\n<p><span>Microsoft Threat Intelligence has observed that the malware used by <\/span>TERBIUM<span>, dubbed \u201cDepriz\u201d by Microsoft, reuses several components and techniques seen in the 2012 attacks, and has been highly customized for each targeted organization. <\/span><\/p>\n<p>We do not see any indicators that a zero-day exploit is being used by TERBIUM.<\/p>\n<h3>Step 1: Writing to disk<\/h3>\n<p>The initial infection vector TERBIUM uses is unknown. As credentials have been hard-coded in the malware TERBIUM uses, it is suspected that TERBIUM has harvested credentials or infiltrated the target organization previously. Once TERBIUM has a foothold in the organization, its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation. 
These components are encoded in the executable\u2019s resources as fake bitmap images.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"587\" height=\"297\" class=\"alignnone size-full wp-image-9765\" alt=\"shamoon-depriz-implants\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/shamoon-depriz-implants.png\" \/><\/p>\n<p><em>Figure 1. The components of the Trojan are fake bitmap images<\/em><\/p>\n<p>We decoded the components as the following files:<\/p>\n<ul>\n<li>PKCS12 &#8211; a destructive disk wiper component<\/li>\n<li>PKCS7 &#8211; a communication module<\/li>\n<li>X509 &#8211; 64-bit variant of the Trojan\/implant<\/li>\n<\/ul>\n<h3>Step 2: Propagation and persistence through the target network<\/h3>\n<p><span>We have seen TERBIUM use hardcoded credentials embedded in the malware to propagate within a local network. The availability of these credentials to the activity group suggests that the attacks are highly targeted at specific enterprises. <\/span><\/p>\n<p>Propagation and persistence are carried out as follows:<\/p>\n<ol>\n<li>First, it tries to start the <em>RemoteRegistry<\/em> service on the computer it is trying to copy itself to, then uses <em>RegConnectRegistryW<\/em> to connect to it.<\/li>\n<li>Next, it attempts to disable <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/951016\">UAC remote restrictions<\/a> by setting the <em>LocalAccountTokenFilterPolicy<\/em> registry value to <em>\u201c1\u201d<\/em>.<\/li>\n<li>Once this is done, it connects to the target computer and copies itself as <em>%System%\\ntssrvr32.exe<\/em> or <em>%System%\\ntssrvr64.exe<\/em>, then creates either a remote service called \u201c<em>ntssv<\/em>\u201d or a scheduled task.<\/li>\n<\/ol>\n<h3>Step 3: Wiping the machine<\/h3>\n<p>Next, the Trojan installs the wiper component. 
Note: TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date\/time: November 17, 2016 at 8:45 p.m.<\/p>\n<p>The wiper component is installed as <em>%System%\\&lt;random name&gt;.exe<\/em>. During our testing, it used the name \u201c<em>routeman.exe<\/em>\u201d, but static analysis shows it can use several other names that attempt to imitate the file names of legitimate system tools.<\/p>\n<p>The wiper component also contains encoded files in its resources as fake bitmap images.<\/p>\n<p>The first encoded resource is a legitimate driver called <em>RawDisk<\/em> from the Eldos Corporation that gives a user-mode component raw disk access. The driver is saved as <em>%System%\\drivers\\drdisk.sys<\/em> and installed by creating a service pointing to it using \u201c<em>sc create<\/em>\u201d and \u201c<em>sc start<\/em>\u201d. This behavior can be observed in the process tree available in the Windows Defender ATP portal. The alert below is an example of the generic detections in Windows Defender ATP:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"312\" class=\"alignnone size-large wp-image-10025\" alt=\"Screenshot of Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver &quot;drdisk&quot;\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Shamoon2-1024x312.png\" \/><\/p>\n<p><em>Figure 2. Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver &#8220;drdisk&#8221;<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"558\" class=\"alignnone size-large wp-image-10035\" alt=\"Screenshot of Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named \u201crouteman\u201d in this instance), which in turn drops the RawDisk driver \u201cdrdisk\u201d\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Shamoon3-1024x558.png\" \/><\/p>\n<p><em>Figure 3. Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named \u201crouteman\u201d in this instance), which in turn drops the RawDisk driver \u201cdrdisk\u201d<\/em><\/p>\n<p>There are two things worth noting about <em>RawDisk<\/em>:<\/p>\n<ul>\n<li>It requires a valid license key from Eldos Corporation to run. However, the license key included in Depriz is the same as the one used in the 2012 attacks \u2013 and this license key was only valid for a short period in 2012. TERBIUM works around this by changing the system time on targeted computers to a date within that 2012 validity period.<\/li>\n<li>It is the same driver as the one used in the 2012 attacks.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"239\" class=\"alignnone size-large wp-image-10045\" alt=\"Screenshot of Depriz license key (the same as the one used in 2012 attacks) and its limited validity period\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Shamoon4-1024x239.png\" \/><\/p>\n<p><em>Figure 4. 
Depriz license key (the same as the one used in the 2012 attacks) and its limited validity period<\/em><\/p>\n<p>The wiper component uses an image file to overwrite files in the following locations:<\/p>\n<ul>\n<li><em>Master Boot Records (MBR)<\/em><\/li>\n<li><em>HKLM\\System\\CurrentControlSet\\Control\\SystemBootDevice<\/em><\/li>\n<li><em>HKLM\\System\\CurrentControlSet\\Control\\FirmwareBootDevice<\/em><\/li>\n<li><em>C:\\Windows\\System32\\Drivers<\/em><\/li>\n<li><em>C:\\Windows\\System32\\Config\\systemprofile<\/em><\/li>\n<li>Typical user folders like \u201c<em>Desktop<\/em>\u201d, \u201c<em>Downloads<\/em>\u201d, \u201c<em>Documents<\/em>\u201d, \u201c<em>Pictures<\/em>\u201d, \u201c<em>Videos<\/em>\u201d and \u201c<em>Music<\/em>\u201d<\/li>\n<\/ul>\n<p>Microsoft is also aware of a second threat that uses a distinct wiping component. We detect this as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Trojan:Win32\/Cadlotcorg.A\">Trojan:Win32\/Cadlotcorg.A!dha<\/a> in Windows Defender, and through generic detections in Windows Defender ATP. Microsoft is continuing to monitor for additional information on this threat.<\/p>\n<h3>Step 4: Rendering the machine unusable<\/h3>\n<p>Finally, the following command is used to reboot the system into the intended unusable state:<\/p>\n<p><em>shutdown -r -f -t 2<\/em><\/p>\n<p>When the computer attempts to restart after shutting down, it is unable to find the operating system because the MBR was overwritten in step 3. The machine will no longer boot properly.<\/p>\n<h2>Mitigation: Multiple layers of protection from Microsoft<\/h2>\n<p><span>Windows 10 protects, detects and responds to this threat. 
Windows 10 has built-in proactive security components, such as <a href=\"https:\/\/blogs.technet.microsoft.com\/ash\/2016\/03\/02\/windows-10-device-guard-and-credential-guard-demystified\/\">Device Guard<\/a><u>,<\/u> that mitigate this threat by restricting execution to trusted applications and kernel drivers. <\/span><\/p>\n<p><span>In addition, <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-defender\">Windows Defender<\/a> detects and remediates all components on endpoints as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.A!dha\">Trojan:Win32\/Depriz.A!dha<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.B!dha\">Trojan:Win32\/Depriz.B!dha<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.C!dha\">Trojan:Win32\/Depriz.C!dha<\/a>, and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.D!dha\">Trojan:Win32\/Depriz.D!dha<\/a>. <\/span><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/Windows-ATP\">Windows Defender Advanced Threat Protection (ATP)<\/a>, our post-breach security service, provides an additional layer of security to enterprise users. 
With threat intelligence indicators, generic detections, and machine learning models, Windows Defender ATP (<a href=\"http:\/\/aka.ms\/register-wdatp\">trial link<\/a>) provides extensive visibility and detection capabilities across the attack kill chain of threats like TERBIUM.<\/p>\n<h3>Appendix &#8211; Indicators of compromise<\/h3>\n<p>We discovered the following SHA1s in relation to TERBIUM:<\/p>\n<p>SHA1 hashes for malicious files<\/p>\n<ul>\n<li>5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6<\/li>\n<li>e7c7f41babdb279c099526ece03ede9076edca4e<\/li>\n<li>a2669df6f7615d317f610f731b6a2129fbed4203<\/li>\n<li>425f02028dcc4e89a07d2892fef9346dac6c140a<\/li>\n<li>ad6744c7ea5fee854261efa403ca06b68761e290<\/li>\n<\/ul>\n<p>SHA1 hashes for legitimate RawDisk drivers<\/p>\n<ul>\n<li>1292c7dd60214d96a71e7705e519006b9de7968f<\/li>\n<li>ce549714a11bd43b52be709581c6e144957136ec<\/li>\n<\/ul>\n<p>Signature names for malicious files<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.A!dha\">Trojan:Win32\/Depriz.A!dha<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.B!dha\">Trojan:Win32\/Depriz.B!dha<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.C!dha\">Trojan:Win32\/Depriz.C!dha<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan:Win32\/Depriz.D!dha\">Trojan:Win32\/Depriz.D!dha<\/a><\/li>\n<\/ul>\n<p><em>Mathieu Letourneau<\/em><\/p>\n<p><em>Windows Defender Advanced Threat Protection Threat Intelligence Team<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/12\/09\/windows-10-protection-detection-and-response-against-recent-attacks\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers and, in many cases, rendered them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years, and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence 
teams&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[11016,10864,10760,11017,11018,11019,10833,11020,11021,10761,11022,10762,10865,11023],"class_list":["post-6342","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-0-day-exploit","tag-advanced-persistent-threats","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-depriz-malware","tag-device-guard","tag-terbium-apt","tag-trojan","tag-trojanwin32cadlotcorg-adha","tag-win32depriz","tag-windows-10","tag-windows-10-protection","tag-windows-defender","tag-windows-defender-atp","tag-zero-day-exploit"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6342"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6342\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6342"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}