ArcticMyst Security is a free EDR (endpoint detection & response) tool for Windows, developed by DeepTide with a focus on XLL / RunDLL32 attack blocking and detecting crashing applications.  The software is available on the Microsoft App Store, MajorGeeks and Softpedia.  The current version is 20230923a.

ArcticMyst Security Technical Features Overview:

1) Monitoring: Processes executed (file path and command line)

2) Monitoring: SHA256 hash of processes executed

3) Blocking: RunDLL32.exe is not allowed to call Winsock DLLs or the WSAStartup function.  These events are blocked and a systray balloon notification appears. Excel not allowed to load XLL files – malware attack vector – balloon notification alert.  User can choose to temporarily pause these blocking functions

4) Monitoring: Registry startup changes (Causes systray balloon notification alert)

5) Monitoring: Crashing Processes via Windows Event Log event callback - crashes often occur during an attempted attack.  This monitoring function may also help identify problematic software (Causes systray balloon notification alert)

6) Monitoring: Changes to PendingFileRenameOperations registry (monitored because some malware uses this to delete security tools on reboot)

The software is completely free to use.  If you would like us to provide threat hunting and analytics services based on your ArcticMyst logs, then this can be arranged on a fee-for-service basis.  Please contact us for more info.