tzuzut
Members, 28 posts
Everything posted by tzuzut
-
I can see that the root cert in the browser is ESET, so I assume it's working. I thought I recalled years earlier that when enabling this feature, one could view the log and watch the list of HTTPS connections and files being scanned... or is this only active during a detection? I am seeing "allowed" status whitelisted domains showing up under 'filtered websites', and that's about it when it comes to internet activity.
-
I get the following error in Event Viewer, with both the Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe and wmic process call create "notepad.exe" commands. They only open Notepad one time on a clean boot, then the error persists on each consecutive execution from then on. Initially, when it works, it appears to load the legacy Notepad, with an option to open the 'updated' version.
0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe because an error was encountered while adjusting the token. [GetPackageToken]
-
So, oddly, I am getting inconsistent results with Windows. I've disabled exploit protections for wmic, and restarted the service, and though it claims the Notepad launch was successful, it does not appear, not even temporarily, according to Task Manager. At times it does; perhaps on a fresh boot of Windows. I had strange issues like this before... and other issues, where exploit protection child process blocking for wmic would work on one Windows system and only partially on another. On one system it worked for wmic.exe only, but not the PowerShell command. On the other system, it blocked both. I tried disabling the following attack surface reduction rule as well, but the same issue (if it is one) persists. I'm not sure if attack surface reduction rules actually work when using a third-party AV. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
-
Thanks for the excellent tips! I originally created a scheduled task that monitored for wmic implants based on Event Viewer IDs, which executed a batch script (see comment) upon detection that scanned the WMI repository for consistency, and stopped the service. The method I used previously was blocking child processes of wmic.exe and wmiprvse.exe via Windows exploit protections, in part because they can be used to easily bypass constrained language mode, but it doesn't offer the granularity of a HIPS setup, and caused compatibility issues with certain applications. I had months ago created a HIPS rule for both processes in ESET, but neither worked when spawning a process from CMD or PowerShell. I don't understand why ESET can't detect this. But I guess blocking CMD and PowerShell from running wmic would go a long way. I'd prefer blocking to logging... a HIPS/whitelist approach would be most useful in my circumstance; to immediately stop it in its tracks. Attached are my scripts. wmi.zip
-
No matter what I do with custom HIPS, ESET will not ask to block WMI from creating child processes via the following commands:
PowerShell: Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
CMD: wmic process call create "notepad.exe"
It had only some success; for example, when loading Adobe After Effects, HIPS asked if WMI should call up 'conhost.exe'. Why is this not working as intended via the aforementioned command lines? System Informer clearly shows that Notepad is a child process of WMI.
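The three posts above describe two defensive controls: blocking child processes of wmic.exe via Windows Exploit Protection, and hunting the event log for processes that WMI spawned. The script below is an added example written for this page; it is not the poster's wmi.zip script nor anything from ESET or Microsoft. It uses only the built-in Set-ProcessMitigation / Get-ProcessMitigation cmdlets and Security event 4688, so it is independent of which antivirus is installed (attack surface reduction rules, by contrast, only apply when Microsoft Defender Antivirus is the active primary antivirus, which is relevant to the question raised above about third-party AV). It must run in an elevated session, and the 4688 hunt only returns results where "Audit Process Creation" (and ideally command-line auditing) is enabled. The $Targets list and the 24-hour window are assumptions for the example.

```powershell
# Added example for this thread (not the poster's script): enforce and verify
# "Do not allow child processes" for wmic.exe, then hunt Security 4688 events
# for anything spawned by WmiPrvSE.exe or wmic.exe.
# Run from an elevated PowerShell session.

# Assumption: only wmic.exe is blocked by default. WmiPrvSE.exe is the process that
# actually hosts Win32_Process.Create, so add it only after testing application
# compatibility (the thread notes that blocking it broke some applications).
$Targets = @('wmic.exe')

foreach ($exe in $Targets) {
    # DisallowChildProcessCreation is the Exploit Protection setting the GUI
    # labels "Do not allow child processes"; it applies per image name.
    Set-ProcessMitigation -Name $exe -Enable DisallowChildProcessCreation
}

# Verify what is actually in effect, since the thread reports inconsistent
# results between machines. Expected value after the loop above: ON.
foreach ($exe in $Targets) {
    $m = Get-ProcessMitigation -Name $exe
    [pscustomobject]@{
        Image             = $exe
        ChildProcessBlock = $m.ChildProcess.DisallowChildProcessCreation
    }
}

# Hunt: list every process whose parent was WmiPrvSE.exe or wmic.exe in the
# last 24 hours (assumed window). Event 4688 carries NewProcessName,
# ParentProcessName and CommandLine in its EventData, so parse the XML by
# field name rather than relying on positional Properties[] indexes.
$Since = (Get-Date).AddHours(-24)

$WmiChildren = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $data['ParentProcessName']
            Child   = $data['NewProcessName']
            CmdLine = $data['CommandLine']
        }
    } |
    Where-Object { $_.Parent -match '\\(WmiPrvSE|wmic)\.exe$' }

# A notepad.exe row here with Parent ending in WmiPrvSE.exe is exactly the
# case the thread describes: Win32_Process.Create launched a child that the
# HIPS rule did not intercept.
$WmiChildren | Sort-Object Time | Format-Table Time, Parent, Child, CmdLine -AutoSize
```

The verification step matters because Set-ProcessMitigation writes a per-image policy that is only honoured once a new instance of that image starts; an already-running wmic.exe or WmiPrvSE.exe keeps its old mitigation set, which is one plausible reason the thread saw the block work right after a reboot and not afterwards. The hunt query is the logging half of the poster's "blocking over logging" preference: it does not stop anything, but it shows whether child processes are still being created through the WMI path after the control is applied.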