pps, Posted December 10, 2019

Hello,

As far as I know, if you run the ESET Uninstall Tool in safe mode you can uninstall the agent and endpoint. If a zero-day ransomware reboots the PC into safe mode, are there any client settings that can be enabled to prevent the ransomware from uninstalling the endpoint security?

https://www.zdnet.com/article/snatch-ransomware-reboots-pcs-in-windows-safe-mode-to-bypass-antivirus-apps/

Thanks,
Peter
itman, Posted December 10, 2019

Off the top of my head, the best way to prevent this is to create a HIPS rule to monitor the running of shutdown.exe. Note that malware since the XP days has used this to force a reboot to run their nasty at boot time. As such, it would not surprise me that ESET already has a built-in HIPS rule to monitor the start-up of shutdown.exe.
itman, Posted December 10, 2019 (edited)

Also of note is that this malware uses bcdedit.exe to modify Windows startup settings. I have had an existing HIPS rule in place for some time to monitor its startup:

Quote:
Using the BCDEDIT tool on Windows, it issues a command that sets up the Windows operating system to boot in Safe Mode, and then immediately forces a reboot of the infected computer.

bcdedit.exe /set {current} safeboot minimal
shutdown /r /f /t 00

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

Edited December 10, 2019 by itman
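A defender-side way to turn the two commands quoted above into a detection, as an added example that is neither from this thread nor from ESET: it scans constructed process-creation records (the field names host/ts/image/cmdline are assumptions, not a real log schema) for a bcdedit safeboot change followed within a short window by a forced reboot on the same host.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical Sysmon-like fields).
# ws01 shows the Snatch-style sequence; ws02 shows benign admin activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "ws01", "ts": 101, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /f /t 00"},
    {"host": "ws02", "ts": 200, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum"},
    {"host": "ws02", "ts": 205, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 300"},
]

SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)


def classify(event):
    """Tag a single event as 'safeboot_set', 'forced_reboot', or None."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    args = {a.lower() for a in cmd.split()}
    if image == "bcdedit.exe" and SAFEBOOT_RE.search(cmd):
        return "safeboot_set"          # boot configuration changed to Safe Mode
    if image == "shutdown.exe" and "/r" in args and "/f" in args:
        return "forced_reboot"         # forced restart, no grace for running apps
    return None


def find_safe_mode_reboot_chains(events, window=60):
    """Return (host, bcdedit_ts, shutdown_ts) for every safeboot change that is
    followed by a forced reboot on the same host within `window` seconds."""
    tagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            tagged[ev["host"]].append((ev["ts"], tag))
    hits = []
    for host, seq in tagged.items():
        for i, (ts, tag) in enumerate(seq):
            if tag != "safeboot_set":
                continue
            for ts2, tag2 in seq[i + 1:]:
                if tag2 == "forced_reboot" and ts2 - ts <= window:
                    hits.append((host, ts, ts2))
                    break
    return hits
```

A single forced reboot on its own is noisy; correlating it with the preceding safeboot change on the same host is what makes the alert worth paging on.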
itman, Posted December 10, 2019

The Sophos article is a bit murky on how PsExec is being used. From what is shown, it appears the attacker is running PsExec remotely after the reboot to safe mode to execute the ransomware. To accomplish this, both the psexecsvc.exe download and the creation of a service to run it would have had to be done prior to the reboot. I have an ESET HIPS rule in place to prevent this, but creating it was a bit tricky.
itman, Posted December 10, 2019 (edited)

I also forgot to post on the most important part of this ransomware attack:

Quote:
Deciphering the Snatch attack

In one of the incidents, which targeted a large international company, the MTR team managed to obtain detailed logs from the targeted company that the ransomware had not been able to encrypt. The attackers initially accessed the company's internal network by brute-forcing the password to an administrator's account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP). All the organizations where these same files were found also were later discovered to have one or more computers with RDP exposed to the internet.

At this point, the attacker had admin privileges. Anything after this point is academic in what the attacker could do.

Edited December 10, 2019 by itman
pps (Author), Posted December 11, 2019

15 hours ago, itman said:
Off the top of my head, the best way to prevent this is to create a HIPS rule to monitor the running of shutdown.exe. Note that malware since the XP days has used this to force a reboot to run their nasty at boot time. As such, it would not surprise me that ESET already has a built-in HIPS rule to monitor the start-up of shutdown.exe.

@Marcos, is there any official answer from ESET? Is there any built-in protection, or is there going to be one?