itman
Posted July 10, 2020

There is a SRP/AppLocker and also ESET recommended ransomware rules PowerShell bypass; one of dozens that exist, on GitHub: https://github.com/p3nt4/PowerShdll . ESET detects the .dll version of this as MSIL/Agent.SXW upon download. However, there is also a .exe version of this bypass that ESET does not detect. Not even after a LiveGrid upload of it after download:

Time;Component;Event;User
7/9/2020 1:50:52 PM;ESET Kernel;File 'https://raw.githubusercontent.com/p3nt4/PowerShdll/master/exe/bin/Release/Powershdll.exe' was sent to ESET Virus Lab for analysis.;SYSTEM

Why not? If ESET detects the .dll version, it should also detect the .exe version.

Attachment: Powershdll.zip
Peter Randziak (ESET Moderator)
Posted July 15, 2020

Hello @itman, the .exe itself is not malicious; it loads the .dll, which is being detected...

Peter
itman (Author)
Posted July 15, 2020 (edited)

2 hours ago, Peter Randziak said:
    Hello @itman, the .exe itself is not malicious; it loads the .dll, which is being detected... Peter

Depends how you look at it. Since the .dll is embedded in the .exe, it is in reality part of the .exe.

Also the AV detections on this one are a bit strange. ESET was one of the few who detected the .dll. On the other hand, Kaspersky and Checkpoint, plus now others, originally detected the .exe. Note that ESET does not detect the .exe version on VirusTotal.

Detection of the .dll after .exe startup is post-execution detection. As ESET points out in its write-ups on post-execution detection, it is a less desirable detection method since system modifications may have occurred prior to detection. However, in this case it is N/A since the .dll is actually not being run by the .exe.

Finally, as I understand this bypass, it is using a .Net based .dll that only runs on .Net 2.0 or 3.5. In other words, the .dll is actually running via .Net. Therefore all the .exe version is doing is the equivalent of e.g. rundll32.exe PowerShdll.dll.

So the question remains: why can't ESET detect by signature the .dll code embedded in the .exe as it can for the standalone .dll? I do not believe the code in the .exe is hidden in any way by packing, encryption, or obfuscation.

Edited July 15, 2020 by itman
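The question in the post above is why a signature that matches a standalone .dll would not also fire on the same bytes carried inside an .exe. A scanner that only hashes the whole file on disk misses an embedded copy; one that carves each embedded PE image out of the host and hashes it separately can match the standalone signature. The following is an added illustration of that carving step, written for this thread and not code from the PowerShdll project or from ESET. It builds minimal, constructed PE-like images (DOS stub, COFF header, one section) as stand-ins; the detection name and sample bytes are made up, and a real PE32/PE32+ optional header is much larger than the 16 zero bytes used here.

```python
"""Carve embedded PE images out of a host binary and hash each one separately.

Added, constructed example: the images built here are minimal stand-ins
(DOS stub, COFF header, one section) and are NOT the PowerShdll binaries.
"""
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
OPT_HDR_SIZE = 16       # constructed: a real optional header is far larger
COFF_HDR_LEN = 20
SECTION_HDR_LEN = 40


def build_fake_pe(section_data: bytes) -> bytes:
    """Build a minimal, parseable PE-like image whose single section holds section_data."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, OPT_HDR_SIZE, 0x2022)
    raw_ptr = 0x40 + 4 + COFF_HDR_LEN + OPT_HDR_SIZE + SECTION_HDR_LEN
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          len(section_data), 0x1000,    # VirtualSize, VirtualAddress
                          len(section_data), raw_ptr,   # SizeOfRawData, PointerToRawData
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + PE_SIG + coff + bytes(OPT_HDR_SIZE) + section + section_data


def find_pe_offsets(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew really points at a 'PE\\0\\0' signature."""
    offsets, pos = [], data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(MZ, pos + 1)
    return offsets


def carve_pe(data: bytes, off: int) -> bytes:
    """Return the on-disk image at off: headers through the end of the last section's raw data."""
    sig = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    nsections = struct.unpack_from("<H", data, sig + 6)[0]
    opt_size = struct.unpack_from("<H", data, sig + 20)[0]
    sec_tbl = sig + 4 + COFF_HDR_LEN + opt_size
    end = (sec_tbl - off) + nsections * SECTION_HDR_LEN   # at least the headers
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_tbl + i * SECTION_HDR_LEN + 16)
        end = max(end, ptr_raw + size_raw)
    return data[off:off + end]


def match_known_images(data: bytes, known: dict) -> list:
    """(offset, name) for every carved image whose SHA-256 is in the known-bad table."""
    hits = []
    for off in find_pe_offsets(data):
        digest = hashlib.sha256(carve_pe(data, off)).hexdigest()
        if digest in known:
            hits.append((off, known[digest]))
    return hits


def demo() -> list:
    """Constructed scenario: a standalone 'dll' and a host 'exe' carrying it as raw bytes."""
    inner = build_fake_pe(b"inner managed dll body (constructed)")
    outer = build_fake_pe(b"host stub " + inner + b" trailing bytes")
    known = {hashlib.sha256(inner).hexdigest(): "CONSTRUCTED/Sample.Name"}
    assert hashlib.sha256(outer).hexdigest() not in known   # whole-file hash misses it
    return match_known_images(outer, known)


if __name__ == "__main__":
    print(demo())
```

The whole-file hash of the host never matches the standalone image, while the carved copy at its embedded offset does; a scanner that stops at the outer hash is in exactly the position the thread describes. Real embedded payloads are often stored as resources, compressed or base64-encoded rather than as raw bytes, in which case carving has to decode that layer first.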
Peter Randziak (ESET Moderator)
Posted July 17, 2020

Hello @itman, thank you for your submission. I contacted the lab and they decided to add the exe to detection as well:

Powershdll.exe - MSIL/Agent.SXW trojan

Peter