kamiran.asia posted July 11, 2021

10 hours ago, itman said:
You can also download the source code for the .dll used in this test, add some additional code

In our tests ESET will detect the attack with any DLL file, even with an empty file! It does not depend on detection of the DLL file.

10 hours ago, itman said:
Also check this out which tests the previous known vulnerabilities: https://github.com/cube0x0/CVE-2021-1675

We will also check that.
itman posted July 11, 2021

9 hours ago, kamiran.asia said:
We will also check that.

Actually, the test exploit you need to run is the PowerShell based one because:

"This PowerShell script performs local privilege escalation (LPE) with the PrintNightmare attack technique. The LPE technique does not need to work with remote RPC or SMB, as it is only working with the functions of Print Spooler."
https://github.com/calebstewart/CVE-2021-1675

BTW - if you test this: https://github.com/JumpsecLabs/PrintNightmare and have PowerShell set to ConstrainedLanguage mode, the remote script will fail since CL will block the import-module command. So ConstrainedLanguage mode has to be removed; i.e. set to FullLanguage mode, for testing purposes.

Edited July 11, 2021 by itman
itman posted July 12, 2021

Oops - I missed this detection by Eset in regards to the above PowerShell exploit test:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/11/2021 2:09:28 PM;HTTP filter;file;https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1;PowerShell/Exploit.CVE-2021-1675.A trojan;connection terminated;XXXX\XXX;Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).;2645CC7AA381D5D4A6386F84FB2BE23C586CB46A;

Here's the problem. Eset didn't actually block the connection. I saw the script running in a PowerShell session I had open. Now I do monitor outbound PowerShell network traffic with an Eset firewall rule. But allowing the connection, which I did, should have no bearing on the above.

-EDIT- Reflecting, it did appear the script "petered out" at the end. The script execution comments being displayed ended in mid-sentence. So it is possible Eset did eventually block the connection, but the damage would have already been done.

Edited July 12, 2021 by itman
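An added example for readers triaging a record like the one quoted above (this is not code from any post in the thread or from ESET): a small Python parser for the semicolon-delimited detection export. The field names come from the header line in the post; the sample record is constructed from the quoted line. The regular expression assumes the Information field uses the wording "by the application: <path> (<SHA-1>)" seen in that record, which is an assumption about the export format, not something the vendor documents here. The triage helper flags two things the post turns on: that the download was made by powershell.exe, and that the block was a network-layer "connection terminated", which (as the post observes) does not guarantee the interpreter saw none of the script.

```python
import csv
import io
import re

# Constructed sample: the header line plus the detection record quoted in the post above
# (semicolon-delimited export of the ESET detections log).
SAMPLE_LOG = (
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here\n"
    "7/11/2021 2:09:28 PM;HTTP filter;file;"
    "https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1;"
    "PowerShell/Exploit.CVE-2021-1675.A trojan;connection terminated;XXXX\\XXX;"
    "Event occurred during an attempt to access the web by the application: "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "(F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).;"
    "2645CC7AA381D5D4A6386F84FB2BE23C586CB46A;\n"
)

# Assumed wording of the Information field: the process path followed by its SHA-1 in parentheses.
_APP_RE = re.compile(r"by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")


def parse_detections(text):
    """Parse the export into a list of dicts keyed by the header names.

    Adds two derived keys, app_path and app_sha1, pulled out of the Information field
    (None when the field does not follow the assumed wording).
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    records = []
    for row in reader:
        # Drop any surplus fields (DictReader files them under the key None) and trim whitespace.
        rec = {k: (v or "").strip() for k, v in row.items() if k is not None}
        m = _APP_RE.search(rec.get("Information", ""))
        rec["app_path"] = m.group("path") if m else None
        rec["app_sha1"] = m.group("sha1").upper() if m else None
        records.append(rec)
    return records


def is_powershell_web_fetch(rec):
    """True when the HTTP filter flagged content being pulled down by powershell.exe."""
    path = (rec.get("app_path") or "").lower()
    return rec.get("Scanner") == "HTTP filter" and path.endswith("\\powershell.exe")


def triage(rec):
    """Summarise one record the way an analyst reads it: what was fetched, by which process,
    and whether the block was applied in transit rather than to a file on disk."""
    return {
        "detection": rec["Detection"],
        "url": rec["Object"],
        "object_sha1": rec["Hash"],
        "process": rec["app_path"],
        "process_sha1": rec["app_sha1"],
        "powershell_download": is_powershell_web_fetch(rec),
        # A terminated connection cuts the stream; whatever was delivered before the cut may
        # already have reached the interpreter, so this alone does not prove nothing ran.
        "blocked_in_transit": rec["Action"] == "connection terminated",
    }


if __name__ == "__main__":
    for record in parse_detections(SAMPLE_LOG):
        for key, value in triage(record).items():
            print(f"{key}: {value}")
```

Feed it a full export rather than the constructed sample and it will iterate every record; records whose Information field does not match the assumed wording simply get None for the process fields.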