Today I was running the just-issued Win 10 Feb. cumulative update. Malicious Software Remover tool is running. Eset displays a popup that MRT.exe is accessing a PUA. Popup options are clean or ignore. I select the clean option.

Well folks, it turns out Eset is now detecting Process Explorer's driver as a PUA:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2/14/2023 4:27:25 PM;Real-time file system protection;file;C:\Windows\System32\drivers\PROCEXP152.SYS;Win64/ProcessExplorer.B potentially unsafe application;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\MRT.exe (372516C8F7462A5C6B46F4D44B4EB5BED9FE1378).;BC47E15537FA7C32DFEFD23168D7E1741F8477ED;6/28/2022 12:26:43 PM

Luckily, this wasn't a critical OS driver that was deleted.

Eset, an explanation on this activity please.

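Added example (not part of the original post, and not ESET's own tooling): a Python parser for the semicolon-delimited log export quoted above. It splits the accessing process and its hash out of the Information field and lists "potentially unsafe application" detections where a file under \drivers\ was deleted. The second sample row and its placeholder hashes are constructed, and the function names are this example's own.

```python
import csv
import io
import re

# Header and first row are the export quoted in the post above;
# the second row is constructed for this example (placeholder hashes).
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2/14/2023 4:27:25 PM;Real-time file system protection;file;C:\Windows\System32\drivers\PROCEXP152.SYS;Win64/ProcessExplorer.B potentially unsafe application;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\MRT.exe (372516C8F7462A5C6B46F4D44B4EB5BED9FE1378).;BC47E15537FA7C32DFEFD23168D7E1741F8477ED;6/28/2022 12:26:43 PM
2/14/2023 5:01:02 PM;Real-time file system protection;file;C:\Users\example\Downloads\tool.exe;Win32/Example.A potentially unwanted application;retained;EXAMPLE\user;Event occurred on a new file created by the application: C:\Windows\explorer.exe (0000000000000000000000000000000000000000).;1111111111111111111111111111111111111111;2/14/2023 5:01:02 PM
"""

# The Information field names the process that touched the file, followed by
# that process's 40-hex-character hash in parentheses.
ACCESSOR = re.compile(
    r"by the application: (?P<path>.+?) \((?P<hash>[0-9A-Fa-f]{40})\)"
)


def parse_detections(text):
    """Yield one dict per log row, with the accessing process split out."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        m = ACCESSOR.search(row["Information"])
        row["Accessor"] = m.group("path") if m else None
        row["Accessor hash"] = m.group("hash") if m else None
        yield row


def deleted_unsafe_drivers(rows):
    """Rows where an 'unsafe application' file under \\drivers\\ was deleted."""
    return [r for r in rows
            if "potentially unsafe application" in r["Detection"]
            and "\\drivers\\" in r["Object"].lower()
            and r["Action"].startswith("cleaned by deleting")]


if __name__ == "__main__":
    for r in deleted_unsafe_drivers(parse_detections(SAMPLE_LOG)):
        print(f'{r["Time"]}: {r["Object"]} ({r["Hash"]}) deleted; '
              f'accessed by {r["Accessor"]} ({r["Accessor hash"]})')
```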

VirusTotal detection comments yield this:

Quote

This is an older version of the Process Explorer driver, by Microsoft SysInternals (Mark Russinovich).

It is the reference sample for https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_VulnDriver_ProcExp.yar

AgentTesla uses this driver: https://twitter.com/SBousseaden/status/1592949091184611329

Guess it's time to update Process Explorer. On the other hand, the linked Twitter posting notes that both Elastic and Sentinel are flagging newer Process Explorer versions' driver. Appears to be used to kill AV's real-time protection. I am going to miss using PE though.

Edited by itman

  • Administrators

It's a potentially unsafe application detection of vulnerable drivers which was added in March 2022, i.e. not detected with default settings. The detection is correct and is limited to real-time protection since the driver does not pose any risk unless dropped and misused by actual malware.

10 hours ago, Marcos said:

It's a potentially unsafe application detection of vulnerable drivers which was added in March 2022, i.e. not detected with default settings.

This driver has been present on my PC for many months.

Are you stating that now with real-time protection PUA settings set to Aggressive, Eset is starting to detect the driver?

Also, it appears that Eset will only detect the driver if some process tries to access it as was the case here with MRT.exe? Appears so. When I tried to run Process Explorer, I now receive the driver PUA alert since PE will add the driver on-the-fly if not present. So this current detection processing is relatively new.

I will download the most recent version of PE and see how that goes as far as Eset PUA detection.

Confirmed that with the latest ver. of Process Explorer, Eset is no longer detecting its driver as a PUA. This driver has zero detections at VirusTotal.

Found "a deep dive" analysis article on the Process Explorer driver vulnerability, and it's not the only driver that can be exploited:

Quote

Digging deeper into the source code we actually discover that there are two drivers at play here: a victim driver and a vulnerable driver. Initially I presumed these to be the same driver, but the code appears to unpack, load and start the vulnerable driver first – this is the provider – after which it calls KDUMapDriver which tries to load the victim driver.

In the case of KDU, the victim driver is always the process explorer PROCEXP152.sys driver, it bootstraps shellcode into the IRP_MJ_DEVICE_CONTROL callback of PROCEXP152, before finally unloading it, triggering the shellcode to execute inside PROCEXP152, allowing the target driver to be loaded into kernel memory.

Finally, let’s take a look at the core loader functionality, we want to understand the shellcode bootstrapping, and the system calls used to help us figure out what level of detection is possible.

https://labs.jumpsec.com/a-defenders-guide-for-rootkit-detection-episode-1-kernel-drivers/

Of note is that this article was written in April, 2020 ...

Edited by itman

54 minutes ago, rememberSiberia said:

Is there any other recommended action please?

Download latest ver. of Process Explorer: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer and use this ver. Delete all old versions that may exist in your Downloads folder.

This topic is now closed to further replies.