itman 1,748 Posted February 14, 2023

Today I was running the just-issued Win 10 Feb. cumulative update. Malicious Software Remover tool is running. Eset displays a popup that MRT.exe is accessing a PUA. Popup options are clean or ignore. I select the clean option. Well folks, it turns out Eset is now detecting Process Explorer's driver as a PUA:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2/14/2023 4:27:25 PM;Real-time file system protection;file;C:\Windows\System32\drivers\PROCEXP152.SYS;Win64/ProcessExplorer.B potentially unsafe application;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\MRT.exe (372516C8F7462A5C6B46F4D44B4EB5BED9FE1378).;BC47E15537FA7C32DFEFD23168D7E1741F8477ED;6/28/2022 12:26:43 PM

Luckily, this wasn't a critical OS driver that was deleted. Eset, an explanation on this activity please.
itman 1,748 Posted February 15, 2023 (edited)

VirusTotal detection comments yield this:

Quote: This is an older version of the Process Explorer driver, by Microsoft SysInternals (Mark Russinovich). It is the reference sample for https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_VulnDriver_ProcExp.yar AgentTesla uses this driver: https://twitter.com/SBousseaden/status/1592949091184611329

Guess it's time to update Process Explorer. On the other hand, the linked Twitter posting notes that both Elastic and Sentinel are flagging newer Process Explorer versions' driver. Appears to be used to kill AV's real-time protection. I am going to miss using PE though.

Edited February 15, 2023 by itman
Marcos 5,272 (Administrators) Posted February 15, 2023

It's a potentially unsafe application detection of vulnerable drivers which was added in March 2022, i.e. not detected with default settings. The detection is correct and is limited to real-time protection since the driver does not pose any risk unless dropped and misused by actual malware.
itman 1,748 Posted February 15, 2023

10 hours ago, Marcos said:
    It's a potentially unsafe application detection of vulnerable drivers which was added in March 2022, i.e. not detected with default settings.

This driver has been present on my PC for many months. Are you stating that now, with real-time protection PUA settings set to Aggressive, Eset is starting to detect the driver? Also, it appears that Eset will only detect the driver if some process tries to access it, as was the case here with MRT.exe? Appears so. When I tried to run Process Explorer, I now receive the driver PUA alert since PE will add the driver on-the-fly if not present. So this current detection processing is relatively new. I will download the most recent version of PE and see how that goes as far as Eset PUA detection.
itman 1,748 Posted February 15, 2023

Confirmed that with the latest ver. of Process Explorer, Eset is no longer detecting its driver as a PUA. This driver has zero detections at VirusTotal.
itman 1,748 Posted February 15, 2023 (edited)

Found "a deep dive" analysis article on the Process Explorer driver vulnerability, and it's not the only driver that can be exploited:

Quote: Digging deeper into the source code we actually discover that there are two drivers at play here: a victim driver and a vulnerable driver. Initially I presumed these to be the same driver, but the code appears to unpack, load and start the vulnerable driver first (this is the provider), after which it calls KDUMapDriver which tries to load the victim driver. In the case of KDU, the victim driver is always the process explorer PROCEXP152.sys driver; it bootstraps shellcode into the IRP_MJ_DEVICE_CONTROL callback of PROCEXP152, before finally unloading it, triggering the shellcode to execute inside PROCEXP152, allowing the target driver to be loaded into kernel memory. Finally, let's take a look at the core loader functionality; we want to understand the shellcode bootstrapping, and the system calls used to help us figure out what level of detection is possible.

https://labs.jumpsec.com/a-defenders-guide-for-rootkit-detection-episode-1-kernel-drivers/

Of note, this article was written in April 2020.

Edited February 15, 2023 by itman
rememberSiberia 0 Posted February 16, 2023

Hi, I just had this flagged by my Eset too. I have selected the "clean" option. Is there any other recommended action please? Thanks!
itman 1,748 Posted February 17, 2023

54 minutes ago, rememberSiberia said:
    Is there any other recommended action please?

Download the latest ver. of Process Explorer: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer and use this ver. Delete all old versions that may exist in your Downloads folder.
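An added triage helper, written for this thread and not code from ESET or from any poster: it parses the semicolon-separated "Detected threats" export format of the log line itman pasted in the first post, keeps only .sys objects flagged as potentially unsafe (Marcos's vulnerable-driver PUA class), and records which process touched the driver so the "was this MRT.exe or something dropped by malware?" question can be answered from the log. The first SAMPLE_LOG row is the event from the thread; the second row, its detection name and the all-zero/all-one hashes are constructed placeholders.

```python
import csv, io, re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in ESET's "Detected threats" export format. Row 1 is the PROCEXP152.SYS
# event quoted in the thread; row 2 is a made-up non-driver PUA event with placeholder hashes.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2/14/2023 4:27:25 PM;Real-time file system protection;file;C:\Windows\System32\drivers\PROCEXP152.SYS;Win64/ProcessExplorer.B potentially unsafe application;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\MRT.exe (372516C8F7462A5C6B46F4D44B4EB5BED9FE1378).;BC47E15537FA7C32DFEFD23168D7E1741F8477ED;6/28/2022 12:26:43 PM
2/14/2023 4:31:02 PM;Real-time file system protection;file;C:\Users\demo\Downloads\setup.exe;Win32/Example.PUA potentially unwanted application;cleaned by deleting;DESKTOP\demo;Event occurred on a new file created by the application: C:\Windows\explorer.exe (0000000000000000000000000000000000000000).;1111111111111111111111111111111111111111;2/14/2023 4:31:02 PM
"""

# SHA-1s of driver builds known to be abusable. The one entry is the hash ESET logged for
# the old PROCEXP152.SYS above; in practice load your own vulnerable-driver inventory here.
KNOWN_VULNERABLE_SHA1 = {
    "BC47E15537FA7C32DFEFD23168D7E1741F8477ED": "Process Explorer driver PROCEXP152.SYS (old build)",
}

# Pulls the accessing process path and its SHA-1 out of the Information column.
ACCESS_RE = re.compile(r"by the application: (?P<proc>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")

@dataclass
class DriverHit:
    time: str
    path: str
    detection: str
    action: str
    sha1: str
    known_vulnerable: bool
    accessed_by: Optional[str]       # process whose access triggered the real-time scan
    accessed_by_sha1: Optional[str]

def parse_eset_log(text: str) -> list:
    """Parse the semicolon-separated export into one dict per row (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def find_driver_hits(text: str) -> list:
    """Keep only .sys objects flagged 'potentially unsafe' and enrich them for triage."""
    hits = []
    for row in parse_eset_log(text):
        path = row["Object"]
        if not path.lower().endswith(".sys") or "potentially unsafe" not in row["Detection"].lower():
            continue
        sha1 = row["Hash"].upper()
        m = ACCESS_RE.search(row["Information"])
        hits.append(DriverHit(row["Time"], path, row["Detection"], row["Action"], sha1,
                              sha1 in KNOWN_VULNERABLE_SHA1,
                              m.group("proc") if m else None,
                              m.group("sha1").upper() if m else None))
    return hits
```

A hit whose accessed_by is a signed OS component such as MRT.exe, as in the thread, is the benign "old copy on disk" case; a hit where the accessing process is unknown is the one to escalate.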