Quizzical9796 0 Posted September 19, 2023

Several detections recently popped up from our Inspect, and in the detection detail it is stated that the signature is Trusted, but "was Invalid when detection was triggered". Examples included Microsoft and even ESET files. Could you explain to me how this is possible, please? Thank you in advance.
Administrators Marcos 5,451 Posted September 19, 2023

Does it come from ESET Inspect? If so, please raise a support ticket, but I'm not sure the root cause can be determined backwards if it cannot be reproduced again.
Quizzical9796 0 Posted September 19, 2023 (Author)

Yes, it is showing in the detection details of ESET Inspect. I thought it could be some update because I saw it several times already, but I'm not sure... OK, could you point me to where to submit a ticket, please? I don't think it has to be a threat, but I am just curious how it could have happened.
itman 1,801 Posted September 19, 2023

One possibility is this hack method: https://attack.mitre.org/techniques/T1036/001/ . You will need to closely examine the signatures of the files that are generating these ESET detections.
itman 1,801 Posted September 19, 2023 (edited)

FYI:

Quote:
Various tools can be used in order to hijack a certificate from a trusted binary and use it on a non-legitimate binary.

SigThief:
python sigthief.py -i consent.exe -t mimikatz.exe -o signed-mimikatz.exe
(Sigthief – Stealing Certificates)

SigPirate:
SigPirate.exe -s consent.exe -d mimikatz.exe -o katz.exe -a
(SigPirate – Stealing Certificates)

The consent file is an executable which is part of the Windows operating system and therefore it is digitally signed by Microsoft. The binary will appear to have a digital signature of Microsoft. (Malicious Binary with Trusted Certificate) As previously, the digital signature will fail to validate.

https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/

Edited September 19, 2023 by itman
ESET Staff JamesR 58 Posted September 21, 2023

@Quizzical9796 What you are seeing is not caused by a threat. And it will be best for you to contact your local ESET support to get a ticket and potentially more thorough troubleshooting steps.

Some things which can cause what you saw:

1. Older version of ESET Endpoint Protection or Inspect Connector on the endpoint. Ensure you are using the latest versions of Endpoint and Inspect Connector (and the latest Inspect Server... if you are using Cloud, you are on the latest Inspect Server).
Possible solution: Updating to the latest versions of Endpoint and Inspect may resolve this problem.

2. Blocking of ESET servers on endpoints. If your network is using a UTM/Next Gen Firewall, there is a good chance many of ESET's public servers are being blocked, and this could lead to ESET not being able to check the validation of a certificate seen on an executable. As the endpoints and the server will both be checking ESET servers for a multitude of things, it could be that your endpoints can't communicate with a handful of ESET servers while your Inspect server has no issues communicating with ESET servers.
Possible solution: Ensure you have added ESET public servers to any whitelists/allow lists/exclusions on your UTM/Next Gen Firewall. The full list of servers with domains/IPs is here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall

Your local support teams may be able to assist with identifying if there are any communication problems with any ESET servers which could cause what you are seeing.
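The two explanations above (a signature copied from another binary, which fails because the signed hash does not cover the file, versus a legitimate signature whose chain could not be validated at detection time) can be told apart on the endpoint with Windows' own Authenticode check. The script below is an added example, not from this thread or from ESET; the folder path is an assumption and the hostname in the reachability test is a placeholder to be replaced with an entry from the KB article linked above.

```powershell
# Added example: triage Authenticode status of executables under a folder.
# HashMismatch = the signature blob does not cover this file's contents (what a
# copied-certificate binary looks like); NotTrusted/UnknownError = the file may be
# fine but the certificate chain could not be built or verified on this host.
function Get-SignatureTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.sys')
    )
    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Map the raw SignatureStatus to the question a defender is asking
        $verdict = switch ($sig.Status) {
            'Valid'        { 'OK: signature valid and chain trusted' }
            'NotSigned'    { 'Unsigned' }
            'HashMismatch' { 'SUSPICIOUS: signature does not cover this file (possible copied certificate)' }
            'NotTrusted'   { 'Chain not trusted: check root store and revocation reachability' }
            'UnknownError' { 'Validation failed: chain could not be built or verified (see StatusMessage)' }
            default        { "Other: $($sig.Status)" }
        }
        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            StatusMessage = $sig.StatusMessage
            Verdict       = $verdict
        }
    }
}

# Usage (assumed folder): list everything that is not Valid. A Microsoft- or ESET-signed
# file reporting HashMismatch deserves a closer look; NotTrusted/UnknownError on many
# files at once points at the validation environment (blocked revocation/update hosts).
Get-SignatureTriage -Path 'C:\Program Files\ESET' |
    Where-Object Status -ne 'Valid' |
    Format-Table File, Status, Signer, Verdict -AutoSize

# Placeholder hostname: substitute an address from the kb332 list linked in the post above
Test-NetConnection -ComputerName '<eset-server-from-kb332>' -Port 443
```

Run it from the affected endpoint rather than the Inspect server, since the post above notes the two may have different connectivity to ESET servers.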