Quizzical9796 (Posted September 19): Several detections recently popped up from our Inspect, and in the detection detail it is stated that the signature is Trusted but "was Invalid when detection was triggered". Examples included Microsoft and even ESET files. Could you explain to me how this is possible, please? Thank you in advance.
Marcos, Administrators (Posted September 19): Does it come from ESET Inspect? If so, please raise a support ticket, but I'm not sure the root cause can be determined backwards if it cannot be reproduced again.
Quizzical9796, Author (Posted September 19): Yes, it is showing in the detection details of ESET Inspect. I thought it could be some update because I saw it several times already, but I'm not sure... OK, could you point me to where to submit a ticket, please? I don't think it has to be a threat, but I am just curious how it could have happened.
itman (Posted September 19): One possibility is this hack method: https://attack.mitre.org/techniques/T1036/001/ . You will need to closely examine the signatures of the files that are generating these ESET detections.
itman (Posted September 19, edited September 19 by itman): FYI:

    Quote: Various tools can be used in order to hijack a certificate from a trusted binary and use it on a non-legitimate binary.

    SigThief: python sigthief.py -i consent.exe -t mimikatz.exe -o signed-mimikatz.exe
    Sigthief – Stealing Certificates

    SigPirate: SigPirate.exe -s consent.exe -d mimikatz.exe -o katz.exe -a
    SigPirate – Stealing Certificates

    The consent file is an executable which is part of the Windows operating system and therefore it is digitally signed by Microsoft. The binary will appear to have a digital signature of Microsoft.
    Malicious Binary with Trusted Certificate

    As previously, the digital signature will fail to validate.

    https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/
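The two replies above recommend examining the signatures of the flagged files. The following PowerShell triage script is an added example (not posted in the thread and not an ESET tool) that does exactly that on the endpoint: it reports the Authenticode status, signer and chain validity for each path, and separates a trusted signer whose hash no longer matches the file (the copied-signature case described in the quoted article) from a signature that simply could not be validated at the time. The file paths in the example call are placeholders; substitute the paths from your Inspect detection details.

```powershell
# Added example: triage the signature state of files flagged by ESET Inspect as
# "Trusted, but Invalid when detection was triggered". Requires Windows PowerShell
# (Get-AuthenticodeSignature); run on the endpoint that raised the detection.
function Get-SignatureTriage {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Path = $file; Status = 'FileMissing'; Signer = $null
                               ChainValid = $null; Timestamped = $null
                               Verdict = 'File no longer present; cannot examine' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $file
        $cert = $sig.SignerCertificate
        # X509Certificate2.Verify() builds the chain with the local trust/revocation settings.
        $chainValid = if ($cert) { $cert.Verify() } else { $null }
        $verdict = switch ($sig.Status) {
            'Valid'        { 'Signature valid now; the earlier failure was likely transient (see JamesR reply)' }
            'HashMismatch' { 'Signer trusted but the hash does not match: file modified or signature copied from another binary; investigate' }
            'NotSigned'    { 'No Authenticode signature present' }
            'NotTrusted'   { 'Signed, but the chain does not lead to a trusted root' }
            'UnknownError' { 'Validation could not complete (chain/revocation check blocked?); retry with network access' }
            default        { "Status $($sig.Status): $($sig.StatusMessage)" }
        }
        [pscustomobject]@{
            Path        = $file
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            ChainValid  = $chainValid
            Timestamped = [bool]$sig.TimeStamperCertificate
            Verdict     = $verdict
        }
    }
}

# Placeholder paths: replace with the files named in the Inspect detection details.
Get-SignatureTriage -Path 'C:\Windows\System32\consent.exe', 'C:\path\to\flagged.exe' |
    Format-List
```

A file that shows Status Valid and ChainValid True here, yet was reported Invalid at detection time, points to the endpoint-side validation problems JamesR describes rather than to a tampered binary.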
JamesR, ESET Staff (Posted September 21): @Quizzical9796 What you are seeing is not caused by a threat. It will be best for you to contact your local ESET support to get a ticket and potentially more thorough troubleshooting steps.

Some things which can cause what you saw:

Older version of ESET Endpoint Protection or Inspect Connector on the endpoint. Ensure you are using the latest versions of Endpoint and Inspect Connector (and the latest Inspect Server; if you are using Cloud, you are on the latest Inspect Server).
Possible solution: Updating to the latest versions of Endpoint and Inspect may resolve this problem.

Blocking of ESET servers on endpoints. If your network is using a UTM/Next Gen Firewall, there is a good chance many of ESET's public servers are being blocked, and this could lead to ESET not being able to check the validation of a certificate seen on an executable. As the endpoints and the server will both be checking ESET servers for a multitude of things, it could be that your endpoints can't communicate with a handful of ESET servers while your Inspect server has no issues communicating with ESET servers.
Possible solution: Ensure you have added ESET public servers to any whitelists/allow lists/exclusions on your UTM/Next Gen Firewall. The full list of servers with domains/IPs is here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall

Your local support teams may be able to assist with identifying whether there are any communication problems with any ESET servers which could cause what you are seeing.