CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV April 4, 2018 https://www.bleepingcomputer.com/ne...ckers-to-download-malware-while-bypassing-av/
I am wondering if any MitigationOptions might be beneficial here. Particularly, Arbitrary Code Guard (ACG) should stop the dynamic code modification. Possibly NoRemoteImages as well but I am not sure. I may have to test this later and try various options out of curiosity. It's great and easy to block this via Application Whitelisting solutions, but I am always curious to find multiple methods to deter certain scenarios.
I think no modification is used against CertUtil, but maybe you mean hardening initial attack vector such as browser or PDF reader? I'm not sure if blocking CertUtil completely won't cause problem.
https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
Good find! I am sure most Wilder's folks are covered on this one since none allow anything to execute from %Temp% directory; signed or not.
I have to allow mpam-*.exe, MPSigStub.exe, and CR_*.tmp\setup.exe on Windows\Temp, but I think default-deny rule of firewall will stop the attack even if attacker modified filename to match them.
