MS Signed #Mimikatz in just 3 steps ;-)

Discussion in 'other security issues & news' started by itman, Sep 29, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Last edited: Sep 29, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    Don't want to pollute the CCleaner thread with not-so-off-topic posts.

    What is a reliable way, in your opinion and in general terms, when we, the average users, download a file from a trusted company with "trusted" digital signatures?

    Remember, any computer user downloads files almost every day to install updates for their favorite/needed programs.

  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    The simple answer is you have to rely on your AV software to catch anything malicious in the download. The only thing that AV software uses signatures for is one evaluation among its many reputational criteria in determining if an "unknown" binary is safe or not.

    In regards to backdoors, notwithstanding ones embedded in trusted update downloads, the only way they can be detected is by signature or through aggressive network monitoring. Of course, for a backdoor signature to be developed, it first has to be discovered. If you are lucky, an unknown backdoor might be detected by your AV solution if it tries to connect to a known malicious C&C server, by IP blacklist detection. Unfortunately, the malware developers are well aware of this and are constantly setting up new and unknown C&C server connections.

  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    This opens a door to false positives, zero detection, wrong reputation, etc. Anyway, thanks for your advice.

  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    As I stated, signing status is only one criterion among many; the most important criterion would be heuristic/behavior analysis. In the case of a backdoor, none would be detected, since most will not establish a remote connection immediately upon program execution.

  7. guest

    guest Guest
