MS Signed #Mimikatz in just 3 steps ;-)

Discussion in 'other security issues & news' started by itman, Sep 29, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    Last edited: Sep 29, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
  3. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    Don't want to pollute the CCleaner thread with not-so-off-topic posts.

    What is a reliable way, in your opinion and in general terms, when we, the average users, download a file from a trusted company with "trusted" digital signatures?

    Remember, any computer user downloads files almost every day to install updates for their favorite/needed programs.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    The simple answer is you have to rely on your AV software to catch anything malicious in the download. The only thing that AV software uses signatures for is one evaluation in its many reputational criteria in determining if an "unknown" binary is safe or not.

    In regard to backdoors, withstanding ones embedded in trusted update downloads, the only way they can be detected is by signature or through aggressive network monitoring. Of course, for a backdoor signature to be developed, it first has to be discovered. If you are lucky, an unknown backdoor might be detected by your AV solution if it tries to connect to a known malicious C&C server by IP blacklist detection. Unfortunately, the malware developers are well aware of this and are constantly setting up new and unknown C&C server connections.
     
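    As an added example, not from itman's post or anyone in this thread: a PowerShell check a defender can run on a downloaded binary before trusting it. It reports the Authenticode status, the signer's subject and thumbprint, and the SHA-256 hash, so a "Valid" signature from an unexpected publisher is flagged instead of accepted. The expected publisher string and the file path are placeholders you substitute yourself.

```powershell
# Added example (not from the thread): inspect an Authenticode signature and
# report who signed the file rather than trusting a bare "Valid" status.
# $ExpectedSubjectPattern is a placeholder; replace it with the vendor's CN.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSubjectPattern = 'CN=Example Vendor Inc'   # placeholder
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

$result = [ordered]@{
    File          = $Path
    SHA256        = $hash.Hash           # compare with the vendor-published hash
    SigStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
    StatusMessage = $sig.StatusMessage
    SignerMatches = $false
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Issuer     = $cert.Issuer
    $result.Thumbprint = $cert.Thumbprint
    $result.NotAfter   = $cert.NotAfter
    # A chain-valid signature from the wrong publisher is still the wrong file.
    $result.SignerMatches = $cert.Subject -like "*$ExpectedSubjectPattern*"
}

[pscustomobject]$result | Format-List

if ($sig.Status -ne 'Valid' -or -not $result.SignerMatches) {
    Write-Warning 'Signature status or signer does not match expectations; verify the SHA256 against the vendor and scan the file before running it.'
}
```

    Run it as `.\Check-Download.ps1 -Path .\setup.exe -ExpectedSubjectPattern 'CN=<vendor>'`; a signed file whose signer subject differs from the vendor you expected produces the warning even when Windows reports the signature as Valid.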
  5. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    This opens a door to false positives, zero detection, wrong reputation, etc. Anyway, thanks for your advice.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    As I stated, signing status is only one criterion among many; the most important criterion would be heuristic/behavior analysis. In the case of a backdoor, none would be detected since most will not establish a remote connection immediately upon program execution.
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia