This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclude Threat Detection "TA0005 - Defense Evasion"

Colsam 6 months ago

Our SAP server’s backup process, that is using certutil.exe, is detected as a defense evasion threat.

In details the detection is

Detection ID: WIN-EVA-PRC-CERTUTIL-DECODE-1
Command Line: certutil -decode password.b64 password.txt
File Path: C:\Windows\System32\certutil.exe
Parent Command Line: C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"
Mitre Tactics: TA0005 Defense Evasion
T1140 Deobfuscate/Decode Files or Information

I've tried to exclude certutil.exe with an exclusion in the Threat Protection device policy, but it not works.

How can I disable this detection?

Thanks.

This thread was automatically locked due to age.

0 Qoosh 6 months ago

Hi Colsam,

Thanks for reaching out to the Sophos Community Forum.

Allow me some time to inquire with our team regarding your question and I'll update you here.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim-Sophos 6 months ago

The exclusions in Threat Protection policy will not suppress EDR/XDR detections. We expect to allow customer suppression of detections in the first quarter of the new year. (As always, roadmaps are subject to change.) In the meantime, I will pass this info along to our detections team to determine whether a global suppression or change to the rule is warranted in this case.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent 6 months ago

That's a tough one -- as certutil is often used for evil purposes (I understand, not in your case) --- question about your backups -- is this a SAP native app for backup that is calling certutil, a script you (or someone else wrote), or a commercial backup application, that is leveraging certutil? Just curious so I can keep an eye out for it as a MSP.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent 6 months ago in reply to BrucekConvergent

I see it is using certutil to encrypt / decrypt what looks like the password for the backup to complete... I have seen some customers with custom powershell scripts that decode / encode things in base64 trigger events too.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 Colsam 6 months ago in reply to BrucekConvergent

You're right, we use certutil do encrypt / decrypt the password for the backup. I'll wait for the feature to suppress EDR/XDR detections.

Thanks for your replies.
Cancel
Vote Up 0 Vote Down

Cancel
0 Colsam 6 months ago in reply to Maxim-Sophos

Thank you, I'll wait for this new feature.
Cancel
Vote Up 0 Vote Down

Cancel