Exclude Threat Detection "TA0005 - Defense Evasion"

Our SAP server's backup process, which uses certutil.exe, is detected as a defense evasion threat.

In detail, the detection is:

Detection ID:        WIN-EVA-PRC-CERTUTIL-DECODE-1
Command Line:        certutil -decode password.b64 password.txt
File Path:           C:\Windows\System32\certutil.exe
Parent Command Line: C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"
MITRE Tactics:       TA0005 Defense Evasion
                     T1140 Deobfuscate/Decode Files or Information

I've tried to exclude certutil.exe with an exclusion in the Threat Protection device policy, but it does not work.

How can I disable this detection?

Thanks.



[edited by: Gladys at 9:37 AM (GMT -8) on 2 Jan 2024]
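As an added example (not code from this thread, from SAP, or from Sophos), the following Python replays a certutil decode rule of the kind shown in the post over constructed process-creation events: the post's own invocation, a benign `certutil -hashfile` run from the same backup script, and a `/DECODE` variant spawned by a hidden PowerShell parent. It shows why a rule that keys on the command line rather than the image path is unaffected by what path certutil runs from, and what an allowlist keyed on the exact invocation does instead. The event format, switch list, tokeniser and the invocation-level allowlist are assumptions made for illustration; only the detection ID, technique and the backup script's command lines are taken from the post.

```python
"""Replay a certutil decode detection over constructed process-creation events.

Added example, not vendor rule content.  The rule matches on certutil's
command line (decode switches), so the image path is never what it keys on.
"""
import json
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Collection, Iterable, List, Optional, Tuple

# Switches treated as decode behaviour (illustrative list, not the vendor's).
DECODE_SWITCHES = {"-decode", "-decodehex"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str                 # full path of the executable
    command_line: str
    parent_command_line: str


@dataclass(frozen=True)
class Detection:
    detection_id: str
    technique: str
    event: ProcessEvent


def parse_events(jsonl: str) -> List[ProcessEvent]:
    """Parse one JSON object per line into ProcessEvent (blank lines skipped)."""
    return [ProcessEvent(**json.loads(line)) for line in jsonl.splitlines() if line.strip()]


def tokens(cmdline: str) -> List[str]:
    """Minimal Windows tokeniser: quoted arguments stay whole, quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_switch(tok: str) -> str:
    """certutil accepts -decode, /decode and any letter case; fold them together."""
    return "-" + tok[1:].lower() if tok and tok[0] in "-/" else tok.lower()


def detect_certutil_decode(ev: ProcessEvent) -> Optional[Detection]:
    """Fire when certutil.exe runs with a decode switch, whatever directory it lives in."""
    if PureWindowsPath(ev.image).name.lower() != "certutil.exe":
        return None
    switches = {normalise_switch(t) for t in tokens(ev.command_line)[1:]}
    if switches & DECODE_SWITCHES:
        return Detection("WIN-EVA-PRC-CERTUTIL-DECODE-1", "T1140", ev)
    return None


Invocation = Tuple[str, str]   # (parent command line, command line)


def triage(events: Iterable[ProcessEvent],
           allowed: Collection[Invocation] = frozenset()) -> List[Detection]:
    """Run the rule and drop hits whose exact (parent, command line) pair is allowlisted.

    Allowlisting the invocation rather than the binary keeps the rule live for any
    other certutil -decode on the host.  Hypothetical tuning approach for this example.
    """
    hits = []
    for ev in events:
        det = detect_certutil_decode(ev)
        if det and (ev.parent_command_line, ev.command_line) not in allowed:
            hits.append(det)
    return hits


# Constructed events: the post's invocation plus two variants (one benign, one hostile).
BACKUP_PARENT = (r'C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd '
                 r'P01 tlog Y:\sapbackup > backup_tlog.log 2>&1"')
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -decode password.b64 password.txt",
     "parent_command_line": BACKUP_PARENT},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile Y:\sapbackup\P01_tlog.bak SHA256",
     "parent_command_line": BACKUP_PARENT},
    {"image": r"C:\Windows\SysWOW64\certutil.exe",
     "command_line": r'"C:\Windows\SysWOW64\certutil.exe" /DECODE C:\Users\Public\stage.txt C:\Users\Public\stage.exe',
     "parent_command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden"},
])


def demo() -> Tuple[int, int]:
    """Hit counts before and after allowlisting the backup script's exact invocation."""
    events = parse_events(SAMPLE_EVENTS)
    allowed = {(BACKUP_PARENT, "certutil -decode password.b64 password.txt")}
    return len(triage(events)), len(triage(events, allowed))


if __name__ == "__main__":
    for d in triage(parse_events(SAMPLE_EVENTS)):
        print(d.detection_id, d.technique, d.event.image, "|", d.event.command_line)
    print(demo())
```

Run stand-alone, it lists the two hits (the backup script's `-decode` and the PowerShell-spawned `/DECODE`; the `-hashfile` run never matches) and then prints `(2, 1)`: the allowlist keyed on the exact parent and child command lines drops the backup script's hit while the hostile one still fires. Whether a given EDR exposes that level of granularity is a vendor question the example does not settle; it only shows which attribute such a rule is actually evaluating.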
  • That's a tough one, as certutil is often used for evil purposes (I understand, not in your case). A question about your backups: is this an SAP native app for backup that is calling certutil, a script you (or someone else) wrote, or a commercial backup application that is leveraging certutil? Just curious so I can keep an eye out for it as an MSP.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I see it is using certutil to encrypt/decrypt what looks like the password for the backup to complete. I have seen some customers with custom PowerShell scripts that decode/encode things in base64 trigger events too.
