
Exclude Threat Detection "TA0005 - Defense Evasion"

Our SAP server's backup process, which uses certutil.exe, is detected as a defense evasion threat.

In detail, the detection is:

Detection ID:        WIN-EVA-PRC-CERTUTIL-DECODE-1
Command Line:        certutil -decode password.b64 password.txt
File Path:           C:\Windows\System32\certutil.exe
Parent Command Line: C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"
Mitre Tactics:       TA0005  Defense Evasion
                     T1140   Deobfuscate/Decode Files or Information

I've tried to exclude certutil.exe with an exclusion in the Threat Protection device policy, but it does not work.

How can I disable this detection?

Thanks.
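As an added illustration (my own code, not from the thread or from Sophos) of why excluding certutil.exe as a whole is the wrong knob: a toy emulation of the detection record above, with a suppression scoped to the exact parent launch and the exact certutil command line from the post. The event field names, the parent-launch regex, the suppression logic and the sample events are constructed assumptions, not a description of how the product implements exclusions.

```python
import re

# Rule name as it appears in the thread's detection record.
RULE_ID = "WIN-EVA-PRC-CERTUTIL-DECODE-1"
CERTUTIL = r"c:\windows\system32\certutil.exe"
DECODE_SWITCHES = {"-decode", "/decode", "-decodehex", "/decodehex"}

# Hypothetical narrow suppression (our construct, not a Sophos setting): the exact
# parent launch of the SAP backup script from the thread *and* the exact certutil
# command it is known to run. Anything else still alerts.
PARENT_RE = re.compile(
    r'^c:\\windows\\system32\\cmd\.exe /c "c:\\users\\p01adm\\scripts\\backup_db\.cmd ')
EXPECTED_CMDLINE = "certutil -decode password.b64 password.txt"

def is_certutil_decode(ev):
    """True when System32 certutil.exe runs with a decode switch (T1140)."""
    if ev["image"].lower() != CERTUTIL:
        return False
    return any(t in DECODE_SWITCHES for t in ev["cmdline"].lower().split()[1:])

def is_suppressed(ev):
    """Suppress only the known parent launch combined with the known command."""
    return (PARENT_RE.match(ev["parent_cmdline"].lower()) is not None
            and " ".join(ev["cmdline"].lower().split()) == EXPECTED_CMDLINE)

def evaluate(ev):
    """Return RULE_ID when the event should alert, else None."""
    return RULE_ID if is_certutil_decode(ev) and not is_suppressed(ev) else None

def event(cmdline, parent, image=r"C:\Windows\System32\certutil.exe"):
    """Build a constructed process-creation event (field names are our own)."""
    return {"image": image, "cmdline": cmdline, "parent_cmdline": parent}

# Constructed samples. BACKUP_PARENT copies the parent command line from the thread.
BACKUP_PARENT = (r'C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts'
                 r'\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"')
EVENTS = {
    # the backup run from the thread: suppressed
    "backup": event("certutil -decode password.b64 password.txt", BACKUP_PARENT),
    # same parent script but a different file: the exception does not stretch
    "backup_other_file": event("certutil -decode other.b64 other.txt", BACKUP_PARENT),
    # decode launched from an interactive shell: alerts
    "interactive": event("certutil -decode notes.b64 notes.txt", r"C:\Windows\System32\cmd.exe"),
    # certutil without a decode switch: outside this rule's scope
    "verify": event("certutil -verify server.cer", r"C:\Windows\System32\cmd.exe"),
}

def triage():
    """Map each sample event name to the alert it raises (None when quiet)."""
    return {name: evaluate(ev) for name, ev in EVENTS.items()}
```

Running `triage()` shows only the exact backup invocation going quiet while every other decode still raises the rule, which is the shape an exclusion should have.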



  • That's a tough one -- as certutil is often used for evil purposes (I understand, not in your case) --- question about your backups -- is this an SAP native app for backup that is calling certutil, a script you (or someone else) wrote, or a commercial backup application that is leveraging certutil?  Just curious so I can keep an eye out for it as an MSP.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I see it is using certutil to encrypt / decrypt what looks like the password for the backup to complete... I have seen some customers with custom PowerShell scripts that decode / encode things in base64 trigger events too.


  • You're right, we use certutil to encrypt / decrypt the password for the backup. I'll wait for the feature to suppress EDR/XDR detections.

    Thanks for your replies.
